Analysis Date: 2014-11-02 00:05:48
MD5: 1b10d10915edde8919347e7100203c04
SHA1: 3e2591cc9e6f82eaa9e50a56463a8c8f0c641e31

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3da826a3fec72c1da8630201ec5ff5d3  sha1: 88eb3119ee8f3f7c0fab1e871d21c7350a11770c  size: 14848
Section .rdata  md5: 802d7c14d571f93d625a2bc033726ac8  sha1: 899acb9b4fb78ed6dd13a0a3ba2cb4921581dffa  size: 3584
Section .data   md5: 20d7477243ca3051f817e2663cd34940  sha1: d2c7e6d37e3511921829e7858069c4e3bbb8fe15  size: 112640
Section .rsrc   md5: eba39ca81deb5c37cf008061910af1c1  sha1: 60e07761e4aba89760e10a45bf6a53340c63d28e  size: 5120
Timestamp: 2009-10-21 00:39:04
Version:
  LegalCopyright: Copyright © 2010 y Setup Technologies u
  InternalName: F setUp hn4
  FileVersion: 4.1.0.0
  CompanyName: Jordan Russell
  LegalTrademarks:
  Comments:
  ProductName: Internet Security d
  ProductVersion: 4.1.0.0
  FileDescription: Setup Self-Extractor q
  OriginalFilename: F setUp hn4
Packer: Borland Delphi 4.0
PEhash: 5c97030c91d674d600d2c17213c67bfb241b77ac
IMPhash: 71a809413459d5a071ab3e9b92ac092c
AV 360 Safe: Gen:Heur.FKP.1
AV Ad-Aware: Gen:Heur.FKP.1
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.FKP.1
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader2.30783
AV Emsisoft: Gen:Heur.FKP.1
AV Eset (nod32): Win32/Kryptik.MLP
AV Fortinet: W32/Generic.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.FKP.1
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.SuspectCRC
AV K7: Trojan ( 0023cd531 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ai
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.FKP.1
AV Norman: Gen:Heur.FKP.1
AV Rising: Trojan.Win32.Generic.1284CEB4
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen52
AV Trend Micro: TROJ_FAKEAV.SM95
AV VirusBlokAda (vba32): Trojan.Diple
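The "Section ... md5/sha1/size" and "Timestamp" fields above are derived from the PE headers. The following is an added example (stdlib Python written for this page, not the sandbox's own code) that reproduces them with a minimal PE section-table parser; build_minimal_pe() constructs a header-only test image so the script runs offline, and the name and event layout are this example's own. Two caveats the fields themselves do not carry: the COFF TimeDateStamp (2009-10-21) is an unauthenticated 32-bit value that anyone can rewrite, and it predates the "2010" in the copyright string; likewise the packer field says Borland Delphi while the strings dump below carries a Nullsoft Install System 2.46 manifest requesting requireAdministrator, so neither header metadata nor the packer label should be treated as evidence of provenance.

```python
"""Per-section MD5/SHA1/size and the COFF timestamp of a PE file (stdlib only).

Added example for this report page; not the sandbox's implementation.
"""
import hashlib
import struct
import sys
from datetime import datetime, timezone

COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_sections(data: bytes) -> dict:
    """Return the COFF timestamp and md5/sha1/size of each section's raw bytes.

    The optional header is skipped via SizeOfOptionalHeader, so PE32 and
    PE32+ are handled alike; nothing beyond the two signatures is validated.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        COFF_HEADER_FMT, data, coff_off)
    table_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, data, table_off + struct.calcsize(SECTION_FMT) * i)
        raw = data[raw_ptr:raw_ptr + raw_size]   # on-disk bytes, as the report hashes them
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    # TimeDateStamp is an unauthenticated uint32 written by the linker (or by
    # whoever edited the header afterwards): a hint, never proof of build date.
    stamp = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {"machine": machine,
            "timestamp": stamp.strftime("%Y-%m-%d %H:%M:%S"),
            "sections": sections}


def build_minimal_pe(sections: dict, timestamp: int) -> bytes:
    """Construct a header-only PE32 image with the given {name: raw bytes} sections.

    Constructed test input, not a real sample: just enough header for
    parse_pe_sections() to walk; the image would not load.
    """
    opt_size = 224                                            # PE32 optional header
    table_off = 64 + 4 + struct.calcsize(COFF_HEADER_FMT) + opt_size
    raw_ptr = (table_off + 40 * len(sections) + 511) // 512 * 512   # 512-byte file alignment
    first_raw = raw_ptr
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw in sections.items():
        table += struct.pack(SECTION_FMT, name.encode("ascii"), len(raw), vaddr,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_ptr += len(raw)
        vaddr += 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack(COFF_HEADER_FMT, 0x14C, len(sections),
                                   timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)        # PE32 magic
    header = dos + coff + opt + table
    return header + b"\0" * (first_raw - len(header)) + blobs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed image; 1256085544 is 2009-10-21 00:39:04 UTC, the report's stamp
        data = build_minimal_pe({".text": b"abc", ".data": b"\0" * 16}, 1256085544)
    info = parse_pe_sections(data)
    print("Timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run it against the sample with `python pe_sections.py malware.exe` and compare each line with the Section rows above; a mismatch on .text or .data usually means the file was re-packed or patched after the report was generated, while an identical .rsrc with different code sections points at a builder reusing one resource blob.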

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\W5E7SH31DG ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\W5E7SH31DG\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: hopvariety.com

Network Details:

DNS: wsj.com  Type: A  ➝ 205.203.140.1, 205.203.140.65, 205.203.132.1, 205.203.132.65
DNS: fastclick.com  Type: A  ➝ 64.156.167.84
DNS: nifty.com  Type: A  ➝ 210.131.4.217
DNS: hopvariety.com  Type: A  ➝ (no address recorded)
DNS: berndkoop.com  Type: A  ➝ (no address recorded)
DNS: myreposite.com  Type: A  ➝ (no address recorded)
DNS: mykdirect.com  Type: A  ➝ (no address recorded)
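Detection logic for the host and network indicators in the Runtime and Network Details, as an added example written for this page (not part of the report or of any sandbox's code). The telemetry event shape and the sample events are constructed for illustration and do not follow a real EDR schema. The indicator set leaves out what is not sample-specific: WininetConnectionMutex, the c:!documents and settings!...! mutexes and the index.dat files are produced by any process that uses WinINet and the IE cache, and wsj.com, fastclick.com and nifty.com are public sites that resolved normally and would only generate false positives. Beyond the literal indicators, the block also applies the one pattern visible in the report, the same random-looking token (W5E7SH31DG) used both as the Run value name and as an HKCU\Software\<token> subkey; whether other samples of this family reuse that pattern with a different token is an assumption.

```python
"""Match the report's host and DNS indicators against endpoint telemetry.

Added example for this report page; event layout and samples are constructed.
"""
import re

# Indicators copied verbatim from the Runtime Details and Network Details above.
RUN_VALUE_NAME = "W5E7SH31DG"
MUTEXES = {
    "Global\\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}",
    "{A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}",
}
TASK_JOB = "{22116563-108C-42c0-A7CE-60161B75E508}.job"
DOMAINS = {"berndkoop.com", "hopvariety.com", "myreposite.com", "mykdirect.com"}

RUN_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
SOFTWARE_KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\(?P<name>[^\\]+)\\", re.IGNORECASE)
# Assumed shape of the generated token: 8-16 upper-case alphanumerics with at
# least one digit, which keeps ordinary vendor keys (HKCU\Software\Microsoft) out.
TOKEN_RE = re.compile(r"^(?=.*[0-9])[A-Z0-9]{8,16}$")


def match_indicators(events):
    """Return (exact_hits, correlated_hits) for a list of telemetry events.

    Each event is a dict with "type" in {registry_set, mutex_create,
    file_create, dns_query}, a "pid", and "path" or "name" (constructed shape).
    exact_hits: (indicator_kind, event) for literal matches.
    correlated_hits: (run_event, software_event) pairs where one process wrote
    a Run value and an HKCU\\Software\\<token> key under the same token.
    """
    exact, run_values, software_keys = [], {}, {}
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            m = RUN_KEY_RE.match(ev["path"])
            if m:
                token = m.group("name").upper()
                if token == RUN_VALUE_NAME:
                    exact.append(("run_key", ev))
                if TOKEN_RE.match(token):
                    run_values[(ev["pid"], token)] = ev
            m = SOFTWARE_KEY_RE.match(ev["path"])
            if m and TOKEN_RE.match(m.group("name").upper()):
                software_keys[(ev["pid"], m.group("name").upper())] = ev
        elif kind == "mutex_create" and ev["name"] in MUTEXES:
            exact.append(("mutex", ev))
        elif kind == "file_create" and ev["path"].lower().endswith("\\tasks\\" + TASK_JOB.lower()):
            exact.append(("task_job", ev))
        elif kind == "dns_query" and ev["name"].lower().rstrip(".") in DOMAINS:
            exact.append(("dns", ev))
    correlated = [(run_values[k], software_keys[k]) for k in run_values if k in software_keys]
    return exact, correlated


# Constructed telemetry: one benign Run entry (pid 1234) and one process (pid 4321)
# reproducing the report's behaviour, plus the noise that should not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 1234,
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "registry_set", "pid": 4321,
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\W5E7SH31DG",
     "data": r"C:\malware.exe"},
    {"type": "registry_set", "pid": 4321,
     "path": r"HKEY_CURRENT_USER\Software\W5E7SH31DG\OteH", "data": "xC7aKZ+..."},
    {"type": "mutex_create", "pid": 4321, "name": "Global\\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}"},
    {"type": "mutex_create", "pid": 4321, "name": "WininetConnectionMutex"},   # WinINet noise
    {"type": "file_create", "pid": 4321,
     "path": r"C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job"},
    {"type": "dns_query", "pid": 4321, "name": "wsj.com"},                     # public site, ignored
    {"type": "dns_query", "pid": 4321, "name": "berndkoop.com"},
]

if __name__ == "__main__":
    hits, pairs = match_indicators(SAMPLE_EVENTS)
    for kind, ev in hits:
        print(f"[exact] {kind:8} pid={ev['pid']} {ev.get('path') or ev.get('name')}")
    for run_ev, sw_ev in pairs:
        print(f"[correlated] pid={run_ev['pid']} run value {run_ev['path']} "
              f"paired with key {sw_ev['path']}")
```

The exact matches are only as good as the indicators, and the Run value name, mutex GUIDs and task-job GUID may all change between builds of the same family; the correlated rule is the one part that survives a re-build, at the cost of needing per-process registry telemetry to pair the two writes.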

Raw Pcap

Strings
.
!..
040904E4
 2010 y Setup Technologies u
4.1.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
F setUp hn4
InternalName
 Internet Security d
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
 Setup Self-Extractor q
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
thz5
Translation
VarFileInfo
VS_VERSION_INFO
0DXk+|
0P@7h9
|15fik
19)R^,
1G98*654r
1p8F0~
1RWCh'
22+t.*/:**="&Eh!
29ddZL
2+eFPYm
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3rB ,q<0$sB
`3rB"y
3rBz/xQ
3rtzPzK1
4F~[L[z2
4K+Z3rB-
4Pyp<$
4ttP&/
4yrRGr3VE
5,B(]EV
5HA!z]e
5wjnGQ
6$&^MPn
6t}:=v6
@-6 w%
7:5s 	
@7P:8/
%`7|:Z
[=8f70u&
8hXvP0
8KEF!O
8rjtv0RKr@12
8ZiGd@20
9nKvx7
?9zD&W
(aA`[sX
|AE>}B
!*A<KmR
@A(pgs
a@_rVe{Jfu
,`AV9!
B$#,:{
`B5hX*
BEIPqDu
B%([G	
BhF^vK
BKo>1K
BLt/D&
=@BNIW$
_&>B~o
bQb@tr
B|r0X^
BRmOpx
B@tbf=n
cA[Wb6l
CharNextA
CharToOemA
CharUpperA
CHDNo@c
CheckMenuItem
ChildWindowFromPoint
=cM36$
CpfzgH
CreateIcon
CreateMenu
CreateWindowExA
crOsuJ6hHty@12
C[tf:h
@.data
DefMDIChildProcA
DestroyCursor
DestroyWindow
DrawEdge
D>sd)P3
-D\%SK
>DSp\H	
dXPw%N
:DY0(5
.|%-E8^
E}BBA}H
_ei26Nqomp
EnumThreadWindows
e_rC(9
;}eX6[
F5*_v-
fA/jWxd
FrameRect
F setUp hn4
F}vQ^+F0
fWMz<j
f^Z4{bM
G8:b7z
gDl^I	~
GetActiveWindow
GetClientRect
GetCursor
GetDCEx
GetForegroundWindow
GetKeyboardState
GetKeyboardType
GetMenu
GetPropA
GetScrollInfo
GetSysColorBrush
GetSystemMenu
GetWindow
GetWindowDC
GetWindowLongA
GetWindowLongW
GetWindowThreadProcessId
G/Fnm!|
GFRe[C
GHg6eN
gtFTQITEiKlr
{Hgx7'
HIG{7G
HJJL[@
@H"`-KS<
I1priA
I4C:@L@=
@i`8+w+
*i&=b7
IhY[vF/|*@a9" t	
InsertMenuA
IsDlgButtonChecked
IsWindowVisible
IsZoomed
JN,Bgd^
?k1A$b
KERNEL32.dll
kHF _Q
KillTimer
lEW.dRjr
lJIj>Kv
LoadBitmapA
LoadIconA
LoadLibraryA
LoadStringA
MapVirtualKeyA
MapWindowPoints
M)AtA}[
Md)LL(
M|JxSb
Mk8qsyT
mQ;0tsr
MSPCP60
Mv2_o"
<N	6{E
n7~GxH
n<`DY?
\nT6Y>
nW@~O#
NY`FA$B
<nZrBa3rBh
o3rB_3
oA$>}[
OffsetRect
O-J!f,
>O}ML@i
oP3eT4QVYKZDXc
OpenIcon
oVONjJc
&||}p&
PeekMessageW
PostMessageA
pP6jWm
P/Q7_E
Proced
PtInRect
P'V50Xi
QAE1XZ
qjpUCHn
QMj&U;
R"5O<?
rB.3rBh
rB"VrBE_
r]CrRs
`.rdata
rDUfauleL
ReleaseDC
RemovePropA
RkCs@.
[ro73r>h
RttQAL
R v@`5V
?RYY.S&m
<s3HC|3
sB"VrB
ScreenToClient
SendMessageW
SetClipboardData
SetErrorMode
SetEvent
SetFilePointer
SetHandleCount
SetLastError
SetPropA
SetScrollInfo
SetThreadLocale
SetTimer
SetWindowPlacement
SetWindowPos
ShowOwnedPopups
ShowScrollBar
Sj-rht
]$SmFp
{Sob%#ZG
SRQPWja
S|z,0s
t@3rGJ
t!|4C 
This program must be run under Win32
t$k=qZ
TranslateMessage
tsFilFG
tULn1JmpI7Zx@12
TZmLuB0
>~'&u/
UBlhR4Kl@4
<u$ GB
u{HkVcXI
UJ7V[m
UnregisterClassA
user32.dll
uVI"G wt,x
V_^3+*
V39!=[M
V5bD09
_V94Pi3d@4
v+Ev51
VirtualAllocEx
VKGuxXtNAF8
<"VrBw`sB
vshlwapi
v$Y}q)VS
*vy>\wZ
_W0?_%5,
w<6?Nu2
w7WY4UY
We'J=;W
WF(ogY
WindowFromPoint
W:iwpTR
| W{.S
)?WyF8Z
@*XjMs
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
x/[_Q8
X@>V8]
xv>O.d
XwYbGJN
XzcseYbysleMOE
yB6PQ+
'yBYAb,
Y|leat
yz O:K
$Z3rB{+s
zcm2s^0*
)Z#,p[
z<vho=
|zX*tue