Analysis Date: 2014-02-10 10:39:07
MD5: 5e90643ef10d73dae16fab7cda2f5da4
SHA1: 54b0f638606c78a5d9621efb8e741ea791bd240f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 87e6f5297088bee5465900427f008173 sha1: 6db6d347c89e9f11e5b27cf5c53669e0bd0656d4 size: 6144
Section .data md5: f1ab2370a364765cc01820a3d76a41eb sha1: a4d996a9b0fb0dd7596ff39134925b46637b7774 size: 2048
Section .rdata md5: 01462bbaa54d603bfa3454feccb63fd6 sha1: 3644b510638233ef5a7a8412f53612d28c36dd85 size: 2560
Section .idata md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc md5: adc39a152be102eb7a041e991a6d202c sha1: 76189e9a0c3b080a0c8dcac8bfa0acf0dcd1001a size: 5120
Timestamp: 2004-05-20 06:02:07
PEhash: ab3674385af7a5984f7df04190fe4c06034fcd66
AV avira: TR/Yarwi.B.139
AV avg: Downloader.Generic13.BUTM
AV msse: TrojanDownloader:Win32/Upatre.A
AV mcafee: BackDoor-FBPV!5E90643EF10D

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: findlawenforcement.com

Network Details:



Strings

Cancel
C:\bf32d3b0\b662ef49.exe
E&xit
&File
&Help
MS Shell Dlg
&New 
~~~~~~~~
*++++++(,-.//,0 1234256++++++78
22222222222222222222222222222222222222222222222222222222222222222222222222222222
-2NO ;;; PQRS
3eLp,lWoN
7oLd7iMrLrdEcA
7oLd.u]sZr,
9T`aaa
9TTTTT
A1d5e#[YGGGGGGfgQ_	
;      (<=>?@<->A@BA@C<     * DE
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
BeginPaint
bGGGGGGHIW^c[Z
BiYmX.OlW
 b +/o
CheckMenuItem
CloseClipboard
CreateCaret
CreateDirectoryW
CreateMenu
DestroyCaret
Eh1^1g
EmptyClipboard
EnableMenuItem
/eQWTnOobP]oNA
ExitProcess
F]ePLTb]a]y
#F=FFFFF
FFFFFFF
FFFF=FFFFFF
FFFFFFFFFF=
FFFFFFFFFFF
FindWindowA
fl?8Z`et
FlashWindow
GetClientRect
GetClipboardData
GetClipboardOwner
GetCursorPos
GetKeyboardLayout
GetKeyboardState
GetMessageA
GetMessageTime
GetModuleHandleA
GetScrollInfo
GetSystemMenu
G;;;;;;HI
GlobalLock
GlobalUnlock
GPt;rZc,dOrPs^
HeapAlloc
HideCaret
HPa[C]eLtP
.idata
iGGGGGUjkXclcVmmnfodpqrUGUGGUfsQtu	
}iiiiiii~
InvalidateRect
IsBadReadPtr
IsWindow
IsZoomed
J1KL-5M@5M
kernel32.dll
LJ fw'
LoadIconA
MessageBoxIndirectA
MsgWaitForMultipleObjects
;o^t<uTt8e^sLgP
PostMessageA
.rdata
RegisterClassA
RegisterClipboardFormatA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
;R:F?O=
?rLn^lLtPMPs^aRe
.rPa_eBiYdZw0x,
rPcZrO ]eN
ScreenToClient
    </security>
    <security>
SetCaretPos
SetClassLongA
SetClipboardData
SetKeyboardState
SetScrollInfo
SetWindowPos
SetWindowTextA
ShowCaret
S`n>hTnP
!This program cannot be run in DOS mode.
ToAsciiEx
ToUnicodeEx
TrackPopupMenu
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
ttttFFFFFFFFFFFF
	||||	u
U;;;;;;HVW0XYZ0[\]5AX^HO;;;;O;[Q_
user32.dll
VPjkrZ
W'fl:;E`YtU
WinHelpA
wUUUUUUUjxrUrjyyzrrzorUUUUUUUfs{F
XcTSPnOS_rTnRA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>