Analysis Date: 2015-10-01 01:40:23
MD5: f99bd80e2b5cf31e4ca5bdbfa63679b0
SHA1: 48a9a737dc5de0c1c30486f1fb956be741d2e098

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7e6197a66188fa76e334a295d18c0aea sha1: 781db98a6c1f339a3e31ca32c84cb9fd3384e5a5 size: 1536
Section .rdata: md5: 88ed43d03075e48f9c84575a5dc6b28c sha1: 9b6f7d22f59443d3b921f7f0a6cdf5127cdbb550 size: 512
Section .data: md5: 96a48bd7c1d7899d6e63402c89ae76e3 sha1: ccc0f92735a288e5760a0a822cbe1f8382d368f6 size: 512
Section .rsrc: md5: d756720750adebbe9af8a1e63f0ae043 sha1: 40f2c88ce6132f11d6d2e2050bef1a8c63132924 size: 34816
Section .debug0: md5: 649c4b905cccbeccc918f45eeba15a12 sha1: 241a70723415139ae536293c8cb75fdf7b6ce829 size: 225280
Timestamp: 2008-05-23 00:35:32
Version:
  LegalCopyright: Copyright (C) 1998
  InternalName: cbrowse
  FileVersion: 1, 0, 0, 1
  CompanyName:
  LegalTrademarks:
  ProductName: cbrowse Application
  ProductVersion: 1, 0, 0, 1
  FileDescription: cbrowse MFC Application
  OriginalFilename: cbrowse.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: 0d4f3d849cd10a1b68897ac3443d2c54de494e8f
IMPhash: 425d8549e34f9b5f96a79f790e0a5069
AV CA (E-Trust Ino): Win32/Zbot.CXZ
AV F-Secure: Win32.Panot.A
AV Dr. Web: Trojan.MulDrop3.14959
AV ClamAV: Trojan.Spy.Zbot-142
AV Arcabit (arcavir): Win32.Panot.A
AV BullGuard: Win32.Panot.A
AV Padvish: Virus.Win32.Pioneer.dd
AV VirusBlokAda (vba32): Trojan.Cutwail
AV CAT (quickheal): W32.Pioneer.DD1
AV Trend Micro: PE_PATNOTE.A
AV Kaspersky: Virus.Win32.Pioneer.dd
AV Zillya!: no_virus
AV Emsisoft: Win32.Panot.A
AV Ikarus: Trojan.Crypt2
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.ZXTJ-7053
AV MalwareBytes: Trojan.Agent.BFG
AV MicroWorld (escan): Win32.Panot.A
AV Microsoft Security Essentials: Virus:Win32/Panot.A
AV K7: Virus ( 0040f78e1 )
AV BitDefender: Win32.Panot.A
AV Fortinet: W32/Zbot.AT!tr
AV Symantec: W32.Patorge
AV Grisoft (avg): Win32/Zbot.AL
AV Eset (nod32): Win32/Agent.NBN virus
AV Alwil (avast): GenMalicious-HMV [Trj]:Kryptik-NFR [Trj]
AV Ad-Aware: Win32.Panot.A
AV Twister: Trojan.64FF3530000000@2F.mg
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV Mcafee: W32/Patched.gen.d
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xutiripqonym ➝ C:\Documents and Settings\Administrator\xutiripqonym.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Moeh\Ryweb ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving ➝ NULL
Creates File: C:\Documents and Settings\Administrator\xutiripqonym.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\notepat.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\temp\files\notepat.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\notepat.exe
Creates Mutex: kwtpistzvfewyyszbvypdkpnpvqdtex
Creates Mutex: fvlkneeerfxwzsfbstgkqxwoyruaahn
Creates Mutex: xutiripqonym
Creates Mutex: Global\{B25E7F3C-6EBF-D0DB-8B32-B022153A2108}

Process
↳ "C:\WINDOWS\system32\cmd.exe" /c "C:\Documents and Settings\Administrator\Local Settings\Temp\tmpab23b30c.bat"

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\notepat.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Fakua\icukf.exe
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\Anvaho\qozy.hud
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmpab23b30c.bat
Creates Process: "C:\Documents and Settings\Administrator\Application Data\Fakua\icukf.exe"
Creates Process: "C:\WINDOWS\system32\cmd.exe" /c "C:\Documents and Settings\Administrator\Local Settings\Temp\tmpab23b30c.bat"
Creates Mutex: Global\{24FB6DA1-7C22-467E-8B32-B022153A2108}
Creates Mutex: Global\{B25E7F3C-6EBF-D0DB-8B32-B022153A2108}

