Analysis Date: 2015-02-03 06:09:35
MD5: 6b216eae50fca42eff2431b878167893
SHA1: 42c49a559cf0f5ed7303f0c507253ce16d8b5af9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 4b9d7d2fa87dd611fffc44ee108a7081 sha1: fbbad347856c3015708f8e0fdddeaab16f7611a9 size: 5632
Section .rdata  md5: da3c7fa9afa6a92e2f395e03ffe962e3 sha1: 919e12759f467bbc65a6a6218e9e3b6c420d5f5c size: 5632
Section .data   md5: e5414073fac724157c519d2c0ffaaedb sha1: c6b56480a7bc30bdf6a1e14a3fca4a84a94ff90f size: 1024
Section .rsrc   md5: dd1c4b5991d403b52d983132918608f3 sha1: a9efa251f3c1d7b4b32996cfd3d3a9c0bb8bbd45 size: 13824
Section .reloc  md5: 9eedacfd9b074273cce817e05736516e sha1: 5196e9eb36e0c9d6e4723303a6f68685dd4c1fad size: 2560
Timestamp: 2007-06-26 22:12:18
PEhash: 4dae342d6db895fe29f91a9f08f8856360f63c92
IMPhash: 39dbc9bb8e435aa4a792b6f8d9ba63b9
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Ransom.Dalexis.B
AV Alwil (avast): Downloader-VQV [Trj]
AV Arcabit (arcavir): Trojan.Ransom.Dalexis.B
AV Authentium: W32/Trojan.ALNH-3401
AV Avira (antivir): TR/Cabhot.A.92
AV BullGuard: Trojan.Ransom.Dalexis.B
AV CA (E-Trust Ino): Win32/Tnega.QDDXCB
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Ransom.Dalexis.B
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): W32/Trojan3.NEM
AV F-Secure: Trojan:W32/Agent.DVYJ
AV Grisoft (avg): Downloader.Small.MXW
AV Ikarus: Evilware.Outbreak
AV K7: Trojan-Downloader ( 00499db21 )
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cciq
AV MalwareBytes: Trojan.Email.FakeDoc
AV Mcafee: Downloader-FAMV!6B216EAE50FC
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.C
AV MicroWorld (escan): Trojan.Ransom.Dalexis.B
AV Rising: no_virus
AV Sophos: Troj/Agent-ALFA
AV Symantec: Downloader.Ponik
AV Trend Micro: TROJ_CRYPCTB.SME
AV VirusBlokAda (vba32): Trojan.FakeAV.01657

Runtime Details:

Process
 ↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_75078.cab
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\42c49a559cf0f5ed7303f0c507253ce16d8b5af9.rtf
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 56730099
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.222
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.192.91
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.222:80

Strings
AlphaBlend
CACloseCA
CACloseCertType
CAEnumFirstCA
CAEnumNextCA
certcli.dll
CharToOemA
CloseHandle
CompareStringA
CountryRunOnce
CreateDirectoryA
CreateNamedPipeA
CreateWindowExA
@.data
DeviceIoControl
DialogBoxParamA
DispatchMessageA
DllInitialize
DrawIcon
GetBinaryTypeA
GetCaretPos
GetComputerNameA
GetConsoleAliasW
GetConsoleTitleA
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetMessageA
GetNumberFormatW
GetPrivateProfileIntA
GetPrivateProfileStructW
GetProcAddress
GetProcessHeap
GetProcessId
GetPropA
GetSystemTimeAsFileTime
GetTickCount
GetTimeFormatA
GetWindowLongA
GetWindowTextA
GradientFill
HeapValidate
InvokeControlPanel
IsCharLowerW
IsWindow
IsZoomed
kernel32.DLL
KERNEL32.dll
klospad.pdb
LoadLibraryA
lstrcpynA
modemui.dll
msimg32.dll
nddeapi.dll
NDdeShareAddA
NDdeShareDelA
NDdeShareEnumA
NDdeShareGetInfoA
NDdeShareSetInfoA
PathCombineA
PathCommonPrefixA
PathCompactPathA
PeekMessageA
PostMessageA
`.rdata
ReadConsoleA
@.reloc
SetCurrentDirectoryW
SetCursorPos
SetEnvironmentVariableW
SetFilePointer
SHLWAPI.dll
!This program cannot be run in DOS mode.
TransparentBlt
UpdateResourceA
UrlCompareA
UrlCreateFromPathA
UrlEscapeA
UrlGetLocationA
UrlGetPartA
UrlHashA
UrlIsA
UrlIsNoHistoryW
UrlIsOpaqueA
UrlUnescapeA
user32.dll
VirtualAllocEx
vSetDdrawflag
WaitForSingleObject
WriteConsoleA
wsprintfA
WTSAPI32.dll
WTSEnumerateProcessesA
WTSEnumerateServersA
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationA
WTSQueryUserToken
WTSRegisterSessionNotification
WTSSendMessageA
WTSSetSessionInformationW
WTSSetUserConfigW
WTSUnRegisterSessionNotification
WTSVirtualChannelOpen
WTSVirtualChannelPurgeInput
WTSVirtualChannelQuery
WTSVirtualChannelRead
WTSVirtualChannelWrite
WTSWaitSystemEvent