Analysis Date: 2013-11-24 17:54:24
MD5: 850b7d707e286b1de677bd5b50845d64
SHA1: 37a9e249873939df27b23c4803208891eb64ab11

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section C0DE: md5: c150cab82e7dbdefc8e3ef7d88be6e94 sha1: 1107b2deb7506836a00aaa9e755d74db7d3e6a24 size: 98304
Section DATA: md5: c0071c6279f1ddb58d46d9990f828cea sha1: 56f10775a3ca5f893cc2b75374fbe9627a390516 size: 8704
Section BSS: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section; these are the hashes of zero bytes)
Section .id0ta: md5: 69ea237bdc14c1e3bb86936623b3d388 sha1: 8126c32cab85c95f2745942ee773687112b36553 size: 3584
Section .reloc: md5: 22192bf2adca1a97064559e006d90c7b sha1: 57bf3c88fb912c339e774e35a9de1814e05965e7 size: 6656
Section .rsrc: md5: eedeeb061a93836442f6511d74513c21 sha1: f7283762df4ec7ec15fc4359ec29436bd730c16d size: 12288
Timestamp: 1992-06-19 22:22:17 (PE header compile timestamp; it predates the 2013 copyright string below and matches the fixed value Delphi-built binaries carry, so it should not be read as the actual build date)
Version info — LegalCopyright: Copyright 2013
InternalName: Downloader
FileVersion: 1, 0, 0, 0
ProductName: Downloader
ProductVersion: 1, 0, 0, 0
FileDescription: Downloader
OriginalFilename: Downloader.exe
PEhash: 17876d6fc82cfcb03c1efa0fdfd3ea5a3150f063
AV (avg): Win32/Cryptor

Runtime Details:


Process
↳ C:\malware.exe

Creates Process?

Process
↳ ?

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: forces.wiretorrent.ru

Network Details:

DNS: forces.wiretorrent.ru
Type: A
94.242.246.199
HTTP GET: http://forces.wiretorrent.ru/get_xml?stb=1&did=412899020&file_id=38283502
User-Agent: Downloader MLR 1.0.0
HTTP GET: http://forces.wiretorrent.ru/get_xml?stb=1&did=412899020&file_id=38283502
User-Agent: Downloader MLR 1.0.0
Flows TCP: 192.168.1.1:1031 ➝ 94.242.246.199:80
Flows TCP: 192.168.1.1:1032 ➝ 94.242.246.199:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 5f786d6c 3f737462   GET /get_xml?stb
0x00000010 (00016)   3d312664 69643d34 31323839 39303230   =1&did=412899020
0x00000020 (00032)   2666696c 655f6964 3d333832 38333530   &file_id=3828350
0x00000030 (00048)   32204854 54502f31 2e310d0a 55736572   2 HTTP/1.1..User
0x00000040 (00064)   2d416765 6e743a20 446f776e 6c6f6164   -Agent: Download
0x00000050 (00080)   6572204d 4c522031 2e302e30 0d0a486f   er MLR 1.0.0..Ho
0x00000060 (00096)   73743a20 666f7263 65732e77 69726574   st: forces.wiret
0x00000070 (00112)   6f727265 6e742e72 750d0a43 61636865   orrent.ru..Cache
0x00000080 (00128)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000090 (00144)   68650d0a 0d0a                         he....

0x00000000 (00000)   47455420 2f676574 5f786d6c 3f737462   GET /get_xml?stb
0x00000010 (00016)   3d312664 69643d34 31323839 39303230   =1&did=412899020
0x00000020 (00032)   2666696c 655f6964 3d333832 38333530   &file_id=3828350
0x00000030 (00048)   32204854 54502f31 2e310d0a 55736572   2 HTTP/1.1..User
0x00000040 (00064)   2d416765 6e743a20 446f776e 6c6f6164   -Agent: Download
0x00000050 (00080)   6572204d 4c522031 2e302e30 0d0a486f   er MLR 1.0.0..Ho
0x00000060 (00096)   73743a20 666f7263 65732e77 69726574   st: forces.wiret
0x00000070 (00112)   6f727265 6e742e72 750d0a43 61636865   orrent.ru..Cache
0x00000080 (00128)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000090 (00144)   68650d0a 0d0a                         he....


