Analysis Date: 2015-10-26 12:30:14
MD5: b54331ba2c77ff2e204e7a443e5ac893
SHA1: 6a42333cb4166d52638f025fe429ec5625f9022b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 6ef359bc18a65a5dea8e7eac3c09049e sha1: 0893aff2a4e8036819e4e455bb505d349cdb43c1 size: 67584
Section .rdata: md5: c491ca232f5b02e52305769f40ee66ca sha1: 50f808863d86b73b7c0da657b94ba96d98a8e067 size: 6656
Section .data: md5: 0ebca16960628061dcf3807fd384d9e9 sha1: 3e49e6e59efbe43e33663390fd2bd9da75d2c041 size: 512
Section .CRT: md5: 46427531aec4f8d9880007a20e5c74d6 sha1: 5a207163719992c5ddb86f96101bb7f09e69db69 size: 512
Section .rsrc: md5: cf437d4894a449115cb977a950609e7d sha1: 9d8f2f6d407ea9ed8a0c2f02de9d9375e82c7a8a size: 16384
Timestamp: 2010-02-10 13:09:37
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 10ba3b06295d3a6275569b8bb9641a4ea3621db5
IMPhash: 9402b48d966c911f0785b076b349b5ef
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Korplug.292980
AV Twister: no_virus
AV Ad-Aware: Dropped:Trojan.Generic.14921453
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Korplug.GI
AV Grisoft (avg): no_virus
AV Symantec: no_virus
AV Fortinet: W32/Zegost.GI!tr.bdr
AV BitDefender: Dropped:Trojan.Generic.14921453
AV K7: Trojan ( 004c8ef81 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Dropped:Trojan.Generic.14921453
AV MalwareBytes: no_virus
AV Authentium: W32/Trojan.JEGX-2409
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Korplug
AV Emsisoft: Dropped:Trojan.Generic.14921453
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Zegost.mswyl
AV Trend Micro: no_virus
AV CAT (quickheal): Trojan.Dyname.r5
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Dropped:Trojan.Generic.14921453
AV Arcabit (arcavir): Dropped:Trojan.Generic.14921453:Trojan.Generic.14921453
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.5108
AV F-Secure: Dropped:Trojan.Generic.14921453
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: __tmp_rar_sfx_access_check_1785062
Creates File: mcut.exe
Creates File: McUtil.dll
Creates File: mcutil.dll.bbc
Deletes File: __tmp_rar_sfx_access_check_1785062
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\mcut.exe

Process
↳ C:\Documents and Settings\All Users\DRM\muccay\mcut.exe

Creates Process: C:\WINDOWS\system32\svchost.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\mcut.exe

Creates File: C:\Documents and Settings\All Users\DRM\muccay\mcutil.dll.bbc
Creates File: C:\Documents and Settings\All Users\DRM\muccay\mcut.exe
Creates File: C:\Documents and Settings\All Users\DRM\muccay\mcutil.dll
Creates Mutex: Global\yqabqzdwapbpx
Creates Mutex: Global\calqmhjhpcnaonawr
Creates Service: muccay - C:\Documents and Settings\All Users\DRM\muccay\mcut.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\muccay\avc
Creates File: pipe\winlogonrpc
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Mutex: Global\yqbiqpzzzdnkw
Creates Mutex: Global\oobyk
Creates Mutex: Global\mxtia
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\yqabqzdwapbpx
Creates Mutex: Global\elohuygwdpgsm
Creates Mutex: Global\calqmhjhpcnaonawr
Creates Mutex: Global\gcboa
Creates Mutex: Global\ypocwmwmybjtf
Creates Mutex: Global\ordefamblbyvoxdzw
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: Global\kichv
Creates Mutex: Global\sxzfpnxmf
Creates Mutex: Global\aklrjsqho
Creates Mutex: Global\agbvz
Creates Mutex: Global\iwmvdlkwfalpkjxvz
Creates Mutex: Global\eqmrikmfucabncwuu
Creates Mutex: Global\ottyogwawzjtcocvg
Creates Mutex: Global\TOrGkOgiFmpSZjtXlLKL
Creates Mutex: Global\camfytcwv
Creates Mutex: Global\mbdlmpnpzvyvxjgfu
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\undqqwznr
Creates Mutex: Global\qilfudpezygogwvqe
Winsock DNS: 23.234.29.133

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝ 192.168.254.254\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝ 192.168.254.254\\x00
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\MCUT.EXE-1A4061F6.pf
Creates File: C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf
Creates File: C:\WINDOWS\Prefetch\MCUT.EXE-08B5C7AB.pf
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Prefetch\6A42333CB4166D52638F025FE429E-02BDB67D.pf
Creates File: \Device\Afd\Endpoint
Creates File: NDIS
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Network Details:

HTTP GET: http://23.234.29.133:8080/41FAEF3BB7202B782C45680D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1033 ➝ 23.234.29.133:8080
Flows TCP: 192.168.1.1:1034 ➝ 23.234.29.133:8080
Flows UDP: 192.168.1.1:1035 ➝ 23.234.29.133:8080

Raw Pcap


Strings