Analysis Date: 2015-02-03 05:47:22
MD5: ae5f8a1060827886cc9868c097042fd5
SHA1: 739522d05e9f5d57be8ddb63d2b835d635fa071b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 00d8a895ebdf39ac9091f58c05a15849 sha1: 91e5597ef25b0527357748e4c78ecd308a4541d4 size: 8192
Section .rdata — md5: 118b9dd158b4e5f0d8c61509ea8df58a sha1: abf69f716c35a26389d64c61105b5505639cb7a9 size: 3584
Section .data — md5: ab8a717a80dc396164e9e7ada620eb09 sha1: 3bf136cfaa4dc8825b96f8d164c543d2e13ffbc0 size: 3072
Section .rsrc — md5: 853ed00a1530a6bf3e02e4003aefb739 sha1: 2ba8b371e8e06e0aff50e71e3e08ece6d8bd1629 size: 20480
Section .reloc — md5: 9cd592481a1988dc2433d36e4e780280 sha1: a9d428588082c9fe879f8842909bad7f31dda65e size: 4096
(Note: .rsrc is the largest section at 20 KB, larger than .text; the .rtf/.cab dropped at runtime may be carved from it — confirm by inspecting the resource directory.)
Timestamp (PE header compile time; attacker-controlled, may be forged): 2012-01-13 15:40:06
PEhash: 1792011b317dee5547645e27e78f3a229baa2cc5
IMPhash: b3d97b1e32329056478778885727a7f5
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Agent.BHJU
AV Alwil (avast): Downloader-VQV [Trj]
AV Arcabit (arcavir): Trojan.Agent.BHJU
AV Authentium: W32/Trojan.HPPB-6376
AV Avira (antivir): TR/Cabhot.A.262
AV BullGuard: Trojan.Agent.BHJU
AV CA (E-Trust Ino): Win32/Tnega.TMNEWSD
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Agent.BHJU
AV Eset (nod32): Win32/Kryptik.CVTU
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): W32/Trojan3.NFS
AV F-Secure: Trojan.Agent.BHJU
AV Grisoft (avg): Zbot.WZL
AV Ikarus: Trojan-Ransom.CTBLocker
AV K7: Trojan ( 004b44121 )
AV Kaspersky: Trojan-Downloader.Win32.Cabby.ccdl
AV MalwareBytes: Trojan.Email.FakeDoc
AV Mcafee: Downloader-FAMV!AE5F8A106082
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.C
AV MicroWorld (escan): Trojan.Agent.BHJU
AV Rising: no_virus
AV Sophos: Troj/Agent-AIRO
AV Symantec: no_virus
AV Trend Micro: TROJ_CRYPCTB.SME
AV VirusBlokAda (vba32): Trojan.FakeAV.01657
Detection summary (as of the 2015-02-03 analysis date): 23 of 29 engines flag the sample. The names cluster on a downloader family (Kaspersky "Cabby", Microsoft "Dalexis", McAfee/avast "Downloader-*") used to deliver CTB-Locker ransomware (Ikarus "Trojan-Ransom.CTBLocker", Trend Micro "TROJ_CRYPCTB"), with several generic packer detections ("Kryptik"). The AVG "Zbot" and VBA32 "FakeAV" labels are outliers and should not drive classification.

Runtime Details:

Screenshot

Process tree
↳ C:\malware.exe (sandbox-assigned name; the original filename of the sample is not recorded in this report)

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\739522d05e9f5d57be8ddb63d2b835d635fa071b.rtf
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_73812.cab
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 93031785
Winsock DNS: windowsupdate.microsoft.com
Notes: the dropped .rtf is named with the sample's own SHA1 (see the static details above) — consistent with the MalwareBytes "Trojan.Email.FakeDoc" label, i.e. a decoy document presumably opened to mask execution; confirm by examining the dropped file. The \Device\Afd\* entries are Winsock socket-driver handles, not files on disk. The mutex value and the Temp\temp_cab_*.cab name pattern are the usable host-side indicators from this run; whether the numeric suffix 73812 is fixed or generated per run is not determinable from a single execution.

Network Details:

DNS: www.update.microsoft.com.nsatc.net — Type: A → 157.55.240.216
DNS: www.update.microsoft.com.nsatc.net — Type: A → 65.55.192.91
DNS: windowsupdate.microsoft.com — Type: A (no address listed directly; the nsatc.net answers above are presumably the CNAME target)
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows: TCP 192.168.1.1:1031 ➝ 157.55.240.216:80
Caveats: windowsupdate.microsoft.com and the 157.55.x / 65.55.x addresses are legitimate Microsoft infrastructure — do not add them to blocklists; the single "GET /" with "Connection: Close" (see the raw pcap below) is consistent with an internet-connectivity check rather than C2. No second-stage download was observed in this run, so the downloader's real C2 and payload are not captured here. The User-Agent is hard-coded to claim Windows NT 6.0 while the sandbox paths ("Documents and Settings") indicate an NT 5.x host — a weak but usable network signature if combined with the destination.

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....


