Analysis Date: 2014-06-13 17:30:07
MD5: 4fa3b23c6557ec300ccd3eb10da496cc
SHA1: 50bd3d84dbbdd0a74ab7519e1fdafafdddbc470d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 185492ee589e45ae90dbacfd422ca514 sha1: 83e3763aa23a6c41f6aeb7b19729b1287ec5808a size: 7168
Section .data md5: 24529b37d72ad021ea9b008a4a61c8ac sha1: ec1166322ce4ed5853fc72795dee8b68d47ae31f size: 12288
Section .bss md5: a54482415d063d90b3d0f88d54ce5c69 sha1: c15b2c5acfc6436820d65d8841c99badfb3dad35 size: 48128
Section .idata md5: 637b403457bdf33f18752ec51c90afe1 sha1: 53278ebe427ad41bbd2331fab9e67e537cefb8c9 size: 4096
Section .rsrc md5: 11aabfb9df67d859852fe278f7b408cf sha1: c57e7b09e865394e3c5dbe04280d9915119aa6aa size: 4096
Timestamp: 2009-02-08 03:10:36
Version
LegalCopyright: Copyright © 2010 cW PC Tools. E All rights reserved. lV
InternalName: fmag3Do.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: X 4P
ProductVersion: 7.0.0.61
FileDescription: JVideo Component0
OriginalFilename: fmag3Do.exe
PEhash: 65193a774f60f36b2d9586644f5a6c302dceb340
IMPhash: f69c628b1cefcfe491741d113bed4576
AV 360 Safe: Trojan.Generic.KD.202026
AV 360 Safe: Trojan.Generic.KD.202026
AV Ad-Aware: Trojan.Generic.KD.202026
AV Ad-Aware: Trojan.Generic.KD.202026
AV Alwil (avast): MalOb-IJ [Cryp]
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Dldr.Renos.MK.1
AV Avira (antivir): TR/Dldr.Renos.MK.1
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Jorik-122
AV ClamAV: Trojan.Jorik-122
AV Dr. Web: Trojan.DownLoader2.42906
AV Dr. Web: Trojan.DownLoader2.42906
AV Emsisoft: Trojan.Generic.KD.202026
AV Emsisoft: Trojan.Generic.KD.202026
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BBT
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BBT
AV Fortinet: W32/Krypt.QKV!tr
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado (generic, not disinfectable)
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Generic.KD.202026
AV F-Secure: Trojan.Generic.KD.202026
AV Grisoft (avg): Generic22.UBH
AV Grisoft (avg): Generic22.UBH
AV Ikarus: Trojan.Win32.Jorik
AV Ikarus: Trojan.Win32.Jorik
AV Kaspersky: Trojan.Win32.Generic
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.MJ
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.MJ
AV MicroWorld (escan): Trojan.Generic.KD.202026
AV MicroWorld (escan): Trojan.Generic.KD.202026
AV Norman: winpe/FakeAV.ADQA
AV Norman: winpe/FakeAV.ADQA
AV Rising: Trojan.Win32.Generic.1286646C
AV Sophos: Mal/FakeAV-IZ
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_AGENT.SMAH
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): Trojan.ExpProc.EA

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.98.139
DNS: seesaa.net
Type: A
59.106.28.139
DNS: yelp.com
Type: A
198.51.132.160
DNS: yelp.com
Type: A
198.51.132.60
DNS: flashz.in
Type: A
DNS: webdatum.in
Type: A

