Analysis Date: 2015-11-05 04:31:01
MD5: dd660df797eb3c186f2e8e6dcb237670
SHA1: 711c9e45f0302102de8688f2506766246322e423

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1c38e333b0f97a13ca92bca992c95155 sha1: a5a8f061fbbfe90510bdf8da0cf7bda2d211fc9d size: 107008
Section .rdata: md5: 5bda89dd1db8eb7bf2d3264c137c706e sha1: 815ac12f81b4b7d80528d94418c5d034fc2ba4a1 size: 42496
Section .data: md5: c0790f1591db68f7544102e03789610d sha1: 8fb2b45c2d1c023a7c11cb84e1c87cc139ae9bb8 size: 36352
Section .rsrc: md5: a2be961d6ee12011a8071cab94ce98f8 sha1: 21d24058b773e7ca5bd9b36169d6b0be1cef99e6 size: 334336
Timestamp: 2015-10-19 07:41:32
Packer: Microsoft Visual C++ ?.? (compiler signature; version not identified)
PEhash: 81a41cbae2eb1381b3398f94106f0515e5b8af29
IMPhash: ad15c31cf224ac9a8455d638778c3f97
AV Dr. Web: Trojan.Inject1.56622
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV Emsisoft: Trojan.GenericKDZ.30724
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV Symantec: Trojan.Gen
AV Eset (nod32): Win32/Injector.BNHS
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Kryptik.EASA!tr
AV Avira (antivir): TR/Crypt.ZPACK.197789
AV Trend Micro: TROJ_DYER.BMC
AV Frisk (f-prot): no_virus
AV Alwil (avast): Androp [Drp]
AV ClamAV: no_virus
AV F-Secure: Trojan.GenericKDZ.30724
AV Mcafee: Gamarue-FDC!DD660DF797EB
AV Twister: no_virus
AV Grisoft (avg): Inject3.MZY
AV BitDefender: Trojan.GenericKDZ.30724
AV Rising: no_virus
AV Ikarus: Trojan.Win32.Injector
AV Ad-Aware: Trojan.GenericKDZ.30724
AV CAT (quickheal): no_virus
AV K7: Trojan ( 004cef571 )
AV VirusBlokAda (vba32): no_virus
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV Kaspersky: Trojan.Win32.Yakes.namb
AV BullGuard: Trojan.GenericKDZ.30724
AV MalwareBytes: Ransom.CryptoWall
AV Zillya!: no_virus
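The per-section md5/sha1/size figures and the link timestamp in the static details above are easy to reproduce, and reproducing them is the quickest way to confirm you are holding the same file the report describes. The Python below is an added example, not output of the sandbox or of any tool named on this page: it parses the DOS stub, COFF header and section table with the standard library only, hashes each section's raw on-disk bytes (PointerToRawData through SizeOfRawData, which is what section hashes in reports like this refer to), converts the TimeDateStamp to UTC, and additionally flags sections that are both writable and executable. The PE image it builds is constructed inside the block for the demo, so the hashes it prints belong to those constructed bytes, not to the analysed sample.

```python
import datetime
import hashlib
import struct

# Section Characteristics bits from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_section_hashes(data):
    """Walk the PE headers of `data` and hash each section's raw on-disk bytes.

    Returns (timestamp_utc_string, [section dicts]).  Only the bytes at
    PointerToRawData .. PointerToRawData+SizeOfRawData are hashed; the virtual
    (in-memory) size is ignored, matching how sandbox reports compute them.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    stamp_utc = datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    table = e_lfanew + 4 + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        if len(raw) != raw_size:
            raise ValueError("section %r raw data runs past end of file" % name)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
            # writable + executable: code that is rewritten at run time, a common packer trait
            "rwx": bool(flags & IMAGE_SCN_MEM_EXECUTE) and bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return stamp_utc, sections


def build_sample_pe(sections, stamp):
    """Construct a minimal PE32 image for the demo (constructed input, not the analysed file).
    `sections` is a list of (name, raw_bytes, characteristics)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                                 # PE32 optional header size
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # Magic = PE32, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, opt_size, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    table, blobs = b"", b""
    for name, raw, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, flags)
        blobs += raw
        raw_ptr += len(raw)
    return dos_header + b"PE\0\0" + coff + optional + table + blobs


def report(data):
    """Render the same per-section lines a sandbox report prints."""
    stamp, sections = pe_section_hashes(data)
    lines = ["Timestamp: " + stamp]
    for s in sections:
        flag = "  [RWX]" if s["rwx"] else ""
        lines.append("Section %s md5: %s sha1: %s size: %d%s"
                     % (s["name"], s["md5"], s["sha1"], s["size"], flag))
    return lines


if __name__ == "__main__":
    sample = build_sample_pe(
        [(b".text", b"abc", 0x60000020),     # code, read+execute
         (b".data", b"", 0xC0000040),        # initialized data with no raw bytes on disk
         (b".rwx", b"a", 0xE0000020)],       # read+write+execute: worth a second look
        1445240492)                          # 2015-10-19 07:41:32 UTC, the report's link timestamp
    print("\n".join(report(sample)))
```

Section hashes are useful precisely because they survive changes elsewhere in the file: two samples with different MD5s but the same .text hash were built from the same code, and a shared .rsrc hash usually means a shared embedded payload. On this sample the .rsrc section (334336 bytes) is several times larger than .text, which is the first place to look for an embedded second stage.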

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\748D\724D.bat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe

Process
↳ cmd /C ""C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE""

Creates Process: "C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE"

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: cmd /C ""C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE""

Process
↳ "C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE"

Creates File: PIPE\lsarpc
Deletes File: C:\711C9E~1.EXE

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkContactRefresh ➝ NULL
Registry: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E4CCB958-F332-B65B-9D58-D74A210CFB1E\Client ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name\ ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Server ID ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: pipe\{DB9FF702-7E53-C564-603F-92C994E3E60D}
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: MPSWabDataAccessMutex
Creates Mutex: MPSWABOlkStoreNotifyMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {88944877-47AE-FA16-113C-6BCED530CFE2}
Creates Mutex: Local\{0F93F2DB-2265-19A2-A4B3-765D18970AE1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Local\{E70AA63E-1A8B-B15F-5C0B-EE75506F0279}
Creates Mutex: Local\{C18F3F26-2C26-9B6B-3E85-20FF528954A3}
Winsock DNS: extime.at
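Read together, the process tree above shows a relocate-and-delete pattern: malware.exe writes a batch file to Temp and drops deskband.exe under the user's Application Data; cmd /C starts that dropped file with C:\711C9E~1.EXE as its argument (an 8.3 short name whose prefix matches the sample's SHA1); the dropped copy then deletes that path; and afterwards Explorer.EXE, not the sample, opens the user's Windows Address Book and resolves extime.at, which is consistent with the Injector/CeeInject names in the AV column. The Python below is an added example, not code from the sandbox or any project, that turns that reading into detection rules and runs them over the events transcribed from this report. The event tuples are a hand-built chronological ordering of the lines above; the rule thresholds and wording are the example's own.

```python
import re

# Events transcribed from the Runtime Details of this report, as (process, action, target),
# ordered as they occur in the process tree. Constructed for the demo from the lines above.
EVENTS = [
    (r"C:\malware.exe", "Creates File",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\748D\724D.bat"),
    (r"C:\malware.exe", "Creates File",
     r"C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe"),
    (r"C:\WINDOWS\system32\cmd.exe", "Creates Process",
     r'cmd /C ""C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE""'),
    (r'cmd /C ""C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE""',
     "Creates Process",
     r'"C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE"'),
    (r'"C:\Documents and Settings\Administrator\Application Data\cluspast\deskband.exe" "C:\711C9E~1.EXE"',
     "Deletes File", r"C:\711C9E~1.EXE"),
    (r"C:\WINDOWS\Explorer.EXE", "Creates File",
     r"C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab"),
    (r"C:\WINDOWS\Explorer.EXE", "Winsock DNS", "extime.at"),
]

APPDATA_RE = re.compile(r"\\(Application Data|AppData)\\", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\\Temp\\.*\.bat$", re.IGNORECASE)
EXE_RE = re.compile(r"\.exe$", re.IGNORECASE)


def command_parts(cmdline):
    """Split a command line into its quoted components, falling back to whitespace.
    Copes with the doubled quoting cmd /C produces: cmd /C ""a.exe" "b.exe""."""
    parts = re.findall(r'"([^"]+)"', cmdline)
    return parts if parts else cmdline.split()


def detect_relocation(events):
    """Return human-readable findings for the relocate-and-delete pattern and its follow-ups."""
    dropped = set()        # executables written under the profile's Application Data (lower-cased)
    passed_to = {}         # dropped exe (lower-cased) -> .exe paths it was launched with
    findings = []
    for proc, action, target in events:
        image = command_parts(proc)[0].lower()
        if action == "Creates File" and TEMP_BAT_RE.search(target):
            # the sandbox does not record the batch file's content; a .bat in Temp is still a
            # classic self-delete or relaunch helper and worth surfacing
            findings.append("batch helper written to Temp by %s: %s" % (image, target))
        elif action == "Creates File" and EXE_RE.search(target) and APPDATA_RE.search(target):
            dropped.add(target.lower())
            findings.append("executable dropped under Application Data by %s: %s" % (image, target))
        elif action == "Creates File" and target.lower().endswith(".wab"):
            # Windows Address Book opened by a process that has no business with it
            findings.append("address book opened by %s: %s (contact harvesting heuristic)" % (image, target))
        elif action == "Creates Process":
            parts = command_parts(target)
            hit = [p for p in parts if p.lower() in dropped]
            if hit:
                args = [p for p in parts if EXE_RE.search(p) and p.lower() not in dropped]
                passed_to.setdefault(hit[0].lower(), set()).update(a.lower() for a in args)
                findings.append("dropped copy %s launched with executable argument %s" % (hit[0], args))
        elif action == "Deletes File" and target.lower() in passed_to.get(image, set()):
            findings.append("relocated copy deleted the path it was launched with: %s" % target)
        elif action == "Winsock DNS" and image.endswith("\\explorer.exe"):
            # On its own a weak signal; combined with the above it points at code injected
            # into Explorer.EXE doing the networking for the sample.
            findings.append("DNS lookup issued from Explorer.EXE: %s" % target)
    return findings


if __name__ == "__main__":
    for line in detect_relocation(EVENTS):
        print(line)
```

The two rules that carry the weight are the pairing of "dropped under Application Data" with "launched with another .exe as argument" and the later deletion of exactly that argument by the dropped copy; either alone is noisy (installers drop and relaunch, cleanup scripts delete), but together they describe a sample moving itself out of the way. Note that the sandbox attributes the deletion to deskband.exe and the DNS lookup to Explorer.EXE, so any detection keyed only on the original process name (malware.exe) would miss both.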

Network Details:

DNS: extime.at (Type: A)
