Analysis Date: 2015-05-06 17:07:37
MD5: 22b196da2605f9f77848c62e580216b4
SHA1: 780e03d5ae742850625a4a878b1180dd44ca5b84

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 443f0720a59096acd7a8530efdf47276 sha1: 7427f2aa48eeacfb918d29325ad769579325f361 size: 93184
Section .rdata md5: b3c24a12c93887e730c4f2e2ba7016df sha1: ca551a05c834ea090711fed640c661a27261aa88 size: 20480
Section .data md5: 42f31e63e59f776fb7468ca1903aca54 sha1: 9dbc525223562dfd3dfc41bf99e8ffc3fc65a76a size: 5632
Section .rsrc md5: 2f1844fb7c7f7c69343e9613797cebad sha1: f3899b1948e8dc0d03adabcdf0c35b38286082d0 size: 41984
Timestamp: 2015-04-21 22:52:39
Version:
LegalCopyright: Copyright (C) Improve 2002-2013
Legal Trademarks: Improve
Internal Name: Seldom.exe
CompanyName: Arrange wherever additional - www.Improve.com
ProductName: Improve
Original Filename: Seldom.exe
ProductVersion: 2.0
FileDescription: Salmon halfway industrial mad negative pilot previous
FileVersion: 2.0.0.3
Packer: Microsoft Visual C++ ?.?
PEhash: 0de7865c7d367e7ad43983dd6968e035c0bbc14c
IMPhash: 8bd9c4dfa0af7daee9757bce74028254
AV Ad-Aware: Trojan.GenericKD.2315096
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2315096
AV Authentium: W32/Trojan.JCNJ-2508
AV Avira (antivir): Worm/Gamarue.162304
AV BitDefender: Trojan.GenericKD.2315096
AV BullGuard: Trojan.GenericKD.2315096
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Stealer.4118
AV Emsisoft: Trojan.GenericKD.2315096
AV Eset (nod32): Win32/Kryptik.DGNQ
AV Fortinet: W32/Tinba.BI!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2315096
AV Grisoft (avg): Crypt4.SDK
AV Ikarus: Trojan.Win32.Crypt
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.Agent.DED
AV Mcafee: RDN/Generic Dropper!wu
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AR
AV MicroWorld (escan): Trojan.GenericKD.2315096
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/Agent-AMTL
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org, Type: A, 84.2.44.19
DNS: europe.pool.ntp.org, Type: A, 131.211.8.244
DNS: europe.pool.ntp.org, Type: A, 5.196.160.139
DNS: europe.pool.ntp.org, Type: A, 46.243.50.14
DNS: north-america.pool.ntp.org, Type: A, 69.50.219.51
DNS: north-america.pool.ntp.org, Type: A, 72.38.129.202
DNS: north-america.pool.ntp.org, Type: A, 198.60.22.240
DNS: north-america.pool.ntp.org, Type: A, 15.125.94.25
DNS: south-america.pool.ntp.org, Type: A, 191.96.4.121
DNS: south-america.pool.ntp.org, Type: A, 192.188.53.26
DNS: south-america.pool.ntp.org, Type: A, 200.1.19.17
DNS: south-america.pool.ntp.org, Type: A, 190.15.128.72
DNS: asia.pool.ntp.org, Type: A, 202.65.114.202
DNS: asia.pool.ntp.org, Type: A, 106.186.114.89
DNS: asia.pool.ntp.org, Type: A, 129.250.35.251
DNS: asia.pool.ntp.org, Type: A, 185.22.67.230
DNS: oceania.pool.ntp.org, Type: A, 121.0.0.41
DNS: oceania.pool.ntp.org, Type: A, 192.189.54.33
DNS: oceania.pool.ntp.org, Type: A, 202.60.94.11
DNS: oceania.pool.ntp.org, Type: A, 27.116.36.44
DNS: africa.pool.ntp.org, Type: A, 168.167.252.243
DNS: africa.pool.ntp.org, Type: A, 197.82.150.123
DNS: africa.pool.ntp.org, Type: A, 197.157.194.21

Raw Pcap

Strings
...i.C
00-+ -E-
-0
-0010+-0
0
-0
.
..
\
.CC 
00
...........?- 
0
0
0
0
s
u
M
.
 ((.
'|,;
]#*(
040904E4
'0)v
}@)1
{{1F
1``F
1;X5
2.0.0.3
2~Iz
2]"s
/=31
(4*z
56><
`6.;O
(:8?
