Analysis Date: 2014-03-19 02:39:51
MD5: 5019ce4f4639a8808a1145b0468a9a14
SHA1: 60d602b3f2efe3f960d97b289343e0210a51573a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .Upack md5: c8f5ced71c328ce2ade20bb4f5107433 sha1: 06fdfedf2f505108b5d941933eabf9bbe94e5b19 size: 192
Section .rsrc md5: 94f72abcd1e25d58d3f84c380444e9bd sha1: ad20ee541198a870ffa979d58757a0737f4181ad size: 125545
Timestamp: 1970-01-01 00:00:00
Version:
LegalCopyright: Microsoft Corporation
InternalName: resources
FileVersion: 3.00
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Corporation
Comments: resource
ProductName: resource
ProductVersion: 3.00
FileDescription: resource.exe
OriginalFilename: resources.exe
Packer: Upack v0.31 beta -> Dwing
PEhash: 929ed95a4eb15c3ba48339d60b5b63ca4a1a992b
IMPhash: 87bed5a7cba00c7e1f4015f1bdae2183
AV avg: PSW.Banker.EZU
AV clamav: Trojan.Bancos-478
AV avira: TR/Crypt.FKM.Gen
AV msse: TrojanSpy:Win32/Bancos
AV mcafee: PWS-Banker.gen.bb

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\windows\resources.exe
Creates Process: c:\windows\resources.exe

Process
↳ c:\windows\resources.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service System ➝ "c:\windows\resources.exe"\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run\Service System ➝ "c:\windows\resources.exe"\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ieupdate.dat
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC32.tmp
Winsock DNS: www.supernet.speedserv.com
Winsock URL: http://www.supernet.speedserv.com/downloads/winlockdll.dll

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: www.supernet.speedserv.com
Type: A
DNS: smtp.mail.yahoo.com.hk
Type: A
Flows TCP: 192.168.1.1:1032 ➝ 188.125.69.59:25

Strings
040904B0
3.00
Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
Microsoft Corporation
OriginalFilename
ProductName
ProductVersion
resource
resource.exe
resources
resources.exe
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO