Analysis Date: 2015-11-25 08:19:24
MD5: 3a38994d8158c1e052667b78688c33c7
SHA1: 47ebbefd6f830d2a558eac91dded2e7fe4f8ef26

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 856b32eb77dfd6fb67f21d6543272da5 sha1: 6597c511c2ee72f68f5246460f0683dae16dcade size: 24064
Section .rdata md5: dc77f8a1e6985a4361c55642680ddb4f sha1: 3d397ee25b2dd83ab741c67375880151cae94ed8 size: 5120
Section .data  md5: 7922d4ce117d7d5b3ac2cffe4b0b5e4f sha1: 4e56bb1994226ae0285c7adee470777262de2c99 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (no raw data on disk; these are the MD5/SHA1 of zero bytes and carry no indicator value)
Section .rsrc  md5: 050893857ce0fbe26bb7e94d7167f0fa sha1: a74db8a941fc5579b150c6afdfb68db39b3a4974 size: 2560
Timestamp: 2009-12-05 22:50:52
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 8634f676afcce193953762d0ee8dfaec0ca4b777
IMPhash: 7fa974366048f9c551ef45714595665e
AV F-Secure: no_virus
AV Authentium: W32/Trojan.OQFP-6333
AV MalwareBytes: Trojan.Dropper
AV Dr. Web: Trojan.DownLoader5.30059
AV Grisoft (avg): Generic26.ATIP
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BNE
AV MicroWorld (escan): no_virus
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: no_virus
AV BitDefender: no_virus
AV Avira (antivir): no_virus
AV Alwil (avast): Downloader-WF [Trj]:MDE-A [Susp]
AV Fortinet: W32/Yakes.B!tr
AV Microsoft Security Essentials: Trojan:Win32/Bulta!rfn:Rogue:Win32/Defmid
AV Ikarus: DDoS.Win32.Dofoil
AV Kaspersky: Trojan-FakeAV.Win32.SecurityDefender.h
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): no_virus
AV Mcafee: Generic FakeAlert.hs
AV Twister: Trojan.E75712C6981DC8F8
AV Symantec: Trojan.ADH.2
AV K7: Trojan ( 0033e8311 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: no_virus
AV Zillya!: Trojan.FakeAV.Win32.167021
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\activate.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd1.tmp
Creates Process: rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll",Install C:\Documents and Settings\Administrator\Local Settings\Temp\activate.dat

Process
↳ cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll" >> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll
Creates Process: ping -n 6 127.0.0.1

Process
↳ rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll",Install C:\Documents and Settings\Administrator\Local Settings\Temp\activate.dat

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll" >> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: MSIMGSIZECacheMutex
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {95421E23-08A2-28C6-E46D-0AD5D01E6CF9}
Winsock DNS: windowsupdate.microsoft.com
Winsock DNS: gnopkos.in

Process
↳ ping -n 6 127.0.0.1

Winsock DNS: 127.0.0.1
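The process chain recorded above (the NSIS stub drops miniloader.dll and activate.dat into the user's Temp directory, rundll32 runs the DLL's Install export against the data file, and a cmd.exe child waits on ping -n 6 127.0.0.1 before DEL-ing the DLL) is a detectable pattern. What follows is an added example, not part of the sandbox output or of the sample: Python detection logic run over constructed process-creation events that mirror the command lines in this report. The pipe-separated event layout, the rule names, the pid values and the benign control line (rundll32 loading a system DLL) are assumptions of the example.

```python
"""Detection for the dropper chain in the report above (added example, not part
of the sandbox output): an NSIS stub drops a DLL plus a data file into the
user's Temp directory, runs the DLL through rundll32 with a named export, and
then a cmd.exe child delays with 'ping -n N 127.0.0.1' before DEL-ing the DLL.
The pipe-separated event layout below is an assumption for the example."""
import re
from dataclasses import dataclass

# Constructed process-creation events mirroring the report's command lines.
# Layout (assumed): pid|ppid|image|cmdline. The last line is a benign control:
# rundll32 invoking a system DLL, which must not trigger the Temp-directory rule.
EVENTS = r"""
# pid|ppid|image|cmdline
1001|900|C:\malware.exe|C:\malware.exe
1002|1001|C:\WINDOWS\system32\rundll32.exe|rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll",Install C:\Documents and Settings\Administrator\Local Settings\Temp\activate.dat
1003|1002|C:\WINDOWS\system32\cmd.exe|cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Documents and Settings\Administrator\Local Settings\Temp\miniloader.dll" >> nul
1004|1003|C:\WINDOWS\system32\PING.EXE|ping -n 6 127.0.0.1
2001|900|C:\WINDOWS\system32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL hotplug.dll
"""


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# rundll32 <dll>,<export> where the DLL path may be quoted (spaces) or bare.
RUNDLL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
# Per-user Temp directory on XP-era and current Windows profile layouts.
TEMP_DIR = re.compile(r"\\(?:Local Settings\\Temp|AppData\\Local\\Temp)\\", re.I)
# 'ping -n N 127.0.0.1 && del [/flags] <target>': the sleep-then-delete idiom.
PING_DELETE = re.compile(
    r"ping\s+-n\s+(?P<n>\d+)\s+127\.0\.0\.1\s*&&\s*del\s+(?:/\w+\s+)*"
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.I)


def parse_events(lines):
    """Parse pipe-separated event lines; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image.strip(), cmdline.strip()))
    return events


def detect(events):
    """Return one finding dict per matched rule, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        m = RUNDLL_EXPORT.search(e.cmdline)
        if m and TEMP_DIR.search(m.group("dll")):
            findings.append({"rule": "rundll32_temp_dll", "pid": e.pid,
                             "dll": m.group("dll"), "export": m.group("export")})
        m = PING_DELETE.search(e.cmdline)
        if m:
            target = m.group("quoted") or m.group("bare")
            parent = by_pid.get(e.ppid)
            pm = RUNDLL_EXPORT.search(parent.cmdline) if parent else None
            findings.append({
                "rule": "ping_delay_delete", "pid": e.pid, "target": target,
                # each additional ping adds roughly one second before the DEL runs
                "pings": int(m.group("n")),
                # True when the file being deleted is the DLL that the parent
                # rundll32 is executing, i.e. the self-removal step of the chain
                "deletes_parent_module": bool(pm and pm.group("dll").lower() == target.lower()),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(EVENTS.splitlines())):
        print(finding)
```

On the constructed events this yields two findings: the rundll32 launch of miniloader.dll!Install from Temp, and the cmd.exe ping-then-DEL whose target is the parent's own DLL; the standalone ping and the system-DLL rundll32 line produce nothing. Linking the DEL target back to the parent's module is what separates this chain from ordinary installer cleanup.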

Network Details:

DNS: www.update.microsoft.com.nsatc.net Type: A ➝ 65.55.50.189
DNS: www.update.microsoft.com.nsatc.net Type: A ➝ 65.55.50.157
DNS: windowsupdate.microsoft.com Type: A
DNS: gnopkos.in Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 65.55.50.189:80

Raw Pcap

Strings