Strings (raw extraction; mostly binary residue and relocation-table noise. Notable readable items: the PDB path "lokitar.pdb"; imports spanning ADVAPI32, KERNEL32, user32, SHLWAPI, WTSAPI32, certcli.dll and modemui.dll, including VirtualAllocEx, CreateNamedPipeA, ClearEventLogA, WTSQueryUserToken and the Url*/Path* helpers. The breadth of unrelated APIs alongside the Kryptik detections suggests a padded or junk import table from a packer — verify against the actual IAT before treating any single import as a capability.)
....U..
.Jy.0rZ..Q....
..S..w..e.n
n....~P(.......0j?v)..%o.v.l.....a......{.../.4.mw^l.*.+.....+...s(. q.........m.t..A"..
O....
.6......]......|.L......@&7%..U.T..[{.....|S...."..A4.u.
)6K).6y.\.K
.+
...3..^i..Lj.^.i....
..

0	0(01070=0L0V0]0a0o0u0{0
0"0&030?0K0R0X0^0d0p0t0
/0dV)s
>$>*>0>:>@>F>M>[>a>j>q>w>}>
1)10151:1@1Q1W1^1b1h1p1z1
1%1-171;1A1G1M1S1Z1`1m1s1|1
? ?&?1?9?@?G?M?T?X?^?h?o?u?z?
= =&=,=1=?=E=K=O=W=a=i=
2%2*21272=2C2J2[2_2k2r2x2~2
2,2P2W2]2d2h2p2x2~2
< <&<2<><G<L<R<Y<i<o<v<
3#3,33393@3D3I3O3Y3^3i3r3~3
<%<+<3<<<@<K<R<[<o<w<|<
4!4'4+444:4A4G4M4b4q4v4}4
4#4(4-454<4B4P4X4_4e4x4
;&;4;9;>;E;K;Q;c;j;n;y;
5$5+52575=5C5I5P5i5v5}5
5!5)535?5J5P5V5_5h5~5
6%616B6I6O6U6\6b6h6l6r6y6
6$6+61686<6B6H6Q6W6\6e6y6
>$>/>6>?>F>L>R>Z>a>h>q>|>
7 7)73797=7L7c7j7p7w7
7$7(7.747;7B7H7O7]7e7p7v7|7
8#81878=8C8J8b8i8n8s8y8
8'8-84898@8F8T8X8^8e8l8u8{8
;/;8;>;G;M;T;Z;e;k;o;u;{;
8\vT/:
9 :':0:6:<:D:R:W:]:c:t:z:
9#9)909B9H9Q9U9]9j9r9z9
9$9(9.949;9D9J9P9V9`9g9l9r9z9
= =+=9=@=F=N=`=g=m=s=
ADVAPI32.dll
CACloseCA
CACloseCertType
CADeleteCA
CAEnumFirstCA
CAEnumNextCA
cAn/];
certcli.dll
CharToOemA
ClearEventLogA
CloseHandle
CompareStringA
ControlService
CountryRunOnce
CreateNamedPipeA
CreateWindowExA
@.data
DialogBoxParamA
DispatchMessageA
DrawIcon
drvCommConfigDialogA
drvGetDefaultCommConfigA
drvSetDefaultCommConfigA
Ez+	0G
:!:::F:L:R:V:\:c:i:o:t:
GetCaretPos
GetConsoleAliasW
GetCurrentDirectoryA
GetFullPathNameW
GetGeoInfoA
GetModuleHandleA
GetPrivateProfileIntA
GetPrivateProfileStructW
GetProcAddress
GetProcessId
GetTickCount
GetVersionExA
GetWindowTextA
?"?(?H?N?W?]?c?i?o?y?}?
h,S8mO
InitializeSid
InvokeControlPanel
IsDialogMessageA
IsTextUnicode
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
IsZoomed
j!5lA@
KaW_TMB
KDQUeKCiqYoBg
kernel32.DLL
KERNEL32.dll
LoadCursorA
lokitar.pdb
lt`>*n
Mg<=gS
mLTF$0N
modemui.dll
<)MpGt
N<V47P
,	n<Y7
ogD[Q,
Ot;,AQN
O}u>8!gE
PathCombineA
PathCommonPrefixA
PathCompactPathA
qOrB^)
`.rdata
RegCloseKey
RegEnumKeyA
RegFlushKey
RegOpenKeyExA
RegQueryValueA
RegSaveKeyA
@.reloc
RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SHLWAPI.dll
!This program cannot be run in DOS mode.
U3A9J(
U3V0cA
UdYbvqvXIqhVHn
UrlCanonicalizeA
UrlCombineA
UrlCompareA
UrlCreateFromPathA
UrlEscapeA
UrlGetLocationA
UrlGetPartA
UrlIsA
UrlIsNoHistoryW
UrlIsOpaqueA
UrlUnescapeA
user32.dll
VirtualAllocEx
WaitForSingleObject
WTSAPI32.dll
WTSEnumerateServersA
WTSEnumerateSessionsW
WTSLogoffSession
WTSOpenServerW
WTSQueryUserToken
WTSRegisterSessionNotification
WTSUnRegisterSessionNotification
WTSVirtualChannelOpen
WTSVirtualChannelPurgeInput
WTSVirtualChannelRead
X6uEuS
	)=xA@
|xZa6-V_"n<ny& ]
yXClOLvdIpNJglYa