Analysis Date: 2015-11-16 23:58:23
MD5: fbd560c07793f4f63a57be21bffd86c5
SHA1: 4fd8b1d6a19056e3ac39980c3cd842c4afc887b7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ce86ae0feea80ce96dc6edd9de6e5e7f sha1: ee0ed718dcef95dbfdf0456bc912d7d0fc86b16e size: 3072
Section .rdata: md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024
Section .data: md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536
Section .rsrc: md5: 6369b81a448c0677c83e7bfb6a47ac73 sha1: 8e20644dbbfaedd9a51ee711fcca6712afd797c0 size: 40960
Timestamp: 2014-06-12 06:28:09
Version:
LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: aa08b345557f392f5cf9a25e767913eb6eda649a
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Authentium: W32/Trojan.PEZH-2882
AV MalwareBytes: Trojan.Agent.ED
AV Dr. Web: Trojan.DownLoad3.40089
AV Grisoft (avg): Agent
AV Eset (nod32): Win32/Kryptik.CEET
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Trend Micro: TROJ_CUTWAIL.SM8
AV ClamAV: no_virus
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV BitDefender: Trojan.Dropper.Agent.VNI
AV Avira (antivir): TR/Dropper.Gen
AV Alwil (avast): Kryptik-NXT [Trj]
AV Fortinet: W32/Kryptik.CEET!tr
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV Ikarus: Trojan.Dropper.Agent
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): Trojan.Cutwail
AV Arcabit (arcavir): Trojan.Dropper.Agent.VNI
AV Mcafee: Downloader-FAKN!FBD560C07793
AV Twister: Trojan.DOMG.bszi
AV Symantec: no_virus
AV K7: Trojan ( 0049b9671 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.Dropper.Agent.VNI
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Dropper.Agent.VNI
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\gulipfeterol ➝ C:\Documents and Settings\Administrator\gulipfeterol.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\synergistic-technologies[1].htm
Creates File: C:\Documents and Settings\Administrator\gulipfeterol.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\inventagrupo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dcppcc[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mailhost.midwestlabs[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\computappoint.co[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lagranmanzana[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cccfcpa[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1banhope[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sexxx-porn[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gtsinteriorsupply[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\oiler.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\synergistic-technologies[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cccfcpa[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1banhope[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sexxx-porn[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gtsinteriorsupply[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\inventagrupo[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dcppcc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mailhost.midwestlabs[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\computappoint.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lagranmanzana[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\oiler.com[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: gulipfeterol
Winsock DNS: mauigiftbaskets.com
Winsock DNS: hendersonranchprop.com
Winsock DNS: 7-24airx.com
Winsock DNS: baanukulele.com
Winsock DNS: oiler.com.pl
Winsock DNS: cccfcpa.com
Winsock DNS: askdd.com
Winsock DNS: computappoint.co.uk
Winsock DNS: petrus-kirche.ch
Winsock DNS: aviationexam.com
Winsock DNS: gtsinteriorsupply.com
Winsock DNS: southamerica-photo.com
Winsock DNS: distronic.es
Winsock DNS: synergistic-technologies.com
Winsock DNS: 1banhope.com
Winsock DNS: dcppcc.org
Winsock DNS: mailhost.midwestlabs.com
Winsock DNS: inventagrupo.com
Winsock DNS: sexxx-porn.com
Winsock DNS: lagranmanzana.es
Winsock DNS: lotcottages.com

Network Details:

DNS: smtp.glbdns2.microsoft.com, Type: A, 65.55.163.152
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A, 63.250.193.228
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A, 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A, 98.139.211.125
DNS: aviationexam.com, Type: A, 93.185.110.148
DNS: gtsinteriorsupply.com, Type: A, 184.168.47.225
DNS: inventagrupo.com, Type: A, 50.63.202.61
DNS: dcppcc.org, Type: A, 158.199.140.60
DNS: synergistic-technologies.com, Type: A, 66.49.205.251
DNS: cccfcpa.com, Type: A, 192.254.210.123
DNS: sexxx-porn.com, Type: A, 108.59.8.74
DNS: lagranmanzana.es, Type: A, 52.30.54.117
DNS: distronic.es, Type: A, 46.226.47.26
DNS: 1banhope.com, Type: A, 210.172.144.23
DNS: oiler.com.pl, Type: A, 212.85.98.15
DNS: 7-24airx.com, Type: A, 97.74.42.79
DNS: baanukulele.com, Type: A, 27.254.96.180
DNS: mauigiftbaskets.com, Type: A, 198.154.239.214
DNS: askdd.com, Type: A, 184.168.221.1
DNS: hendersonranchprop.com, Type: A, 76.77.144.86
DNS: petrus-kirche.ch, Type: A, 80.74.155.167
DNS: southamerica-photo.com, Type: A, 89.161.171.117
DNS: lotcottages.com, Type: A, 54.231.132.61
DNS: computappoint.co.uk, Type: A, 162.13.76.194
DNS: smtp.live.com, Type: A
DNS: smtp.mail.yahoo.com, Type: A
HTTP POST: http://lagranmanzana.es/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://inventagrupo.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://gtsinteriorsupply.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://dcppcc.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://synergistic-technologies.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sexxx-porn.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://cccfcpa.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://1banhope.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://oiler.com.pl/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://distronic.es/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://7-24airx.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://aviationexam.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://baanukulele.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://mauigiftbaskets.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://askdd.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://hendersonranchprop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://petrus-kirche.ch/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://southamerica-photo.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://lotcottages.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://computappoint.co.uk/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
Flows TCP: 192.168.1.1:1037 ➝ 52.30.54.117:80
Flows TCP: 192.168.1.1:1041 ➝ 50.63.202.61:80
Flows TCP: 192.168.1.1:1042 ➝ 184.168.47.225:80
Flows TCP: 192.168.1.1:1043 ➝ 158.199.140.60:80
Flows TCP: 192.168.1.1:1044 ➝ 66.49.205.251:80
Flows TCP: 192.168.1.1:1045 ➝ 108.59.8.74:80
Flows TCP: 192.168.1.1:1046 ➝ 192.254.210.123:80
Flows TCP: 192.168.1.1:1047 ➝ 210.172.144.23:80
Flows TCP: 192.168.1.1:1048 ➝ 212.85.98.15:80
Flows TCP: 192.168.1.1:1049 ➝ 46.226.47.26:80
Flows TCP: 192.168.1.1:1050 ➝ 27.254.96.180:80
Flows TCP: 192.168.1.1:1051 ➝ 93.185.110.148:80
Flows TCP: 192.168.1.1:1052 ➝ 97.74.42.79:80
Flows TCP: 192.168.1.1:1053 ➝ 198.154.239.214:80
Flows TCP: 192.168.1.1:1054 ➝ 184.168.221.1:80
Flows TCP: 192.168.1.1:1055 ➝ 76.77.144.86:80
Flows TCP: 192.168.1.1:1056 ➝ 80.74.155.167:80
Flows TCP: 192.168.1.1:1057 ➝ 89.161.171.117:80
Flows TCP: 192.168.1.1:1058 ➝ 54.231.132.61:80
Flows TCP: 192.168.1.1:1059 ➝ 162.13.76.194:80