Analysis Date: 2013-08-05 21:47:37
MD5: cb873ed2498b63d231427b73d6c574c1
SHA1: 37a9d8754014858654efd9805affb5fc8de28456

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: ad16b2fc263bf20c6a3320f1f1551cf0 sha1: 267bff8d6df29f124760b55d632fba90477d090b size: 10240
Section DATA: md5: 1ab5511958c2fe3d5fdec62a6e3e9fc8 sha1: ed9166730e211e1af50000a13b9ec0e7ef7f0b44 size: 512
Section BSS: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata: md5: e5f23c18356aa702ebe3f08c547783aa sha1: 3ae52dadbc012906f972b10a6bbdcda9b4eb8ba8 size: 1024
Section .tls: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata: md5: 753527920e84ff25027979eeb2bca12a sha1: d430b67c2b4a0ac2c7cd3c473f0a59e603b74717 size: 512
Section .reloc: md5: 28ea38498835f1c57f03463e807b5875 sha1: 54ff119552c051b881f97abb464c0c4a18447ede size: 1024
Section .rsrc: md5: e56445835637e0e257efddb00ce091b2 sha1: bee6ac1b54471fb57389090f4c593dd8b39f08c1 size: 1536
Timestamp: 1992-06-19 22:22:17
Packer: BobSoft Mini Delphi -> BoB / BobSoft
PEhash: 0cc2f6190ca43da925579b47decb584e922ec6e5
AV (msse): TrojanDownloader:Win32/Small.gen!AO

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\WINDOWS\system32\usbmsn.exe
Winsock DNS: www.freewebtown.com
Winsock URL: http://www.freewebtown.com/servenet/Principal.jpg

Process
↳ C:\WINDOWS\system32\usbmsn.exe

Network Details:

DNS: www.freewebtown.com (Type: A) ➝ 208.75.230.46
HTTP GET: http://www.freewebtown.com/servenet/Principal.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 208.75.230.46:80
