Analysis Date: 2015-11-19 02:48:48
MD5: a4e1436a0367590293642627f285ea00
SHA1: 4b04c94c55216a6de971176fa0c37fe320158243

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f095169211655f559c445a3d30b8de8b sha1: 705a21fe856f2d0175cb92e26dd152623ee8080a size: 16384
Section .rdata: md5: 66138462bee999644b34e5d2ee66cd34 sha1: 223054c20f05661e2bac2d1e886fb57cfb9a3d86 size: 2560
Section .data: md5: 74017aa826b6b2b2a4992f50742fd9af sha1: 6f292b3012e0adea97530f64a3b9167c5597149e size: 2560
Section .rsrc: md5: fab627a7ce4ebfa7689e8e2d37ef4148 sha1: fa26dfb9af0f5cccede2f4f588f0897bbb21c3e7 size: 7680
Section .reloc: md5: 98e0e0754a5a341c90f27335e313d065 sha1: b4c4650f8261e8ebf17ef12b4aecf8f2e7bcabaa size: 512
Timestamp: 2012-03-20 03:34:18
Packer: Microsoft Visual C++ v6.0
PEhash: f67acd7f49a21c4859e8a7b7f92d6ca99eb9eb6c
IMPhash: 8b76f15763a5001c84e7738224fac765
AV CA (E-Trust Ino): Win32/SillyDl.KceVNKB
AV Rising: no_virus
AV Mcafee: PWSZbot-FTY!A4E1436A0367
AV Avira (antivir): TR/Crypt.Xpack.37395
AV Twister: TrojanDldr.Tiny.NKK.dcbl
AV Ad-Aware: Gen:Variant.Symmi.41676
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/TrojanDownloader.Tiny.NKK
AV Grisoft (avg): Luhe.Fiha.A
AV Symantec: Downloader.Upatre!gen3
AV Fortinet: W32/Tiny.NKL!tr.dldr
AV BitDefender: Gen:Variant.Symmi.41676
AV K7: Trojan-Downloader ( 004993d51 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.A
AV MicroWorld (escan): Gen:Variant.Symmi.41676
AV MalwareBytes: Trojan.Downloader.ECA
AV Authentium: W32/A-c6bede7f!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Downloader
AV Emsisoft: Gen:Variant.Symmi.41676
AV Zillya!: Downloader.Tiny.Win32.3376
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_DALEXIS.SMF
AV CAT (quickheal): TrojanDownloadr.Kuluoz.MUE.D6
AV VirusBlokAda (vba32): TrojanDropper.Demp
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.41676
AV Arcabit (arcavir): Gen:Variant.Symmi.41676
AV ClamAV: Win.Trojan.Downloader-62901
AV Dr. Web: Trojan.DownLoad3.33226
AV F-Secure: Gen:Variant.Symmi.41676

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\4b04c94c55216a6de971176fa0c37fe320158243.gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_72781.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
157.55.240.94
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Opera/9.25 (Windows NT 6.0; U; en)
Flows TCP: 192.168.1.1:1031 ➝ 157.55.240.94:80

Strings
_acmdln
_adjust_fdiv
CloseHandle
_controlfp
CreateDirectoryW
CreateEventW
CreateThread
@.data
DeleteCriticalSection
__dllonexit
EnterCriticalSection
_except_handler3
ExitProcess
FileTimeToSystemTime
FindClose
FindResourceW
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCommandLineA
GetCommandLineW
GetCurrentThread
GetEnvironmentStrings
GetEnvironmentStringsW
__getmainargs
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeW
GetVersionExA
GetVersionExW
HeapAlloc
HeapDestroy
HeapFree
HeapReAlloc
_initterm
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IPHLPAPI.DLL
KERNEL32.dll
LCMapStringW
LocalFree
lstrlenW
MSVCRT.dll
MultiByteToWideChar
nvmpu.nvu
_onexit
__p__commode
__p__fmode
RaiseException
`.rdata
ReadFile
@.reloc
ResetEvent
SCARDDLG.dll
__set_app_type
SetEvent
SetFilePointer
SetIpNetEntry
SetLastError
__setusermatherr
SHELL32.dll
SHFileOperationW
TerminateProcess
!This program cannot be run in DOS mode.
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VirtualAlloc
WaitForSingleObject
_XcptFilter