Analysis Date: 2014-04-22 09:08:57
MD5: 004ccf5ff48ede89ebad8924cd1bb0a3
SHA1: 4475fc8bf0733e3d9602b4187f434eb13ceb828e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section md5: 96779a6fd461ca4d440e3e3d2b3dd8e5 sha1: 4253ed8ac5a5d4c4ab00b5fe9cf1145e174dc223 size: 344064
Section md5: 0fef4eaf84ca891024251cc1bc99c1ba sha1: 7deb89b2efd1411d30d3f0ed16ba3eee151454ea size: 4096
Section.rsrc md5: 27fe4d6e809b41bbf99a7e6633285dd9 sha1: d0667757c6045d5b62f4a0d71ecab427a3d39720 size: 4096
Section.x01 md5: b65e2b694538e8242074bf7ff22960ab sha1: f36a7aa2aac43a7ad0dcfafa0409135cebad95dd size: 4096
Section.yP md5: fbc6fbe00913e8eecbc30be63f7b8b3e sha1: 9d517b77af50993e0d7892eb96c6b49dd4c8fe98 size: 16384
Timestamp: 2006-10-21 17:22:48
Packer: Hying's PE-Armor 0.75.exe -> Hying
PEhash: 9a65ca4ddafb970875229bdb70ab975de5d6bc18
IMPhash: 87bed5a7cba00c7e1f4015f1bdae2183
AV avg: PSW.Banker2.STJ
AV avira: TR/Spy.Banbra.JC.22
AV mcafee: PWS-Banker
AV msse: TrojanSpy:Win32/Bancos.DV

Runtime Details:


Process
↳ C:\malware.exe

Creates File: c:\windows\system32\tasklist32.exe
Creates Process: c:\windows\system32\tasklist32.exe

Process
↳ c:\windows\system32\tasklist32.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TaskList ➝
"c:\windows\system32\tasklist32.exe"\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\InternetMail\RealTimeScan\OnOff ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDF65.tmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\winhlp32.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\Arquivos de Programas\Internet Explorer\iexplore.exe http://www.controlarms.it/img/lula.jpg

Process
↳ C:\Arquivos de Programas\Internet Explorer\iexplore.exe http://www.controlarms.it/img/lula.jpg

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: smtp.mail.yahoo.com.br
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 188.125.69.59:587


Strings
.v.
.
l)
G.
T...
R..
T
..
.
..
(
...