8bm*P
954:
9/gGY
Ad+1
Am*!
Arrange wherever additional - www.Improve.com
];B@
B@g#
blGlyphBottom
blGlyphLeft
blGlyphRight
blGlyphTop
Buttons
BUTTONS(
Bz=Z
?CA'
CompanyName
Copyright (C) Improve 2002-2013
d2k5
D	5L
^DDJ
Delphi Component
Delphi Picture
dh`+
dHs$
:DJI
e[%+)/-
_E{H2
"~fd
FileDescription
FileVersion
Fu*&]
?Ge;
%GkC
GW+{
                                 H
         (((((                  H
H-,21
h(~B
         h((((                  H
hp~B
hUTZ
[=\H-([y
hZYYd
*I3f
^i6b
i8VA
Improve
Internal Name
j98>
JIHN
jm}N
$JRPw
KERNEL32.DLL
KQL5Omg
k)qNftWU[*_]c
KTZY
l?&$
{la$b,
LegalCopyright
Legal Trademarks
MeN?r
mscoree.dll
MSQwu{y
(null)
oa6_
OK%k
okrp	[ 
O<,m
O?o%
{)Op
Original Filename
P:9-=
p,ev
$POU
ProductName
ProductVersion
PVWj
QNvt
Salmon halfway industrial mad negative pilot previous
Seldom.exe
sFpe	
s'h`~B
SRZX
StringFileInfo
}szx
t8Q<D
TButtonLayout
tekh
TNumGlyphs
Tr|`@
Translation
TSpeedButton
TSpeedButton`
TSpeedButtonActionLink
!TU:
 UFD
Uh!~B
uMLR
utz?
VarFileInfo
vihn
?vNe
VS_VERSION_INFO
vv}{
_W^\
W10V
X1-!eB
xlct
XOxW
xrC0J
yF<$
z#<'ES
~Z`J
ZYYd
                          
        />
""""""""""""""""""""""""""
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0SSSSS
1#QNAN
1#SNAN
2_N%{=
$2{T^dPvYGp9cR
%3`1&4
33333!333332
3mP<%G
3Q)cRTU]Ew
4DC2fa3ff3&f
4f*h*8)
<8bunz8
8Kl!sW
a3DD3&f
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
An application has made an attempt to load the C runtime library incorrectly.
  array[ %i ] = %li
<assemblyIdentity
        <assemblyIdentity
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
aTDDC&f
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
aUDDU&f
August
B 02CV
BeginUpdateResourceW
bKMJM^
Br`xA<
C =02CVu
-c8Cq(	>?
Calling function pre()
Calling longjmp() from inside function p()
?$CjbD
CloseHandle
CompareStringW
CONOUT$
CorExitProcess
CreateDirectoryW
CreateEventW
CreateFileA
CreateFileMappingW
CreateFileW
CreateThread
- CRT not initialized
Cu}2*Tx;
@.data
DDD2faVffc&f
DDDD2aT@
DDDD2aTD
DDDDC!T
DDDDC!T@
DDDDC!TD
DDDDC!TDD@
DDDDC!TDDD
DDDDC!TDDDD2
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
DeleteFileW
</dependency>
<dependency>
    </dependentAssembly>
    <dependentAssembly>
<description>InstallAnywhere.Setup</description>
DOMAIN error
EncodePointer
EndUpdateResourceW
Enter a hexadecimal number or anything else to quit:
EnterCriticalSection
Enter the size of the array
Enter the size of the new array
EnumCalendarInfoExW
EnumCalendarInfoW
EnumResourceNamesW
EnumSystemLocalesW
<@En[vP
eQsZqN@
ExitProcess
ExitThread
f"33"ffb#32&ff"33"ffb#32&f
`F7=D"
FatalExit
February
fff2fG
ffff2aV`
ffff2aVf
ffffc!V
ffffc!V`
ffffc!Vf
ffffc!Vff`
ffffc!Vfff
ffffc!Vffff2
ffffc!Vffff2 
ffffff
ff""ffffb"&ffff""ffffb"&ff
ffffffffffffffffffffffffff
FileTimeToDosDateTime
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileW
FindNextFileW
FindResourceW
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeResource
Friday
GAIsProcessorFeaturePresent
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCPInfoExW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetDiskFreeSpaceW
GetDriveTypeW
GetEnvironmentStrings
GetEnvironmentStringsW
GetExitCodeThread
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileType
GetFileVersionInfoSizeW
GetFileVersionInfoW
GetFullPathNameW
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetLocalTime
GetLogicalDrives
GetLogicalDriveStringsW
GetLongPathNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetPrivateProfileStringW
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDefaultLangID
GetSystemDefaultUILanguage
