Analysis Date: 2014-12-12 13:42:57
MD5: c942142587e007e9f3f7b49fd5d3c0c0
SHA1: 46d6cf00e3dfe70e170af30642f5accde821d0f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6420e552f3f1be7221f2a91995df3ff9 sha1: c226b48fed868b3eea4d52df0357a6e91222c59d size: 49152
Section .rdatat md5: 93a7c1db32de1e2b317e43d4ec66cd6d sha1: 3506503a5fe6ccba4c8aca4a8bcf5e5d253a2cd6 size: 5120
Section .rdata md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc md5: d14bac5e2ed4753557032723f3b8ffdd sha1: 5e71fd1378cf85d0117a30585fb9bd8acdcb7116 size: 5120
Section .xdata md5: fdc4226684ef317409fe69e927191afa sha1: 9c8184205ff5f189d94ca5135380ceda5de2a9d0 size: 14848
Timestamp: 2008-01-20 09:30:44
Version LegalCopyright: 432 1997 +2009
InternalName: Stay Morse Horn Bored
FileVersion: 2 1 3
CompanyName: MicroVision Development
ProductName: Clammy Awl
ProductVersion: 2 1 5040
FileDescription: Utenika
OriginalFilename: Burger.exe
PEhash: bb75fa073727e647ac1e4c197239a706ca758e06
IMPhash: ae93f43243c8a27eabcbaaa6b029880b
AV 360 Safe: Trojan.GenericKD.1681097
AV Ad-Aware: Trojan.GenericKD.1681097
AV Alwil (avast): Rysaoa-E [Cryp]
AV Arcabit (arcavir): Trojan.GenericKD.1681097
AV Authentium: W32/Trojan.TNSX-5831
AV Avira (antivir): TR/Crypt.Xpack.66372
AV BullGuard: Trojan.GenericKD.1681097
AV CA (E-Trust Ino): Win32/Tnega.AULH
AV CAT (quickheal): TrojanDownloader.Wauchos.rw5
AV ClamAV: no_virus
AV Dr. Web: Trojan.Hottrend.349
AV Emsisoft: Trojan.GenericKD.1681097
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.AD
AV Fortinet: W32/Tiny.NKF!tr.dldr
AV Frisk (f-prot): W32/Trojan3.IIT
AV F-Secure: Trojan.GenericKD.1681097
AV Grisoft (avg): Crypt3.PSJ
AV Ikarus: Trojan-Spy.Zbot
AV K7: Trojan ( 0049a3a41 )
AV Kaspersky: Trojan.Win32.Agentb.apko
AV MalwareBytes: Spyware.Zbot.VXGen
AV Mcafee: RDN/Generic.dx!dbx
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AM
AV MicroWorld (escan): Trojan.GenericKD.1681097
AV Rising: 0x56ca9665
AV Sophos: Mal/Zbot-QY
AV Symantec: Backdoor.Trojan
AV Trend Micro: TROJ_WAUCHOS.VTN
AV VirusBlokAda (vba32): Trojan.Agentb

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Creates File: \Device\Afd\Endpoint
Winsock DNS: clothesshopuppy.com
Winsock DNS: freefinder.me
Winsock DNS: cityhotlove.com

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Creates File: \Device\Afd\Endpoint
Winsock DNS: freefinder.me
Winsock DNS: cityhotlove.com

Network Details:

DNS: update.microsoft.com.nsatc.net
Type: A
65.54.51.250
DNS: update.microsoft.com.nsatc.net
Type: A
65.55.138.126
DNS: update.microsoft.com
Type: A
DNS: cityhotlove.com
Type: A
DNS: freefinder.me
Type: A
DNS: clothesshopuppy.com
Type: A
Flows TCP: 192.168.1.1:1036 ➝ 65.54.51.250:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1040 ➝ 65.54.51.250:80
Flows UDP: 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1047 ➝ 8.8.4.4:53