 !"#$%
'()*+,-.
./012345
04aRr9
05jr0g
08k MDR
}'{!0 A
0{i0k\'G
0j>:&I
)<0KJe"
%0| M4c
0uf(gp6
0?x.qYH
%0zRhS
=}15M C/L1
17P+NF
192+]m
1*#*b(
)1Ccw)
1_d{a;
 1'D([-r*
1EjZK\
1.)enH
1_ERsC
1jSl@ 
1{(n29i0
#/1wy`
+1wzb$
1%YQ	^
1*+,yx1L
2`3D7"
24zNrt
_27l>7
2$FkzX
2(GGKnV-
2+HfI(V
2h@\Laj
2]hq;u
2/j$[v
2J{Xn\{
2k= j 
2LrJDlf
2*\_M;
'2n(;!
2*[q8N
2uGy2^
2/XpG_
,`2[Zk
,~2zQW8
<36Q0]+7D
3Cfb<f
)3e)+LjQRSTJ
:3FiS28
<@3|n-
3(ZdZR
(()*4+
[)`/4+
41DL!i
47ho3'FX
4B)3G%"
4b7HBk/
4D9HII
4_f%^\:}Qp
4|%_]i
#4i*6'
4n%glijk
4ohx9x
4oyXQp
4tZ*8+
"4w.'J
(4-xL^?
":-@%`<5
5"5U?=
5@[6{%
5BsCA{
5Dw5LC;
5\F&mE
5G	'OQ
5i(D\*o
/5lt!)
5P4JAv
5	QR@3p;
5z;Ywiem
:&6!a'
6C,	Cx5t
6gD4zC;u
+6Jzq_E
6Jzt;5
=6%!k:~
6k\SQ@v
_6l_11
"=6OAd{s
6qwdDn(
6t80?GEE
6WN+{{
-:?6~Zl
7+1js[
71=*(r
73P3gN
7%naj{
\7(q9@>
7soN3H!
^)\7.t
`7%^X$^
~7Z\d%/
8bC/k3j
$.8bEi
8D0@>G
8OY8b.
8R:ZR%
8XAT<%[
8Za3[[
}[$9\"
90!Xr%b
91$Dp]
-977SE,5
99:;E< 
9An`|0Y
$9h.~S
9;I~oo
9/[Ne>
 +9.O+
?9{ok#q
9*	p'1
9.pq*^
:~9%?t$
a0GEmV
A.0wW	
A]3f2X
A5~%jA9C
a6b&F`
A7?G+:i6
a9<}AVT
A}A;E_}
^_`abcdeFGHIJKLMnopqrstuVWXYZ[\]
^_`abcdeFGHIJKLMnopqrstuVWY
>?@ABCDE&'()*+,-NOPQRSTU6789:;<=
>?@ABCDE&'()*+,-NOPQRSX
aDkG-~
Af_vV"
A\>G@AB
|/AgB(
aj^85\
'A<jc{
+AKmb\
a_;k|Tg
ambN)3E
A<mRO:f
a$~N&yR
ao D7E
At<qA*P
a#Uo4gh^
A'><V7\}
@awg?,4$
~AZ8h\
\; AZG4ad
~#*~B}
b0.7;i
B0t}e1
B&~1kO
b2<DMb
b9n#]lTPL
^BA3M`
ba%h28fG0
)	Bl+=:
bNo,$xB
b>nu;@
BOH3:z
BR1*	:
B T5Hlm
b`uD$,
BX8t:6
Bye2 0
c8n!@-
cAOH@~
cEQReq
?{<C%f
"CF*LU
"CG1*C
ch9@e <!Y
?CK~WX
(,,cL]
C?L7+1E
+clE{|k;
|CM|-V
C}Ns z
:c;O31
cP-7NM}
c=-]RP
C\/Xn`-=
.cYm,*
!CYnmo
czuRxM4U
d1Hixg`
"D	|b,
d:Be3}}
dDjWwU
>ddL2~
#D~F%9
DF-&{q0
DHe[~"
dIhIaEd+
Dj~B0;
D_K.`k
DNKcOt
}D_P<z9
&D"'+{s
dW7a"S
D[_Z,U
eA5(/m
&E$ c.
E\~!Dh{
eE7LU`s
[e!FHiD	
efLv!}*
ei~Gnbwf
&ekeQ-_
Em%u0h
e<%mw:=
E&rBCu
;e_.sZ
e=\=uGj``
eW%A6Lg
E&XX]^>
" ]{ey
F06+,c%Ff
F2RmmWm
F3n!sem
f^9){o
FC3(hds
',:fC9
fcmn	R
f//:dX
