Analysis Date: 2014-03-20 08:23:22
MD5: 31b4f7ea34d07ea2907db0f1df52fdd2
SHA1: 7009ee430ed189a6ba343c1889eabdaab88b65cb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: dc2365ed09e97aa8c891b716a562f14e sha1: a5fdef4d2cb769e86bb624df6752e95d7ee54f0d size: 2048
Section .rdata: md5: 2d54b9ef443857bb7bd6ce035ed0d214 sha1: 160c7c1858b5490cc35ef4fa5e591e22338501ca size: 512
Section .data: md5: 18688795a01c8badc26c3bd7f9100eb6 sha1: 3008d6d5f6582318e4d4944da7282c6c6630e192 size: 512
Section .rsrc: md5: d1f579f04d4e9598a07ccf8be21503cf sha1: c0b0d615264118c2e0d92380264b6c96083ee78f size: 33792
Section .reloc: md5: 25b85120ce45a58fb978e5bcaba85722 sha1: 80323e928d6b7dfad3ce806d76d2c4b98641d08a size: 512
Timestamp: 2004-03-09 21:56:24
PEhash: b6f7446b3ef5e9117ae23e17949513b72cd72e37
IMPhash: 519e0b6c8b72a9b407421c70055071f2
AV avg: SHeur4.BCGP
AV avira: TR/Crypt.XPACK.Gen
AV mcafee: Downloader-FKL!31B4F7EA34D0
AV msse: TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\buzyrqycobpe ➝ C:\Documents and Settings\Administrator\buzyrqycobpe.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\buzyrqycobpe.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: buzyrqycobpe
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 4esports.eu

Network Details:

DNS: smtp1.sbc.mail.am0.yahoodns.net (Type: A) ➝ 67.195.15.66
DNS: smtp1.sbc.mail.am0.yahoodns.net (Type: A) ➝ 98.138.31.74
DNS: smtp1.sbc.mail.am0.yahoodns.net (Type: A) ➝ 98.139.221.42
DNS: smtp.mail.eu.am0.yahoodns.net (Type: A) ➝ 188.125.69.59
DNS: 4esports.eu (Type: A) ➝ 212.172.221.9
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: smtp.sbcglobal.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 67.195.15.66:25
Flows TCP: 192.168.1.1:1032 ➝ 212.172.221.9:443
Flows TCP: 192.168.1.1:1033 ➝ 212.172.221.9:443

Raw Pcap:
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.

Strings:

Append
APPENDER
Calendar and Date Picker controls plus other fun things
Calendar control
Click on the arrow button to pop open the Date Picker. Choose a new date  by clicking on it.
Close
Date Picker control
DateTimePicker
Enter a menu option name here.
Enter the program full path name here.
Example: c:\windows\regedit.exe
Example: c:\winnt\regedit.exe
Example: &&Regedit
If the user clicks the year displayed next to a month name an up-down control appears in place of the year. The user can change the year with this control.
MonthCalendar
MS Sans Serif
Once you have entered the proper info click on the "Append" button then right click on Windows "Start" button to access your new menu option. Your new menu option will also appear in Explorer when you right click in the left pane.
Quit
Remove
Simple Registry Key example.
SysDateTimePick32
SysMonthCal32
The user can return to the current day by clicking the "Today" text at the bottom of the control. If the current day is not visible the control updates its display to show it.
When a user clicks the name of a displayed month a pop-up menu appears that lists all months within the year. The user can select a month on the list.
101231220000Z
391231235959Z0
Aqariaqaaro
Aqariaqaaro0
CreateThread
@.data
ExitProcess
FindWindowA
gdi32.dll
GetModuleHandleA
GetObjectA
GetProcAddress
GetVersion
kernel32.dll
LoadImageA
LoadLibraryExA
`.rdata
@.reloc
!This program cannot be run in DOS mode.
UGetProcAddress
user32.dll
WaitForSingleObject