Analysis Date: 2014-12-25 12:08:45
MD5: 25856208a1ddcc4e8e12b3a592d61bab
SHA1: 57e46073554acf3a5225369ecd3b8e1f46bf9b5c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5 7e70f72bf0f91ec3bbb7af2369d6de86  sha1 a112a6eb771300c739acb3aa1d11d835f331e23c  size 17408
Section .rdata: md5 f7e12bef3a012ceabbec08849ef734d7  sha1 e1dd1c9c9c4fff57a86576eab5d59b085aaa0b5b  size 112640
Section .data:  md5 d1d991205c383c08a6ae8bae1c78ddfc  sha1 01c8488538ab2758c207477df7bd2d86f1f59938  size 3072
Section .rsrc:  md5 bf619eac0cdf3f68d496ea9344137e8b  sha1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size 512
Section .reloc: md5 e1f43a63c2c5d9305a502908a795db80  sha1 6f6b3e5293132dd3c56e5ccd834cb25916d423ac  size 2560
Timestamp: 2014-03-06 16:59:48
Packer: Microsoft Visual C++ ?.?
PEhash: c2e97ff8ac93ec54873bcc7e820103d19d9ae396
IMPhash: 22bcdb1c2f9a247cef43b48f73d606ff
AV 360 Safe: Gen:Win32.ExplorerHijack.iuW@aaoGr6j
AV Ad-Aware: Gen:Win32.ExplorerHijack.iuW@aaoGr6j
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Win32.ExplorerHijack.iuW@aaoGr6j
AV Authentium: W32/Trojan.OJIL-3089
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Win32.ExplorerHijack.iuW@aaoGr6j
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader9.41477
AV Emsisoft: Gen:Win32.ExplorerHijack.iuW@aaoGr6j
AV Eset (nod32): Win32/Kryptik.BYKN
AV Fortinet: W32/Kryptik.BYKN!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Win32.ExplorerHijack.iuW@aaoGr6j
AV Grisoft (avg): Crypt3.KWV
AV Ikarus: Gen.Win32.ExplorerHijack
AV K7: Trojan ( 00497c9c1 )
AV Kaspersky: Trojan-Dropper.Win32.Injector.kzxr
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dgh
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.iuW@aaoGr6j
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
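
The IMPhash value in the static details is the MD5 of the sample's import table in a normalised form, which is why it is useful for pivoting: two builds of the same source linked the same way keep the IMPhash even when every file and section hash changes. The Python below is an added example written for this page, not output of the sandbox or any tool it ran, and it shows how that value is derived. It handles named imports only (the reference implementation in pefile also resolves ordinal imports through per-DLL lookup tables), and SAMPLE_IMPORTS is a constructed subset of the kernel32/user32 names visible in the Strings section in an assumed order, so its hash is illustrative and is not the 22bcdb… value the report gives.

```python
import hashlib

def normalize_imports(imports):
    """Build the string imphash is taken over: "dll.func,dll.func,..." in
    import-table order, with DLL names lower-cased and a .dll/.ocx/.sys
    extension stripped, and function names lower-cased."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        # Other extensions (e.g. ntoskrnl.exe) are kept whole, as pefile does.
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)

def imphash(imports):
    """MD5 of the normalised import string; order of imports matters."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()

# Constructed example (assumed order): names that appear in the Strings section.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryW"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "IsDebuggerPresent"),
    ("USER32.dll", "MessageBoxW"),
]

if __name__ == "__main__":
    print(normalize_imports(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Same set of imports in a different order gives a different hash.
    print(imphash(list(reversed(SAMPLE_IMPORTS))))
```

Because the hash covers the ordered, lower-cased list, a crypter that rebuilds the import table or a build with a different linker order breaks the match; treat an IMPhash hit as a strong clustering signal and an IMPhash miss as no information.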

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates Process: C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates Mutex: Global\irtgsjufn

Process
↳ C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe

Creates Process:
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\kgmdtngvnotbrhrdw
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\qdteroali
Creates Mutex: Global\ehjdbqcjicgzm
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\irseozgsercpkmgwv
Creates Mutex: Global\mschu
Creates Mutex: Global\aabhnqurdbfoh
Creates Mutex: Global\irtgsjufn
Creates Mutex: Global\stuxkwabijxwwaxrh
Creates Mutex: Global\wubqw
Creates Mutex: Global\aacxh
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\mxunbqgir
Creates Mutex: Global\iqlpefsfveadljlia
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\aelgflwcvvytstumy
Creates Mutex: Global\mtjjj

Process
↳ Pid 0

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\DRM\RasTls\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: My_Name
Winsock DNS: kjrpmh.chatnook.com

Network Details:

DNS: kjrpmh.chatnook.com
Type: A
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
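
The runtime and network details above are the part of this report that survives a repack: the drop path under All Users\DRM\RasTls, the Global\irtgsjufn mutex created by both the dropper and the dropped copy, a svchost.exe started by RasTls.exe rather than by services.exe, and the DNS lookup for kjrpmh.chatnook.com. The Python below is an added example written for this page, not sandbox code, that parses those report lines into an indicator set and applies three behavioural checks to the process tree. SAMPLE_REPORT is a constructed subset of the report's own lines, in the fused "Creates FileC:\..." form the sandbox prints (a "Label: value" form is accepted too); the check names and thresholds are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: process/file/mutex/DNS lines copied from the report above,
# as the sandbox prints them (label fused to value, e.g. "Creates FileC:\...").
SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe
Creates FileC:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates ProcessC:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates MutexGlobal\irtgsjufn
Process
↳ C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates Process
Creates ProcessC:\WINDOWS\system32\svchost.exe
Creates MutexGlobal\irtgsjufn
Creates MutexGlobal\mtjjj
Process
↳ C:\WINDOWS\system32\svchost.exe
Creates FileC:\Documents and Settings\All Users\DRM\RasTls\nprqyjadoqkp
Creates MutexMy_Name
Winsock DNSkjrpmh.chatnook.com
"""

# Accepts both the fused form ("Creates FileC:\...") and "Creates File: C:\...".
LABEL_RE = re.compile(r"^(Creates File|Creates Process|Creates Mutex|Winsock DNS):?\s*(.*)$")
KEYS = {"Creates File": "files", "Creates Process": "children",
        "Creates Mutex": "mutexes", "Winsock DNS": "dns"}

def parse_report(text):
    """Map each process path to the actions the report attributes to it, in report order."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("↳"):          # start of a new process block
            current = line[1:].strip()
            tree.setdefault(current, {"files": [], "children": [], "mutexes": [], "dns": []})
            continue
        m = LABEL_RE.match(line)
        if m is None or current is None:
            continue
        value = m.group(2).strip()
        if value:  # the sandbox also emits label-only lines for events it could not resolve
            tree[current][KEYS[m.group(1)]].append(value)
    return tree

def iocs(tree):
    """Flat, case-normalised indicator set suitable for a blocklist or hunt query."""
    out = {"processes": set(), "files": set(), "mutexes": set(), "domains": set()}
    for proc, acts in tree.items():
        out["processes"].add(proc.lower())
        out["files"].update(p.lower() for p in acts["files"])
        out["mutexes"].update(acts["mutexes"])        # mutex names are case-sensitive
        out["domains"].update(d.lower() for d in acts["dns"])
    return {k: sorted(v) for k, v in out.items()}

def findings(tree):
    """Behavioural checks that hold regardless of the sample's hashes."""
    hits = []
    written = {p.lower() for acts in tree.values() for p in acts["files"]}
    owners = defaultdict(set)
    for proc, acts in tree.items():
        # A genuine svchost.exe is started by services.exe; any other parent is a
        # strong sign the process is being used as an injection/hollowing host.
        for child in acts["children"]:
            if child.lower().endswith("\\svchost.exe") and not proc.lower().endswith("\\services.exe"):
                hits.append(f"svchost.exe spawned by non-services parent: {proc}")
        # An executable written earlier in the run and then executed is a dropped payload.
        if proc.lower().endswith(".exe") and proc.lower() in written:
            hits.append(f"dropped executable launched: {proc}")
        for name in acts["mutexes"]:
            owners[name].add(proc)
    # A mutex created by more than one process is the sample's own infection marker.
    for name, procs in owners.items():
        if len(procs) > 1:
            hits.append(f"mutex shared across processes: {name}")
    return hits

if __name__ == "__main__":
    t = parse_report(SAMPLE_REPORT)
    for k, v in iocs(t).items():
        print(k, v)
    for h in findings(t):
        print("FINDING:", h)
```

The single-use Global\ mutexes with random names are not worth hunting on; the one that matters is the mutex both processes create, because that is the name the sample checks to avoid reinfecting a host. The svchost.exe parent check and the dropped-then-executed check are independent of this sample and transfer directly to Sysmon or EDR process-creation telemetry.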

Strings

DOS stub and section names:
!This program cannot be run in DOS mode.
.data
.rdata
.reloc

Runtime library and loader names:
Microsoft Visual C++ Runtime Library
KERNEL32.DLL
KERNEL32.dll
kernel32
WUSER32.DLL
mscoree.dll
CorExitProcess

MSVC CRT error messages:
- abort() has been called
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
- CRT not initialized
- floating point support not loaded
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
- pure virtual function call
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
DOMAIN error
SING error
TLOSS error
Program: 
<program name unknown>
runtime error 
Runtime Error!
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.

Imported API names:
DecodePointer
DeleteCriticalSection
EncodePointer
EnterCriticalSection
ExitProcess
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FreeEnvironmentStringsW
GetACP
GetActiveWindow
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationW
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryW
MessageBoxW
MultiByteToWideChar
QueryPerformanceCounter
RtlUnwind
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
WideCharToMultiByte
WriteFile

Date/time formats and locale tables:
dddd, MMMM dd, yyyy
HH:mm:ss
MM/dd/yy
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday
January
February
March
April
June
July
August
September
October
November
December
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~