#	F+Fz
fghijklm
FH[Z?z
fIDr=<
f<NlYenM
f~N-u7(bT7
f[p#]2
fPSnj'
fR;4;w"	
F|RqY)8
-F_S"&zb
f@W@&Qe\eh
_F/-]x
FY7!u`
FYcJ8F
$,FYpW
~g7kM7b
g7MJwxy
?G*a._@
Ga}J1Of
GcHVu"
 G[}en
GetProcA
GetProcAddress
G)*;Fh;`k
GfP&A[
`/g?g 
ggcedhv1
GGHISJ
gg s:1
\/%GI)
_G@i'\	]Yu
-GJS,Zj
 ~GK4 
gKzCYg
@^'G(L
g[M0pq
gO 9a+
gR]x<&
^G`S-u
Gt#b1E}[H
-g"VBF#
G;X[-^m
!gzfz0
h0OVwP ~DP
./H1234
h1.B$b~
"h5}UnX_
h`9pv,
H^D[bt
!HE\QzO
hhijtku
HHI#V5Mno
~hi=.9
%Hmi\|
H'N^R&q
h?qZK!
H#=,uh
hV=I"=D
hv,QQI
|HY%4_
^I=~>=
i_$+#1]>
<"]i1D
i5)_yq
i8KALG
i9!"2fkB
 i9)K3
ic=TgQcl
i,D:7o
i>Gx-8
^,=>IH
iijkulv
[IlEdGm
iLksb>w#:Oh
	iNyn	v
IopSbS
^i=ox8
iR/}hB
iUQ#p$g
-I$\&v
IW@`Qu
*-}J.^
>}_j4`3
J?7I?Q
j&cbz;J
JD1wrkV
Jf@ _o
/jg~g/u
Jh8y,E
jHd1y=
j%	i7G
)JJOc+q@c
jke%7N8
/|`j-M
JMda}aE
~Jnz4O
jO?X3I
Jqvf9J
JrgFNl
JT48!j
J<"|v*
Jx<"C5
k3--NO9P
}["K4"
k-5J!]
K64V]+5OR7
k!8A{$
K+8hSI"^b
KA @>)
kA7\R\6
Kernel32.dll
 K~!!F"c|
k&}gHGx
KJ`z|	
KKLMWn
~KMn%% #1
kN5kW3
Kp&A	b	
)$KPvI
$%K=-)t
k,}u?	U
kV.LJf;
k	V_VA7&
KW%zy4&
k%\x@\
+KY}<c
KZJNE;
@L0c/B
L4C7-'
l4q~]'
L.^aH`
lbYmso
|lC1T*
|LC2]"G
%LcKb*h
LD{< Y
l'E7>k
:L#eEGHISu
l!F6[$
L+G<z0
l	JmQ*
LKSPn(
  !"l#l
LoadLibraryA
l]Qc7L
LQ	K<UkFmn
	luZ;;
>lw)FsxIT
{;%/lX
=`Ly(c
L#%yF%T
[*~ly@Y
)LZ*(d
)Lzf	z,
M_\5~:
@m#50rU
M?7.r;
|MceCbP
<m"CZI
%MDHE:-Eq
M+dkWe
M!ePEc
mf1TtUo
	mi@\lY
,m>{J3
M(l<Z/
MMCxn~
mo*Hu(
moljm~
${m[P~<O
.mqln;
`#mr2R
=MU~?<
M#u(6Z
Mvopq;c0X
MX85,!
_MY!rcC
'()?*,-N
N%2I(B
N6l[OP'
n]AYB	
^(n\BHF
ND)h~"%F
}/nf_KD
NG1Obpd
_N&gQ-cg
NhB49o
'NIF+D
N!Jslq
Nm|A)&A
nn0ptaYY+pW
,NO8RRST
[n%Q84
$Nt6$Td
nU+5uu
n	/vVY
\'<Nx;
"n!Y}.
`nzIXN
O~6L2S
Ob)+~U
-[O|'d
}ODtsN"
O*.EZ;
OgqYS.
olb})`b#
OlzwT(
oP]'a!
o-Pqdk_
opqrstuv
oSv|zI	
oS>{X>LZ
'ot_e5T
oWYA@}e
oXab0G0
OYfpqu
:o\Ym:L
OzuBh/
oZ*(Xa
P1"?d=4
p1STX -
p@6 ;0R
p7`^j5
P8p:x	
paQ6D\US
P?`*;c
 =pd3c
pD_}Rn
*PEiO\
pf5oNg
_\/pHT
p;+j)A
|POY<]N
PPQ}KJN
PP^`U+
PrQ{As
pujxBx
:Pu<LOF
 PvGV'
