Analysis Date: 2014-08-03 15:18:44
MD5: b68924418543d6383619211a8b6085e6
SHA1: 3a2fb1347278ec3660ef9505ff4d7a131995e193

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: a75fd93914cb67fb86cb25124b4ce4b0f38c9819
IMPhash: 2b072d2f99f59cda3f10d4acfcbc456a
AV 360 Safe: Trojan.GenericKD.1749798
AV Ad-Aware: Trojan.GenericKD.1749798
AV Alwil (avast): Kryptik-OAP [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Backdoor.HAVI-5222
AV Avira (antivir): TR/Crypt.ZPACK.59075
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Agen.r4
AV ClamAV: Win.Trojan.Generickd-457
AV Emsisoft: Trojan-Downloader.Win32.Agent
AV Eset (nod32): Win32/TrojanDownloader.Zurgop.BK
AV Fortinet: W32/Zurgop.BK!tr
AV Frisk (f-prot): W32/Backdoor2.HUWK (exact)
AV F-Secure: Trojan.GenericKD.1749798
AV Grisoft (avg): Generic_s.DST
AV Ikarus: Trojan.Win32.Agent2
AV K7: Trojan-Downloader ( 004973061 )
AV Kaspersky: Trojan.Win32.Agent2.mmm
AV MalwareBytes: Spyware.Zbot.VXGen
AV Mcafee: RDN/Generic BackDoor!yz
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dofoil.T
AV MicroWorld (escan): Trojan.GenericKD.1749798
AV Norman: winpe/Suspicious_Gen4.GSRMY
AV Rising: 0x56ff2d94
AV Sophos: Troj/Zulu-B
AV Symantec: Trojan.Smoaler
AV Trend Micro: BKDR_SHARIK.SMA3
AV VirusBlokAda (vba32): Trojan.Agent2

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:

DNS us.co1.cb3.glbdns2.microsoft.com
Type: A
131.253.40.1
DNS www.go.microsoft.akadns.net
Type: A
134.170.184.137
DNS www.wip4.adobe.com
Type: A
192.150.16.64
DNS lb1.www.ms.akadns.net
Type: A
65.55.57.27
DNS www.msn.com
Type: A
DNS go.microsoft.com
Type: A
DNS www.adobe.com
Type: A
DNS www.microsoft.com
Type: A
HTTP GET http://www.msn.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST http://go.microsoft.com/fwlink/?LinkId=146008
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST http://go.microsoft.com/fwlink/?LinkId=146008
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP 192.168.1.1:1031 ➝ 131.253.40.1:80
Flows TCP 192.168.1.1:1032 ➝ 134.170.184.137:80
Flows TCP 192.168.1.1:1033 ➝ 192.150.16.64:80
Flows TCP 192.168.1.1:1034 ➝ 192.150.16.64:80
Flows TCP 192.168.1.1:1035 ➝ 65.55.57.27:80
Flows TCP 192.168.1.1:1036 ➝ 65.55.57.27:80
Flows TCP 192.168.1.1:1037 ➝ 134.170.184.137:80
Flows TCP 192.168.1.1:1038 ➝ 134.170.184.137:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a2077   .50727)..Host: w
0x00000070 (00112)   77772e6d 736e2e63 6f6d0d0a 436f6e6e   ww.msn.com..Conn
0x00000080 (00128)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000090 (00144)   0a                                    .

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d343533 39362048 5454502f   nkId=45396 HTTP/
0x00000020 (00032)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000030 (00048)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000040 (00064)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000050 (00080)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000060 (00096)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000070 (00112)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x00000080 (00128)   73743a20 676f2e6d 6963726f 736f6674   st: go.microsoft
0x00000090 (00144)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000a0 (00160)   3a20636c 6f73650d 0a436f6e 74656e74   : close..Content
0x000000b0 (00176)   2d4c656e 6774683a 20313431 0d0a436f   -Length: 141..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a0d   rm-urlencoded...
0x000000f0 (00240)   0a8d                                  ..

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2033 31390d0a 436f6e74 656e742d   h: 319..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0a3f 01         encoded....?.

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2033 34340d0a 436f6e74 656e742d   h: 344..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0a58 01         encoded....X.

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20323036   tent-Length: 206
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0ace                         d.....

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20333031   tent-Length: 301
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a2d01                       d....-.

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d313436 30303820 48545450   nkId=146008 HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20676f2e 6d696372 6f736f66   ost: go.microsof
0x00000090 (00144)   742e636f 6d0d0a43 6f6e6e65 6374696f   t.com..Connectio
0x000000a0 (00160)   6e3a2063 6c6f7365 0d0a436f 6e74656e   n: close..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203138 300d0a43   t-Length: 180..C
0x000000c0 (00192)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x000000d0 (00208)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x000000e0 (00224)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x000000f0 (00240)   0d0ab4                                ...

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d313436 30303820 48545450   nkId=146008 HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20676f2e 6d696372 6f736f66   ost: go.microsof
0x00000090 (00144)   742e636f 6d0d0a43 6f6e6e65 6374696f   t.com..Connectio
0x000000a0 (00160)   6e3a2063 6c6f7365 0d0a436f 6e74656e   n: close..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203333 300d0a43   t-Length: 330..C
0x000000c0 (00192)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x000000d0 (00208)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x000000e0 (00224)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x000000f0 (00240)   0d0a4a01                              ..J.