Raw Pcap

Strings
W^L
.T
.
.
.]
y
.I#^~

040904E4
 2010 cW PC Tools. E All rights reserved. lV
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
fmag3Do.exe
InternalName
JVideo Component0
LegalCopyright
LegalTrademarks
MAINMENU(
&Open
OriginalFilename
PGPC
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
videosoft
VS_VERSION_INFO
X 4P
=0Ab;s
="1.0&4 Xc
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
5GsC_#_
_5kTzIyvdP7y@24
_5rsSHa@24
_5ZRKXT_1uUqo@20
-6 j>'
6'lkqF
6rTZakuJdu@20
=[,7 G
}7MtVW
_81oEY
8D|(D}
\8s]{5[~`Q{
%9:u$V~&
9x/8vF
  </application> 
  <application> 
Apr 24
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
bezZb1U@16
bQ9l7lIz
_BSc0HsWXJJ9
"C3338
"C8338
CharNextA
CharToOemA
CheckMenuItem
c/	m60
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CP60-e
CreatePopupMenu
Cu0Q`J
d7JvXk
`.data
dBRcSPzYs
DeleteCriticalSection
DeleteFileA
DestroyWindow
\Dp7>{
DpF589
dSKp@7
E5g~&p
EnterCriticalSection
EnumCalendarInfoA
EozpjV
EqualRect
ET.dl,
ExitProcess
FillRect
FindClose
FindFirstFileA
FindWindowA
FIN\}j
fmag3Do.exe
FrameRect
FreeResource
:f{=?V
Fz5Mf73
G987654
gcubVj
gczQAci
GetACP
GetClassLongA
GetClassNameA
GetClientRect
GetCommandLineW
GetCursor
GetDCEx
GetDesktopWindow
GetDlgItem
GetForegroundWindow
GetIconInfo
GetKeyboardState
GetKeyNameTextA
GetKeyState
GetLastError
GetMenu
GetMenuItemID
GetMessagePos
GetPropA
GetStartupInfoA
GetStringTypeW
GetSysColor
GetSysColorBrush
GetSystemMenu
GetWindowTextA
G:*L<0|
GlobalAlloc
_H7DT1
_Hs`@o
HVdRxsB`W
I4C;49
@.idata
I>d	Fu
i<Ibs#NjU
InflateRect
InitializeCriticalSection
InsertMenuA
InsertMenuItemA
IsDialogMessageA
IsIconic
IsRectEmpty
IsWindowEnabled
IsZoomed
izJ_=#
"J333333
J~73"j
j8'G(V_A
j8XKrr
"J"C3333
jf2G7k
Jfvx~Kp
|jJcE?V
K,[al/_
KERNEL32.DLL
KillTimer
LoadBitmapA
LoadLibraryA
L`+QmG1o
Ls0sH4
lyhyyDnLOB@20
m6Zy|I
m8e7sn
main.cpl
MapWindowPoints
mbly PLn
MessageBeep
MessageBoxA
mi2EIgni
MoveFileA
MsgWaitForMultipleObjects
Nj0SoM
NrPwGVt
nxDYGJ65nxUg5@8
o9~E?A
OffsetRect
oGipoMW4Cj@12
okUh)+
OOU,8{
POI0+j
PostMessageA
QAE-XZ
]q=*E@
qM{~=;
&R5cYs
RedrawWindow
RegisterClassA
RegisterClipboardFormatA
RegisterWindowMessageA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
ResetEvent
RNFL32
+r\r%^
@.rsrc
rvbn%)
ScreenToClient
      </security>
      <security>
SetClipboardData
SetForegroundWindow
SetLastError
SetPropA
SetScrollInfo
SetWindowLongA
SetWindowLongW
SetWindowTextA
S;G'W_~
ShowOwnedPopups
ShowScrollBar
SizeofResource
skW	m6
sOGz9j2F
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
SwjURr
t	}4^I
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
\TmUS"
_|~To?
To9nVuf
toQ0[=
TrackPopupMenu
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
uHu9dX
UKqNyl
uLSfXW
UMq\aA
UnhookWindowsHookEx
user32.dll
VerFindFileA
VERSION.DLL
VirtualAlloc
VirtualQuery
.> vW'
WZYDml
x3bgkp
x?9=@Gu
xml v3
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
X_N7nT
Xn&bj"
x/.PlJF
_xqPR79jTzN
yF'{@=
{Y=/mXT"
(z9gx^O
Z;I8rNyH
#Zz-!J