Strings
b...
040904B0
2  1 3
2   1  5040
432  1997  +2009
Aesop
&?@B
Bandit
Breeze
Bureau
Burger.exe
Bush
Clammy Awl
Clap
CompanyName
Derek
Dote
Emote
Eureka
FileDescription
FileVersion
Herd
InternalName
Irons
LegalCopyright
Loamy Gunk Opens
Lost
Matt
Maude
MicroVision Development
MS Sans Serif
Nets
OriginalFilename
Paths Julie
People
Pluto
ProductName
ProductVersion
Push
Raze
Reins
Review Chest
Sands Brig
Slop
Slops
Stay Morse Horn Bored
StringFileInfo
Syrup
Translation
Tube
Under
Utenika
VarFileInfo
VS_VERSION_INFO
Webs
Wins Genes
With Cram
Zooms
09AV#d
158f8x5hu1
1v5nmpnm
2 ,,<|
#-/21M
//2#5M
274328726
?2cbnfEQ
:2| Et
2/Jw8E
>>2/>LM
?2%L%M.M,
2w|eec<
3818315
:\4*(/
5cE :.[|/
5J5/.ep
5L?:s8
5>?MU2e
5s5U8>E
+<67xN
[82,<5,8a
,82F>%
8[a>:d
8dEe/[pp
8-/)+k[K
|8:S>e
8tsMOO[
Acuzumu
ACYKVB
_adj_fdivr_m16i
_adj_fdivr_m32i
aE:eMU
aeEs [,
Agecacu
AJh0x@
Akitus
Akucuku
a#MF% e,
%.a>MO
\^\A^Q
__argv
Asihada
AssignProcessToJobObject
atexit
athsve
_atodbl
Atysope
Avugoz
/:a#wUw
$b`5Q	
_beginthreadex
Bizuva
BOUELRCUOQLYX
bywUAnJIIvbUe
^BZ@OYKh
:>c/5<
ca:>[ 
calloc
c<bY':~
_c_exit
>>c<:FL
_cgets
CharToOemW
_chsize
_CIacos
_CIasin
_CIatan2
_CIcosh
_CIpow
_CIsqrt
cJaUJE
cKeEpF?w
c??M|M
[|c|O%cE%
<cO#UE
_cprintf
_ctype
d2Mep:
daKess
Datijuk
dawe%[<
DdePostAdvise
Detixen
DialogBoxParamA
d<M%L>
Doqeqo
__doserrno
Dunifyz
Dycuno
%,% E 8dpMa
Ebixury
Ecusyzo
e:d:s|F
E|#FeaE
EFM8w|5S
Egebox
_EH_prolog
Ekalyja
Ekokihe
>[E:L2M
EMcKEc
EndDialog
|e%.OL[
Eregab
Esacydy
Et:U>/
Evohoce
Ewejapy
Ewoduze
_execlpe
_execvp
EXyOfkt
Ezomoqi
F2/LKt
Fa>,w2
F,cdO%
_fdopen
FileTimeToDosDateTime
_findfirst
_findnexti64
FKasFc
_flushall
FM<>Kap
Foxiba
fprintf
F/p|tS
_fputwchar
FreeDDElParam
freopen
:FsM?MM2
_fstati64
><Ft2Lt
;fu,l{~D;
?FU.sO
fwrite
Fygitob
FYWAQHJQQDBFWO
g1s5inx
gDEfiHuapOBoaKb
_getdcwd
_getdrives
Getiqyx
GetKeyboardLayoutNameW
GetMenuItemInfoA
GetProcAddress
GetSystemMenu
GetWindowTextW
Gevigen
Gihuvul
gmtime
_gmtime64
Goheko
Gudalug
_heapadd
_heapused
_heapwalk
Hehilyb
hGhjSHgb
Hobomev
Hotywir
_i64toa
Ibuweh
Icezit
Idifixy
Ifeler
Ihizet
IMM32.DLL
ImmAssociateContext
InterlockedDecrement
InterlockedIncrement
Ipoveqi
Ipyxat
Iqelih
IsCharAlphaNumericA
isdigit
_ismbbalnum
_ismbbgraph
_ismbblead
_ismbbtrail
_ismbchira
_ismbckata
_ismbclower
iswalpha
iswctype
iswdigit
iswupper
Ixocev
Izynuf
Jajuda
JarvSuWhJiwjfCg
J[%Dikeqy
J<E,SwU
jfQ8xQ6
[JJ:JMMO
J%,<LL
JMM|2L8c
JO<eM/
#:Jp,tO#
JSNDILQBYX
JUMppU
K2c cKp/#
K8/OE ,
KERNEL32.DLL
Kicavu
/K##:M
KU<U%a
K<wwL:
lAlloc
__lc_collate_cp
L d2wF
Lexewad
Ligahi
LoadCursorFromFileA
LoadCursorW
LockSetForegroundWindow
