Analysis Date: 2014-03-31 05:01:28
MD5: 2af0a1c5778e1f2bd19686d503fbd104
SHA1: 4bbc08d6ccf92043fb5ab5b72878b927c7229d4f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (raw size zero; these are the hashes of empty input, which is normal for UPX's placeholder section)
SectionUPX1 md5: 146abf7f9fbcc1abccae893c54945c13 sha1: 8ee4dc817caef4bd3b1761368c32914c46c600e9 size: 89088
Section.rsrc md5: 108464f8ee7920fe321d322d9e873553 sha1: c4c21189ead09420e8b55319f023b4327eae8283 size: 1536
Timestamp: 1992-06-19 22:22:17 (the fixed link timestamp written by the Borland Delphi linker, consistent with the Delphi RTL strings below; it does not reflect the real build date)
Packer: UPX -> www.upx.sourceforge.net
PEhash: 21c472b066e5d6f489eca5052459e079265a3edd
IMPhash: ff63dc9c65eb25911a9bc535c8f06ad0
AV (AVG): PSW.Generic8.JLM
AV (Avira): TR/ATRAPS.Gen

Runtime Details:


Process
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint (the Winsock AFD device object, i.e. a socket was opened; no file is written to disk by this event)

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: smtp.mail.yahoo.com
Type: A
Flows: TCP 192.168.1.1:1031 ➝ 188.125.69.59:587 (SMTP submission port; matches the SMTP command fragments such as "MAIL FROM" and "AUTH LOGI" in the strings below)


