Analysis Date: 2014-11-28 07:57:46
MD5: bbc433e1cdc77e6b28ef1fc0b4377299
SHA1: 590db3056ac7f886dfb470f929acdd815e69ddad

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0999fdfe7c9642c9e347e975a3210075 sha1: 027491907dbd2e6bbf8f658c7263935b2f306f3a size: 8704
Section .data md5: 0863b2a100ade4946f8e2b379adcc22e sha1: 3e0958372ab30d34902741c17c4f93fc04108adf size: 12288
Section .bss md5: 187987e7cee21c83480490e87b0d176e sha1: f24674f3d0703d0270b5fef12c797490171ce07f size: 49152
Section .idata md5: 2a3e15fe95585deb614b3f82f3ca530a sha1: b10341f17636491592769b01a8be4a7103cced7f size: 3584
Section .rsrc md5: 8d6189e6619d31ea8bb0820c36318583 sha1: 30b31c5723118ac3148197d7809451dfc033fdfa size: 4096
Timestamp (PE compile time, attacker-controlled, not authoritative): 2010-02-12 17:44:04
Version info: LegalCopyright: Copyright © 2010 PC Tools. Ym All rights reserved. w
InternalName: gmagR.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName:
ProductVersion: 7.0.0.61
FileDescription: PVideo ComponentS
OriginalFilename: gmagR.exe
(Note: the stray "Ym" / "w" in the copyright string are present verbatim in the binary's own strings below, so they are part of the resource rather than an extraction artifact. The fields do not agree with each other — CompanyName "videosoft", copyright naming "PC Tools", description "PVideo ComponentS" — which is consistent with a forged version resource; treat none of them as provenance.)
Packer: Borland Delphi 4.0 (this is a compiler signature rather than a packer; several engine names below — Crypt.XPACK, Malware-Cryptor, MalOb [Cryp] — suggest an additional crypter layer on top, which the static view here cannot confirm)
PEhash: a92064d07fdbb85638665dc03af9a5854a849090
IMPhash: f15ea847320c5e1160d51d3cee2c1f5f
AV 360 Safe: Gen:Variant.Kazy.20920
AV Ad-Aware: Gen:Variant.Kazy.20920
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Variant.Kazy.20920
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Win.Trojan.Renos-40
AV Dr. Web: Trojan.DownLoader2.44220
AV Emsisoft: Gen:Variant.Kazy.20920
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BBT
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.20920
AV Grisoft (avg): Citem.DQR
AV Ikarus: Trojan.Win32.Diple
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan.Win32.Diple.ndf
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.20920
AV Rising: Trojan.Win32.Generic.1286782A
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Zbot.4213
(Consensus across the 29 engines listed: 28 detect, 1 reports no_virus. The recurring names — Renos, FakeAlert, FakeAV, TrojanDownloader, Diple — point to a downloader for rogue/fake-antivirus software; the single Zbot-tagged name is a heuristic crypter signature and on its own does not establish a Zeus connection.)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1806 ➝ NULL
(Zone 3 is the Internet zone; action 1806 (URLACTION_SHELL_EXECUTE_HIGHRISK) governs the "Launching applications and unsafe files" prompt. The sandbox rendered the zone key as "\x03". The report shows a NULL value but does not say whether the key was written or only queried — confirm from the raw trace before treating this as a security-setting downgrade.)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(The index.dat files and WininetConnectionMutex are the usual side effects of WinINet use, consistent with the DNS activity below; they are not themselves indicators. The dropped batch file's contents are not captured in this report.)

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul

Creates File: nul (artifact of the "> nul 2> nul" redirection, not a dropped file)
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe
(The batch removes both itself and the original executable — a self-delete stub. Since the .bat contents were not recorded, it cannot be ruled out from this report alone that it did more, e.g. a copy or persistence step; no such file creation is listed, though.)

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.28.139
DNS: seesaa.net
Type: A
59.106.98.139
DNS: yelp.com
Type: A
198.51.132.80
DNS: yelp.com
Type: A
198.51.132.180
DNS: voodoopix.in
Type: A
(no answer recorded)
DNS: grindbuzzchat.in
Type: A
(no answer recorded)
(The three resolved names are well-known legitimate sites and look like connectivity checks rather than infrastructure. The two .in domains returned no A record during analysis, so any follow-on download implied by the "Downloader"/"Renos" detections could not be observed; the Raw Pcap section below is empty. Treat voodoopix.in and grindbuzzchat.in as the candidate indicators, with the caveat that they were unresolved at analysis time.)