l[?r32
L/,s?. Ow
LUdsSt
Lysasew
M1Y7 =
M5S2ML
M5ww<<
MaE>[%
M>ae85pS|
_mbcasemap
_mbccpy
_mbcjmstojis
_mbctokata
_mbctoupper
_mbctype
_mbsnbcat
_mbsnbcmp
_mbsnbset
_mbsninc
_mbsrev
_mbsspn
_mbsspnp
M[c 8J
Mc[sd[
memchr
memcmp
MenuItemFromPoint
MeOL:8
MessageBeep
Microsoft Visual C++ Runtime Library
mjyLCoRJH
_mktemp
mktime
Moxyse
_msize
MSVCRT.DLL
M:%t<E
Myconyz
Nicymeq
Nuxyli
Nyfato
Nytapy
O 5(^x
OBK@OF
O %?cE
[|Odw<MJ
Odykobi
OemKeyScan
OffsetRect
Ofimin
Ofypagy
O.<J>e
Okinymo
Okiqel
Omidum
_onexit
>OOp>8
OpenDesktopW
_open_osfhandle
Op [[MJ
,Optt2,:
Orekat
ORoxjvSBSpsXdyk
_osplatform
:Os,tSt? M
_osver
Osyhaqe
Otaledu
_outpw
Ovuras
@OZ H4
]P||||]
p:2seKswF
p5FUS<s
p/%a:dE.
__p__amblksiz
_pctype
__p__environ
pFaw/FM
Pixaqu
__p___mb_cur_max
PostThreadMessageA
]PP|]|]]
||PPP|
PP]|]P
PPPsPs
]P]P|s]
|P|]PsP
PP]||]s]P
PPs|P|s
P|P]ssPP
__p__pwctype
|P]sP]
P|]|sP
|Ps|]]s
]|Ps|sP
|||Psss|
psSUw>
__p__timezone
p ?t/MMFF
_putch
putchar
_putenv
_putws
pUUaMF
__p__wcmdln
__p__wenviron
Qinuji
qqGlNtb8M6
`.rdata
.rdata
RealGetWindowClassW
Ridyko
r_MC0EE{ya8`z
_rmdir
||s]]|
,,Sads
s,aEwL
Safaga
_safe_fdivr
_safe_fprem1
Sakoxej
 S<c,>
S d# EO
_seh_longjmp_unwind
SendMessageA
__setlc_active
setlocale
_setmaxstdio
_setmbcp
SetMenuItemInfoW
SetSysColors
_setsystime
 s.JJ d
_snwprintf
_sopen
Sotafa
]]sP]|]
s]]P||
s|PP|P
sP|]]sP
sQ\:go51CX^k
}sqwukiomcage[Y_]SQWUKIOMCAGE
s||]s|
]ss|P|]
||ssPs|
s]s|Ps
|sss]|
s]s]s|
ss||||s
ss]s]|
ss]|ss
_stat64
stdUd#s
strcoll
strcpy
strftime
__STRINGTOLD
_strlwr
strncat
_strnset
strpbrk
strrchr
strtod
\SUwama
swscanf
.S_Wt`
_sys_errlist
Syvojaj
t25 55
t2[p#t
t5>8O%%J
!This program cannot be run in DOS mode.
__threadhandle
__threadid
tJ 5><
TJ!f`_
Togovu
Totoqa
toupper
tWTJMYNLKVay
U8J/ #F
Ua?w8wE
Ubupas
Ucilog
U<eweF
Ufanot
Ufenun
Ufuqevy
_ui64toa
_umask
Umedywe
U>MOwa..
ungetc
_ungetch
_unloaddll
_unlock
U>pJ:ppO
Urehem
uRLhcTaBJMHUOiI
Usanuze
USER32.DLL
U(^]SQ
_utime64
Uvegequ
,v~-7J
ValidateRgn
Vanasu
Veveza
vfwprintf
VNetBjcbmmpSHU
vprintf
_vsnwprintf
vwkrxvhghfafb
vwyfdgrdejisml
vYAM6qLB7dI
wcschr
_wcsdup
wcslen
_wcslwr
_wcsncoll
_wcsnicmp
wcspbrk
wcsrchr
wcsstr
_wctime
_wenviron
_wexecl
_wexeclp
_wexeclpe
_wfindfirsti64
_wfindnext
_wfullpath
_wgetcwd
_wgetdcwd
_wgetenv
__winitenv
_winmajor
Wizopuz
wJd#MF
w KJa2
w#KLc,
_wmktemp
wm(u]|
wpbdQRtD7ox6a
_write
ws|8#c
wscanf
_wspawnle
_wspawnlpe
_wspawnvp
_wtmpnam
_wutime
_XcptFilter
@.xdata
Xiqawok
xmxgtbiecvst
Xoryjyq
	~X^^XZzJZ
Xygyfuq
YbSWbPTqWe
Yhutun
Ymiluli
Yqariz
Yvikiha
Yvoxunu
Yvyhego
Ywirewa
Yxatof
Yxyvybo
Zidyla
Zijohow
Zomyxub
Zypadem