Analysis Date: 2014-09-01 20:05:46
MD5: 5df9cab0451fc35d37c25aa6cb618de4
SHA1: 680de4165a02609a7397904bd1a3208e32657df0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 51f543bc6c18e3e67f3b8de093de196cd693dbf8
IMPhash

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: tear

Process
↳ tear

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: forces.fast-mir.ru

Network Details:

DNS: forces.fast-mir.ru
Type: A
82.118.19.182
HTTP GET: http://forces.fast-mir.ru/get_json?stb=1&did=771407764&file_id=219731980
User-Agent: Downloader 1.2
HTTP GET: http://forces.fast-mir.ru/get_json?stb=1&did=771407764&file_id=219731980
User-Agent: Downloader 1.2
HTTP GET: http://forces.fast-mir.ru/launch_error?text=can't%20get%20info:%20Error%20HTTP%20status%20404
User-Agent: Downloader 1.2
Flows TCP: 192.168.1.1:1031 ➝ 82.118.19.182:80
Flows TCP: 192.168.1.1:1032 ➝ 82.118.19.182:80
Flows TCP: 192.168.1.1:1033 ➝ 82.118.19.182:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 5f6a736f 6e3f7374   GET /get_json?st
0x00000010 (00016)   623d3126 6469643d 37373134 30373736   b=1&did=77140776
0x00000020 (00032)   34266669 6c655f69 643d3231 39373331   4&file_id=219731
0x00000030 (00048)   39383020 48545450 2f312e31 0d0a5573   980 HTTP/1.1..Us
0x00000040 (00064)   65722d41 67656e74 3a20446f 776e6c6f   er-Agent: Downlo
0x00000050 (00080)   61646572 20312e32 0d0a486f 73743a20   ader 1.2..Host: 
0x00000060 (00096)   666f7263 65732e66 6173742d 6d69722e   forces.fast-mir.
0x00000070 (00112)   72750d0a 43616368 652d436f 6e74726f   ru..Cache-Contro
0x00000080 (00128)   6c3a206e 6f2d6361 6368650d 0a0d0a     l: no-cache....

0x00000000 (00000)   47455420 2f676574 5f6a736f 6e3f7374   GET /get_json?st
0x00000010 (00016)   623d3126 6469643d 37373134 30373736   b=1&did=77140776
0x00000020 (00032)   34266669 6c655f69 643d3231 39373331   4&file_id=219731
0x00000030 (00048)   39383020 48545450 2f312e31 0d0a5573   980 HTTP/1.1..Us
0x00000040 (00064)   65722d41 67656e74 3a20446f 776e6c6f   er-Agent: Downlo
0x00000050 (00080)   61646572 20312e32 0d0a486f 73743a20   ader 1.2..Host: 
0x00000060 (00096)   666f7263 65732e66 6173742d 6d69722e   forces.fast-mir.
0x00000070 (00112)   72750d0a 43616368 652d436f 6e74726f   ru..Cache-Contro
0x00000080 (00128)   6c3a206e 6f2d6361 6368650d 0a0d0a     l: no-cache....

0x00000000 (00000)   47455420 2f6c6175 6e63685f 6572726f   GET /launch_erro
0x00000010 (00016)   723f7465 78743d63 616e2774 25323067   r?text=can't%20g
0x00000020 (00032)   65742532 30696e66 6f3a2532 30457272   et%20info:%20Err
0x00000030 (00048)   6f722532 30485454 50253230 73746174   or%20HTTP%20stat
0x00000040 (00064)   75732532 30343034 20485454 502f312e   us%20404 HTTP/1.
0x00000050 (00080)   310d0a55 7365722d 4167656e 743a2044   1..User-Agent: D
0x00000060 (00096)   6f776e6c 6f616465 7220312e 320d0a48   ownloader 1.2..H
0x00000070 (00112)   6f73743a 20666f72 6365732e 66617374   ost: forces.fast
0x00000080 (00128)   2d6d6972 2e72750d 0a436163 68652d43   -mir.ru..Cache-C
0x00000090 (00144)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000a0 (00160)   0d0a0d0a                              ....


Strings
.

