Analysis Date: 2014-02-11 01:41:54
MD5: 5445a5f8eeecd8d9009a18d5907e87c7
SHA1: 4a2a6be2582128a211e2bda4ccbc9be17c77912f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: a48436ba7bf6370e4ecc5bfee256f5a4 sha1: 361096e903d87ed1a7f9a95364a26f58dfd8fd67 size: 2048
Section .rdata — md5: 7778e82b298a9234726818f6a6f4b909 sha1: fbf9673587b46619408b3f85a6dfe3bcef0136f4 size: 2560
Section .data — md5: b311cc8bff2a20ed90ae8db181098321 sha1: d41535355350d86bb3ea4bd9692ad30f65d28eb2 size: 89088
Section .rsrc — md5: 72b9d4419654149cc308652ea7ee5832 sha1: 66deef580f7d93f2abb38c6c65ffbfc26b2edd52 size: 13312
Section .reloc — md5: 860c33da667676222213085702a1b597 sha1: ec45cab78fd6a661ef29a8f754c91a8393ee670c size: 131072
Timestamp: 2011-02-02 18:55:02
Version: LegalCopyright: Copyright © 2007 Avira GmbH. All rights reserved.
InternalName: AntiVir/Win32
FileVersion: 7.6.0.59
CompanyName: Avira GmbH
PrivateBuild:
LegalTrademarks: AntiVir® is a registered trademark of Avira GmbH, Germany
Comments:
ProductName:
SpecialBuild:
ProductVersion: 7.6.0.59
FileDescription: AntiVir Command Line Scanner for Windows
OriginalFilename:
PEhash: 78828cabb835b437c81c073a20c5600378ca63f0
AV avg: Win32/Sality
AV avira: W32/Sality.AT
AV mcafee: W32/Sality.gen.z
AV msse: Virus:Win32/Sality.AT
AV clamav: Trojan.Ramnit-4

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝
C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Fobvexllmtqkq\A1_0 ➝
332287070
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\WINDOWS\137e3
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Creates Mutex: uxJLpe1m

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Deletes File: C:\Program Files\huettqja\px3.tmp
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Network Details:

DNS: stromoliks.com
Type: A
66.228.61.232
DNS: google.com
Type: A
173.194.34.169
DNS: google.com
Type: A
173.194.34.161
DNS: google.com
Type: A
173.194.34.168
DNS: google.com
Type: A
173.194.34.167
DNS: google.com
Type: A
173.194.34.165
DNS: google.com
Type: A
173.194.34.166
DNS: google.com
Type: A
173.194.34.164
DNS: google.com
Type: A
173.194.34.162
DNS: google.com
Type: A
173.194.34.174
DNS: google.com
Type: A
173.194.34.160
DNS: google.com
Type: A
173.194.34.163
DNS: stromoliks.com
Type: A
66.228.61.232
DNS: promoliks.com
Type: A
66.228.61.232
DNS: promoliks.com
Type: A
66.228.61.232
Flows TCP: 192.168.1.1:1038 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1039 ➝ 173.194.34.169:80
Flows TCP: 192.168.1.1:1040 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1041 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1042 ➝ 66.228.61.232:443

