Analysis Date: 2014-11-02 05:57:46
MD5: 603b7541a5f87042e8ff9ac58a9ad1c3
SHA1: 7cd3e6c1f2d5f7b4eeab632eff48f5e86c45d208

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: bc91dc699835247f23016e0494b79725 sha1: 36134269489beb612dd92e4b677e562fdb64708e size: 58880
Section DATA   md5: 92be403dbebb084994367073fd67a9c4 sha1: 896bb632ad5c3bc1322295d9cf7a6efaeff99db6 size: 147968
Section .Rsrc8 md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .Rsrc4 md5: 52e3129a6ee088ecd35fb8e7022360cb sha1: 3bb1e687ffb8aafbc029ab994ed97269a7c6471d size: 2048
Section .Rsrc0 md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .Rsrc6 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .Rsrc3 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .Rsrc2 md5: 848a580197f134f8164595f8bc02123a sha1: bd2507fa44d4b9e5a90271d0c663202227e4d297 size: 512
Section .rsrc  md5: a9be05c6973b829057fc4e2a06d84e2a sha1: 67673cea6c682b7bd1f997f7b2e51744c7ff24a6 size: 1024
(An uppercase DATA section holding most of the file plus seven separate .Rsrc* sections is not a standard linker layout; together with the Packed.Win32.Krap / Win32/Cryptor / MalOb-EA [Cryp] labels below it points to a custom packer or crypter, so the .text section is best read as the unpacking stub rather than the payload code.)
Timestamp: 2009-11-02 21:40:23
Version:
  LegalCopyright: Copyright © Extra Windows 2011 Edition
  InternalName: Extrim Edition.exe
  FileVersion: 1.0.706.72
  CompanyName: Avira GmbH
  ProductName: MSE Extrim Version 2011 Edition
  ProductVersion: 1.0.706.72
  FileDescription: Windows Setup API
  OriginalFilename: Extrim Edition.exe
(The version resource is internally inconsistent: CompanyName claims Avira GmbH, ProductName mimics Microsoft Security Essentials, FileDescription says "Windows Setup API", and the 2011 copyright postdates the 2009 compile timestamp. Borrowing security-vendor names in the version resource is typical of the FakeAV/FakeAlert family most engines below assign.)
PEhash: 9edcd24ce4b9637bda8509ff96c5b011f9ddb79e
IMPhash: 2b9fc6be1061f89984765b9b2da1e31c
AV detections (30 engines):
  360 Safe: Gen:Heur.FKP.1
  Ad-Aware: Gen:Heur.FKP.1
  Alwil (avast): MalOb-EA [Cryp]
  Arcabit (arcavir): Heur.W32
  Authentium: W32/FakeAlert.IV.gen!Eldorado
  Avira (antivir): TR/Agent.328704.3
  BullGuard: Gen:Heur.FKP.1
  CA (E-Trust Ino): Win32/Renos.D!generic
  CAT (quickheal): Trojan.Renos.LX
  ClamAV: Trojan.Downloader-100330
  Dr. Web: Trojan.DownLoader1.51929
  Emsisoft: Gen:Heur.FKP.1
  Eset (nod32): Win32/TrojanDownloader.FakeAlert.BHF
  Fortinet: W32/CodePack.CX!tr
  Frisk (f-prot): W32/FakeAlert.IV.gen!Eldorado
  F-Secure: Gen:Heur.FKP.1
  Grisoft (avg): Win32/Cryptor
  Ikarus: Trojan-Downloader.Win32.CodecPack
  K7: Trojan-Downloader ( 001eecd01 )
  Kaspersky: Packed.Win32.Krap.ih
  MalwareBytes: Trojan.Agent
  Mcafee: Downloader-CEW.q
  Microsoft Security Essentials: TrojanDownloader:Win32/Renos.MJ
  MicroWorld (escan): Gen:Heur.FKP.1
  Norman: Gen:Heur.FKP.1
  Rising: Trojan.Win32.Generic.126CE4D4
  Sophos: Mal/FakeAV-CX
  Symantec: Trojan.FakeAV!gen29
  Trend Micro: TROJ_FAKEAV.SM17
  VirusBlokAda (vba32): Trojan.FakeAV.1215
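The per-section md5/sha1/size lines and the Timestamp field above are read straight from the PE section table and the COFF file header. The following is an added example, not part of this report or of the sandbox's own tooling, that reproduces those fields in pure Python by walking the headers of a constructed in-memory PE32 image. The names build_sample_pe, pe_section_hashes, pe_timestamp and format_section are this example's own; the only value borrowed from the report is the compile timestamp, which the example treats as UTC. It also flags a section whose header claims more bytes than the file holds, a common sign of a damaged or deliberately malformed sample.

```python
"""Reproduce the Static Details section hashes and compile timestamp from a PE32 image."""
import hashlib
import struct
from datetime import datetime, timezone

FILE_ALIGN = 512
PE32_MAGIC = 0x10B


def build_sample_pe(timestamp: int = 1257198023) -> bytes:
    """Construct a minimal, non-runnable PE32 image in memory for the parser to walk.
    Constructed test input, not the report's sample; only the TimeDateStamp
    (2009-11-02 21:40:23, read from the report and assumed to be UTC) is borrowed."""
    sections = [(b".text", b"\x90" * 512), (b".rsrc", b"RSRC" * 128)]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)                   # DOS stub: 'MZ' plus e_lfanew at 0x3C
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    size_opt = 224                              # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    opt[0:2] = struct.pack("<H", PE32_MAGIC)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = -(-headers_len // FILE_ALIGN) * FILE_ALIGN   # first section on a file-alignment boundary
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             raw_size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        vaddr += 0x1000
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(raw_ptr, b"\0") + body


def _coff_offset(data: bytes) -> int:
    """Offset of the COFF file header, validating the MZ and PE signatures on the way."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def pe_timestamp(data: bytes) -> datetime:
    """COFF TimeDateStamp as an aware UTC datetime (the report's Timestamp field).
    The field is writable by whoever built the file, so treat it as a claim, not evidence."""
    ts, = struct.unpack_from("<I", data, _coff_offset(data) + 4)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def pe_section_hashes(data: bytes) -> list:
    """One dict per section: name, md5, sha1 and SizeOfRawData, hashed over the bytes on disk
    (PointerToRawData .. +SizeOfRawData), which is what the report's Section lines describe."""
    coff = _coff_offset(data)
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    magic, = struct.unpack_from("<H", data, coff + 20)
    if magic != PE32_MAGIC:
        raise ValueError("not a PE32 (32-bit) optional header")
    table = coff + 20 + size_opt
    out = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
            "truncated": len(raw) != raw_size,   # header claims bytes past EOF: damaged or malformed
        })
    return out


def format_section(sec: dict) -> str:
    """Render one entry in the shape of the report's 'Section ... md5: ... sha1: ... size:' lines."""
    return f"Section {sec['name']} md5: {sec['md5']} sha1: {sec['sha1']} size: {sec['size']}"


if __name__ == "__main__":
    img = build_sample_pe()
    print("Timestamp", pe_timestamp(img).strftime("%Y-%m-%d %H:%M:%S"))
    for sec in pe_section_hashes(img):
        print(format_section(sec))
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(). The hashes only match a report like this one when the same raw on-disk bytes are hashed (SizeOfRawData, not VirtualSize); the IMPhash field needs the import directory and is not covered here.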

Runtime Details:

Process
↳ C:\malware.exe
  Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
  (1806 is the Internet Settings URL action "Launching applications and unsafe files"; the sandbox recorded the data written as NULL, so the intended setting is not visible here.)
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
  Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul
  Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
  Creates Mutex: WininetConnectionMutex
  Creates Mutex: c:!documents and settings!administrator!cookies!
  Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
  (The index.dat files and the c:!...! mutexes are WinINET cache-container artifacts: the sample initialises the IE/WinINET stack, consistent with the DNS lookups under Network Details.)

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul
  Creates File: nul
  Deletes File: C:\malware.exe
  Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
  (This child is the classic batch self-delete: the dropped Ogf..bat removes the original executable and then itself, with /q suppressing echo and "> nul 2> nul" discarding output; the "Creates File nul" entry is the sandbox logging the redirection target, not a real file. Once cmd.exe has run, neither the sample nor the batch remains on disk, so the dropper has to be captured from the process tree or from memory before this step.)
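The two process blocks above together describe the standard drop-a-batch-then-delete-yourself chain: the sample writes a .bat into the Temp directory, launches it through cmd.exe /q /c with output discarded, and the child deletes the original image and the batch. The following is an added example, not from this report's sandbox or its tooling, of detection logic for that chain run over a constructed list of (process, action, target) events modelled on the entries above; the event tuples, the function names and the Temp-directory heuristic are this example's own assumptions. It only flags the chain when the parent image is actually deleted, so an installer that merely runs a batch file is not reported.

```python
"""Detect the drop-batch-then-self-delete chain from a flat list of sandbox events."""
import ntpath
import re
from collections import defaultdict

# Constructed event list (process, action, target) modelled on the Runtime Details above.
# Not the sandbox's raw records; the paths are copied from the report so the match is realistic.
BAT = r"C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat"
CMD = r"C:\WINDOWS\system32\cmd.exe /q /c " + BAT + " > nul 2> nul"
EVENTS = [
    (r"C:\malware.exe", "Creates File", BAT),
    (r"C:\malware.exe", "Creates File", r"C:\Documents and Settings\Administrator\Cookies\index.dat"),
    (r"C:\malware.exe", "Creates Process", CMD),
    (r"C:\malware.exe", "Creates Mutex", "WininetConnectionMutex"),
    (CMD, "Creates File", "nul"),
    (CMD, "Deletes File", r"C:\malware.exe"),
    (CMD, "Deletes File", BAT),
]

# Any path component named Temp or Tmp: ...\Local Settings\Temp\ on XP, ...\AppData\Local\Temp\ later.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def image_of(proc: str) -> str:
    """Executable path from a process string: the quoted first token, else everything up to the first space."""
    if proc.startswith('"'):
        return proc[1:proc.index('"', 1)]
    return proc.split(" ", 1)[0]


def find_batch_self_delete(events):
    """Return one finding per (parent, batch) pair where the parent dropped a .bat under a Temp
    directory, ran it via cmd.exe, and that cmd.exe child then deleted the parent's own image."""
    by_proc = defaultdict(list)
    for proc, action, target in events:
        by_proc[proc].append((action, target))

    findings = []
    for parent, acts in by_proc.items():
        parent_image = image_of(parent).lower()
        dropped = [t for a, t in acts
                   if a == "Creates File" and t.lower().endswith(".bat") and TEMP_DIR_RE.search(t)]
        children = [t for a, t in acts
                    if a == "Creates Process" and ntpath.basename(image_of(t)).lower() == "cmd.exe"]
        for bat in dropped:
            for child in children:
                if bat.lower() not in child.lower():
                    continue                      # a cmd.exe that does not run this batch
                deleted = {t.lower() for a, t in by_proc.get(child, []) if a == "Deletes File"}
                if parent_image not in deleted:
                    continue                      # ran a batch, but did not remove itself
                findings.append({
                    "parent": image_of(parent),
                    "batch": bat,
                    "child": child,
                    "batch_deleted": bat.lower() in deleted,
                })
    return findings


if __name__ == "__main__":
    for f in find_batch_self_delete(EVENTS):
        print(f"self-delete via batch: {f['parent']} -> {f['batch']} (batch removed: {f['batch_deleted']})")
```

The match is keyed on the child's full command line because the sandbox names the child process that way; on a host with Sysmon the same logic would join event 11 (file create) in the parent to event 1 (process create) and a later event 23/26 (file delete) in the child.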

Network Details:

DNS (A) uol.com.br ➝ 200.221.2.45, 200.147.67.142
DNS (A) zedo.com ➝ 64.41.197.44
DNS (A) rydergen.in ➝ no address returned
DNS (A) queyocero.in ➝ no address returned
DNS (A) pixovuonline.in ➝ no address returned

uol.com.br (a Brazilian web portal) and zedo.com (an ad network) are well-known hosts and read as connectivity checks rather than attacker infrastructure. The three .in domains returned no A record at analysis time, so whatever the downloader (per the TrojanDownloader/Renos labels above) would have fetched was not captured in this run; those three names are the indicators worth tracking.

Strings:
(Apart from the version resource, section names and import names, the dump is short high-entropy fragments, as expected for the packed body noted above. Imports worth noting: the SHLWAPI registry helpers SHSetValueA / SHDeleteKeyA / SHGetValueA / SHEnumValueA alongside RegCreateKeyA / RegOpenKeyA; VirtualAlloc / VirtualAllocEx with CreateThread and LoadLibraryExA / GetProcAddress, the primitives an unpacking stub or injector needs; GetUserNameA and PathFileExistsA; and the version.dll, comdlg32 and comctl32 imports that fit a FakeAV front end.)
..1
.
 
.3Y..
040904B0
06kB
1.0.706.72
a0ff
Avira GmbH
b2H3O
CompanyName
Copyright 
EXFl
 Extra Windows 2011 Edition
Extrim Edition.exe
FileDescription
FileVersion
GT7K
Hj:B
InternalName
LegalCopyright
LjnH
MSE Extrim Version 2011 Edition
OriginalFilename
ProductName
ProductVersion
Shak
StringFileInfo
TAEt
Translation
Ttqv
VarFileInfo
VS_VERSION_INFO
Windows Setup API
ZJcq
0d6G5d
0gl	#:d
0i07TA
0RSSOp
1!C6 s
"1+EH%
1jLFH9
1P)Q9E4
,2>0ch
27G10Trz
(2A-&8
2i3T(u_
(2qt8m|\
2tR}neA
30;%=F
34BT?%
3CJqlA
3Iz4bk
$47%9$
4CLbAn
4FYaix
4og8mI4e
-#58q:D
/%-5a|
5G{"a0
5gLJ3gZ
5NFPHck
5zo4UCC
607bD0
6JeFyTX
6rck2O
=~|7!-
71k~S4
7LONmmp
7OuzihM
827qwYj
85Nx1r
8#6j/d>k
8AmL"c
8,pwjc
[9'3ap
9@a)sc5
9pDutP
-9w~R;
A-,<-\|
a!10! 1p
!A(7&w
a_c"0>
advapi32.dll
aFAksJ
awhDtCM
B~$^+?
B8?<Q*2F
:'[B*b
BZC0)n
*cb%21
cF8Xu6
){c|gz
ChooseColorA
cIrHFF
CLSIDFromProgID
CLSIDFromString
CoDisconnectObject
comctl32.dll
comdlg32.dll
CopyEnhMetaFileA
CoTaskMemFree
CreateBrushIndirect
CreateDIBitmap
CreateDIBSection
CreateOleAdviseHolder
CreatePalette
CreateThread
]:)cu#
CUY' p
cwqokiTb2
d)>#>&
;dMtl1
DVerQueryValueA
/.[|e\
e09]Ow
EnterCriticalSection
(E+(Si
ExitProcess
ExitThread
f7J.gnJ
FindTextA
fKdrjB
FMyNoPHss
FQ't^#c@
g&7_}/6
g7JXBq
GDI32.DLL
GetCommandLineA
GetCommandLineW
GetDIBits
GetFileTitleA
GetFileVersionInfoSizeA
GetHGlobalFromStream
GetLocalTime
GetModuleHandleA
GetProcAddress
GetSaveFileNameA
GetSystemDefaultLangID
GetUserNameA
%H\}?!
h406tQ5p4
h`dr1R
~h.Xy~
I1Z08uEbGYjc
iGBT6UvTuw
Ik3ceJp
il5BnwW
ImageList_DrawEx
ImageList_GetBkColor
ImageList_Remove
ImageList_Write
IsBadHugeReadPtr
IsBadReadPtr
iUm1HxUp
iVl{x!}m
;I-$%#X9
JChO[j	j7
jDFx M	
Je2O!i4
jiQ,QE)
JqHty	
k5%A\,
kap5irfK
kernel32.dll
KERNEL32.DLL
k.&f(b
Kh0aVUA
kP]-&fp0
kt5MtRb8kW
l|#1av>8
l1"n$ 'i
^L5w6	
LoadLibraryExA
LPq-7}
lqcUpNVE
lstrcmpA
lstrlenA
LY5Sr0p8
lZYbvZ
M4jne8sC
:m(e"1
me+gRF	
MkParseDisplayName
mPDPsg
msvcrt.dll
MulDiv
mvpSiryR
 N0SEW
n50WSOt9
%!NEA#
nQ5ByU
ntdll.dll
/:o1E$
%o($5z>p
OLE32.DLL
OmZGut
ORI4dV
PathFileExistsA
PathIsDirectoryA
P.]EOIR"=
`p;)Uf
PVqN7Krp
:Q%\@	
Q11py'
QEwgGJ8
QKIk7Sx
qLY)="
Qqs'a	
q{X%S)
RauniV
rBNaqA
r^#%dHX
RegCreateKeyA
RegEnumKeyExA
RegOpenKeyA
@.rsrc
@.Rsrc0
@.Rsrc2
.Rsrc3
.Rsrc4
@.Rsrc6
@.Rsrc8
rx3N1c
rxRoeD
#^S@1B
SetBkColor
SetErrorMode
SetPixel
SHDeleteKeyA
SHEnumValueA
SHGetValueA
SHLWAPI.DLL
SHQueryInfoKeyA
SHQueryValueExA
SHSetValueA
SHStrDupA
SizeofResource
SNHQ(\&
StringFromIID
tfWyUD
!This program cannot be run in DOS mode.
tl2wR98Bv6
tRi(%9'
TZ0Xf1
U,.>1@
U,2;t 
)-UA<*
uIrdrJ
up-$`3
usvbuO5qQr
VerInstallFileA
VerQueryValueA
version.dll
VERSION.DLL
vGu08k
VHPE7v7r
VirtualAlloc
VirtualAllocEx
V[UQxmEd
WABRnj
WaitForSingleObject
WI.gP{
WriteClassStm
x7epoeO
| ,-X<7Y
x:B{=%
	|xd53T
&x@J%)
xl1#)	
X[P7/&
/xTo1`
 Y6^`mT
Y`(e0@
YhyCySd
Ze_jW;c
ZUuhmmF8D
ZuX8mLxup60C
zyP7NUV