Analysis Date: 2014-12-09 22:44:29
MD5: 5bd47833e48f4a145f5c28ccc27ceff3
SHA1: 7099a17a9f2a2995c758ca525337eb0928d2fe72

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .textR md5: 81b60ed8bc985ec482143d5a1b22436c sha1: d3d49e63b14663f8572fbe6c9d048867ed690fb5 size: 44544
Section .xdata md5: e00459e9fecc00b9e354687d4a647031 sha1: 7e60446b6842d86b06199c110ff2b9f2a7adf8ac size: 13312
Section .rdata md5: 837e878c5bf68cdb120a2df507d5f350 sha1: 6587616eb844dd5188158dba3e26507e81e27f4d size: 8192
Section .rsrcl md5: 91f5c6c1ce55df6e6f6515617137d11b sha1: 0d673f4e5e2874737fedcd5fd5a53a9d21c76567 size: 16384
Timestamp: 2010-12-05 00:19:02
Version:
  LegalCopyright: 432 1997 +2011
  InternalName: Jewish
  FileVersion: 1 8 3
  CompanyName: Pecoma Groningen
  ProductName: Relax Loved Macaw Owe Moved
  ProductVersion: 1 8 5637
  FileDescription: Aluzova
  OriginalFilename: Croon.exe
PEhash: cdfad72e05a8ea481c40c8cce3f9f487a338cce4
IMPhash: 9cb7b0ce00d4022b8cdfc046536803d6
AV 360 Safe: Gen:Variant.Kazy.380811
AV Ad-Aware: Gen:Variant.Kazy.380811
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.TZZK-6415
AV Avira (antivir): TR/Crypt.Xpack.66143
AV BullGuard: Gen:Variant.Kazy.380811
AV CA (E-Trust Ino): Win32/Zemo.G
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.33368
AV Emsisoft: Gen:Variant.Kazy.380811
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Tiny.NKF!tr.dldr
AV Frisk (f-prot): W32/Trojan2.OFAZ
AV F-Secure: Gen:Variant.Kazy.380811
AV Grisoft (avg): Crypt3.PCW
AV Ikarus: Trojan.Win32.Dynamer
AV K7: Trojan-Downloader ( 00499db21 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Zbot.VXGen
AV Mcafee: Downloader-FSH!5BD47833E48F
AV Microsoft Security Essentials: TrojanDownloader:Win32/Zemot.C
AV MicroWorld (escan): Gen:Variant.Kazy.380811
AV Rising: no_virus
AV Sophos: Troj/Optin-A
AV Symantec: Trojan.Gen.SMH
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): TrojanSpy.Zbot

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\7099a17a9f2a2995c758ca525337eb0928d2fe72.rtf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_72796.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 99257134
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.190
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Opera/9.25 (Windows NT 6.0; U; cn)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.190:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4f706572   User-Agent: Oper
0x00000020 (00032)   612f392e 32352028 57696e64 6f777320   a/9.25 (Windows 
0x00000030 (00048)   4e542036 2e303b20 553b2063 6e290d0a   NT 6.0; U; cn)..
0x00000040 (00064)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000050 (00080)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000060 (00096)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000070 (00112)   6c6f7365 0d0a0d0a                     lose....


Strings
1w
.