 pW!ia0/
Pwqyj*
/P;x[g
q5|#8y!i
;;]Q7\e)
q9i|Jd
QC+fCL6
>$qCXF
q"eabM
}qf"o5
q%gX_r
?qh]fU
.=@qHI
Q}']HX	
qi5XO^
qiWF+rB
QJi(Vk
qLrYL1
#}QN)/
qRad|h
=q`ty;E
qU!N.,
Qy:Tac
r1a"u)
R1C9pQ
r2G0123
-']R3g
r8=BD6
|R\$~a
Ra'9#j
rC=6uF
RD3m]q
|RE9U1
;rh{8*m
*rhZc2
*RmF3Gg
R%}N,a
}-r,QiR
rvuOt)<
{R%!W~
rW1r][7;
rX[85N
'r|XF`
R^yHN{
rZh39k
rzqxu6x
S*1TuH
s5=za7
S7	~a@m
sAZe%[:
^ SbDY;
SDPcS+
sG+y.7
SG]!Z+
Sh`_gQ
SIB`J5
)SJaf$
{sm14t
s M5/ J
]%sm )=A
s~@Mbj[	4F6
]*S{N4'O
s{+Ne&*
sNXVRgL
;!=Sp 
^#sp?#M
<Sp%[T
S#\R?Ad
s:X,9~g
sXJO;F0
SX_vLrdT0
sZmv_S!
T6EQ}4
`T7s<Y
_ tA>b
)T&adR
t\bU3~
|TE7Ue
T*fG*z
{TgRaZ 
!This program cannot be run in DOS mode.
TH_/MY
Tj#c|(
t>%JvC
(TJzRI
TkKkV),
;tp0#h
:ttuV@W
$T&WeM
$:\,t{^Y
tZk`Cc{L
Tzopv+=
u3CMa.
U41xr%K
u84Wfy
u9&.Xr
%@Ua,_#
ua,Kyx
ubH8lS{
U(cBKg
u&ebdc
uGDKN^
u)goLx
UgO{W-
+Uh6eV2
UN0H@'
u/"N(nX)
u>pGWU
upI7sJ
U~U$@@
U]V)Pk
u@ Xv-g[M
UYk-=:N
v)$&%)
;V0T^#
V2=;YL
v5vs_x
V9#Esl
V-B:H"#
VbkY5y
=V]f2:
:vGN?}
VHMuT@
vh#sSwCX
$vhWw2
->vj6|
,"Vjz%$
VL{9>Z
V]Ll)a
VME7K%
Vn_9\X
VNv4U*S
$VO.z\
vq.Lda
[.<v\S
?vt$r=T;
\vuW}B
<VVWXbY
vwxyz{|}
V=ygCX
@\;Vy<t
w1MOKJN^
$W4at.D.
^!"w4C
">wd2F
)we\ew
?w',gV
wh3jxZp
wJRj1Q
Wl(}U~{
	>|#^wPL
wP>mJ6
>Wq-8O
w/q(;gnsT
WqqrtE
Wru$d4Y,1v
>!~wS|
W{:v%Q
WXYZ[\]^?@ABCDEFghijklmnOPQRSTUV
W/z9En
X/&2M!O
x5(?5@>
X6]B,fw
x8bX'{t
Xb}+ey
_Xd'rg
 >@Xe;
xH#45K
[xIwxuL
xJFGA@
x^@K+c<
X/LUc)
XMEe/?
xNvRiC
*x?Oi$
XO}[ZT|
Xp^J:m
xp	"mvIz
,XQ3rR
&x/qrstu
X SwP%o
x.V]2z
+X-VPS
xVxonhiO#`
xWj0^x
y&(':.%#
Y<18n4
&Y2aDT
Y3t=l7
y'5dx*e
y8)<O`9
+y;Ab+,
yB<87IM@
ybn]{,
yfz	-9;
*y)@G|+
Yh{}5"kK"H
yjC(}>!
Y!&kVAe
Yl:,^6Q
==yOj2
Y}o;,K
:,=yOx
	YR9X^m0
y'@RUHG
Ysstu?V
&y!T3E:
<YUB $U
y|uiOO
\YX:B;l
?YYZ[e\f
z~22W:
z	2ck>
z8sv88?r
z8$V%!
Z9i9g<4
Za4f/)
ZA;oYKD
zcf_lx_2Rh
 Z=dAfz
Zd;TF!
ze=Zb+A
Z;Gr\)
ziO>5f
zj/HCF
)ZJZ@7
ZK;nv}ey
z#m?Tu
}zmYEJ
zph:'f
/z]qbW
$zQrmJe
zrp7WW
`Zr&uF]
zSD\9F
Z^Swscz
ZT5nD[0
ZW[S;\'x
z-Zq`w