Analysis Date: 2014-07-04 10:47:00
MD5: d8d18606988f77cba07dcd876064bc4d
SHA1: 72dc08614f8a0d48391a24e792a6ab3b62d3c664

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3b1afa6b4161f1e49689fb2c6af76e5b sha1: a78632a351fdd13463771bdfce04516a91ae4767 size: 65024
Section .xdataH md5: ab3390c28c871082054b871f02b6dd7d sha1: d66946a33c511e0f084af1f37d76652af69603d8 size: 37376
Section .rdata  md5: 20c7953ef917963f210c6c33d9a83a23 sha1: ec5fa2c15529b840d14e45fe143c5ab32c70456a size: 6656
Section .rsrc   md5: 01188c1d7dc49e83e9f902168b3c1af7 sha1: 616f74598ddd3feeeb683391a1b7bde3b351182d size: 6144
Section .rsrcs  md5: e48a18fa83cbf69c388c206d9f50c6c5 sha1: 439ed64ba490f8209d2d5360a8e8c00db8797c24 size: 1536
Timestamp: 2004-07-04 04:56:44
Version:
  LegalCopyright: Begs 2001 2011
  InternalName: Runway
  CompanyName: Confiance IP Solutions
  ProductName: Click Glade Fuji Jill Penn Exxon
  ProductVersion: 4 7 6157
  FileDescription: Ewyrad
  OriginalFilename: Tamer.exe
PEhash: a028bf2c66d395e98a285f46221c9b6863232594
IMPhash: 57f02603e470685aa13bfaad2dcaa121
AV 360 Safe: Trojan.GenericKD.1650908
AV Ad-Aware: Trojan.GenericKD.1650908
AV Alwil (avast): Agent-ATKC [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.VHCU-3737
AV Avira (antivir): TR/Crypt.Xpack.57733
AV CA (E-Trust Ino): Win32/Cutwail.CBS
AV CAT (quickheal): TrojanDownloader.Cutwail.rw5
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1391
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Wigon.PI
AV Fortinet: W32/Pushdo.RLL!tr.bdr
AV Frisk (f-prot): W32/Trojan2.OELS (exact)
AV F-Secure: Trojan.GenericKD.1650908
AV Grisoft (avg): SHeur4.BUDA
AV Ikarus: Trojan-Spy.Zbot
AV K7: Backdoor ( 004567271 )
AV Kaspersky: Backdoor.Win32.Pushdo.rll
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: RDN/Downloader.a!qe
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): Trojan.GenericKD.1650908
AV Norman: winpe/Troj_Generic.TQCKY
AV Rising: no_virus
AV Sophos: Troj/Agent-AGXX
AV Symantec: Backdoor.Trojan
AV Trend Micro: TROJ_KRYPTIK.YWK
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\fuzjicatefly ➝ C:\Documents and Settings\Administrator\fuzjicatefly.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\fuzjicatefly.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: fuzjicatefly

Network Details:

DNS: smtp.glbdns2.microsoft.com
  Type: A
  65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net
  Type: A
  98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net
  Type: A
  98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net
  Type: A
  63.250.193.228
DNS: fleshercorp.com
  Type: A
  208.91.197.27
DNS: penavision.co.in
  Type: A
  174.136.57.160
DNS: stormwildlifeart.com
  Type: A
  70.86.7.138
DNS: miltinio-teatras.lt
  Type: A
  92.61.39.244
DNS: stecom.nl
  Type: A
  193.23.143.117
DNS: sarahdavid.com
  Type: A
  162.159.246.248
DNS: sarahdavid.com
  Type: A
  162.159.247.248
DNS: re-wakefield.co.uk
  Type: A
  141.101.116.86
DNS: re-wakefield.co.uk
  Type: A
  141.101.117.86
DNS: ryumachi-jp.com
  Type: A
  111.68.174.253
DNS: topex.ro
  Type: A
  193.226.61.45
DNS: totalearthcare.com.au
  Type: A
  108.162.192.68
DNS: totalearthcare.com.au
  Type: A
  108.162.193.68
DNS: photoclubs.com
  Type: A
  209.50.251.101
DNS: padstow.com
  Type: A
  62.233.107.131
DNS: xing-group.com
  Type: A
  59.106.165.171
DNS: cbsprinting.com.au
  Type: A
  162.159.249.145
DNS: cbsprinting.com.au
  Type: A
  162.159.250.145
DNS: freepatentauction.com
  Type: A
  213.186.33.4
DNS: eyggroup.com
  Type: A
  85.233.160.22
DNS: ezmedi.com
  Type: A
  218.150.78.243
DNS: hartmultimedia.com
  Type: A
  196.209.220.202
DNS: smtp.live.com
  Type: A
DNS: smtp.mail.yahoo.com
  Type: A
DNS: hifuken.com
  Type: A
DNS: debtrescueusa.com
  Type: A
HTTP POST: http://stormwildlifeart.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://stormwildlifeart.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://miltinio-teatras.lt/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://stecom.nl/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://penavision.co.in/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://fleshercorp.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sarahdavid.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://re-wakefield.co.uk/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://topex.ro/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://totalearthcare.com.au/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ryumachi-jp.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://photoclubs.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://padstow.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://xing-group.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://cbsprinting.com.au/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://freepatentauction.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://eyggroup.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ezmedi.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1038 ➝ 70.86.7.138:80
Flows TCP: 192.168.1.1:1037 ➝ 70.86.7.138:80
Flows TCP: 192.168.1.1:1039 ➝ 92.61.39.244:80
Flows TCP: 192.168.1.1:1044 ➝ 193.23.143.117:80
Flows TCP: 192.168.1.1:1045 ➝ 174.136.57.160:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1047 ➝ 162.159.246.248:80
Flows TCP: 192.168.1.1:1048 ➝ 141.101.116.86:80
Flows TCP: 192.168.1.1:1049 ➝ 193.226.61.45:80
Flows TCP: 192.168.1.1:1050 ➝ 108.162.192.68:80
Flows TCP: 192.168.1.1:1051 ➝ 111.68.174.253:80
Flows TCP: 192.168.1.1:1052 ➝ 209.50.251.101:80
Flows TCP: 192.168.1.1:1053 ➝ 62.233.107.131:80
Flows TCP: 192.168.1.1:1054 ➝ 59.106.165.171:80
Flows TCP: 192.168.1.1:1055 ➝ 162.159.249.145:80
Flows TCP: 192.168.1.1:1056 ➝ 213.186.33.4:80
Flows TCP: 192.168.1.1:1057 ➝ 85.233.160.22:80
Flows TCP: 192.168.1.1:1058 ➝ 218.150.78.243:80
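The DNS answers, HTTP POSTs, TCP flows, created files and registry writes above are only useful for triage once they are tied together: which domain each port-80 flow belongs to, whether the port-25 flows line up with the smtp.* lookups, which queries came back empty, and whether the Run-key write points at a file the sample itself dropped. The Python below is an added example, not part of this report or of the sandbox that produced it. It parses a constructed subset of this page's own records (the sample string is built from them) and correlates them; the record labels it keys on are the page's, while the dictionary keys, function names and the decision to skip the "Type: A" lines are my own choices. The label regex also accepts the glued "DNSname" / "Flows TCP192..." layout of the raw extraction, so the full report text can be fed in unchanged.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of this report's own records in its "Label: value"
# layout (LABEL_RE also takes the glued "DNSname" layout of the raw extraction).
SAMPLE_REPORT = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\fuzjicatefly ➝
C:\Documents and Settings\Administrator\fuzjicatefly.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Creates File: C:\Documents and Settings\Administrator\fuzjicatefly.exe
DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: stormwildlifeart.com
Type: A
70.86.7.138
DNS: smtp.live.com
Type: A
HTTP POST: http://stormwildlifeart.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1038 ➝ 70.86.7.138:80
"""

LABEL_RE = re.compile(r"^(DNS|HTTP POST|Flows TCP|Creates File|Creates Mutex|Registry):?\s*(.*)$")
FLOW_RE = re.compile(r"^(\S+):(\d+)\s*➝\s*(\S+):(\d+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SIMPLE = {"Creates File": "files", "Creates Mutex": "mutexes"}   # label -> list in the report dict
SERVICE = {25: "smtp", 80: "http"}


def parse_report(text):
    """Group the flat lines into records; answer IPs, User-Agent: lines and a registry
    value following a trailing ➝ are continuation lines of the record before them."""
    rep = {"dns": [], "posts": [], "flows": [], "files": [], "mutexes": [], "registry": []}
    dns = reg_key = None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if reg_key is not None:                 # value for a key that ended in ➝
            rep["registry"].append((reg_key, line))
            reg_key = None
            continue
        m = LABEL_RE.match(line)
        if m is None:                           # continuation line ("Type: A" is skipped)
            if dns is not None and IPV4_RE.match(line):
                dns["answers"].append(line)
            elif rep["posts"] and line.startswith("User-Agent:"):
                rep["posts"][-1]["ua"] = line.split(":", 1)[1].strip()
            continue
        label, value = m[1], m[2].strip()
        dns = None
        if label == "DNS":
            dns = {"name": value, "answers": []}
            rep["dns"].append(dns)
        elif label == "HTTP POST":
            rep["posts"].append({"url": value, "ua": ""})
        elif label == "Flows TCP":
            fm = FLOW_RE.match(value)
            if fm:
                rep["flows"].append((fm[1], int(fm[2]), fm[3], int(fm[4])))
        elif label in SIMPLE:
            rep[SIMPLE[label]].append(value)
        else:                                   # Registry
            key, arrow, val = (p.strip() for p in value.partition("➝"))
            if arrow and not val:
                reg_key = key                   # value is on the next line
            else:
                rep["registry"].append((key, val))
    return rep


def ip_to_domains(rep):
    return {ip: {rec["name"] for rec in rep["dns"] if ip in rec["answers"]}
            for r in rep["dns"] for ip in r["answers"]}


def correlate_flows(rep):
    """Each TCP flow with the domain(s) whose A record matched its destination."""
    lookup = ip_to_domains(rep)
    return [{"dst": dst, "port": dport, "service": SERVICE.get(dport, "other"),
             "domains": sorted(lookup.get(dst, ()))} for _s, _sp, dst, dport in rep["flows"]]


def unanswered_dns(rep):
    return [r["name"] for r in rep["dns"] if not r["answers"]]


def persistence_entries(rep):
    """Run-key values pointing at a file the sample itself wrote (self-copy + autostart)."""
    created = {f.lower() for f in rep["files"]}
    return [(k, v) for k, v in rep["registry"] if "\\run\\" in k.lower() and v.lower() in created]


def posts_backed_by_flow(rep):
    """URL -> resolved IPs of its host that also got a port-80 flow ([] = POST without a flow)."""
    lookup = ip_to_domains(rep)
    flows80 = {dst for _s, _sp, dst, dport in rep["flows"] if dport == 80}
    return {p["url"]: sorted(ip for ip in flows80 if urlsplit(p["url"]).hostname in lookup.get(ip, ()))
            for p in rep["posts"]}
```

Run against the full report, every port-80 flow maps back to the A record of one of the POST targets, the two port-25 flows map to smtp.glbdns2.microsoft.com and smtp.mail.us.am0.yahoodns.net, hartmultimedia.com resolves but gets neither a flow nor a POST, and unanswered_dns returns smtp.live.com, smtp.mail.yahoo.com, hifuken.com and debtrescueusa.com. The AppManagement write is deliberately not reported as persistence: its value is NULL, not a dropped file, and the Run-key entry that points at the self-copy is the one worth an IOC.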