Strings
Sz<
....
...I.;
B.
.;.
.).
.
&.O
Sz<
....
...I.;
B.
.;.
.).
.
&.O

DVCLAL
PACKAGEINFO
("< @	
()*+,-./
}&^~")
#$%&'*+-/=?_`{}|~
03 -7C
09GVFdBUkVcVml0YW
 0DTdi
0Global,
0%,mTg
0RPHP,
.0X'<)
0YR{Tt
(%*%+%-%/%1%3%5%7%9%;%=%?%A%D%F%
1A^8<(
"1x9NG
2%4%6%8%:%<%>%@%B%E%G%IV
2!iOw	
2)llR$
3579;=?ACEGIKMOQSUWY[]
3'C5j+k
(_3EUC-KR
3JBzM:
3 %`Qk@
3^Servibbi
`3to4+
3U} .#Q
.<3;W}n
4$0X48
"4<6*]
4%#bPCQ
<\	4%i
;/;4YE
5HO!BM
6KzXhCh
_6 ]rc
6udR\)i
6Xlk57
7A@N2%x>A@
7!gGroup
"7#RL8
7+UhA4
-7	xQI
)8aQA$
-8C]to9
@8(hYA
9"0#,G^Z 
9:;4H]
9c$[Pabcdef
9d[X!GL
9^n$"L
a}5{0	
a'8RKT
advapi32.dll
AeWFob28uY29t*
,AK5@ydC
|AMEFILE
ANEBAR/y
a=pJ*n
aq%S%V%Y%\%Y[Pp
ARc#hY
aS of sU:Yp
;'at>I@
AUTH LOGI
B4^(x4
{B-'|5
B7[m5#y 
^B8fm~
$Bad	=
=BL)XQq
Boolean
\Borland\Delphi\RTL
BrBEn"F
BUD$Y<`
.bv)r-
<*BXt k
ByZero
 !$C2$"#2$C2$%&C2$C'()$C2$*+2$C2,-.C2$C/01$C2$232$C2456C2$C789$C2$:;2$C2<=>C2$C?@A$C2$BC2$C2DEFC2$CGHI$C2$JK2$C2LMNC2$COPQ$C2$RS2$C2TUVC2$CWXY$C2$Z[2$C2\]^C2$C_`a$C2$bc2$C2defC2$Cghi$C2$jk2$C2lmn
@.C~5i\@~
c9|:J0
CallAs
C$;C(~=
%c%e%g%C%<
ceT9`V
CgRHluZ
CharNextA
CHARSET=
Ch!Typp
C#o$E0
c/-Rf;0 
cs0c3tClsLnl
CT]m_b
$CvH@ !
C"vk=a
d$){A-q
dd()#P
d%f%h%i%j%k%l%m%o%sO!,!
"DH1#lT
dH ^9C4$
&dhdLAP
DiskFreeD
dkF_Qgid
d; t="
 ~\DynDNS\Upd~A
	dZsQ09
e3(!d%
E6?[Hfh
!E_<8`
E8GlD"
EClass
`|eD?@
EHeapZ
EIn]Err[@iF`o
eIsoal5
ek$oM#
eLKp'D&
EmKk0_T
EOutOfMemoryS
%'{epwOcNovn
ExitProcess
F0aW9uIC
+fa3OA
FGHIJKLM
.F.,M60
foK 95bJs
F^@P@C>+
fpns	;
FPUMaskValue
ftTopO`
g 6r<*
GB2312
GetLongPathNameA
GetProcAddress
^:G!"EURI
ghijklmnopqr6uvwxyzABC
( g"(@>J=
_GKgOiAg
GpN26$WmD
`Gr`+!
#G:r@u
!g[:S7
g]u{I$
GWINDOWS{?
h	Exception0h!
HH":"NN
/;_(hj1=3b5
H%J%K%L%M%N%O%R%U%X%[%^%_%`%a%b%
hmw0Xw
H OC-B
-\hotjlCk
#@H!T`
HT`lxF
h[UO)Q
HURIAT
{H	Y}g[
#/Iad?
'I,[I(
?Ik:;<=>?@
 |{I}K
INFNAN
Integer
 IW4ClrE
J&[.']
j?9<dSu
%'JaFeb_ar
JD; OJH
JF@328
jOltI(gf
J~_X2g A
k$5g4"
kb 'Pac-
kernel32
KERNEL32.DLL
k\)l&yV
KPRAYUN
KtrGQT
L`7A6)
lBTU.'|j\k
+	Libr
LnMaxLi
LoadLibraryA
lusteWl
m0J7tDD/
:M0/rela
MAIL FROM
mE[|P3
:M*?$h
 	mpHigh!t
MtnLS[
MVyamFuNTV
'$%n-a
nClosedGradf
nDMb	64
n ?>Fp
NocuDT
Nr`KMV
nverflow\[-
N	 w2x
nYedWdm
o2022jp
OA_@v|
od/nOr?y
od	=;$T
o[EyMjMzNDQ1N
=o%hl6
O|jEw$S
~OkDS;6V
o}kS+yr)
oleaut32.dll
[#olvr
	OnG#H>H
OnlyWhen-O
oqsuwy{}
oZTUWVS
/!P/ 	
<p.}2K
P"_2<rfk
p_2W`qt
p 8`/g#hh
@.p@dp
p.!JL*
_Poi_(k
@PV2f4m
Qcales
Q!(d'8
Qkoftware
|que[,"(}
"QvGlc<
R\*AYdd
RC' TO:
RdH+(3$F )
RE5TIFNuaXBiB2MS4wG
RegCloseKey
Registry`_
rfacep
r SA4u+
r UDIwMTBAZ2
 s2}bB
SafecalA
_s\All $U
%s[%d]
sdf"k>mi{-
'/"SF4J
S 	G*F
 SiCXMXgWz'E
SilA^d/
S[\]^j
	SOFTWARE
 S|PF3
;%s <%s>h
Ssq(IG
String
<SubMulDivO
SU<HtH
?SuppEr{A
'?t{-#
t%!,%.%0%q
Tb7kB>
'|tC Z
TEifyEve
	TFile
T<H';#
This program must be run under Win32
t	lQ0Y
Tm8tSbgSW5mb3JtYXRpk`
>$TMul
[t}N	w
TObject
TocCcK	P
towshutd!
TPropFixup
#;TT#H
TTLExpired"y
:T:Tv/
+t_$xtZXtU0
ty<0mf@
u6A[Oa
u8Z7<7N
ubCCurrenc
%U&%]e
UGFzc3dvcmQ
${,U/?!i
%ULUGEK^
UNDARY=
UnknowDeci
,u{'p4lBn
user32.dll
V3 hIi
VariantCopy
V+CaG 
V/hw{Dt^
vLmNvb'
)#!V!W!"!&!r%!%#%'%)[Q
V	X^&a
w|%6Nc@
WS2Stub
!Wu6;_
\WWaitF@
;wxGx	
W!;x``R
x3ZXJrc1xEVUM=
xg@7vo
xiKHBL6
X'J+;]
^XJO8|"G
"X-:lD
;XNlcm5}WF
XorCmp4Fro
XQlTAw
#X- `Y
XYZ1234567890!
)(y0}x#
'yhuFri
%/yONUEED
yQq[-,
y_RveEB5]Vx
Yt$)O"f
YY]-/[H
(Z3`)E
Z3tbCO@iS
 ZU@}*h