Analysis Date: 2015-08-22 07:06:16
MD5: 24987fbf8d9c4511c0cee054d29b3571
SHA1: 67556934c9e33a5bdbd91109b43e0523d63268f3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5cc685a6d6ca5a3f77589ed9f7e42c80 sha1: 51a5cdcf9d88b34ac3de370d20370f885783cff4 size: 1024
Section .rdata: md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024
Section .data: md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512
Section .rsrc: md5: c60216d6ce9d81ee1830a86aa8355cb3 sha1: e61809183d0d2f4ca03b459fc75cf0806db5e366 size: 58368
Timestamp: 2014-06-26 11:38:13
PEhash: f13de80a8e0ee698bbf613cc72d0cfdb65aee45e
IMPhash: 4ca0a0adb97211d9334271ded971bdde
AV Twister: no_virus
AV Alwil (avast): Cutwail-CM [Trj]
AV BitDefender: Gen:Variant.Kazy.327123
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV K7: Trojan ( 0049c2dc1 )
AV BullGuard: Gen:Variant.Kazy.327123
AV Zillya!: Trojan.Cutwail.Win32.169
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Kazy.327123
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_CUTWAIL.SM0
AV Frisk (f-prot): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.327123
AV MalwareBytes: Trojan.Agent.US
AV Symantec: Trojan.Zbot
AV Mcafee: Downloader-FAKU!24987FBF8D9C
AV VirusBlokAda (vba32): Trojan.Cutwail
AV ClamAV: no_virus
AV Ikarus: Trojan.Win32.Cutwail
AV CAT (quickheal): Trojan.Cutwail.r4
AV Ad-Aware: Gen:Variant.Kazy.327123
AV Eset (nod32): Win32/Kryptik.CFFF
AV Dr. Web: Trojan.MulDrop3.14959
AV Emsisoft: Gen:Variant.Kazy.327123
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Grisoft (avg): Agent
AV Fortinet: W32/Cutwail.CFFF!tr
AV F-Secure: Gen:Variant.Kazy.327123
AV Rising: no_virus

Runtime Details:

Process: C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\nupyciwypewo ➝ C:\Documents and Settings\Administrator\nupyciwypewo.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\brandcoolmarketing[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bcglaw[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\saudigypsum[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\drkassis[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\smallfuel[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ggm[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\blackvoib[1].htm
Creates File: C:\Documents and Settings\Administrator\nupyciwypewo.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nathancurrin[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\industrieundhandelsverlag[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southamerica-photo[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\brandcoolmarketing[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bcglaw[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\saudigypsum[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nathancurrin[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\drkassis[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\industrieundhandelsverlag[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\smallfuel[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ggm[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\blackvoib[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southamerica-photo[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: nupyciwypewo
Winsock DNS: intra-lock.com
Winsock DNS: crosworldmarine.com
Winsock DNS: teamco.com.tw
Winsock DNS: wingup-pt.com
Winsock DNS: nathancurrin.com
Winsock DNS: arrange-hair.com
Winsock DNS: nashsolar.com
Winsock DNS: brandcoolmarketing.com
Winsock DNS: bcalex.com
Winsock DNS: ggm.ch
Winsock DNS: southamerica-photo.com
Winsock DNS: arice.net
Winsock DNS: saudigypsum.com
Winsock DNS: smallfuel.com
Winsock DNS: drkassis.org
Winsock DNS: industrieundhandelsverlag.de
Winsock DNS: blackvoib.com
Winsock DNS: shirleyatkinson.com
Winsock DNS: sormpack.com
Winsock DNS: bcglaw.com

Network Details:

DNS: smtp.glbdns2.microsoft.com, Type: A ➝ 65.55.176.126
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A ➝ 98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A ➝ 63.250.193.228
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A ➝ 98.138.105.21
DNS: brandcoolmarketing.com, Type: A ➝ 192.254.201.177
DNS: blackvoib.com, Type: A ➝ 23.106.102.12
DNS: southamerica-photo.com, Type: A ➝ 89.161.171.117
DNS: smallfuel.com, Type: A ➝ 207.58.136.17
DNS: ggm.ch, Type: A ➝ 82.195.225.157
DNS: bcglaw.com, Type: A ➝ 202.191.63.90
DNS: industrieundhandelsverlag.de, Type: A ➝ 87.106.1.149
DNS: saudigypsum.com, Type: A ➝ 5.2.91.41
DNS: nathancurrin.com, Type: A ➝ 23.229.148.38
DNS: drkassis.org, Type: A ➝ 91.121.55.79
DNS: arrange-hair.com, Type: A ➝ 210.233.78.68
DNS: teamco.com.tw, Type: A ➝ 60.250.199.64
DNS: intra-lock.com, Type: A ➝ 69.42.78.206
DNS: shirleyatkinson.com, Type: A ➝ 80.94.193.27
DNS: bcalex.com, Type: A ➝ 219.94.129.36
DNS: wingup-pt.com, Type: A ➝ 219.94.163.161
DNS: arice.net, Type: A ➝ 157.112.189.13
DNS: smtp.live.com, Type: A
DNS: smtp.mail.yahoo.com, Type: A
DNS: crosworldmarine.com, Type: A
DNS: nashsolar.com, Type: A
DNS: sormpack.com, Type: A
HTTP POST: http://blackvoib.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://bcglaw.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://drkassis.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://brandcoolmarketing.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://southamerica-photo.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://smallfuel.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ggm.ch/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://industrieundhandelsverlag.de/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://saudigypsum.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://nathancurrin.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://arrange-hair.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://teamco.com.tw/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://intra-lock.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://shirleyatkinson.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://bcalex.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://wingup-pt.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://arice.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1039 ➝ 23.106.102.12:80
Flows TCP: 192.168.1.1:1041 ➝ 202.191.63.90:80
Flows TCP: 192.168.1.1:1045 ➝ 91.121.55.79:80
Flows TCP: 192.168.1.1:1044 ➝ 192.254.201.177:80
Flows TCP: 192.168.1.1:1046 ➝ 89.161.171.117:80
Flows TCP: 192.168.1.1:1047 ➝ 207.58.136.17:80
Flows TCP: 192.168.1.1:1048 ➝ 82.195.225.157:80
Flows TCP: 192.168.1.1:1049 ➝ 87.106.1.149:80
Flows TCP: 192.168.1.1:1051 ➝ 23.229.148.38:80
Flows TCP: 192.168.1.1:1050 ➝ 5.2.91.41:80
Flows TCP: 192.168.1.1:1052 ➝ 210.233.78.68:80
Flows TCP: 192.168.1.1:1053 ➝ 60.250.199.64:80
Flows TCP: 192.168.1.1:1054 ➝ 69.42.78.206:80
Flows TCP: 192.168.1.1:1055 ➝ 80.94.193.27:80
Flows TCP: 192.168.1.1:1056 ➝ 219.94.129.36:80
Flows TCP: 192.168.1.1:1057 ➝ 219.94.163.161:80
Flows TCP: 192.168.1.1:1058 ➝ 157.112.189.13:80