Raw Pcap

Strings
/4eUN...
e.O..
..
..
I
A
.
K
...
.
^?.<+
:~$0
000004b0
^|0*8
0Uf/Y j@,l2
0zv}
1cQw
!1+k
#(1Kz
{1%+t
 2007 Avira GmbH. All rights reserved.
%23)
;^25
2F O
2fYOW9
2`._Hj
$2kN
2qDO
2tD<$x<
3C,F
3i'm
3ogv
)>>4
4F.'\q
4hSr!
~~4z[s
50[:
5aLm
5EcX
5]H	r
^5J7$
.5lX
@:5Yd
60xu
6$Y<
7.6.0.59
7957
7;q{4
7v3e
8Fs,
8NDU
{8x6)
9)_,
-a=%	
_a5G
aav*
ABXir
ac)dd
AntiVir
AntiVir Command Line Scanner for Windows
AntiVir/Win32
Avira GmbH
<A-X
]BbG
BcS`a
bfQh
"c2%
c2Xz
c+-4
`?C 4
C6F"M
C.b}
C|<g
 CJ/
Comments
CompanyName
Copyright 
C]}p
Cq1`
ct|w
)$CW.
CWT<^
-c;z
"D%7
,d'BSN
dD(_R
dE5B
D`?UJO
$@e'
%eh?
E#q0
er!0u
#E^wH
 -ey
@&f4
fa5"
FileDescription
FileVersion
fkCv
>}{g
;),.g
%g&%
`,}G
g63"
g-her
gJ"a
@Gmbuo
gPtl
_gQ7s
gww5A.#
 ;	:H
heln
{H_f
HIjz3@U
 hJB
H=lt
hqF]
&hR@
+h]t
HUn:
H~vCw
hvZPIt
HyfA
HZ\_"
I+7O
iCGB
@$ig
iHuA;
$ild~t
InternalName
Ip1y
 is a registered trademark of Avira GmbH, Germany
iYptg
J'"?
][J4
JA5,
#%jb
_<J+F
}#JGk2
jh3r
J|kbHL
.j T
=[jW
Jxz8H@;
KIzr
KLU\!
*k$N
'K]vt
ky)@
}|[:l
@[l}
l3Kue
'L:Cv
ld]C
LegalCopyright
LegalTrademarks
;l(f
LnF2
lSm[Wx>
Lv)P
L)xj
\m;~
-m5b
MANIFEST
MI^B
:m.t
muH9
:nb&I
ncmR&B
nHVW
#;?nL
nL9!*Z
n$(V
nxUy
 \]o
O;2$
O\b&?Cn
%/obsB
oBsv
`	on
O'oA
o"P|
OriginalFilename
O>X1
o]xH
OZWd
--p;
p:{ 
p34+
\P|{6
@	pF
Phu'|IF
p/+P=z
PrivateBuild
ProductName
ProductVersion
+@pt
p-VQq
!'PW
pw1s
p>zq
]Q3_8.
#q+a}h
|r?\
;R.{-'
[r1%V	[
R,<Cwr"
RH6P
r"[l3=
RP[qm
rTAaw
S3%k
SBnK
sCs(
S$$*F
~S@I
S?IC
Sncr-cC
sNyw
S_p!
+SPa
SpecialBuild
s[Q[
StringFileInfo
svis
s'w#
s,)y
T3Mrrba
^t`b=
tcG1
+tDo
TdxF
tg$[^
t+G\H
t;l\
TQLj
Translation
;tuv
u0^O
{u37
u4.6l
Uc6r
UC"x
uJll
u?{M
UMxz
^U)r
U%xt
v@6x
VarFileInfo
v"/go
v:Oa/
-V/OY8?
}vR4
#vR&U
VS_VERSION_INFO
Vt;z
VUVQu2
VW8i5
VX cU
<&w]
|'%W
+{-W
w5}W
WBl%
WhT#Q
Wsf[
wuyq
X*`?
X1-UXu/
*}X8,
\X8V"
xK#{
xvJYq
X=\Z
[y/-*.
{y%$
y0Rrj
(yB7
YbhO=
YjNY
yooZ
ys&q
Ys/q0!
YS!X{
yUDx27
\YW 
+yW7GF+
Z"?$
Z3`f
~Z]f
z,HB5
!z'hi
zqG1|B
z|TE
Z +U
zUBD
"z`V
,zy>
~'&\-|
} $_/=
0!121R1l1~1
0DsoV.8
0hBE3S
0sFfTH
15292@2M2]2u2
1G~45dz
#'1YKHj~
21:}R0E
223o3u3
2/]gMYxIn9^
2KNEqY(
2O+kP#X
3>:/1y>
3C-l[g
 3H&X!
3Jw91`p
3K.+lr(
4_*3FW
{4H@A)
.4rh`\
4t@n)!
5"5(5.545:5@5F5L5R5X5^5d5j5p5v5|5
"5~F[B
5HtcVdd
5M8`uj
5MYrQ5
5)=pOU
)5Th8T
5Z`40v,
6$6*60666<6B6H6N6T6Z6`6f6l6
	6$%|pAz
6QA9zI
7&,,]#
72dD-t
7*b0R~	
{7D\cQ
|[|8$&
8*5q$1@S
8N t{T
8w6$8?r
) {'9=
9=oN#!.
9+Q3<[
	9v`Uo
AddFontResourceW
ADVAPI32.dll
% aN2d[
As/jnIp:
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
%at8mj
A#ugMF
av8#>q
Av9dd87
Aw*"BI
awPflO-L
bB[49>
*bB4I-=D
BB(Fpkr
b	 d1y
BitBlt
Bx70l8
C${cmH
CharLowerW
ChooseColorW
^C(Irhj0
CloseClipboard
_cM`g9#>
comdlg32.dll
CreateBitmap
CreateCaret
CreateCompatibleBitmap
CreateCursor
CreateDialogParamW
CreateFontIndirectW
CreatePen
@C'VaZ
+D06lV
D0QF>Er
DeleteDC
DeleteObject
Dij_Jgz
DNZ=^=vk
DrawFrameControl
Drv<I_k(
`DS;,;
";Dyw_Xc
e?DU3y
EnableMenuItem
EndDoc
;e,S.y
E,.U6R
;~	ex*
E,XDi&o
f7odYk
f'a}:9o
FindClose
FindNextFileW
FindResourceW
f]QE@Y
fq`-W*
F[)!rjd^
f`tig^K5
-F%vz=
(G3X*E
gdi32.dll
GDI32.dll
GetACP
GetConsoleMode
GetDlgItemTextW
GetGlyphOutlineW
GetKeyboardState
GetLocalTime
GetLongPathNameW
GetModuleFileNameW
GetOpenFileNameW
GetProcAddress
GetROP2
GetSaveFileNameW
GetScrollPos
GetStringTypeW
GetSystemMetrics
GetTextExtentPoint32W
GetTextMetricsW
GetTimeFormatW
GetWindowRect
.gH2up
%_g_Kd
GlobalSize
	gNjn[
&gP5h9
_Gp`g `
GX)Jv}
h&5&x6^
"H6) /
H8`40b
.HCc':z
HeapAlloc
^H\lS@<
h{,\o?
$Hwe~_
I|6aZ1
i`Co $
i"cXJB
InflateRect
InsertMenuW
InterlockedCompareExchange
iQOQvb
IsTextUnicode
iXNPkb
I\xP##
]j2p;iR
')J-,^a'
jET3nZ@
j"hewp
k1r{s 0
;\k1XG
_)k"4C
K8q2^u
kdK!Q2
kernel32.dll
KERNEL32.dll
keU6nD
 kGD$5
	KHrX3
{K!Iw.
$KlT&u
kRz4|)G
\_^k=t
	kUIsX
@l*.,)
<L{?6f
LeaveCriticalSection
LoadIconW
LoadLibraryA
lq!Y,c3
lstrcpynW
LTB$&\ `K
L&Y9"b
Mi9mNT
 {mp>KAp
mqm,_r
MtS^?0p
MultiByteToWideChar
NGEfBg
^n(URC
NX&y.q
NY[+wJ
<$n[:z
o%1QNl
o4v%DS5
#o*9v-
OF>^=<$
OffsetWindowOrgEx
ole32.dll
OleDuplicateData
OpenEventW
Op!Ma0
#p&!e@
:PIGe 
PostMessageW
PrintDlgW
pskrw}z
PTihB85
pV>i%q
p:[Vq]
q(6 '1
qg`T@0
qhy682
QN)	ri
qte*jgo
qv'MTV
>R{5!qJS
.rdata
RealChildWindowFromPoint
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegSetValueExW
@.reloc
RemoveFontResourceW
RemoveMenu
 <requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>
ResumeThread
_rfd6Ud
|'RLCv
SC1#HU
ScreenToClient
sD"32x
 </security>
 <security>
SelectObject
SetFocus
SetScrollRange
ShowScrollBar
S:	,kE{
S/L~ie
Sp6#;i/
ss2d`91
SY(,I3;4
T3WBGwz
t}cG0,
TfF{b5>
tFnd/L
!This program cannot be run in DOS mode.
TlsAlloc
 </trustInfo>
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TVrc7	
U+$)@*
uB1kY|
uFsY<)@H
u!L wuq
uLxP##
UnhandledExceptionFilter
U(PsYF
USER32.dll
uSG`=m
UuEHwk
VirtualAlloc
VirtualProtect
v,>piP
vXlkyC}	
w326aw
W/B_Zal
$WC$@rH
wd`@Z%
`wmI$j!
WuwuSa
	wy!/-!
#x0q}L
X1PMdu~
{Xi.&E
'_XJa&
X~jCA~z
x]m^c2
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xS$qnv
XT"(WZx@
__+X=V@PO
y880GyM
	!Y9j2
yC<DgIP
ycl_"m
)yD84D
yD$c_AnRs
:[y!.oAk
YPAp{mvHi&
?Z4II0
z~7tc_/$n
~z@8/-Am
%$Zg93
z;k)^H
ZQ8M`"
zQP1>^
.ZREpCLi
ZrSv_w
z.wj&W