.VX..8y...X.Y.h

040904B0
1  8 3
1   8  5637
432  1997  +2011
Aluzova
Boil Hint
Boise
Bytes
Chops Tycoon
CompanyName
Croon.exe
Cubs
Curve
Domed
Elks Chow
Fife
FileDescription
FileVersion
Games Edify
Gaps
Gown
Guano
InternalName
Jewish
Kudzu Temps Seam
LegalCopyright
MS Sans Serif
Naps
Need
Omen
OriginalFilename
Pals
Pecoma Groningen
ProductName
ProductVersion
Relax Loved Macaw Owe Moved
Safari
Silver
Sinks Pin Grad
Skin
StringFileInfo
Suds
Translation
VarFileInfo
VS_VERSION_INFO
Woman
Zulu Begun
@:<!?>;
@._@@_
021fkb_
.0>o/-
-0O_++
0oVUOe
>0V0+-
0Z-O+8
145214335
2FA]_s
2{\&Fu
2q4j4dek
3=(<E-5
%+)47K
4cl4$tS
524223518465651
5co<zp7
5S42y3x
62446283164577
6576848473356
6?GP%b
721156445287
7685713
<77e?98
8fySNKea_yqqjb`\UPNIFHBArmj
8/JZKJ
8o+8-.Y
&8>/-OJ
8YYXVVU+U/V
94edh`CW
<99YSQldb^SUyupD
Acagyv
A>=e:35
Afuneq
Agyguvy
AssignProcessToJobObject
bcc:79c_[ia_OTM0
Bujozo
Bydysux
Bysytew
\][cabvnjxoqvjk_[VE?;<:6D@<
Caguxaq
Cedeful
Cevexu
ChangeClipboardChain
CharLowerA
CharUpperBuffA
CheckDlgButton
ChooseColorA
Cixatyr
ClusWorkerCreate
Cokyvy
COMDLG32.DLL
CStdStubBuffer_Invoke
CTwbXuGLPAYlmVg
Cujyki
Cytoxof
D\Aent
Dazehij
DceErrorInqTextW
DdeQueryConvInfo
dfAKyDpOLwVC
DialogBoxIndirectParamW
DialogBoxParamA
DlgDirListW
Dohapap
dY[`[]
Dybika
Dymywu
"! e&%%
>efe_Yy
Efyleg
Efymur
Egaweka
Eleqef
el}:hP_H
Elyrabo
EndDialog
Enijinu
eRpGL2YU
Erybuju
e-U8y8/
Ewelezy
ExcludeUpdateRgn
ExitWindowsEx
fa\2gca
Fepawi
FileTimeToDosDateTime
;(FpV*
Funuqi
fVX_J+
&fZ@>>O
g8{\/U`
GEE;NGH
Genaxu
GetCursorInfo
GetProcAddress
GetSystemMetrics
Gikofef
g_Zk`^g][fd_
Heludu
hFmiBovP
hjGbsawLseI
Hotibe
hthjf6em2ygox
hvbCLAy
Ididesi
Idyxacy
Ifutac
Ijuxix
Ikyzaly
Ilavyp
InterlockedDecrement
Ipononu
Iqadef
Iqahal
Iqazyw
iqMWoNFqhvf
Iritej
I_RpcBindingInqDynamicEndpointW
I_RpcBindingInqWireIdForSnego
I_RpcBindingToStaticStringBindingW
I_RpcDeleteMutex
I_RpcFreeBuffer
I_RpcFreePipeBuffer
I_RpcPauseExecution
I_RpcRequestMutex
I_RpcSendReceive
I_RpcServerAllocateIpPort
I_RpcServerInqTransportType
I_RpcServerRegisterForwardFunction
I_RpcServerUseProtseq2A
I_RpcTransConnectionReallocPacket
I_RpcTransDatagramAllocate
I_RpcTransDatagramAllocate2
I_RpcTransDatagramFree
I_RpcTransGetThreadEvent
I_RpcTransIoCancelled
I_UuidCreate
iwWGLOTYr
Jalawi
jd^dndb
JX88->-
-JX&ZV
J+Zo&O
K.00f_
k6A9NHFSMOi_]XONKFF?=:HACzzx
Kajava
Kanykaj
Kefonol
KERNEL32.DLL
K@eVX+
Ke@+y_Zy
KIGkfe
Kiwyqa
Korozy
K-o./ZUfK&e
Kyryqer
Lamewy
Lepyrys
Lilyqu
Luwufo
meOtetNWpGRPGJ
MesDecodeBufferHandleCreate
MesDecodeIncrementalHandleCreate
MesEncodeFixedBufferHandleCreate
MesEncodeIncrementalHandleCreate
Microsoft Visual C++ Runtime Library
~	>+)/-m]M
mNkXsyPluEn
Mubecu
MulDiv
'MYqod
Nadaqyx
NdrAllocate
NdrByteCountPointerUnmarshall
NDRCContextMarshall
NDRCContextUnmarshall
NdrClearOutParameters
NdrClientInitialize
NdrClientInitializeNew
NdrComplexArrayBufferSize
NdrConformantArrayMemorySize