Strings
^&..
040904B0
   1995
7, 3, 5
Amug
Colin Wilson
CompanyName
FileDescription
FileVersion
$Hcs
InternalName
LegalCopyright
LegalTrademarks
Locawed
OriginalFilename
Oxfn++.exe
ProductName
ProductVersion
StringFileInfo
^Tsv
Tsvs
VS_VERSION_INFO
Wozanub Suq Opop Macoqev Takoj Egaluz Evoqe Axygu Ozohuk Uhibony
Xinog Ixuxy Ehopoz
xpIGSOWiEGp
yhIfFgtfjbG
0JL\>J
2duLpN
2rNDha
3cDlmd
)%4"{+%
4AK3aeA
4kH2yW
4kHNGU6
5)qMc4
86q;B_
8oRN;-
;^9&NQ
A3xKCEl
A3xlgGl
,~aA'"
AccessCheckByTypeResultListAndAuditAlarmA
AdjustTokenGroups
ADVAPI32.dll
AhfG5O}
AoXVToC
b&bxx^L
bP6oO?]
C2j|Zo
CBrqpC
ChoosePixelFormat
CloseMetaFile
CLSIDFromString
CoCreateObjectInContext
CoRegisterSurrogate
CoTreatAsClass
CreateBitmapIndirect
CreateFontW
CreateILockBytesOnHGlobal
CreateItemMoniker
CreateOleAdviseHolder
CreatePatternBrush
CreatePen
CreatePenIndirect
CreateTraceInstanceId
CreateWellKnownSid
CryptEnumProvidersA
`.data
DcomChannelSetHResult
*dEc@O
/"&D\q
DUSVnhq
EDDi_;
ElfChangeNotify
ElfDeregisterEventSource
ElfNumberOfRecords
EnableTrace
EnumDateFormatsA
EnumDependentServicesA
ExtFloodFill
FFFRV^Z_
g6_UFu
G73RI2
GDI32.dll
GdiGetPageHandle
GetCharABCWidthsA
GetCharWidthFloatA
GetClipBox
GetClipRgn
GetCommState
GetDateFormatW
GetEnhMetaFileDescriptionW
GetGraphicsMode
GetRasterizerCaps
GetStretchBltMode
GetTextFaceA
GetTrusteeFormA
GetWindowOrgEx
GlobalGetAtomNameA
HACCEL_UserUnmarshal
HcW3=vWN
HENHMETAFILE_UserUnmarshal
HkOleRegisterObject
HMENU_UserMarshal
HMENU_UserUnmarshal
HMETAFILE_UserMarshal
HOhfUrb
i[hrhW6
InitializeSecurityDescriptor
ip8qr66
JHb3wT
jl8Npx
Jmu5Ts
JmwHEr
k.*{0Ja!j
KdWsqt
KERNEL32.dll
KiUserCallbackDispatcher
kQg4XN
lDeF!	n
LdrGetDllHandle
LockServiceDatabase
LsaGetSystemAccessAccount
LsaQuerySecurityObject
LsaSetQuotasForAccount
LypsJl
m -3cv
mO>0q1
MoveFileW
m:q=)`
nSlKYCh
NtAdjustGroupsToken
NtAdjustPrivilegesToken
NtCompleteConnectPort
NTDLL.dll
NtFreeVirtualMemory
NtLoadKey
NtOpenJobObject
NtQueryInformationJobObject
NtSetInformationKey
NtStartProfile
NtUnloadKey
N)Z_Q;g
O>'#Ap
ob^~f+
ObjectDeleteAuditAlarmW
OffsetViewportOrgEx
OLE32.dll
OleGetIconOfFile
OpenBackupEventLogA
OpenEncryptedFileRawW
OpenEventLogA
o=ybHxYh
p1cEGR1
PeekMessageW
PfxInsertPrefix
PlayMetaFile
PlayMetaFileRecord
PlgBlt
P:/	Ms
P;[Rcq
}PR_V8
PWPZ=.xp
`Q+k8[
.rdata
ReadEventLogW
ReadOleStg
RealizePalette
RegCreateKeyA
RegLoadKeyW
RegQueryInfoKeyW
RegQueryValueExA
ResetDCW
Rich;de
rj*Y!&
rpjxknC
RSDS0*
@.rsrc
RtlAllocateHeap
RtlCopyUnicodeString
RtlFindSetBitsAndClear
RtlGetDaclSecurityDescriptor
RtlLargeIntegerNegate
RtlLookupElementGenericTable
RtlNumberGenericTableElements
RtlpNtCreateKey
RtlSetAttributesSecurityDescriptor
RtlSystemTimeToLocalTime
RtlUpdateTimer
RV^ZZRV^Z
sd9<0s
SetBitmapBits
SetBitmapDimensionEx
SetConvertStg
SetDCBrushColor
SetDIBitsToDevice
SetGraphicsMode
SetKernelObjectSecurity
SetPolyFillMode
SetSecurityInfoExA
SetServiceStatus
SP1CzU
StartServiceW
StgOpenAsyncDocfileOnIFillLockBytes
SystemFunction013
SystemFunction029
Tb?M -u3~
!This program cannot be run in DOS mode.
tKJuTx
tsuHnf
u`/0vjtk
USER32.dll
U;-<UR1
\V==[ 
vleqsy
W,c7t8
wgVbYe
WriteClassStm
WriteFmtUserTypeStg
/'WZm&
+xd)W*a@
|}.YJI
Z8K7.	
ZwCreateNamedPipeFile
ZwFilterToken
ZwFindAtom
ZwRegisterThreadTerminatePort
ZwSetSystemPowerState
ZwShutdownSystem
ZwWaitForMultipleObjects
ZwWaitLowEventPair