Strings
041904e3
07k5n7u
1, 0, 0, 0
43hvksno
8h8qsfzz5+hkcyob8iq03
_a-iuslp5c4rnv_7u#j
b-zcwytow83_8#cq6a
Copyright 2013
Downloader
Downloader.exe
ff-fdzkw#b
FileDescription
FileVersion
*flatout-3-_torrentin
InternalName
LegalCopyright
<<<Obsolete>>
+ofa0yknkuf#-jfls7
OriginalFilename
p0b8qd
p2zpzgs_#+6ow_xpsgvgy
ProductName
ProductVersion
rdee
StringFileInfo
tm5+fm73z2qggqwelc8c
Translation
VarFileInfo
VS_VERSION_INFO
wdzoc8zvs2g 0idq5h2bz
}_|!"`
0$0*00070=0C0I0R0Y0f0n0|0
0&0,060;0X0b0i0o0
'0.060<0I0y0
0@0F0L0R0_0i0s0
;$;*;0;7;=;L;R;X;_;p;};
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
0SB3>76
1)101:1@1G1o1v1
110824000000Z
1&11181@1G1S1Z1`1j1p1x1~1
1#1-12181>1D1J1P1V1Z1n1
1$1*12181@1G1O1V1\1d1j1p1}1
1!1'1K1Q1W1]1c1
1255991
131010000000Z
131115075859Z0
141010235959Z0
=!=+=1=7===D=J=V=^=d=i=p=z=
190709184036Z0
;);1;9;?;E;K;Q;];b;
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
200530104838Z0{1
2"2&2*2.22262:2>2B2F2J2N2R2V2Z2^2b2f2
2&2,22282C2Z2c2p2v2|2
2(2/2;2A2G2M2T2\2b2j2
2/252;2A2G2P2V2^2d2j2t2z2
;,;2;8;C;J;R;];d;s;{;
<	<+<2<8<><J<P<V<\<b<
>%>,>2>>>F>L>W>^>k>r>x>
323E3X3k3~3
3!3'3:3@3K3S3[3h3u3
3!3+353E3M3V3\3b3h3q3
3B3L3T3Z3a3l3r3x3~3
`3f"WME
405<5B5H5N5X5b5m5u5{5
42C/=m
4$4*40464E4M4S4]4g4m4
4!4+414?4E4K4W4]4g4l4
4*4:4_4f4n4s4y4
494?4E4K4
:#:4:::@:F:O:U:x:
>">(>.>4>:>J>R>W>^>j>p>v>|>
5(50565@5J5P5k5r5z5
5&5:5A5c5p5
5+5O5U5\5c5i5p5
<%</<5<D<L<R<\<f<l<|<
? ?.?5?>?F?K?R?X?g?o?u?
5Ht2f s
=!=-=5=;=V=c=k=q=w=
65W:p6g_
6%6-636=6G6M6]6j6y6
6)6.696F6L6R6X6^6d6~6
666wCCC
=)=6=<=B=H=N=
6F6L6V6\6b6l6r6}6
;&;.;6;>;F;N;V;^;f;n;v;~;
#@6IsI
: :+:6:;:Q:W:]:g:l:w:
7(70767A7K7R7]7r7x7
7+767D7K7Z7a7j7v7{7
7$7.747L7R7X7^7d7n7{7
7#7.767>7I7P7V7\7b7h7z7
7 7$7(74787<7@7D7
<&<-<7<=<D<R<`<f<l<r<x<
8-82878<8K8X8_8m8t8z8
8+828>8J8P8V8\8i8z8
8#8,82888H8N8T8^8j8p8v8
8)888?8G8M8Z8f8m8|8
<8{\-B
?!?)?8?C?O?U?[?a?k?w?
<8<?<D<J<f<w<~<
910rNS
990709183120Z
9"919=9C9I9O9Y9c9m9w9}9
9)9/959A9G9M9R9h9r9x9~9
9 9-979S9Y9_9e9l9w9}9
9&9.9I9P9Z9l9s9{9
999tYYY
A6=<{y
aAZTZq
>A>G>d>j>p>
AND LLC0
AND LLC1
</assembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
A&T*xkd
axDqPn
!aX^lh
BGZ5;&
ChooseColorA
ChooseFontA
ChooseFontW
comctl32.dll
COMCTL32.DLL