NdrConformantStringBufferSize
NdrConformantStringMarshall
NdrConformantStructFree
NdrConformantStructUnmarshall
NdrConformantVaryingArrayFree
NdrConformantVaryingArrayMemorySize
NdrConformantVaryingStructMarshall
NdrConformantVaryingStructMemorySize
NdrCStdStubBuffer2_Release
NdrDcomAsyncStubCall
NdrDllUnregisterProxy
NdrEncapsulatedUnionFree
NdrEncapsulatedUnionMarshall
NdrFixedArrayBufferSize
NdrFixedArrayMarshall
NdrFixedArrayUnmarshall
NdrGetUserMarshalInfo
NdrInterfacePointerMarshall
NdrInterfacePointerUnmarshall
NdrMapCommAndFaultStatus
NdrMesSimpleTypeAlignSize
NdrMesTypeDecode
NdrNonConformantStringBufferSize
NdrNsGetBuffer
NdrOleAllocate
NdrOleFree
NdrPointerFree
NdrPointerMemorySize
NdrPointerUnmarshall
NdrProxyGetBuffer
NdrProxySendReceive
NdrRpcSmSetClientToOsf
NdrRpcSsDefaultFree
NdrServerCall
NdrServerContextMarshall
NdrServerUnmarshall
NdrSimpleTypeMarshall
NdrSimpleTypeUnmarshall
NdrStubCall2
NdrStubForwardingFunction
NdrUserMarshalFree
NdrUserMarshalUnmarshall
NdrVaryingArrayFree
NdrVaryingArrayMemorySize
NdrVaryingArrayUnmarshall
NdrXmitOrRepAsUnmarshall
Nifulog
nmiMKI
Nudefu
Nugyvo
@o@8@VU
obygdrvytuo
Odypur
Ofybyg
Ogabyno
)%o/\GO
&-oJXZ
.O&O>+
Opabaq
Osupuj
Otygake
oucCyrnUdiM
owjwxfx1
Oxizox
Oxuxyz
O/X-+V&
O->Y_KyXV/
/O_yYe
Ozifat
Ozojih
p+'1+e
Paluvo
PdhAddCounterW
PdhBrowseCountersA
PdhBrowseCountersW
PdhCloseLog
PdhCollectQueryDataEx
PdhComputeCounterStatistics
PdhConnectMachineW
PDH.DLL
PdhEnumObjectItemsW
PdhEnumObjectsW
PdhExpandCounterPathW
PdhExpandWildCardPathA
PdhGetCounterInfoA
PdhGetCounterInfoW
PdhGetDataSourceTimeRangeA
PdhGetDefaultPerfCounterA
PdhGetDefaultPerfCounterW
PdhGetDllVersion
PdhGetFormattedCounterArrayW
PdhGetFormattedCounterValue
PdhGetRawCounterArrayW
PdhLookupPerfIndexByNameW
PdhLookupPerfNameByIndexA
PdhMakeCounterPathA
PdhMakeCounterPathW
PdhOpenLogW
PdhOpenQueryW
PdhParseCounterPathA
PdhParseInstanceNameA
PdhParseInstanceNameW
PdhSelectDataSourceW
PdhSetDefaultRealTimeDataSource
PdhUpdateLogA
PdhUpdateLogFileCatalog
PdhValidatePathA
PdhValidatePathW
PdhVbAddCounter
PdhVbCreateCounterPathList
PdhVbGetDoubleCounterValue
PdhVbGetLogFileSize
PdhVbIsGoodStatus
PdhVbUpdateLog
Peqimig
?=<PHJe^^C;;NLHNKIb_ZNKFD>?C==[VT
pigngdpgd]SSNJH
Pocozap
Pofawud
Pybynic
Qiqedud
qj5g7w6x
Qolebi
Racozyj
Rapijyx
.rdata
ReplaceFileA
ResUtilCreateDirectoryTree
ResUtilEnumPrivateProperties
ResUtilEnumProperties
ResUtilFindDependentDiskResourceDriveLetter
ResUtilFindDwordProperty
ResUtilFindLongProperty
ResUtilGetBinaryValue
ResUtilGetDwordValue
ResUtilGetPrivateProperties
ResUtilGetProperties
ResUtilGetPropertiesToParameterBlock
ResUtilGetProperty
ResUtilGetPropertySize
ResUtilGetResourceNameDependency
ResUtilIsPathValid
ResUtilIsResourceClassEqual
ResUtilPropertyListFromParameterBlock
ResUtilResourceTypesEqual
RESUTILS.DLL
ResUtilSetDwordValue
ResUtilSetMultiSzValue