$1$g
3333
33333
333333
333333[[[[[[
3333333
3333333}}}}}}
333333333333333
33333333333333333
6'{{
g$C@gW
gn{1
$gWg
jWgW
@@L@
'{>n
'{>n8
njWgW
QQQQ
QQQQQ
TL>t
W1hW
~~~	===
--....
-.....
.......
........
@@@@@@
|0e*r7
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
110824000000Z
1250801
12 Komn 42, ul.Vrubelya1&0$
140326000000Z
140412140640Z0
150326235959Z0
190709184036Z0
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
200530104838Z0{1
2]$iuL
2_X2)u$
```333
33333333333333333333333333
]!%3i!
3N,3io
57@@@@@
&5jWgW5
-7@@@@@
7BJJJJJJ
7CgQ@@
-7eeeee
990709183120Z
aOOx[JJgSCC%QBB
</assembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Bar>iKti
Bar>iKtir>
Baug8_u
BBB)?Dy
Bg.uu{
^BJeel
BJJJJJ
BJJJJJ'
BJJJJJJ'
BJJJJJJJ
BJJJJJJJe
BJJJJJJJJ
BJJJJJJJJJ
BJJJJJJJJJJJ
BJJJJJJJJJJJJ
BJJJJJJJJJJJJ@
BJJJJJJJJJJJJJJJN&
BJJJJJJJJJJJN&
COMODO CA Limited1!0
COMODO Code Signing CA 2
COMODO Code Signing CA 20
Cv3uTv3
Cv=g@N
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
d$g:&8
Dvo?3t$
'dvW$$
'dvW:$g
eeeeeeuLU
eeeuLU
@eugvP
euhQK>v
@@@@euLq
gEN2z3
GGGG@N
giuliN
giutju
giutxu
Greater Manchester1
g-r.Nk
!g.u^g
gv3NjvT
gvQu{v#
gvvu{v#
]g`XoN
H::2UEE:UDD9TEE)SCC"SED
hNp%>N
http://ocsp.comodoca.com0
http://ocsp.usertrust.com0
https://secure.comodo.net/CPS0A
http://www.usertrust.com1
!IBgv&
iiiiiiii
IkN,3N
_IL)}M
iN!{N%
IpIyuZ.
i.:Q...
Ir!xW6#
iuhlu'q
$iuL3ee
!$iuLq
$iuLQu
iutT@@
J<<BYHHSYHHVXHHCXHH8SDD#RCC
 jj 11
JJJJJ'
JJJJJJJ
JJJJJJJJ
JJJJJJJJJ
JJJJJJJJJJJ
JJJJJJJJJJJJJJJJ
\JJX[IIdZJJQUEE&QBB
jlH3Exx
jn$gWg
J<<Q[IIaZIIfXGGKVFF1WII
L3i!iL
L3$iuL3
L_Eu$l
>LHH5E
L==^\KKpYHHeUDD2SDD
>>>LL1
lll	:::
]LLNQBB
Lm$iuLm
L_NGq_
L_nrui
Lq$iuLq
LQ$iuLQ
Lq$iuLqN
LquLqj0
>lrtCK>Crt
L_ uD{
L)uh3uL)u
LVuLVu
M4/4RR4I
mKh,^r&
mmm)hhhk
Moscow1 0
Moscow region1
N,3IkN
N,3/Tv
NcdB"x
N%E#Eg
#ng.#XgE
!N%iXB
nJ]LDC;
NL)3N2
Onlain Sekyuriti Sistems, OOO0
Onlain Sekyuriti Sistems, OOO1&0$
O??qYIIYVEECRBB
P@@sRCC
--.Q..
:::Q::
QeuhQK>v
-...QQ..
Q--.Q::
###~qqq
.......Q.QQ
Q::QQ:
..QQQQ
-.QQQQ..QQ
qu2VGGGG
r>3Kt3
^!r!B'
.rEKLV
rE#ng.#XgE
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
r>iKtir>
_ri#Xg5#ng
ri#Xg.#ngEN
rLzKEuL
RRR0UF
rt3K>3
rv3`Voi
S6"MuC
Salford1
Salt Lake City1
SCC%QBB
SCC%RBB"QBB
    </security>
    <security>
Sg7N23
SgLiL3Xk
support@ossonline.ru0
SXp6"Mu
@teuuQ
The USERTRUST Network1!0
!This program cannot be run in DOS mode.
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
Tv3uTv
Tv3uTv3~
Tv3uTv3~JTi
Tv#N,v
%u2,GGG
u2]GGG
u2%GGuL_
u2qGGGG
)u2qGGGK'U
u2%uL3
%u2VGGGu
.UgDN!
uh3uTv
uh#ut#
@uhvu{v
UTN-USERFirst-Object0
uTvCe@@
uTvPj0
vEEEvE
!%_V_g8e
Vu2%GGGKL
Vu2,GGuL,G
Vu2VGGG
Vu>EN!
,WIIII
www	IJJ
#Xg5#ng
X!g5X!g
X!gjX!
#Xg.#ngEN
+#XgQ#ngv
YgHeuL)
YRichb
yyHaOO
ZII?XGGKXGG?TDD0SDD
_	$.zR