comdlg32.dll
COMDLG32.DLL
COMODO CA Limited1!0
COMODO Code Signing CA 2
COMODO Code Signing CA 20
ConvertThreadToFiber
CreateFileMappingW
CreateFileW
CreateProcessA
CreatePropertySheetPageA
%=d[4 '
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
|dgAA9
d>jX%K
)d=lFj
DrawInsert
=!=)=D=R=X=^=n=
d@W\pA
E0AaO/
EnumSystemCodePagesA
)eWGu[
ExitThread
"fgJ@km/V
FindNextVolumeMountPointW
:(:.:>:F:N:V:^:f:n:v:~:
>.?:?@?F?S?
G0P0\0b0h0n0
GetCommandLineW
GetConsoleCursorMode
GetConsoleInputExeNameA
GetConsoleKeyboardLayoutNameA
GetCPInfoExW
GetDriveTypeW
GetEnvironmentStringsW
GetFileVersionInfoA
GetFileVersionInfoSizeW
GetLargestConsoleWindowSize
GetLocalTime
GetNamedPipeHandleStateA
GetProcessVersion
GetStringTypeExA
GetVersion
G#gn%k
GlobalFindAtomW
?gqN]7^
&,:G r
Greater Manchester1
Heap32ListFirst
|h>@k[
h+O0r-
`hthcb
http://ocsp.comodoca.com0
http://ocsp.usertrust.com0
https://secure.comodo.net/CPS0A
http://www.usertrust.com1
h %UY_
h-xUk!jY
hziO\y
|I}49q
.id0ta
`Ie2LNhB;
ImageList_DrawIndirect
ImageList_GetBkColor
info@andcompany.ru0
j[JbT'Iq
JO`&~\
jWc,1N
kernel32.dll
KERNEL32.DLL
  L4,fV
LBItemFromPt
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LZOpenFileW
Marshala Fedorenko street, 71
#MBj%X
-~mDI+
Moscow1
Moscow1%0#
Mq;mR$8
M@x\,-
	Mx+B3
n4vwOjH
_oo+~2
OpenFileMappingA
OpenJobObjectA
P.rsrc
QNWJmnA
ReadConsoleInputExW
ReadConsoleOutputA
.reloc
ReplaceFileW
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
<requestedPrivileges>
RG@hi'
;rnn7>>>TjjjO
RtlMoveMemory
sAbbl5
Salford1
Salt Lake City1
</security>
<security>
SetComputerNameA
:S`om{5_
sQkC)Vx
SubtractRect
The USERTRUST Network1!0
This program must be run under Win32
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
T(Ui7#
U&FvQ40
_%?^ur
user32.dll
UTN-USERFirst-Object0
UZc(Oe2VME
|'VbSS
VerFindFileA
VerFindFileW
VerQueryValueW
version.dll
VERSION.DLL
]V\Ij,
VirtualQuery
}V[:J_
&V/L2e
;%;V;];p;
<VT^<AFRY
W02*|&/
w|d9%*
WinExec
WriteConsoleOutputW
WriteProfileSectionW
ws2_32.dll
WS2_32.DLL
WSACloseEvent
WSAJoinLeaf
WSALookupServiceNextA
WSCWriteProviderOrder
xDx,Ko
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
?+yEE8&
)Z5[Ag
+Zf&%z
ZPc)3l