Analysis Date: 2014-07-06 06:46:20
MD5: e35ec38e1f75d4226ba0027631286311
SHA1: 3b2d3d9339d88dd757b9a9009fd9047d82767c3c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: a2082feb970de47e4e7136b97ac746a1   sha1: 20610de5d580d040849b2910ff5c72e7007afdfd   size: 3072
Section .rdata  md5: 9f54fed295c5bf23b793d759a4f7f487   sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b   size: 1024
Section .data   md5: 1205206d88340b9f0289fd001fabb56c   sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b   size: 1536
Section .rsrc   md5: 2174acdf389054b7f3f83fadfdaf38c7   sha1: d4526838d20a9b0b1d599e8a24e50fe3a5c0bc84   size: 40960
Timestamp: 2014-06-17 19:22:58
Version info:
  LegalCopyright: Copyright (C) 2008
  InternalName: sickly
  FileVersion: 7,2,4,19
  ProductName: sickly Application
  ProductVersion: 6,3,4,31
  FileDescription: sickly Application
  OriginalFilename: sickly.exe
PEhash: ca00d69e4af8b337f91720bec6752ab2001b1a97
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV 360 Safe: Trojan.Dropper.Agent.VNI
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Alwil (avast): Kryptik-NXT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CEET
AV Fortinet: W32/Kryptik.CEET!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.Dropper.Agent
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Cutwail.dbz
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Zbot
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dufnokjilcoz ➝ C:\Documents and Settings\Administrator\dufnokjilcoz.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\dufnokjilcoz.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rcainc[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\maccustoms.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bluecrushcommunications[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\theparentingcenter[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\autobus.qc[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\strataplus.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sormpack[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rmueller[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\7-24airx[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\strataplus.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sormpack[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rcainc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rmueller[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\7-24airx[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\maccustoms.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bluecrushcommunications[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\theparentingcenter[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\autobus.qc[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: dufnokjilcoz
Winsock DNS: mjferguson.co.uk
Winsock DNS: theparentingcenter.org
Winsock DNS: 7-24airx.com
Winsock DNS: urivit.com
Winsock DNS: rmueller.com
Winsock DNS: mailershaven.com
Winsock DNS: baiyokehotel.com
Winsock DNS: cidemtokyo.com
Winsock DNS: maccustoms.com.au
Winsock DNS: eurofilms.com
Winsock DNS: strataplus.com.au
Winsock DNS: industrieundhandelsverlag.de
Winsock DNS: hzjinhai.com
Winsock DNS: autobus.qc.ca
Winsock DNS: rabhas.com
Winsock DNS: rcainc.biz
Winsock DNS: blackvoib.com
Winsock DNS: bluecrushcommunications.com
Winsock DNS: sormpack.com
Winsock DNS: sterlingfoundations.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: autobus.qc.ca (Type: A) ➝ 192.30.162.55
DNS: rmueller.com (Type: A) ➝ 69.167.190.104
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: rcainc.biz (Type: A)
HTTP POST: http://rmueller.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1035 ➝ 69.167.190.104:80
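The Runtime and Network Details above fit together: the sample writes dufnokjilcoz.exe into the user profile, registers it under the HKCU Run key under the same name, takes a mutex of that name, resolves the public SMTP hosts of Microsoft and Yahoo and connects to them on tcp/25, and POSTs to rmueller.com. A workstation speaking SMTP to public mail servers itself is spam-bot behaviour, which is consistent with the Kaspersky and Microsoft Cutwail labels. The script below is an added triage example, not part of the report or of the sandbox that produced it; it takes the records as constructed here in "Field: value" form, cross-references Run value, dropped file and mutex by name, and maps each flow back to the name the sample resolved for it.

```python
"""Triage the Runtime and Network Details records: tie the Run-key entry,
the dropped file and the mutex together, and map each outbound flow back
to the name the sample resolved for it."""
import ntpath
import re
from urllib.parse import urlsplit

# Constructed input: the relevant records from the report above, one per
# line as "Field: value", with arrow-joined pairs kept on a single line.
REPORT = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dufnokjilcoz ➝ C:\Documents and Settings\Administrator\dufnokjilcoz.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\dufnokjilcoz.exe
Creates File: PIPE\lsarpc
Creates Mutex: WininetConnectionMutex
Creates Mutex: dufnokjilcoz
DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: rmueller.com (Type: A) ➝ 69.167.190.104
DNS: smtp.live.com (Type: A)
HTTP POST: http://rmueller.com/
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1035 ➝ 69.167.190.104:80
"""

ARROW = re.compile(r"\s*(?:➝|->)\s*")
RUN_VALUE = re.compile(r"\\currentversion\\run\\([^\\]+)$", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\(documents and settings|users)\\", re.I)


def parse_records(text):
    """Yield (field, value) pairs; the field name ends at the first colon."""
    for line in text.splitlines():
        if line.strip():
            field, _, value = line.partition(":")
            yield field.strip(), value.strip()


def triage(text=REPORT):
    dns = {}          # resolved IP -> queried name
    dropped = set()   # file-name stems the sample wrote
    mutexes = set()
    post_hosts = set()
    flows = []
    findings = {"persistence": [], "shared_name": None,
                "smtp_flows": [], "http_flows": [], "other_flows": [], "verdict": []}

    for field, value in parse_records(text):
        if field == "Registry":
            key, *data = ARROW.split(value, maxsplit=1)
            m = RUN_VALUE.search(key)
            if m and data:
                findings["persistence"].append({
                    "value_name": m.group(1),
                    "path": data[0],
                    "in_user_profile": bool(USER_PROFILE.match(data[0])),
                })
        elif field == "Creates File":
            dropped.add(ntpath.splitext(ntpath.basename(value))[0].lower())
        elif field == "Creates Mutex":
            mutexes.add(value.lower())
        elif field == "DNS":
            name, *addr = ARROW.split(value, maxsplit=1)
            if addr:                      # unanswered lookups carry no address
                dns[addr[0]] = name.split()[0]
        elif field == "HTTP POST":
            post_hosts.add(urlsplit(value).hostname)
        elif field == "Flows TCP":
            src, dst = ARROW.split(value, maxsplit=1)
            ip, port = dst.rsplit(":", 1)
            flows.append((src.rsplit(":", 1)[0], ip, int(port)))

    # One name used for the Run value, the dropped file and the mutex is the
    # sample's own naming scheme leaking across its components.
    for entry in findings["persistence"]:
        name = entry["value_name"].lower()
        if name in dropped and name in mutexes:
            findings["shared_name"] = name

    for src, ip, port in flows:
        rec = {"src": src, "dst": ip, "port": port, "resolved_as": dns.get(ip)}
        bucket = {25: "smtp_flows", 80: "http_flows", 443: "http_flows"}.get(port, "other_flows")
        findings[bucket].append(rec)

    for e in findings["persistence"]:
        where = "user-writable profile directory" if e["in_user_profile"] else "system path"
        findings["verdict"].append(
            f"autorun persistence: Run value '{e['value_name']}' -> {e['path']} ({where})")
    if findings["shared_name"]:
        findings["verdict"].append(
            f"Run value, dropped file and mutex all use the name '{findings['shared_name']}'")
    if findings["smtp_flows"]:
        targets = ", ".join(f["resolved_as"] or f["dst"] for f in findings["smtp_flows"])
        findings["verdict"].append(
            f"direct SMTP (tcp/25) from {findings['smtp_flows'][0]['src']} to {targets}: "
            "a workstation talking to public mail servers itself is spam-bot behaviour")
    for f in findings["http_flows"]:
        name = f["resolved_as"] or f["dst"]
        note = " (target of the captured HTTP POST)" if name in post_hosts else ""
        findings["verdict"].append(f"HTTP to {name} ({f['dst']}:{f['port']}){note}")
    return findings


if __name__ == "__main__":
    for line in triage()["verdict"]:
        print("-", line)
```

The DNS-to-flow join is the part worth keeping in a real pipeline: a sandbox prints the resolved addresses and the TCP flows as separate lists, and only by joining them does "65.55.176.126:25" become "Microsoft's SMTP host on port 25". The port-25 rule fires on any workstation sample; on a real mail relay it would need an allow-list.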

Raw Pcap
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000020 (00032)   63657074 2d4c616e 67756167 653a2065   cept-Language: e
0x00000030 (00048)   6e2d7573 0d0a436f 6e74656e 742d5479   n-us..Content-Ty
0x00000040 (00064)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000050 (00080)   6f637465 742d7374 7265616d 0d0a436f   octet-stream..Co
0x00000060 (00096)   6e74656e 742d4c65 6e677468 3a203532   ntent-Length: 52
0x00000070 (00112)   340d0a55 7365722d 4167656e 743a204d   4..User-Agent: M
0x00000080 (00128)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000090 (00144)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000a0 (00160)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a20726d   ; SV1)..Host: rm
0x000000c0 (00192)   75656c6c 65722e63 6f6d0d0a 436f6e6e   ueller.com..Conn
0x000000d0 (00208)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000e0 (00224)   76650d0a 43616368 652d436f 6e74726f   ve..Cache-Contro
0x000000f0 (00240)   6c3a206e 6f2d6361 6368650d 0a0d0a35   l: no-cache....5
0x00000100 (00256)   6930755a 626a3436 52667a56 62664b4f   i0uZbj46RfzVbfKO
0x00000110 (00272)   2b526839 7174345a 78594167 696d5662   +Rh9qt4ZxYAgimVb
0x00000120 (00288)   4a2f6c58 4c375842 62784268 7a773051   J/lXL7XBbxBhzw0Q
0x00000130 (00304)   432f7263 43576365 51777755 3144780d   C/rcCWceQwwU1Dx.
0x00000140 (00320)   0a577351 686a3355 75613765 7067474a   .WsQhj3Uua7epgGJ
0x00000150 (00336)   42733866 68734c59 73623571 354c6d68   Bs8fhsLYsb5q5Lmh
0x00000160 (00352)   4b712f61 6c77324c 41526843 644e7276   Kq/alw2LARhCdNrv
0x00000170 (00368)   6e4a4867 736c6939 30745174 70616558   nJHgsli90tQtpaeX
0x00000180 (00384)   510d0a6a 4d2f734e 6d744957 47596531   Q..jM/sNmtIWGYe1
0x00000190 (00400)   4f766943 70526a79 725a6a32 5a67366f   OviCpRjyrZj2Zg6o
0x000001a0 (00416)   44586939 69722f4b 35493153 43573967   DXi9ir/K5I1SCW9g
0x000001b0 (00432)   64586f54 62317354 47522b41 35495249   dXoTb1sTGR+A5IRI
0x000001c0 (00448)   5779570d 0a6b366f 375a6267 74467237   WyW..k6o7ZbgtFr7
0x000001d0 (00464)   54794979 496e4659 4f2b6c57 42586f61   TyIyInFYO+lWBXoa
0x000001e0 (00480)   62483544 64743771 706a3457 72554a6a   bH5Ddt7qpj4WrUJj
0x000001f0 (00496)   4e314332 4e466d62 2f736b47 51667875   N1C2NFmb/skGQfxu
0x00000200 (00512)   675a4877 410d0a79 68424566 36493451   gZHwA..yhBEf6I4Q
0x00000210 (00528)   724e4970 79763269 78665066 48555949   rNIpyv2ixfPfHUYI
0x00000220 (00544)   6c4b3678 4f583375 65474443 7866656d   lK6xOX3ueGDCxfem
0x00000230 (00560)   6177596c 4a783953 51546350 524c3365   awYlJx9SQTcPRL3e
0x00000240 (00576)   6c722f44 5a36300d 0a726443 38547831   lr/DZ60..rdC8Tx1
0x00000250 (00592)   6f527047 35704457 35797873 2b54727a   oRpG5pDW5yxs+Trz
0x00000260 (00608)   50376262 4f4e3174 4b424c55 69324c63   P7bbON1tKBLUi2Lc
0x00000270 (00624)   576d592f 6968714b 3172444a 65526a49   WmY/ihqK1rDJeRjI
0x00000280 (00640)   764b7833 34706268 2b0d0a6a 4b2f534e   vKx34pbh+..jK/SN
0x00000290 (00656)   46513764 30586b4d 67774342 36746f43   FQ7d0XkMgwCB6toC
0x000002a0 (00672)   4a697864 65305773 732b5571 71794930   Jixde0Wss+UqqyI0
0x000002b0 (00688)   38784541 79387450 48414834 74513178   8xEAy8tPHAH4tQ1x
0x000002c0 (00704)   70646239 34586747 39314c0d 0a4e726e   pdb94XgG91L..Nrn
0x000002d0 (00720)   592b5a49 4a577a67 65336847 63355964   Y+ZIJWzge3hGc5Yd
0x000002e0 (00736)   34387545 4462786b 586a5041 5651374d   48uEDbxkXjPAVQ7M
0x000002f0 (00752)   32314474 72695068 6b5a7150 67493879   21DtriPhkZqPgI8y
0x00000300 (00768)   62503237 386b513d 3d0d0a              bP278kQ==..
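The Raw Pcap block is the hexdump of the single request on the port-80 flow to rmueller.com. The following script is an added example, not part of the report or of the sandbox that produced it: it embeds the dump verbatim, rebuilds the bytes while checking every line's offset against what has been recovered so far (so a mis-copied word fails loudly rather than shifting the data), splits the HTTP request, checks Content-Length against the actual body, and base64-decodes the body to see what was really sent. The body turns out to be eight CRLF-terminated base64 lines (seven of 64 characters, one of 60) decoding to 379 bytes of high-entropy data; the report does not say how that data is encoded, so the script claims only that it is not plaintext.

```python
"""Reconstruct the HTTP POST from the sandbox's "Raw Pcap" hexdump and
check what the request actually carried."""
import base64
import math
import re

# The hexdump exactly as printed in the report above (hex offset, decimal
# offset, hex words, ASCII column). Only the hex words are decoded.
RAW_PCAP = """\
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000020 (00032)   63657074 2d4c616e 67756167 653a2065   cept-Language: e
0x00000030 (00048)   6e2d7573 0d0a436f 6e74656e 742d5479   n-us..Content-Ty
0x00000040 (00064)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000050 (00080)   6f637465 742d7374 7265616d 0d0a436f   octet-stream..Co
0x00000060 (00096)   6e74656e 742d4c65 6e677468 3a203532   ntent-Length: 52
0x00000070 (00112)   340d0a55 7365722d 4167656e 743a204d   4..User-Agent: M
0x00000080 (00128)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000090 (00144)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000a0 (00160)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a20726d   ; SV1)..Host: rm
0x000000c0 (00192)   75656c6c 65722e63 6f6d0d0a 436f6e6e   ueller.com..Conn
0x000000d0 (00208)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000e0 (00224)   76650d0a 43616368 652d436f 6e74726f   ve..Cache-Contro
0x000000f0 (00240)   6c3a206e 6f2d6361 6368650d 0a0d0a35   l: no-cache....5
0x00000100 (00256)   6930755a 626a3436 52667a56 62664b4f   i0uZbj46RfzVbfKO
0x00000110 (00272)   2b526839 7174345a 78594167 696d5662   +Rh9qt4ZxYAgimVb
0x00000120 (00288)   4a2f6c58 4c375842 62784268 7a773051   J/lXL7XBbxBhzw0Q
0x00000130 (00304)   432f7263 43576365 51777755 3144780d   C/rcCWceQwwU1Dx.
0x00000140 (00320)   0a577351 686a3355 75613765 7067474a   .WsQhj3Uua7epgGJ
0x00000150 (00336)   42733866 68734c59 73623571 354c6d68   Bs8fhsLYsb5q5Lmh
0x00000160 (00352)   4b712f61 6c77324c 41526843 644e7276   Kq/alw2LARhCdNrv
0x00000170 (00368)   6e4a4867 736c6939 30745174 70616558   nJHgsli90tQtpaeX
0x00000180 (00384)   510d0a6a 4d2f734e 6d744957 47596531   Q..jM/sNmtIWGYe1
0x00000190 (00400)   4f766943 70526a79 725a6a32 5a67366f   OviCpRjyrZj2Zg6o
0x000001a0 (00416)   44586939 69722f4b 35493153 43573967   DXi9ir/K5I1SCW9g
0x000001b0 (00432)   64586f54 62317354 47522b41 35495249   dXoTb1sTGR+A5IRI
0x000001c0 (00448)   5779570d 0a6b366f 375a6267 74467237   WyW..k6o7ZbgtFr7
0x000001d0 (00464)   54794979 496e4659 4f2b6c57 42586f61   TyIyInFYO+lWBXoa
0x000001e0 (00480)   62483544 64743771 706a3457 72554a6a   bH5Ddt7qpj4WrUJj
0x000001f0 (00496)   4e314332 4e466d62 2f736b47 51667875   N1C2NFmb/skGQfxu
0x00000200 (00512)   675a4877 410d0a79 68424566 36493451   gZHwA..yhBEf6I4Q
0x00000210 (00528)   724e4970 79763269 78665066 48555949   rNIpyv2ixfPfHUYI
0x00000220 (00544)   6c4b3678 4f583375 65474443 7866656d   lK6xOX3ueGDCxfem
0x00000230 (00560)   6177596c 4a783953 51546350 524c3365   awYlJx9SQTcPRL3e
0x00000240 (00576)   6c722f44 5a36300d 0a726443 38547831   lr/DZ60..rdC8Tx1
0x00000250 (00592)   6f527047 35704457 35797873 2b54727a   oRpG5pDW5yxs+Trz
0x00000260 (00608)   50376262 4f4e3174 4b424c55 69324c63   P7bbON1tKBLUi2Lc
0x00000270 (00624)   576d592f 6968714b 3172444a 65526a49   WmY/ihqK1rDJeRjI
0x00000280 (00640)   764b7833 34706268 2b0d0a6a 4b2f534e   vKx34pbh+..jK/SN
0x00000290 (00656)   46513764 30586b4d 67774342 36746f43   FQ7d0XkMgwCB6toC
0x000002a0 (00672)   4a697864 65305773 732b5571 71794930   Jixde0Wss+UqqyI0
0x000002b0 (00688)   38784541 79387450 48414834 74513178   8xEAy8tPHAH4tQ1x
0x000002c0 (00704)   70646239 34586747 39314c0d 0a4e726e   pdb94XgG91L..Nrn
0x000002d0 (00720)   592b5a49 4a577a67 65336847 63355964   Y+ZIJWzge3hGc5Yd
0x000002e0 (00736)   34387545 4462786b 586a5041 5651374d   48uEDbxkXjPAVQ7M
0x000002f0 (00752)   32314474 72695068 6b5a7150 67493879   21DtriPhkZqPgI8y
0x00000300 (00768)   62503237 386b513d 3d0d0a              bP278kQ==..
"""

HEX_WORD = re.compile(r"^[0-9a-f]{2,8}$")


def hexdump_to_bytes(dump):
    """Decode an 'offset (dec) hexwords ascii' dump back into bytes.

    Each line's offset is compared with the byte count decoded so far, so a
    dropped or mangled word raises instead of silently shifting the data.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].startswith("0x"):
            continue
        offset = int(fields[0], 16)
        if offset != len(out):
            raise ValueError(f"line says offset {offset:#x}, have {len(out)} bytes")
        for word in fields[2:]:
            # hex words come first; the ASCII column begins at the first
            # token that is not an even-length string of 2..8 hex digits
            if not HEX_WORD.match(word) or len(word) % 2:
                break
            out += bytes.fromhex(word)
    return bytes(out)


def split_http_request(raw):
    """Return (method, target, headers, body) for a raw HTTP/1.x request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def shannon_entropy(data):
    """Bits per byte: near 8.0 for random or encrypted data, 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyse_post(dump=RAW_PCAP):
    raw = hexdump_to_bytes(dump)
    method, target, headers, body = split_http_request(raw)
    declared = int(headers["content-length"])
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body has {len(body)} bytes")
    # The body is base64 text in CRLF-terminated lines; b64decode drops the
    # line breaks before decoding.
    b64_lines = body.decode("ascii").splitlines()
    payload = base64.b64decode(body)
    return {
        "method": method,
        "target": target,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "content_type": headers.get("content-type"),
        "total_bytes": len(raw),
        "body_bytes": len(body),
        "b64_line_lengths": [len(l) for l in b64_lines],
        "payload_bytes": len(payload),
        "payload_entropy": round(shannon_entropy(payload), 2),
    }


if __name__ == "__main__":
    for k, v in analyse_post().items():
        print(f"{k}: {v}")
```

The Content-Length check matters when working from a sandbox dump rather than a pcap: the dump is a single packet payload, and a mismatch would mean the request continued in a later segment the report did not print. Here the 524 declared bytes are all present.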


Strings
..
.
w..
041904b0
]\4"
6,3,4,31
7,2,4,19
absence express different daughter
&accompanied Miriam
&adjuration--words dramatic
&agreeable
&always certain
amendment worrying
angelic
&answer continued
appears hours
&asked; experience
attempt Peter
&audibly spirit
&ballet--a
better Harsh
&caution
conscious
considered
conviction
Copyright (C) 2008
cried particular
Dallow silence
&damned richly
&dangerous
&declared necessity--without
degree simply
&differently
&diversion
drawing Grace believe intimate
effect nothing
&elapsed
electronically demands
&enough behind--Im
entered
entirely
&evidently moustache
&exhibitions
&existence reason
expressed
&expressed
fellow
field crabbed
FileDescription
FileVersion
&general
Harsh
her--if
&herself accused
herself perform
&himself
humbugging
hundred actress mother chin--a
&ill-timed prefers
imperturbably
importunity
&inquiries nature
inquiry
intended
interesting
&interesting encouragement
interests ridiculous
&interfere living
InternalName
interval should
&itself
kindly
large
&leaned
LegalCopyright
like--doing
meeting naturally
&mingled
Miriam
&Miriam
&misunderstood
&mouth
MS Shell Dlg
oddest
OriginalFilename
&outsider
&passion
Peter
picture
piece
&please Sometimes
portents
possible erect
prize simplified something
ProductName
ProductVersion
&propositions vehicle
public
rehearsal imperious penalty
&remember
&repeated--go
returned
&returned
RichEdit20A
&risked
&river to-morrow
should
sickly
sickly Application
sickly.exe
&sometimes crumble
sought truth;
&sounds
speech Project chance doubts
spending
steps
StringFileInfo
&stupid entertainer
suggestion
&surprised
SysListView32
Tahoma
&telling
&terribly should
&theatre
&things;
&thinks tendency
&thorough beautiful
&thrown
&together success
Translation
turned
understand
urgent beautifully beribboned
&uttered
VarFileInfo
VS_VERSION_INFO
&wanted
&way--so
&Wheatsheaf Rooth
&whether
which
window chance
&winter scene
wishing consciousness
&without
&woefully youth
wouldnt
0:Ua't
'1#ko!
2<xykW
2Z>vli
^3"PU[
4>(\B(X
4-IxuE
=5mS)2
7B%`<1.+Ed
80-$>l'b
 8^D&b
|9.02"
] /9{c
..?=($asrBC
B"iH]@
bu#y;^
-bZXlm
C-4ERMI
CreateWindowExA
@.data
DefWindowProcA
DispatchMessageA
@!%dQ)
d&'(re
d~v]dffa
[<e/#i
?&e:km,
ExitProcess
f\Ge@X
FindResourceA
GetCurrentProcessId
GetMessageA
GetModuleHandleA
GetProcessHeap
(	.}Hatqx
HeapAlloc
hJRmR!
_HUXD`
#hxg$P
:ia7&RB
IwtIH!
kEC2_b@
kernel32.dll
KEw~G%
KillTimer
lB_n(Ko
lNR>]e_k
LoadCursorA
LoadIconA
LoadResource
m>*+&o}}
nB9kdgfrwerbbbmddd
n+zJ;R
O3+`;u
~OC&,9
P5>";l9-[
 poGq?>
PostQuitMessage
Pta$Q-y
@r5PU?q(0
`.rdata
RegisterClassExA
r\	GrA
R_U 'H
/	&$~S
SetTimer
ShowWindow
tdJz^dNK}5
!This program cannot be run in DOS mode.
TranslateMessage
:ttHbr&<l
UpdateWindow
user32.dll
[?w	71
;WA`;b
WW+{bK
YSZb{1$ -
/Zc~:3