Analysis Date: 2015-11-05 19:31:07
MD5: 80846fe17c79f7f93d057102414b6634
SHA1: 830c8fc74e6f92e963a11558ba751eae9a201cec

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: cdb0dd040b74904dc80080c1d9ef9677 sha1: aaa567d7c7a5bcb1275e8c6e80eea79b6a65e023 size: 1024
Section .rdata md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024
Section .data  md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512
Section .rsrc  md5: bfbfb2b58126cb0d9793b9dd80a46abe sha1: ecab58906301588c04fd8806177a68cb706caca0 size: 58368
Timestamp: 2014-06-26 11:41:00
PEhash: f13de80a8e0ee698bbf613cc72d0cfdb65aee45e
IMPhash: 4ca0a0adb97211d9334271ded971bdde
AV Rising: No Virus
AV Mcafee: Downloader-FAKU!80846FE17C79
AV Avira (antivir): TR/Dropper.Gen
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.327123
AV Alwil (avast): Cutwail-CM [Trj]
AV Eset (nod32): Win32/Kryptik.CFFF
AV Grisoft (avg): Agent
AV Symantec: No Virus
AV Fortinet: W32/Generic.AC.286294
AV BitDefender: Gen:Variant.Kazy.327123
AV K7: No Virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Kazy.327123
AV MalwareBytes: Trojan.Agent.US
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Cutwail
AV Emsisoft: Gen:Variant.Kazy.327123
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_CUTWAIL.SM0
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): Trojan.Cutwail
AV Padvish: No Virus
AV BullGuard: Gen:Variant.Kazy.327123
AV Arcabit (arcavir): Gen:Variant.Kazy.327123
AV ClamAV: No Virus
AV Dr. Web: Trojan.MulDrop3.14959
AV F-Secure: Gen:Variant.Kazy.327123
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dezmyqwuwyzu ➝ C:\Documents and Settings\Administrator\dezmyqwuwyzu.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\public3.sta.net[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bfmedical[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sqdog[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mucinonline[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dcppcc[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cjborden[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\computappoint.co[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\indianapt[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\takinoyu[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plyny[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\winstedapts[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovelaceinteriors[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hornetinc[1].htm
Creates File: C:\Documents and Settings\Administrator\dezmyqwuwyzu.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\einus[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\indianapt[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\public3.sta.net[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bfmedical[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\takinoyu[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sqdog[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plyny[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mucinonline[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovelaceinteriors[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dcppcc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cjborden[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hornetinc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\einus[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\computappoint.co[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: dezmyqwuwyzu
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: gsprinters.com
Winsock DNS: winstedapts.com
Winsock DNS: takinoyu.net
Winsock DNS: cjborden.com
Winsock DNS: einus.net
Winsock DNS: public3.sta.net.cn
Winsock DNS: chaseinternet.com
Winsock DNS: harunachiro.com
Winsock DNS: thelavenderpatch.com
Winsock DNS: baruch-biz.com
Winsock DNS: oiler.com.pl
Winsock DNS: belleaire.org
Winsock DNS: computappoint.co.uk
Winsock DNS: lavenhamhorserugs.com
Winsock DNS: y3sloans.com
Winsock DNS: bfmedical.com
Winsock DNS: distronic.es
Winsock DNS: indianapt.com
Winsock DNS: sigmaflex.com
Winsock DNS: plyny.com
Winsock DNS: lovelaceinteriors.com
Winsock DNS: dcppcc.org
Winsock DNS: greciahouse.it
Winsock DNS: mucinonline.vn
Winsock DNS: tasteofcharlotte.com
Winsock DNS: sormpack.com
Winsock DNS: hornetinc.com
Winsock DNS: sqdog.com
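The runtime records above fit one persistence pattern: a copy of the sample is written directly under the user's profile (dezmyqwuwyzu.exe), an HKCU Run value with the same name points at it, and a mutex with that same name guards against a second instance. The Python below is an added triage example, not part of the sandbox output; it encodes that three-way correlation over the report's own indicators, transcribed here as constructed Python structures. The function and class names, the profile-root regex (which also admits Vista-style C:\Users\ paths the report does not show) and the score are this example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Indicators transcribed from the Runtime Details section above
# (constructed sample input for this example).
RUN_KEYS = {
    r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dezmyqwuwyzu":
        r"C:\Documents and Settings\Administrator\dezmyqwuwyzu.exe",
}
CREATED_FILES = [
    r"C:\Documents and Settings\Administrator\dezmyqwuwyzu.exe",
    r"C:\Documents and Settings\Administrator\Cookies\index.dat",
    r"PIPE\lsarpc",
]
MUTEXES = [
    "dezmyqwuwyzu",
    "WininetConnectionMutex",
    "c:!documents and settings!administrator!cookies!",
]

# An executable sitting directly in the profile root (one path component below
# the user directory). The C:\Users\ alternative is an assumption of this
# example for newer Windows; the report itself only shows the XP layout.
PROFILE_ROOT = re.compile(
    r"^[A-Za-z]:\\(Documents and Settings|Users)\\[^\\]+\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    run_value: str
    image: str
    in_profile_root: bool   # image lives directly under the user profile
    dropped_this_run: bool  # image appears among files created by the sample
    matching_mutex: bool    # Run value name == image base name == a mutex name

    def score(self) -> int:
        return sum((self.in_profile_root, self.dropped_this_run, self.matching_mutex))


def correlate_persistence(run_keys, created_files, mutexes):
    """Correlate Run-key values with dropped files and mutex names.

    run_keys maps a full Run value path to the image it launches. Every Run
    value is returned as a Finding so that benign entries can be compared
    against the high-scoring one this sample leaves behind."""
    created = {p.lower() for p in created_files}
    mutex_names = {m.lower() for m in mutexes}
    findings = []
    for key, image in run_keys.items():
        if "\\currentversion\\run\\" not in key.lower():
            continue
        value_name = key.rsplit("\\", 1)[1].lower()
        stem = ntpath.splitext(ntpath.basename(image))[0].lower()
        findings.append(Finding(
            run_value=value_name,
            image=image,
            in_profile_root=bool(PROFILE_ROOT.match(image)),
            dropped_this_run=image.lower() in created,
            matching_mutex=(value_name == stem and stem in mutex_names),
        ))
    return findings


if __name__ == "__main__":
    for f in correlate_persistence(RUN_KEYS, CREATED_FILES, MUTEXES):
        print(f"{f.run_value}: score {f.score()}/3  {f.image}")
```

A score of 3 is what this sample produces; a legitimate Run entry (Program Files image, no dropped file, no same-named mutex) scores 0, which is why all three signals are kept separate rather than collapsed into one boolean.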

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: cjborden.com (Type: A) ➝ 50.63.202.16
DNS: dcppcc.org (Type: A) ➝ 158.199.140.60
DNS: public3.sta.net.cn (Type: A) ➝ 218.1.66.90
DNS: einus.net (Type: A) ➝ 221.143.46.17
DNS: sqdog.com (Type: A) ➝ 66.7.203.146
DNS: indianapt.com (Type: A) ➝ 50.28.36.130
DNS: takinoyu.net (Type: A) ➝ 203.189.105.187
DNS: computappoint.co.uk (Type: A) ➝ 162.13.76.194
DNS: mucinonline.vn (Type: A) ➝ 112.213.89.82
DNS: plyny.com (Type: A) ➝ 62.109.134.56
DNS: lovelaceinteriors.com (Type: A) ➝ 107.180.44.124
DNS: gsprinters.com (Type: A) ➝ 192.185.169.161
DNS: belleaire.org (Type: A) ➝ 104.28.1.26
DNS: belleaire.org (Type: A) ➝ 104.28.0.26
DNS: chaseinternet.com (Type: A) ➝ 207.65.154.240
DNS: harunachiro.com (Type: A) ➝ 210.172.144.248
DNS: sigmaflex.com (Type: A) ➝ 80.74.157.68
DNS: distronic.es (Type: A) ➝ 46.226.47.26
DNS: y3sloans.com (Type: A) ➝ 217.174.255.31
DNS: oiler.com.pl (Type: A) ➝ 212.85.98.15
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: thelavenderpatch.com (Type: A)
DNS: sormpack.com (Type: A)
HTTP POST: http://dcppcc.org/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://cjborden.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://plyny.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://einus.net/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://public3.sta.net.cn/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://indianapt.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sqdog.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://computappoint.co.uk/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://takinoyu.net/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://mucinonline.vn/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://gsprinters.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://lovelaceinteriors.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://chaseinternet.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://belleaire.org/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://harunachiro.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://distronic.es/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sigmaflex.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://y3sloans.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://oiler.com.pl/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1034 ➝ 158.199.140.60:80
Flows TCP: 192.168.1.1:1041 ➝ 50.63.202.16:80
Flows TCP: 192.168.1.1:1042 ➝ 62.109.134.56:80
Flows TCP: 192.168.1.1:1043 ➝ 221.143.46.17:80
Flows TCP: 192.168.1.1:1044 ➝ 218.1.66.90:80
Flows TCP: 192.168.1.1:1045 ➝ 66.7.203.146:80
Flows TCP: 192.168.1.1:1046 ➝ 50.28.36.130:80
Flows TCP: 192.168.1.1:1047 ➝ 162.13.76.194:80
Flows TCP: 192.168.1.1:1048 ➝ 203.189.105.187:80
Flows TCP: 192.168.1.1:1049 ➝ 112.213.89.82:80
Flows TCP: 192.168.1.1:1050 ➝ 192.185.169.161:80
Flows TCP: 192.168.1.1:1051 ➝ 107.180.44.124:80
Flows TCP: 192.168.1.1:1052 ➝ 104.28.1.26:80
Flows TCP: 192.168.1.1:1053 ➝ 207.65.154.240:80
Flows TCP: 192.168.1.1:1054 ➝ 210.172.144.248:80
Flows TCP: 192.168.1.1:1055 ➝ 46.226.47.26:80
Flows TCP: 192.168.1.1:1056 ➝ 80.74.157.68:80
Flows TCP: 192.168.1.1:1057 ➝ 217.174.255.31:80
Flows TCP: 192.168.1.1:1058 ➝ 212.85.98.15:80
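The network records above show both halves of a Cutwail-style spam bot: a burst of HTTP POSTs to the root path of many unrelated web sites, every one carrying the same fixed IE6 User-Agent string, followed by (and interleaved with) direct TCP/25 connections from the workstation to public mail exchangers (the smtp.* names resolved above). The Python below is an added detection example, not part of the sandbox output; it runs that logic over a handful of constructed proxy-log and flow-log lines modelled on the records above. The log line shape, the function name, the fan-out threshold and the treatment of the IE6 User-Agent as an indicator (it is evidence, not proof) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample logs for this example, in a simple
#   "<time> <src> <method> <url> \"<user-agent>\""   (proxy)
#   "<time> <src>:<sport> <dst>:<dport>"            (flow)
# shape. 192.168.1.1 mirrors the report; 192.168.1.7 is a benign decoy host.
PROXY_LOG = """\
2015-11-05T19:31:20 192.168.1.1 POST http://dcppcc.org/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2015-11-05T19:31:21 192.168.1.1 POST http://cjborden.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2015-11-05T19:31:22 192.168.1.1 POST http://plyny.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2015-11-05T19:31:23 192.168.1.1 POST http://einus.net/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2015-11-05T19:31:24 192.168.1.1 POST http://sqdog.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2015-11-05T19:31:25 192.168.1.1 POST http://indianapt.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2015-11-05T19:31:30 192.168.1.7 GET http://example.org/news/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/42.0"
2015-11-05T19:31:31 192.168.1.7 POST http://example.org/login "Mozilla/5.0 (Windows NT 10.0) Firefox/42.0"
"""
FLOW_LOG = """\
2015-11-05T19:31:10 192.168.1.1:1031 65.55.176.126:25
2015-11-05T19:31:11 192.168.1.1:1032 98.139.211.125:25
2015-11-05T19:31:12 192.168.1.1:1034 158.199.140.60:80
2015-11-05T19:31:40 192.168.1.7:49211 93.184.216.34:443
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
FLOW_RE = re.compile(r'^(\S+) ([\d.]+):(\d+) ([\d.]+):(\d+)$')
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")
# The exact User-Agent the sample sends; an XP/IE6 client in 2015 is itself odd.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


def detect_spambot(proxy_log, flow_log, min_root_posts=5):
    """Per-source findings: POST-to-root fan-out, legacy UA use, direct SMTP egress.

    'alert' fires only when the fan-out threshold is met AND the same host
    opened outbound TCP/25, which is the combination this sample exhibits."""
    sources = set()
    root_posts = defaultdict(set)   # src -> distinct hosts that received POST /
    legacy_ua = defaultdict(int)    # src -> requests carrying LEGACY_UA
    smtp_peers = defaultdict(set)   # src -> destination IPs contacted on tcp/25

    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        _, src, method, url, ua = m.groups()
        sources.add(src)
        u = URL_RE.match(url)
        if not u:
            continue
        host, path = u.group(1), u.group(2) or "/"
        if method == "POST" and path == "/":
            root_posts[src].add(host)
        if ua == LEGACY_UA:
            legacy_ua[src] += 1

    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        _, src, _sport, dst, dport = m.groups()
        sources.add(src)
        if int(dport) == 25:
            smtp_peers[src].add(dst)

    findings = {}
    for src in sources:
        hosts = root_posts.get(src, set())
        peers = smtp_peers.get(src, set())
        findings[src] = {
            "root_post_hosts": sorted(hosts),
            "legacy_ua_requests": legacy_ua.get(src, 0),
            "smtp_peers": sorted(peers),
            "alert": len(hosts) >= min_root_posts and bool(peers),
        }
    return findings


if __name__ == "__main__":
    for src, f in sorted(detect_spambot(PROXY_LOG, FLOW_LOG).items()):
        print(src, "ALERT" if f["alert"] else "ok", f)
```

Either half on its own is a weaker signal (a web crawler POSTs to many roots; a mail server legitimately talks on tcp/25), so the example keeps the three counters visible and only raises the combined alert; tune min_root_posts to the environment, and on a network where workstations are never allowed direct SMTP the tcp/25 flows alone are worth their own rule.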
