| Analysis Date | 2014-07-03 18:12:47 |
|---|---|
| MD5 | b1e673123f5a5629608021583236f557 |
| SHA1 | 3a81e579f0637fb4c8c87019fc81012a41bf3105 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
|---|---|
| Section | .text md5: d60bb1ebffb0b4ec86ae36b314dde987 sha1: c27410913ea3db9c801dbb5b402b86b2a46157af size: 53248 |
| Section | .rdata md5: e0eec2bdef055d94d31054fff8183034 sha1: 80f58c65d2c61400f4cb93d51ca428604e99e2dd size: 6144 |
| Section | .data md5: 56f68ba45bb046b8a4757f1348ebe4ac sha1: 5c295e5b5bc5cf7419b73fa8b8774d692dfb0d78 size: 2048 |
| Section | .rsrc md5: e8bbbe57f5063f7b789ea4324af6126f sha1: 9586a91e60a2f8f0ba7b4df66b3f42e202f0b4d4 size: 3584 |
| Timestamp | 2011-12-04 18:23:58 |
| Version | LegalCopyright: Copyright Dejaneyro (C) 2013; InternalName: Arcom; FileVersion: 1, 1, 2, 1; CompanyName: Arcom; LegalTrademarks: (empty); ProductName: Arcoms Application; ProductVersion: 1, 1, 2, 1; FileDescription: Arcoms Application; OriginalFilename: Arcoms.exe |
| Packer | Microsoft Visual C++ v6.0 |
| PEhash | 4835ae77afff0b12288e80d883476dc8b1d84216 |
| IMPhash | ee9d78c6a317c62ddc9759e4ed67e2b8 |
AV | 360 Safe | no_virus |
AV | Ad-Aware | no_virus |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | Arcabit (arcavir) | no_virus |
AV | Authentium | no_virus |
AV | Avira (antivir) | TR/Dldr.Cutwail.128 |
AV | CA (E-Trust Ino) | no_virus |
AV | CAT (quickheal) | no_virus |
AV | ClamAV | no_virus |
AV | Dr. Web | no_virus |
AV | Emsisoft | no_virus |
AV | Eset (nod32) | Win32/Kryptik.CERD |
AV | Fortinet | no_virus |
AV | Frisk (f-prot) | no_virus |
AV | F-Secure | no_virus |
AV | Grisoft (avg) | Generic11_c.LF |
AV | Ikarus | Trojan-Downloader.Win32.Cutwail |
AV | K7 | no_virus |
AV | Kaspersky | Trojan-Dropper.Win32.Dorifel.alkg |
AV | MalwareBytes | Trojan.Ranver |
AV | Mcafee | RDN/Generic.dx!dcw |
AV | Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail |
AV | MicroWorld (escan) | no_virus |
AV | Norman | winpe/Kryptik.MFC |
AV | Sophos | Mal/Zbot-QL |
AV | Symantec | Backdoor.Trojan |
AV | Trend Micro | TROJ_CUTWAIL.YAW |
AV | VirusBlokAda (vba32) | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\nybriqkildok ➝ C:\Documents and Settings\Administrator\nybriqkildok.exe |
|---|---|
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
Registry | HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\nybriqkildok.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nisekotourism[1].htm |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670 |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nisekotourism[1].htm |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Creates Mutex | nybriqkildok |
Network Details:
| DNS | smtp.glbdns2.microsoft.com Type: A 65.55.176.126 |
|---|---|
| DNS | smtp.mail.us.am0.yahoodns.net Type: A 98.139.211.125 |
| DNS | smtp.mail.us.am0.yahoodns.net Type: A 63.250.193.228 |
| DNS | smtp.mail.us.am0.yahoodns.net Type: A 98.138.105.21 |
| DNS | smtp.live.com Type: A |
| DNS | smtp.mail.yahoo.com Type: A |
| Flows TCP | 192.168.1.1:1031 ➝ 65.55.176.126:25 |
| Flows TCP | 192.168.1.1:1032 ➝ 98.139.211.125:25 |