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemTimes
GetTempPathW
GetThreadLocale
GetThreadPriority
GetTickCount
GetTimeZoneInformation
GetUserDefaultUILanguage
GetUserObjectInformationA
GetVersion
GetVersionExW
GetVolumeInformationW
GlobalAddAtomW
GlobalAlloc
GlobalDeleteAtom
GlobalFindAtomW
GlobalFree
GlobalLock
GlobalUnlock
`h````
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
hfpnpn
`h`hhh
HH:mm:ss
HHtXHHt
_hypot
i^^?(>
>If90t
%i    %i     %i
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
<.i_ov
,I$P}F
IsDebuggerPresent
IsValidCodePage
IsValidLocale
JanFebMarAprMayJunJulAugSepOctNovDec
January
j@j ^V
j"^SSSSS
kcLqjik
KERNEL32
KERNEL32.dll
            language="*"
LCMapStringA
LCMapStringW
LeaveCriticalSection
				level="asInvoker"
l,kg<i
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockResource
longjmp has been called
lstrlenW
lV!qbi6b
MapViewOfFile
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
MulDiv
MultiByteToWideChar
    name="InstallAnywhere.Setup"
            name="Microsoft.Windows.Common-Controls"
!n!bA!ZRo
_nextafter
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
NvRb,Q
October
ohS|UL
-@~ o+#P
o:sxCE
Performing function recover()
Please contact the application's support team for more information.
PPPPPPPP
            processorArchitecture="X86"
    processorArchitecture="X86"
Program: 
<program name unknown>
            publicKeyToken="6595b64144ccf1df"
- pure virtual function call
qgfa6A
QJ#.jS
QueryDosDeviceW
QueryPerformanceCounter
RaiseException
`.rdata
ReadFile
RegCloseKey
RegConnectRegistryW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegFlushKey
RegLoadKeyW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegReplaceKeyW
RegRestoreKeyW
RegSaveKeyW
RegSetValueExW
RegUnLoadKeyW
RemoveDirectoryW
			<requestedExecutionLevel
		</requestedPrivileges>
		<requestedPrivileges>
ResetEvent
ResumeThread
*rJ0UJ
RtlUnwind
runtime error 
Runtime Error!
RUUUUU
Saturday
	</security>
	<security>
September
S"!+eq6
SetConsoleCursorPosition
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesW
SetFilePointer
SetFileTime
SetHandleCount
setjmp has been called
SetLastError
SetStdHandle
SetThreadLocale
SetThreadPriority
SetUnhandledExceptionFilter
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteW
Shell_NotifyIconW
SHGetDesktopFolder
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
show me %i
SING error
SizeofResource
SleepEx
^SSSSS
Sunday
SunMonTueWedThuFriSat
SuspendThread
SwitchToThread
SystemTimeToFileTime
TDERfaUffU&f
TerminateProcess
The array of size %d is:
The data read was %i
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
This point should never be reached
!This program cannot be run in DOS mode.
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tNIt?It0It 
T[nz#[U
tRHtCHt4Ht%HtFHHt
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TryEnterCriticalSection
t"SS9]
<+t(<-t$:
t$<"u	3
Tuesday
;t$,v-
t+WWVPV
            type="win32"
    type="win32"
$_-t[z<
u3 d6%FW]
)?]ufq
				uiAccess="false"/>
uL9=X)B
U	@N?=8
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UnmapViewOfFile
UpdateResourceW
UQPXY]Y[
URPQQh(
USER32.DLL
UTg*ed
UUUUS!UUUUU2
V&><;\%|8.I+y%/
+vaRc8
VerQueryValueW
    version="1.0.0.0"
            version="6.0.0.0"
VERSION.dll
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
VirtualQueryEx
v	N+D$
_VVVVV
\*vWT1u
WaitForMultipleObjectsEx
WaitForSingleObject
WaitForSingleObjectEx
Wednesday
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
WritePrivateProfileStringW
^WWWWW
	X 9} 
Xk@]PV
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xppwpp
xpxxxx
Y:/(A6>
>=Yt1j
YU}UPh