Analysis Date: 2014-12-09 07:36:28
MD5: 04a2260e20475ee40638aa02ce1654d0
SHA1: 3f5b07b1ebe99dca6ec83672c6b0174d705d1abe

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ce6799a772d2a754d65c417257da6494 sha1: b7f5176cfb3424c91faa8816eaf9abaa8dc92ad0 size: 40448
Section .data md5: 8eba068eec587efc76958e0250570dd1 sha1: ad9ba77a1b08bd92d4f2c74e9ec6b0567599f800 size: 36864
Section .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: a3cd66c37b7216b19b74c0813de6892b sha1: 9f4bf113a3a23c3ea1a6000f9341a19490ec3ce7 size: 2048
Section .CRT md5: 792bafb3424fd7f9b5a89dae09b64905 sha1: 9cc05ddd10bb5b3d586c7a15dc26d6145eb9974b size: 512
Section .tls md5: b644bd82c5219a72bfddfd3e431aadcc sha1: 4ac4ecc9b0785f1b19c99b1690cb6215a5f76b6a size: 512
Section .rsrc md5: 02cf34e605d8785d378b6f4c58df8a01 sha1: 42d2cae058ce9181911a6f38e8b33021688960a9 size: 16384
Timestamp: 2013-03-20 08:24:22
PEhash: d2dcd3ffd0a96e37773767608362db1eef3a8ebd
IMPhash: 9ddbc03bd7b6412962a51d5373dcc467
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Application.LoadMoney.70
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: W32/LoadMoney.A.gen!Eldorado
AV Avira (antivir): no_virus
AV BullGuard: Gen:Variant.Application.LoadMoney.70
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Packed.24079
AV Emsisoft: Gen:Variant.Application.LoadMoney.70
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): W32/LoadMoney.A.gen!Eldorado
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: Win32.SuspectCrc
AV K7: Trojan ( 0040f53f1 )
AV Kaspersky: HEUR:Downloader.Win32.LMN.gen
AV MalwareBytes: PUP.Optional.LoadMoney
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Application.LoadMoney.70
AV Rising: Trojan.Agent!5438
AV Sophos: Troj/LdMon-A
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Downware.LMN

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: "C:\malware.exe" 8726691788423121482

Process
↳ "C:\malware.exe" 8726691788423121482

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: takeinfo.ru

Network Details:

DNS: takeinfo.ru
Type: A
199.59.243.119
DNS: takeinfo.ru
Type: A
199.59.243.120
DNS: takeinfo.ru
Type: A
199.59.243.121
DNS: takeinfo.ru
Type: A
199.59.243.117
DNS: takeinfo.ru
Type: A
199.59.243.118
HTTP GET: http://takeinfo.ru/get_xml?file_id=10066720
User-Agent: tiny-dl/nix
Flows TCP: 192.168.1.1:1031 ➝ 199.59.243.119:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 5f786d6c 3f66696c   GET /get_xml?fil
0x00000010 (00016)   655f6964 3d313030 36363732 30204854   e_id=10066720 HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a557365 722d4167 656e743a   */*..User-Agent:
0x00000040 (00064)   2074696e 792d646c 2f6e6978 0d0a486f    tiny-dl/nix..Ho
0x00000050 (00080)   73743a20 74616b65 696e666f 2e72750d   st: takeinfo.ru.
0x00000060 (00096)   0a0d0a                                ...


Strings
..
.
.~..
uM
.
<<<Obsolete>>
061117000000Z
100208000000Z
10066720
111209000000Z
130320082422Z0
140206235959Z0[1
1Baw3`
,1U$/*
200207235959Z0J1
35*u{m
360716235959Z0
3BSf`[
|3P[LZ
3tGG,r
4@EmbR
571z.p$
5k-$qF
6?.1A)
6Cycd\q
$6j[?;
6<R?;ii
=7ac^(Y
7d/Ik)]
7X%JMU
(%88@N
<8MOzO
8#Up;S
9l)RR!
9,yh$ /
/Apfz~
aP)zE+
</assembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
atexit
-"aWxFI
Bd55kw
bPtbBr	
bPt|F}
;|b,XOp
c0(/[|
/(c) 2006 thawte, Inc. - For authorized use only1
c2VQYr
calloc
Certification Services Division1806
_cexit
CommandLineToArgvW
CreateThread
c<(/Yd
D3*,_S
DeleteCriticalSection
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
Dk%#& 
;D	W_v
E0oY`~mv
{e3]1A
-e6/>.$vi
E8#2	N
EAZ#it
/eJ@BE
EnterCriticalSection
ExitProcess
ezVP$UyU
~F8?4(
	F"885
\F=fW2
FreeLibrary
fTK>+U
fwrite
<.g_  7
g=96Vl
]	g994P
]	g996
GetCommandLineA
GetCommandLineW
GetLastError
__getmainargs
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
gw7}_s
gWusGy
G>zkq,
gzq/Cn
?G"zs|
harDDA
hd]'Xz$w
HeapAlloc
HeapFree
h_.-Lg
H;?Pnn
hpr.D)
#http://crl.thawte.com/ThawtePCA.crl0
*http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
http://mail.ru/0
http://ocsp.thawte.com0
i&?&8M
Iaj9Hz
.idata
IE{[AcHq
InitializeCriticalSection
Iq6-cm
IsBadReadPtr
i#wIIF
>j	*7L
Jbm1[g
J^D791)
)j	@MP&
jV|jJx
_Jv_RegisterClasses
J`yu?s
KERNEL32.dll
KJW&<g
k[}~O|
k}t/C@
;^[]_L
#l0@]H
LeaveCriticalSection
l[HhIY7
libgcj_s.dll
LLC Mail.Ru0
LLC Mail.Ru1
(|l>;N
LoadLibraryA
LoadLibraryW
l+rDDA
l\=W(1
L/Wtwt
m<<`]'7
memcpy
memset
mingwm10.dll
Mingw runtime failure:
__mingwthr_key_dtor
__mingwthr_remove_key_dtor
Moscow1
msvcrt.dll
nh2JoIj
nrzNJGy
\n^V1YH
O_70't
oa`K	1
'o:En]
\okl}'p
_onexit
ong1DpL
(o>}u0
,o,*wVP
Oy=)v{+
o!zU;.
<$_P44.5
P`.data
__p__environ
__p__fmode
p~rR9|W
`Q3'6r=t
^q3K."
q-{MMJ
R&1jahQ
r6+=lc
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
<requestedPrivileges>
`RjuD}
rr|<N>
{]'rwg
S0,GE*!
</security>
<security>
__set_app_type
_setmode
SetUnhandledExceptionFilter
SHELL32.DLL
signal
:&S-J`$A
sN1UvZ
so}:O8
sq	yQ{
strcmp
T-cc`*
Thawte Code Signing CA - G2
Thawte Code Signing CA - G20
thawte, Inc.1(0&
Thawte, Inc.1$0"
thawte Primary Root CA0
!This program cannot be run in DOS mode.
tI~;Pc
TlsGetValue
t ~PPM
t.~RPM
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t[~tHs
[ue^7R
  Unknown pseudo relocation bit size %d.
  Unknown pseudo relocation protocol version %d.
USER32.dll
,U\Wus
VeriSignMPKI-2-100
vfprintf
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
  VirtualQuery failed for %d bytes at address %p
V_osyf
vS~^Xe
WaitForSingleObject
wcscpy
_winmajor
wsprintfW
x2a<ABI
XFbz<t
x!gbk6
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
#xxe? 
*XXR+G
y(4(a?T
Y%cf5S
$y:JT	b
Yq87~&
{yV::7
YYTpY~