Analysis Date: 2014-12-19 21:28:18
MD5: 14fb61413f7586576e3fde3bb98b10df
SHA1: 71374d194a9f3ce4b32047007113fb11e15cb167

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 80d48f935b9a63e4545bb1e51c127e47 sha1: 70f91a5b053b309b98f96b4b74f84af07f15e7c5 size: 1024
Section .rdata: md5: d142ff8363f84f1a597aeba0a1bd1aa8 sha1: 929b39b97ae79730ef95ad271aa9b96e2149ca5e size: 512
Section .data: md5: 2b32054178ee4a4f1f9e3d585e3e68d9 sha1: 65fc1c0ea124669b207236dd66e8898835275993 size: 512
Section .rsrc: md5: 3cea958625c7d330b3ba5ff622ba24cb sha1: 54c591c6311a39e89eb018b4d2160e4c0544e3ed size: 12288
Section .reloc: md5: 04486d7a26f51c31c3b64db0c2d31d41 sha1: 7789df2a03f63e97b69aa0fb3a0abe0d637ff13b size: 512
Timestamp: 1997-08-23 04:41:08
PEhash: 703cb3f1db941b1cf51f096787e1799e381da6eb
IMPhash: 220dd34a24dccda46890e8130a432e1d
AV (360 Safe): Gen:Variant.Kazy.35347
AV (Ad-Aware): Gen:Variant.Kazy.35347
AV (Alwil (avast)): Dropper-JTF [Drp]
AV (Arcabit (arcavir)): Gen:Variant.Kazy.35347
AV (Authentium): W32/GenTroj.N.gen!Eldorado
AV (Avira (antivir)): TR/Dropper.Gen
AV (BullGuard): Gen:Variant.Kazy.35347
AV (CA (E-Trust Ino)): Win32/Scar.ZD
AV (CAT (quickheal)): Trojan.Dynamer.A
AV (ClamAV): Win.Trojan.Scar-632
AV (Dr. Web): BackDoor.Bulknet.546
AV (Emsisoft): Gen:Variant.Kazy.35347
AV (Eset (nod32)): Win32/Kryptik.ZFU
AV (Fortinet): W32/Kryptik.ZFU!tr
AV (Frisk (f-prot)): W32/GenTroj.N.gen!Eldorado
AV (F-Secure): Gen:Variant.Kazy.35347
AV (Grisoft (avg)): Agent
AV (Ikarus): Win32.SuspectCrc
AV (K7): Trojan ( 003abe041 )
AV (Kaspersky): Trojan.Win32.Generic
AV (MalwareBytes): Trojan.Scar
AV (Mcafee): PWS-Zbot.gen.aac
AV (Microsoft Security Essentials): Trojan:Win32/Scar.T
AV (MicroWorld (escan)): Gen:Variant.Kazy.35347
AV (Rising): no_virus
AV (Sophos): Troj/Pile-A
AV (Symantec): Trojan.Gen
AV (Trend Micro): no_virus
AV (VirusBlokAda (vba32)): Trojan.Scar

Runtime Details:

Screenshot

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\o302wvg55a ➝ C:\Documents and Settings\Administrator\o302wvg55a.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\o302wvg55a ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\o302wvg55a.exe
Creates Mutex: o302wvg55a

Network Details:

DNS: sbulfert.in (Type: A) ➝ 109.74.195.149
DNS: abc.sbulfert.in (Type: A) ➝ 109.74.195.149
DNS: mhogran.com (Type: A) ➝ 208.73.210.211
DNS: mhogran.com (Type: A) ➝ 208.73.211.167
DNS: mhogran.com (Type: A) ➝ 208.73.211.244
DNS: mhogran.com (Type: A) ➝ 208.73.211.250
DNS: www.mhogran.com (Type: A) ➝ 208.73.211.164
DNS: www.mhogran.com (Type: A) ➝ 208.73.211.177
DNS: www.mhogran.com (Type: A) ➝ 208.73.211.195
DNS: www.mhogran.com (Type: A) ➝ 208.73.211.239
DNS: mail.mhogran.com (Type: A) ➝ 208.73.211.164
DNS: mail.mhogran.com (Type: A) ➝ 208.73.211.177
DNS: mail.mhogran.com (Type: A) ➝ 208.73.211.195
DNS: mail.mhogran.com (Type: A) ➝ 208.73.211.239
DNS: mx.mhogran.com (Type: A) ➝ 208.73.211.244
DNS: mx.mhogran.com (Type: A) ➝ 208.73.211.250
DNS: mx.mhogran.com (Type: A) ➝ 208.73.210.211
DNS: mx.mhogran.com (Type: A) ➝ 208.73.211.167
Flows TCP: 192.168.1.1:1031 ➝ 66.199.236.114:443
Flows TCP: 192.168.1.1:1031 ➝ 66.199.236.114:443
Flows TCP: 192.168.1.1:1032 ➝ 66.199.236.115:443
Flows TCP: 192.168.1.1:1033 ➝ 66.199.236.116:443
Flows TCP: 192.168.1.1:1034 ➝ 174.34.176.90:443
Flows TCP: 192.168.1.1:1035 ➝ 174.34.176.91:443
Flows TCP: 192.168.1.1:1036 ➝ 174.34.176.92:443
Flows TCP: 192.168.1.1:1037 ➝ 109.74.195.149:443
Flows TCP: 192.168.1.1:1038 ➝ 109.74.195.149:443
Flows TCP: 192.168.1.1:1039 ➝ 208.73.210.211:443
Flows TCP: 192.168.1.1:1040 ➝ 208.73.211.164:443
Flows TCP: 192.168.1.1:1041 ➝ 208.73.211.164:443
Flows TCP: 192.168.1.1:1042 ➝ 208.73.211.244:443

Raw Pcap
0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..


Strings
U

Halt
Help
* {l
Software testing tool
Start
Stop
Verdana
0\1IsWm
0O0`0e0s0
{0#suW
1a4>'$
1Ry-Il$;[
 +2FITj]j
2O|DZ~0Cd
'2:QQ]u]k
3.6M?KcIXr@Sn
5\|(Mi&E^(CX(@T
6`(:_0?`
#65ASR^pVauCPj%4U
6Zx7Wt9Wp:Tl/G]*?U
"?&?a6b
$A+&$E
Al03Z[N
aPBs#Fh
+AP%BX
A_|>Xv7Ok*A[
+B;Kb[k
@.data
)D.B[IZuWi
DC,V?9
D{"G{1Iw
+@DSfj{
eI'5|?
EnumWindows
\EvZWpL
ExitProcess
 Ff.Tt9^
FindResourceA
fs@8)=
Fv#Iy%Ht$Cj#<^ 2O
GcOI2j
GetCommandLineA
GetProcAddress
GetWindowLongA
GetWindowTextA
GetWindowTextLengthA
@]$Gh"Hk#Ku'P}%O~
h<3|#>
H	/Y%ClDT
"I&1W4>f
>i!;_$6S#1H$+>!(7
&I=~Ack
=i#Bo ?l
,`"J~=e
JpP+Qr
)"%K$Af#Rx9t
kernel32.dll
KERNEL32.dll
?](Lj0Vv0Vy2Y
LoadLibraryA
LoadResource
lstrcmpiA
m<G|!]
$Mn4]~@f
p1% @A"
,/:PNYtN_zJ^}Ul
%]?q|!
`.rdata
@.reloc
"S1g7A
Shadowline variant
TGD_'i
!This program cannot be run in DOS mode.
USER32.dll
VirtualAlloc
VirtualFree
:Vx/Hh!7S
wW9!i(