Analysis Date: 2014-10-11 02:29:43
MD5: 2ab629fc1c21bf1b14058a100e05f3c5
SHA1: 781aafcd38e08a2d0445b4ef28866904e3b5ab6c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9e9e4a6be0c57a37046edb249b0e9d1d sha1: 4ab5fd8a38b09044ab3fcef5a09fe49a83b00d53 size: 9216
Section .rdata md5: e04f4946fa48e50ee956246b55a022dc sha1: 67a9ac98b328a6df534e790c8fd212c264fe18e8 size: 1536
Section .data md5: 226ae232ac4c18029fb782c848429e93 sha1: 0498ecba863eef75620998cb7c41028f6c7d1244 size: 512
Section .rsrc md5: 6d3ed9bfb144ddc0f956ad1cd4366817 sha1: 85917b62bb0550aaca302e7f42cfafe91fddd833 size: 8192
Timestamp: 2012-05-24 07:26:51
Packer: Microsoft Visual C++ v6.0
PEhash: 6a8475433d26eb5038b4015509ac0767a87fc284
IMPhash: 908d85f556f13cbb1e944bd7a23966d5
AV 360 Safe: Trojan.Agent.BDXS
AV Ad-Aware: Trojan.Agent.BDXS
AV Alwil (avast): Crypt-REV [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.DUOZ-8276
AV Avira (antivir): TR/Spy.ZBot.cehr.1
AV BullGuard: Trojan.Agent.BDXS
AV CA (E-Trust Ino): Win32/Upatre.THMfKcC
AV CAT (quickheal): TrojanDownloader.Upatre.AM4
AV ClamAV: Win.Trojan.Agent-751392
AV Dr. Web: Trojan.DownLoad3.33842
AV Emsisoft: Trojan.Agent.BDXS
AV Eset (nod32): Win32/TrojanDownloader.Tiny.NKP
AV Fortinet: W32/Kryptik.TINY!tr
AV Frisk (f-prot): W32/Trojan3.JEZ
AV F-Secure: Trojan.Agent.BDXS
AV Grisoft (avg): Generic36.VSG
AV Ikarus: Trojan-Downloader.Win32.Tiny
AV K7: Trojan-Downloader ( 0049c7b11 )
AV Kaspersky: Backdoor.Win32.Androm.cyl
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-FSH!2AB629FC1C21
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.Agent.BDXS
AV Norman: winpe/Kryptik.CECM
AV Rising: no_virus
AV Sophos: Troj/Zbot-IPX
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_UPATRE.DLR
AV VirusBlokAda (vba32): Trojan.SelfDel
AV Yara APT: no_virus
AV Zillya!: Trojan.Zbot.Win32.160403

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\disqe.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\disqe.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\disqe.exe"

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2b9e_appcompat.txt
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1472 -e 164 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 208
(drwtsn32 and dwwin.exe are the Windows Dr. Watson crash-reporting components; their launch, together with the appcompat.txt file, suggests the dropped disqe.exe faulted in this sandbox run rather than completing its payload.)

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 208

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1472 -e 164 -g

Network Details:



Strings
C:\22IdfwGI.exe
C:\2ui0sJst.exe
C:\3ac3qtw8.exe
C:\3MUKlrEe.exe
C:\3tsiBG0d.exe
C:\5nwzqCxs.exe
C:\5Wwnbq4v.exe
C:\6jauj0dR.exe
C:\ABTqaygC.exe
C:\AXE1SAFA.exe
C:\coP3ekWJ.exe
C:\dbFazV5I.exe
C:\D_siay1i.exe
C:\fAzUTPhW.exe
C:\FHNpq32y.exe
C:\GbarhARe.exe
C:\jZufqYnN.exe
C:\LjkrtnLY.exe
C:\Nt844WJh.exe
C:\pJZoF7tc.exe
C:\ReVo833u.exe
C:\RjO32d7_.exe
C:\RnlNCvj1.exe
C:\SMcW7lxh.exe
C:\UibBymSI.exe
C:\Users\Administrator\Downloads\fax_message.exe
C:\vvovoh_i.exe
C:\xYBbbELl.exe
dclass
Edit
Hekig
MANIFEST
SysListView32
Value
@0@5VC
44%@@^
55<,`rL
@AA% Ah
_acmdln
_adjust_fdiv
A,@kmB
</assembly>
<assemblyIdentity
		<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
@@-AU@@
au0o"`
AVWAf9
@@B@,@
B@4@F*
"$b@k@@
C28@Gh
@@CB2m@
CJ8@h@
COMCTL32.dll
_controlfp
&Cr,c,
CreateWindowExW
@D&32}
@.data
DefWindowProcW
</dependency>
<dependency>
	</dependentAssembly>
	<dependentAssembly>
<description></description>
DestroyWindow
@@@DEXK
DispatchMessageW
E3)$D@h@
_except_handler3
@@@#%$F@
F6=*5@
FindClose
FindFirstFileW
FindNextFileW
__getmainargs
GetMessageW
GetModuleHandleA
GetStartupInfoA
^&@h4h
@@I=@0t
IF@}@@
InitCommonControlsEx
_initterm
j-.0@h
J@/@W,@=
K<325h
KERNEL32.dll
			language="*"
@@L@h@
LoadCursorA
LoadIconA
M@2Aa@
MSVCRT.dll
	name="Company.Product.Name"
			name="Microsoft.Windows.Common-Controls"
@$nLQ4(
@n$*uQP
@@ny:C
]o)@h@
@@P[C)CbC
__p__commode
__p__fmode
PostQuitMessage
			processorArchitecture="*"
	processorArchitecture="*"
			publicKeyToken="6595b64144ccf1df"
PVO8kCN*
^r&|"%
\r$AC@@
`.rdata
RegisterClassExW
:sB)2I5
SendMessageW
__set_app_type
__setusermatherr
ShowWindow
@.^sL*;@@
,T%0@3<@
!This program cannot be run in DOS mode.
tlATF&@Bh=
TranslateMessage
			type="win32"
	type="win32"
UpdateWindow
USER32.dll
	version="1.0.0.0"
			version="6.0.0.0"
WINTRUST.dll
WinVerifyTrust
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
z@e4O@h