Process
↳ "C:\Documents and Settings\Administrator\Application Data\Fakua\icukf.exe"

Creates File: PIPE\lsarpc
Creates Mutex: Global\{18A79F29-8EAA-7A22-5976-D9E9C77E48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-1577-D9E98B7F48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-3D72-D9E9A37A48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-2976-D9E9B77E48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-4177-D9E9DF7F48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-9174-D9E90F7C48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-2571-D9E9BB7948C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-5977-D9E9C77F48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-0977-D9E9977F48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-1572-D9E98B7A48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-E171-D9E97F7948C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-3570-D9E9AB7848C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-F571-D9E96B7948C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-9175-D9E90F7D48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-7975-D9E9E77D48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-3574-D9E9AB7C48C3}
Creates Mutex: Local\{179958A0-4923-751C-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-B976-D9E9277E48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-6D70-D9E9F37848C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-8176-D9E91F7E48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-C571-D9E95B7948C3}

Process
↳ C:\WINDOWS\system32\userinit.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run\icukf.exe ➝ "C:\Documents and Settings\Administrator\Application Data\Fakua\icukf.exe"\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe ➝ C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Moeh\Ryweb ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1609 ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\{18A79F29-8EAA-7A22-5976-D9E9C77E48C3}
Creates Mutex: Local\{58DFB90C-A88F-3A5A-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-1577-D9E98B7F48C3}
Creates Mutex: Global\{FD538B37-9AB4-9FD6-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-3D72-D9E9A37A48C3}
Creates Mutex: Global\{A18555F1-4472-C300-8B32-B022153A2108}
Creates Mutex: Global\{5894ACAB-BD28-3A11-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-2976-D9E9B77E48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-4177-D9E9DF7F48C3}
Creates Mutex: Global\{A27C55BA-4439-C0F9-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-9174-D9E90F7C48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-2571-D9E9BB7948C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-0977-D9E9977F48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-5977-D9E9C77F48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-E171-D9E97F7948C3}
Creates Mutex: Global\{B25E7F3C-6EBF-D0DB-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-3570-D9E9AB7848C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-F571-D9E96B7948C3}
Creates Mutex: Global\{B2156A9B-7B18-D090-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-7975-D9E9E77D48C3}
Creates Mutex: Global\{BE4FAF52-BED1-DCCA-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-B976-D9E9277E48C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-6D70-D9E9F37848C3}
Creates Mutex: Local\{B42229D5-3856-D6A7-8B32-B022153A2108}
Creates Mutex: Global\{18A79F29-8EAA-7A22-C571-D9E95B7948C3}
Creates Mutex: Global\{18A79F29-8EAA-7A22-8176-D9E91F7E48C3}
Creates Mutex: Global\{2B634A46-5BC5-49E6-8B32-B022153A2108}

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Moeh\Ryweb ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\ConnectionSettingsMigrated ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkContactRefresh ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name\ ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Server ID ➝ 4
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab~
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\Microsoft\Outlook Express\Offline.dbx
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\Microsoft\Outlook Express\Inbox.dbx
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MPS1.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\Microsoft\Outlook Express\Sent Items.dbx
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\Microsoft\Outlook Express\Folders.dbx
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\Microsoft\Outlook Express\Inbox.dbx
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\MPS1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\Microsoft\Outlook Express\Sent Items.dbx
Creates Mutex: MPSWabDataAccessMutex
Creates Mutex: OutlookExpress_InstanceMutex_101897
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: MPSWABOlkStoreNotifyMutex
Creates Mutex: c:_documents and settings_administrator_local settings_application data_identities_{66520883-af04-4437-a539-3e2f2944b956}_microsoft_outlook express_offline.dbx_directdbmutex
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:_documents and settings_administrator_local settings_application data_identities_{66520883-af04-4437-a539-3e2f2944b956}_microsoft_outlook express_sent items.dbx_directdbmutex
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{B25E7F3C-6EBF-D0DB-8B32-B022153A2108}
Creates Mutex: microsoft_thor_folder_notifyinfo_mutex
Creates Mutex: c:_documents and settings_administrator_local settings_application data_identities_{66520883-af04-4437-a539-3e2f2944b956}_microsoft_outlook express_inbox.dbx_directdbmutex
Creates Mutex: c:_documents and settings_administrator_local settings_application data_identities_{66520883-af04-4437-a539-3e2f2944b956}_microsoft_outlook express_folders.dbx_directdbmutex

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.mail.global.gm0.yahoodns.net
Type: A
98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net
Type: A
98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net
Type: A
63.250.193.228
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1033 ➝ 98.138.105.21:25