Raw Pcap

Strings (unordered dump; note the embedded application manifest fragments below: an assemblyIdentity named "Windows - Setup UAC" with requestedExecutionLevel "highestAvailable" and supportedOS entries for Vista and Windows 7 — on those systems this produces a UAC elevation prompt attributed to a Windows-setup-looking name, so a user who approves it hands the sample administrative rights)
|
5
.#..
040904E4
 2010  PC Tools. Ym All rights reserved. w
7.0.0.61
&About
AIMN
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
gmagR.exe
InternalName
LegalCopyright
LegalTrademarks
MAINMENU(
&Open
OriginalFilename
ProductName
ProductVersion
PVideo ComponentS
slej
StringFileInfo
Translation
VarFileInfo
videosoft
VS_VERSION_INFO
 ?@~+.^
&$>-\/
 [(=08
0Kd`8uh
2H=;8Y[N
30[pX=
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3B""$33333
41xu(@#1
4"*""C3338
>"4:Fj
$=,[4h<qD
4kD]P1`
4k<]P1\
4:QrDVW
5y4-kD!
`6*0g+Zn
(7TU~:
7wGmVm
8[D=T`
922h7Bb
9AXF_N
_~9Q\<
{[9Vx7n
aJgUTcF-8[
ak5BE|,_
AnamniUAC2
*]aPf1
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
A	#])Yn
B4mdbnj
$b~asic_:tr
bdjj>M
.Bg!TV
Bg>YPOR]<
"C3338
c6BdaI
"C8338
CallWindowProcA
CharToOemA
CharUpperBuffA
ChildWindowFromPoint
Cjfl=Rh@
_cKMEsE7Bn
CloseHandle
?c`omp
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreatePopupMenu
"|cSG-
_CsxfbcMv7@16
`.data
DE0W97b
DeleteMenu
DestroyCursor
DiUBQnqPGr
<=D[LhTq\
d=l[tS
"	DMS}CP60
*DqEL!
DrawIconEx
;dXlit
DY@9HL
|E0KmP
e^!1|i
E ^[1k
E9?PBq
]eghfQ
EnableMenuItem
EnableScrollBar
EnableWindow
EndDialog
EnumCalendarInfoA
EnumWindows
ePtX=?V
eQ+S^^
}ET.dl
&E<tVR
eX)=/}
ExitProcess
E*xm{ 
fbeof6
fd^!1|i
_fF43eMNy7S@24
FKOYfvr
FrameRect
f~.texA
FX6xsmEg6@20
GA5WIt
GetACP
GetActiveWindow
GetClassLongA
GetClassNameA
GetClientRect
GetClipboardData
GetCurrentThread
GetCursor
GetCursorPos
GetDesktopWindow
GetDiskFreeSpaceA
GetEnvironmentStrings
GetKeyboardType
GetLastActivePopup
GetLocalTime
GetMenu
GetOEMCP
GetProcessHeap
GetScrollRange
GetStdHandle
GetStringTypeW
GetSubMenu
GetSysColor
GetSysColorBrush
GetVersionExA
GetWindowLongA
GetWindowPlacement
GetWindowRect
GetWindowThreadProcessId
GlobalAddAtomA
gmagR.exe
G%O-\o
+Gt2C/G.E=\*<]
GT:*p9=L$<A)
GUu5(kd
G#_VSl
H1pssPF1
HeapAlloc
:H	;eXL
h$/{<]T1l
huiSEW
iAPjQ^
icv6Vxl
@.idata
IntersectRect
InvalidateRect
IsCharLowerA
IsChild
IsIconic
IsMenu
IsZoomed
ixf aA;
j2Iy6AX
"J333333
"J"C3333
JkXQxa
jmwar)
jq=eE9k19q
jWBg9T@20
K#0PT(;U~
k8]L1`
k9i^<X
ke=[)5*t(
KERNEL32.DLL
<kH]t1
kI@UlP
@kL]h1x
_l8XbjujfIqe
LeR}G(
lhHkACySE
lHkgYA
LkT]\1`
LoadIconA
LoadLibraryA
LoadStringA
LocalAlloc
;LXTi\
main.cpl
MapVirtualKeyA
MapWindowPoints
mbly G
MLGoQLXM0
M[oWQ=(Zh)
MsgWaitForMultipleObjects
mzHWz@4
_nllbkG@24
NLNMKI
?nlpos#
NRBZ2db
NX;]J%QE
Ny58gve
_nZhszlbIt
O`[p4Y
o[t=y~
 p|$|!0
p0[@=P`
:P	;7XX
p99N35
pH]T1`
^p>]%i
PKt`Xux
>^P=or
PostQuitMessage
prabzh
PtInRect
pUNIQSCTR
pWAq!<
 pXkh]x1
q|$=,[4h<qD
QBEAHI
q=Bwz!
qoQRaVjI
Qvs3Sz
q Zwm3
r3ZQ)^t
r4;|Z$)
R`A!L	
RegisterClassA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
RhhT{V]F16
rP23n8QAE
@.rsrc
rTyaD3ORM0
rxoQTRgS19u3Y
s2X]m2
_S8Jtv@16
ScreenToClient
ScrollWindow
`;sdP?
      </security>
      <security>
sert&%
SetActiveWindow
SetCapture
SetClassLongA
SetForegroundWindow
SetMenu
SetParent
SetRect
SetWindowPos
s_|(>f
sFdoMnIr
shell32.dll
SHGetDesktopFolder
SHGetDiskFreeSpaceA
Spvu*aW
[[S~Qk
SQU0cLL
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
SystemParametersInfoA
 T8i(grXXm
$t;>D^
?_Tfidy
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
Thua@dI
+T`N6j
TrackPopupMenu
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t!(z\\
;Ubh\0
UlkLUK
UnhookWindowsHookEx
up`:gx
USER32.DLL
uxApr 26
UY`!+LQ
VirtualAlloc
VirtualFree
VirtualQuery
^VZuUE
WaitForSingleObject
/WC{j=
WideCharToMultiByte
Wiy('w
-wKERN
wsprintfA
Wx0QZ^&KIY
wZpy=e4
%xa6Az
xG9876549a13:
[xh q|
;$X,i4
+)<?|xml v
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
\%|xv/
XxA[8;|X
$]}XxX
y^.V*BY
Y)=Ws-~
Z#V}GW
Z\]	Yh