Analysis Date: 2015-10-19 17:51:22
MD5: 89cfe39aeb433c9a21e6862f9895284a
SHA1: 37551ad0d90904b633e335315e1c1abe39c65cf3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c9bf5b79f75a522a94b02746b417399b sha1: 57c59c19f785f73b2de9f50242daa25de76a5912 size: 139264
Section .rdata: md5: 3d636d537f3b7b7a0b189acc98d38544 sha1: a79f7ccbe1dfb9ea57ce0949a0db63498c962abc size: 512
Section .data: md5: b9989fc8d7d64d1c425ed808750f4cb2 sha1: 87f73a0c16e4f7ad85b1dc345af50bd65a2f0ed1 size: 54272
Section .rsrc: md5: a4fb978743143897402b227a08dac69c sha1: 831d4e5727a42050c851d9ea418ae7453cd6903e size: 17920
Timestamp: 2005-07-26 01:14:18
PEhash: 0a145b5211e1f0d5b4eabb2915bc8556b96c6a00
IMPhash: 50eeeeddde300914f2e7fa95b9bc05a2
AV Rising: no_virus
AV Mcafee: Generic FakeAlert.amb
AV Avira (antivir): TR/Kazy.8090.A
AV Twister: Trojan.558BEC@1F54FF15@1.mg
AV Ad-Aware: Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-EY [Cryp]
AV Eset (nod32): Win32/Kryptik.KLT
AV Grisoft (avg): FakeAlert.XN
AV Symantec: SecurityShieldFraud
AV Fortinet: W32/FakeAV.PACK!tr
AV BitDefender: Gen:Heur.Cridex.2
AV K7: Trojan ( 001e60c61 )
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV MalwareBytes: no_virus
AV Authentium: W32/FakeAlert.JW.gen!Eldorado
AV Frisk (f-prot): W32/FakeAlert.JW.gen!Eldorado
AV Ikarus: Trojan-Downloader.Win32.FraudLoad
AV Emsisoft: Gen:Heur.Cridex.2
AV Zillya!: Trojan.FakeAV.Win32.100760
AV Kaspersky: Trojan.Win32.FakeAV.aepj
AV Trend Micro: BKDR_CYCBOT.SMIB
AV CAT (quickheal): FraudTool.Security
AV VirusBlokAda (vba32): Trojan.FakeAV.0997
AV Padvish: no_virus
AV BullGuard: Gen:Heur.Cridex.2
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/Gbot.A!generic
AV ClamAV: Win.Trojan.Fakeav-69062
AV Dr. Web: Trojan.Fakealert.19937
AV F-Secure: Gen:Heur.Cridex.2

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\hzdlesoac.exe
Creates Process: cmd.exe /c taskkill /f /pid 1236 & ping -n 3 127.1 & del /f /q C:\malware.exe & start C:\Documents and Settings\Administrator\Local Settings\Application Data\HZDLES~1.EXE -f
Creates Mutex: i'm here
Creates Mutex: DBWinMutex

Process
↳ cmd.exe /c taskkill /f /pid 1236 & ping -n 3 127.1 & del /f /q C:\malware.exe & start C:\Documents and Settings\Administrator\Local Settings\Application Data\HZDLES~1.EXE -f

Creates Process: ping -n 3 127.1
Creates Process: taskkill /f /pid 1236
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\HZDLES~1.EXE -f

Process
↳ taskkill /f /pid 1236

Creates File: PIPE\lsarpc

Process
↳ ping -n 3 127.1

Winsock DNS: 127.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\HZDLES~1.EXE -f

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Security Shield.lnk
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: i'm here
Creates Mutex: DBWinMutex
Winsock DNS: 188.132.216.217

Network Details:

HTTP GET: http://188.132.216.217/cb_soft.php?q=d7020a72438ec013e4b1a992ad415bb3&zz=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
HTTP GET: http://188.132.216.217/cb_soft.php?q=d7020a72438ec013e4b1a992ad415bb3&aj=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 188.132.216.217:80
Flows TCP: 192.168.1.1:1031 ➝ 188.132.216.217:80
Flows TCP: 192.168.1.1:1032 ➝ 188.132.216.217:80

Raw Pcap


Strings