Analysis Date: 2014-08-05 21:06:56
MD5: b9df4e23984c8f70b82dee4a611f4b65
SHA1: 832382a784c6b688c6c7812053daa7030f8529d5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d306527cafb335d4316f704bb87c6919 sha1: a759c17183e17bb1b13c9517ac31503dbdd9dde4 size: 8704
Section .data: md5: b0de33230b3773122f5b4c03d36232dd sha1: 31db1c583cf676e9d2863049fe189752a135b7c3 size: 11264
Section .bss: md5: 83f455eee5cf2308df038e795d5c6bfb sha1: 06c2501a0cdb1087e226e9a2e1cede89c91dee77 size: 49152
Section .idata: md5: 7c5b860db158acd85911a3bc4315599c sha1: 20bceb0416be15a86cd59302a7df8ca32f4eb117 size: 4096
Section .edata: md5: 6b6737768c9e75dea8b66b16d8b412b6 sha1: 0918e2c25f05d6925f04b73be1d1b84aa75c29f4 size: 512
Section .rsrc: md5: 27efb612cdb7b70e2983f2c79325e810 sha1: cabd78765679ed5e581212eb29d47de612c17b78 size: 4096
Timestamp: 2009-07-19 17:52:29
Version info:
LegalCopyright: Copyright © 2010 PC Tools. All rights reserved. wk
InternalName: rPmagUfq.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: IE
ProductVersion: 7.0.0.61
FileDescription: Video Componenta
OriginalFilename: rPmagUfq.exe
PEhash: 9b2d6b958b59349d978a69c9fabeaf0f62c38207
IMPhash: 7896ce837f6bfd77d2d3d967089243fb
AV 360 Safe: Trojan.Generic.KDV.205231
AV Ad-Aware: Trojan.Generic.KDV.205231
AV Alwil (avast): MalOb-KD [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Agent.79360.AB
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Agent-242220
AV Dr. Web: Trojan.DownLoader2.45130
AV Emsisoft: Trojan.Generic.KDV.205231
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BBT
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Generic.KDV.205231
AV Grisoft (avg): Downloader.Generic11.VTW
AV Ikarus: Trojan.Win32.Agent2
AV K7: Trojan ( 0024c3cb1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Trojan.Generic.KDV.205231
AV Norman: winpe/Renos.CKNJ
AV Rising: Trojan.Win32.Generic.12868A07
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): BScope.Trojan-Inject.Popup.01658

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul

Creates File: nul
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.98.139
DNS: seesaa.net
Type: A
59.106.28.139
DNS: yelp.com
Type: A
198.51.132.160
DNS: yelp.com
Type: A
198.51.132.60
DNS: flipdog.in
Type: A
DNS: grindbuzzchat.in
Type: A


Strings
..
!
AC.

040904E4
 2010  PC Tools.  All rights reserved. wk
6s2XP
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
MAINMENU(
&Open
OriginalFilename
ProductName
ProductVersion
RFaYz0
rPmagUfq.exe
StringFileInfo
T8pl
Translation
VarFileInfo
Video Componenta
videosoft
VS_VERSION_INFO
0H9Ykq6zTW
0y45vj
="1.02
1oxPWZ
1uQe9u
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
33^n|)
34""C33333833
3B""$33333
4"*""C3338
%4	Q$V
>"5:F7
7irHtU
8[]eRP
9eGqRY
+a5,`r
ADV-PIM
aG987654@
aphen@
  </application> 
  <application> 
aQBEHI
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
;{B-{[}
$basic_1tr
BeginPaint
bj80_&
bmbly 
b+^|WpaC	
"C3338
"C8338
CharNextW
CharToOemA
ChildWindowFromPoint
ChooseColorA
CloseClipboard
CloseHandle
COMDLG32.DLL
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateEventA
CreateMenu
Cy	hzW4
`.data
DefWindowProcA
deMaZW
DestroyIcon
DestroyMenu
DestroyWindow
@D!faul'
dG#?RC@L
DispatchMessageW
DrawIconEx
dRh@QE
DRujVW
dvd35g
@.edata
EnableWindow
EndDialog
EnterCriticalSection
,$e~Qa
eTQTlb
ExitProcess
FindFirstFileA
FindTextA
_#foy$
GetActiveWindow
GetCapture
GetClassLongA
GetClientRect
GetDesktopWindow
GetDlgItem
GetFileTitleA
GetFullPathNameA
GetIconInfo
GetKeyNameTextA
GetKeyState
GetLastActivePopup
GetMenu
GetMenuItemCount
GetModuleFileNameA
Get:)m&Z
GetOpenFileNameA
GetParent
GetSaveFileNameA
GetStringTypeW
GetSystemMenu
GetSystemMetrics
GetTickCount
GetWindowLongW
GetWindowPlacement
GetWindowThreadProcessId
GlobalDeleteAtom
G'{-pbt8o?
gpc5IC
HeapFree
@.idata
InitializeCriticalSection
IsCharLowerA
IsDialogMessageA
IsDialogMessageW
IsIconic
IsRectEmpty
IsWindowEnabled
IsZoomed
i&u)7)hD
"J333333
JB%Ifi+
"J"C3333
;/J:]Ta
KERNEL32.DLL
KillTimer
^k~jN!
koh8hl
Kqcpy.
k&-un}
lDyRtV_sft81i@4
LoadBitmapA
LoadIconA
LoadKeyboardLayoutA
LoadLibraryA
LoadResource
LocalReAlloc
LockResource
l vers
main.cpl
MapVirtualKeyA
MessageBeep
MessageBoxA
m$HH8,
N9lJNJ
O \.|1
OemToCharA
pqx<@q|)
puZS)4
p{Wt1`fU
)Q:KAD
&q!Q,7=
)^;QXq
R6+C"4
ReadFile
RegisterClipboardFormatA
RegisterWindowMessageA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
RmwfhlC
rPmagUfq.exe
@.rsrc
RYyLcEG
ScrollWindow
      </security>
      <security>
SendMessageW
SetClipboardData
SetHandleCount
SetMenu
SetPropA
SetRect
SetThreadLocale
SetWindowLongW
SetWindowTextA
s>fZ%9
s ^U$e
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
SystemParametersInfoA
t2eeqg
tEDVXGcW
tGihTR
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
TranslateMDISysAccel
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TVuuSA
u'j0<%d
UNk7o9
UpdateWindow
uReg7pf
urR:XchR
USER32.DLL
$V<6$e
VirtualAllocEx
VirtualQuery
w-Ckhm
WindowFromPoint
wk~j(5
Xc9Kqv
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-X#Q2T/`+S
XXDCHTay
YJBIsK
[YZd[u9
zC4cgzK
zcIl1s
zREeGAwf8O8
z)$?vAe