Analysis Date: 2015-02-03 06:14:37
MD5: 9821b1062e7a093df66c2f921548eee7
SHA1: 41c62702217cb389b1f94835ff551322af9169c9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 00d8a895ebdf39ac9091f58c05a15849 sha1: 91e5597ef25b0527357748e4c78ecd308a4541d4 size: 8192
Section .rdata — md5: 118b9dd158b4e5f0d8c61509ea8df58a sha1: abf69f716c35a26389d64c61105b5505639cb7a9 size: 3584
Section .data — md5: ab8a717a80dc396164e9e7ada620eb09 sha1: 3bf136cfaa4dc8825b96f8d164c543d2e13ffbc0 size: 3072
Section .rsrc — md5: bf56d92e2b699f47e057b36889fc50cd sha1: b6618ffa8ea962fff0d32861946135e3ed3ec701 size: 20480
Section .reloc — md5: 419d8384b49d8f6d8cd09701aac4213b sha1: 4e20e153bd05c7cb4c38067e93a4bb46456cebb0 size: 3584
Timestamp: 2008-09-10 08:31:18
PEhash: cb05d864650585cbc23ca22e5240148fdf3a4f98
IMPhash: b3d97b1e32329056478778885727a7f5
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Agent.BHJU
AV Alwil (avast): Downloader-VQV [Trj]
AV Arcabit (arcavir): Trojan.Agent.BHJU
AV Authentium: W32/Trojan.HPPB-6376
AV Avira (antivir): TR/Cabhot.A.284
AV BullGuard: Trojan.Agent.BHJU
AV CA (E-Trust Ino): Win32/Tnega.TMNEWSD
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Agent.BHJU
AV Eset (nod32): Win32/Kryptik.CVTU
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): W32/Trojan3.NFS
AV F-Secure: Trojan.Agent.BHJU
AV Grisoft (avg): Zbot.WZL
AV Ikarus: Trojan-Ransom.CTBLocker
AV K7: Trojan ( 004b44121 )
AV Kaspersky: Trojan-Downloader.Win32.Cabby.ccdl
AV MalwareBytes: Trojan.Email.FakeDoc
AV Mcafee: Downloader-FAMV!9821B1062E7A
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.C
AV MicroWorld (escan): Trojan.Agent.BHJU
AV Rising: no_virus
AV Sophos: Troj/Agent-AIRO
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_CRYPCTB.SME
AV VirusBlokAda (vba32): Trojan.FakeAV.01657

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\41c62702217cb389b1f94835ff551322af9169c9.rtf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_74437.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 93031785
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.192.91
DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.222
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.192.91:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....


Strings
....U..
.Jy.0rZ..Q....
..S..w..e.n
n....~P(.......0j?v)..%o.v.l.....a......{.../.4.mw^l.*.+.....+...s(. q.........m.t..A"..
O....
.6......]......|.L......@&7%..U.T..[{.....|S...."..A4.u.
)6K).6y.\.K
.+
...3..^i..Lj.^.i....
..

0	0(01070=0L0V0]0a0o0u0{0
0"0&030?0K0R0X0^0d0p0t0
/0dV)s
>$>*>0>:>@>F>M>[>a>j>q>w>}>
1)10151:1@1Q1W1^1b1h1p1z1
1%1-171;1A1G1M1S1Z1`1m1s1|1
? ?&?1?9?@?G?M?T?X?^?h?o?u?z?
= =&=,=1=?=E=K=O=W=a=i=
2%2*21272=2C2J2[2_2k2r2x2~2
2,2P2W2]2d2h2p2x2~2
< <&<2<><G<L<R<Y<i<o<v<
3#3,33393@3D3I3O3Y3^3i3r3~3
<%<+<3<<<@<K<R<[<o<w<|<
4!4'4+444:4A4G4M4b4q4v4}4
4#4(4-454<4B4P4X4_4e4x4
;&;4;9;>;E;K;Q;c;j;n;y;
5$5+52575=5C5I5P5i5v5}5
5!5)535?5J5P5V5_5h5~5
6%616B6I6O6U6\6b6h6l6r6y6
6$6+61686<6B6H6Q6W6\6e6y6
>$>/>6>?>F>L>R>Z>a>h>q>|>
7 7)73797=7L7c7j7p7w7
7$7(7.747;7B7H7O7]7e7p7v7|7
8#81878=8C8J8b8i8n8s8y8
8'8-84898@8F8T8X8^8e8l8u8{8
;/;8;>;G;M;T;Z;e;k;o;u;{;
8\vT/:
9 :':0:6:<:D:R:W:]:c:t:z:
9#9)909B9H9Q9U9]9j9r9z9
9$9(9.949;9D9J9P9V9`9g9l9r9z9
= =+=9=@=F=N=`=g=m=s=
ADVAPI32.dll
CACloseCA
CACloseCertType
CADeleteCA
CAEnumFirstCA
CAEnumNextCA
cAn/];
certcli.dll
CharToOemA
ClearEventLogA
CloseHandle
CompareStringA
ControlService
CountryRunOnce
CreateNamedPipeA
CreateWindowExA
@.data
DialogBoxParamA
DispatchMessageA
DrawIcon
drvCommConfigDialogA
drvGetDefaultCommConfigA
drvSetDefaultCommConfigA
Ez+	0G
:!:::F:L:R:V:\:c:i:o:t:
GetCaretPos
GetConsoleAliasW
GetCurrentDirectoryA
GetFullPathNameW
GetGeoInfoA
GetModuleHandleA
GetPrivateProfileIntA
GetPrivateProfileStructW
GetProcAddress
GetProcessId
GetTickCount
GetVersionExA
GetWindowTextA
?"?(?H?N?W?]?c?i?o?y?}?
h,S8mO
InitializeSid
InvokeControlPanel
IsDialogMessageA
IsTextUnicode
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
IsZoomed
j!5lA@
KaW_TMB
KDQUeKCiqYoBg
kernel32.DLL
KERNEL32.dll
LoadCursorA
lokitar.pdb
lt`>*n
Mg<=gS
mLTF$0N
modemui.dll
<)MpGt
N<V47P
,	n<Y7
ogD[Q,
Ot;,AQN
O}u>8!gE
PathCombineA
PathCommonPrefixA
PathCompactPathA
qOrB^)
`.rdata
RegCloseKey
RegEnumKeyA
RegFlushKey
RegOpenKeyExA
RegQueryValueA
RegSaveKeyA
@.reloc
RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
)S{.%E
SHLWAPI.dll
!This program cannot be run in DOS mode.
U3A9J(
U3V0cA
UdYbvqvXIqhVHn
UrlCanonicalizeA
UrlCombineA
UrlCompareA
UrlCreateFromPathA
UrlEscapeA
UrlGetLocationA
UrlGetPartA
UrlIsA
UrlIsNoHistoryW
UrlIsOpaqueA
UrlUnescapeA
user32.dll
VirtualAllocEx
WaitForSingleObject
WTSAPI32.dll
WTSEnumerateServersA
WTSEnumerateSessionsW
WTSLogoffSession
WTSOpenServerW
WTSQueryUserToken
WTSRegisterSessionNotification
WTSUnRegisterSessionNotification
WTSVirtualChannelOpen
WTSVirtualChannelPurgeInput
WTSVirtualChannelRead
X6uEuS
	)=xA@
|xZa6-V_"n<ny& ]
yXClOLvdIpNJglYa