ResUtilSetPrivatePropertyList
ResUtilSetPropertyParameterBlock
ResUtilSetResourceServiceEnvironment
ResUtilSetResourceServiceStartParameters
ResUtilSetSzValue
ResUtilStartResourceService
ResUtilStopResourceService
ResUtilVerifyPrivatePropertyList
ResUtilVerifyPropertyTable
ResUtilVerifyResourceService
RpcBindingCopy
RpcBindingFree
RpcBindingInqAuthClientExA
RpcBindingInqAuthClientW
RpcBindingInqAuthInfoA
RpcBindingInqAuthInfoExA
RpcBindingInqAuthInfoW
RpcBindingServerFromClient
RpcBindingSetAuthInfoA
RpcBindingSetAuthInfoExW
RpcBindingSetObject
RpcBindingSetOption
RpcCancelThread
RpcCancelThreadEx
RpcCertGeneratePrincipalNameW
RpcEpRegisterNoReplaceW
RpcEpRegisterW
RpcMgmtEpEltInqBegin
RpcMgmtEpEltInqNextA
RpcMgmtInqComTimeout
RpcMgmtInqServerPrincNameW
RpcMgmtInqStats
RpcMgmtIsServerListening
RpcMgmtSetServerStackSize
RpcNetworkIsProtseqValidW
RpcNsBindingInqEntryNameA
RpcProtseqVectorFreeA
RpcRaiseException
RpcRevertToSelf
RpcRevertToSelfEx
RPCRT4.DLL
RpcServerInqDefaultPrincNameA
RpcServerInqDefaultPrincNameW
RpcServerListen
RpcServerRegisterAuthInfoA
RpcServerRegisterAuthInfoW
RpcServerRegisterIfEx
RpcServerTestCancel
RpcServerUseAllProtseqs
RpcServerUseProtseqExW
RpcServerUseProtseqIfW
RpcServerUseProtseqW
RpcSmClientFree
RpcSmEnableAllocate
RpcSmFree
RpcSmGetThreadHandle
RpcSmSetClientAllocFree
RpcSmSwapClientAllocFree
RpcSsDisableAllocate
RpcSsEnableAllocate
RpcSsGetThreadHandle
RpcSsSetThreadHandle
RpcStringBindingParseA
RpcStringBindingParseW
RpcStringFreeA
ru754mch4t
SendMessageA
SetClassLongA
SetDlgItemTextW
SetMessageExtraInfo
SetWindowsHookExA
Sevoxiz
Siqyfa
S@&jWt
=`s*j}xB=
Sogute
~~~S~S
~SS~~~
S~~~S~
S~~S~~~
S~S~~~
S~S~~~~
~~~S~SS
~S~S~S~
~S~SS~~
~SSS~~
S~~~SS
S~S~S~
SS~~~~~S
~~~SS~S~S
~~S~SS~S
~SSS~S
S~~SS~S
S~SS~S~
SS~S~S
SS~SS~
SSS~S~
~~~SSSSS
S~SSSS~~
SSS~~SS
SSSS~S~
SSSSSS
SSSS~SS
Suverop
S.X[UW
Teviro
!This program cannot be run in DOS mode.
Tivabo
TowerExplode
TranslateAcceleratorA
Tunecu
Tuniwi
Tuteda
tvsH@?g`bGBA@9;PIE<;;MGJ{zu
Ubesuxa
UeK.-ZY
Ufamon
Uhebaca
Uhewom
.U&K-/
Ulufyny
UnionRect
Unocus
Urozul
Uruqyge
USER32.DLL
uSMUkSw3bl22PA
usr=65DA>GCBXSU
UuidHash
>/UV0yO
UV/e00--.-Xy
UV.Ufo
uxvomiztre_^OIFFEDD?=
(UYQrf
Uzeqyb
Uzisik
VADCKF
vgkcmmwwa
Vic^AMlAlloc
VJ&@o+8V
V/JyYV
@V&&K&
VkKeyScanW
Vo+fo0f
'=Vt`J
V_V8X0K>
Vyhycen
Vyjaro
Vy&UKX
&#"W)&%
Waxyca
Wepimer
wexMbx
wgQmfIpGfXqlS
wlvbpcrnnfet
{}}WNQE=<NDE
wtsqdtpfoeeksay
Wycepy
Xafevuf
`.xdata
Xebovom
Xekubuf
.X..@f
Xitiqu
&X@/K_
XOQmfg{ss{staZVPGI>68VPK
xrpohjwso
x^XX^\|L\
Xynuvuq
@X@Y>O
-XZY-Y
X/Z.Z0
Y0X+/8
Ydales
`^Y)e^`
ye&ZUX
Yhafoc
Yhesene
Y>J-Y0
y{k2bx
Ykejuq
@yKY-&V
Ylaryv
Ylineni
Ylulari
Ypurof
Yrajaz
YRL@[SR
yt4kxs
Yteqesy
Ytypoto
yU&O/_
y{uwqsmoikegac]_Y[UWQSMOIKEGAC
yVeUJ0
Yvycuwy
?,yw[Y_
Yxabyqa
.y.>@Xy
YY0//Z
yyleal
yZ&eK0
>Z08ooe
<Z2,.)
Z>eJKU
.Z-f8eO>@0-&->
Zizagu
Zocano
Zofypo
ZU.-e@Y&Z
?ZWSLLaVTqje`WYPKLH@A=<:prq
ZXZGXW