Analysis Date: 2014-07-03 18:12:47
MD5: b1e673123f5a5629608021583236f557
SHA1: 3a81e579f0637fb4c8c87019fc81012a41bf3105

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d60bb1ebffb0b4ec86ae36b314dde987 sha1: c27410913ea3db9c801dbb5b402b86b2a46157af size: 53248
Section .rdata: md5: e0eec2bdef055d94d31054fff8183034 sha1: 80f58c65d2c61400f4cb93d51ca428604e99e2dd size: 6144
Section .data: md5: 56f68ba45bb046b8a4757f1348ebe4ac sha1: 5c295e5b5bc5cf7419b73fa8b8774d692dfb0d78 size: 2048
Section .rsrc: md5: e8bbbe57f5063f7b789ea4324af6126f sha1: 9586a91e60a2f8f0ba7b4df66b3f42e202f0b4d4 size: 3584
Timestamp: 2011-12-04 18:23:58
Version info:
  LegalCopyright: Copyright Dejaneyro (C) 2013
  InternalName: Arcom
  FileVersion: 1, 1, 2, 1
  CompanyName: Arcom
  LegalTrademarks:
  ProductName: Arcoms Application
  ProductVersion: 1, 1, 2, 1
  FileDescription: Arcoms Application
  OriginalFilename: Arcoms.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 4835ae77afff0b12288e80d883476dc8b1d84216
IMPhash: ee9d78c6a317c62ddc9759e4ed67e2b8
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dldr.Cutwail.128
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CERD
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Generic11_c.LF
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV K7: no_virus
AV Kaspersky: Trojan-Dropper.Win32.Dorifel.alkg
AV MalwareBytes: Trojan.Ranver
AV Mcafee: RDN/Generic.dx!dcw
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): no_virus
AV Norman: winpe/Kryptik.MFC
AV Sophos: Mal/Zbot-QL
AV Symantec: Backdoor.Trojan
AV Trend Micro: TROJ_CUTWAIL.YAW
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\nybriqkildok ➝ C:\Documents and Settings\Administrator\nybriqkildok.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\nybriqkildok.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nisekotourism[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nisekotourism[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: nybriqkildok
Winsock DNS: mauigiftbaskets.com
Winsock DNS: daltontokyo.com
Winsock DNS: charteronerealty.com
Winsock DNS: computerprose.com
Winsock DNS: nathancurrin.com
Winsock DNS: sakkoh-kiyota.com
Winsock DNS: bcalex.com
Winsock DNS: arice.net
Winsock DNS: cokocoko.com
Winsock DNS: rbrides.com
Winsock DNS: aydindisplays.com
Winsock DNS: owensound.library.on.ca
Winsock DNS: bouchon.de
Winsock DNS: paravision.org
Winsock DNS: nisekotourism.com
Winsock DNS: mpccontainment.com
Winsock DNS: catapultmarketing.com
Winsock DNS: sormpack.com
Winsock DNS: tasteofcharlotte.com
Winsock DNS: ravanagym.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25