Analysis Date: 2014-07-03 12:02:58
MD5: 3fc11728efad63a084b00c14bc3cdb92
SHA1: 85af27c1f341324ead8ea4f2de5ce8d28eb75e61

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 196b984527305b7584689a58e7b4c293 sha1: 6865f65f51b0bf96e30993bc7ae6a54ceffcc14f size: 1024
Section .rdata md5: 8013970f7c52c4cb5b3c11a726a2b2cb sha1: 40c0fd764dd27d6db6a647212efa7199534468cf size: 512
Section code2 md5: a2828793777103275fc7aee40ab8fe54 sha1: f140b6098acd2ddda0d477885483ecbddf0ae64a size: 512
Section zdata md5: 2447b871343f93a6f5b737ce06f13660 sha1: d8ef9cebcdf1446ca3d1fcffb1b87b6128e6edae size: 512
Section codej md5: 72aab3599727f9b7622a9dfc918c6b55 sha1: 92b58cb13201716372059595293b1caaaa9fc8a0 size: 512
Section .rsrc md5: 4f223cd5a25b4958c02197fc3f09adf6 sha1: d102b1a232eb13671c56f50a0abf1d9c3b410a08 size: 58880
Timestamp: 2014-04-11 14:24:19
Version:
  LegalCopyright: Copyright (C) 2003
  InternalName: welled
  FileVersion: 4,1,4,24
  ProductName: welled Application
  ProductVersion: 2,3,2,5
  FileDescription: welled Application
  OriginalFilename: welled.exe
Packer: PE Diminisher v0.1
PEhash: 88851ac96a4161cfe7eeb1849af2b0c8f1c2767c
IMPhash: eaeaf27597bb0523389a72cda6281fd0
AV 360 Safe: Gen:Variant.Zusy.89319
AV Ad-Aware: Gen:Variant.Zusy.89319
AV Alwil (avast): Kryptik-NRD [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/ATRAPS.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1150
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.BZQQ
AV Fortinet: W32/Agent.APDJ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.89319
AV Grisoft (avg): no_virus
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Agentb.apdj
AV MalwareBytes: Trojan.Cryptor.XGen
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Zusy.89319
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Pandex!gen4
AV Trend Micro: TROJ_CUTWIL.SM1J
AV VirusBlokAda (vba32): Trojan.Agentb

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\gijyzkinysby ➝
C:\Documents and Settings\Administrator\gijyzkinysby.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\timeturkey[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rewardhits[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wildrosemarketing[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rewardhits[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\midwestga[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\guberman.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\teasing-video[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fastarchofamerica[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ginalimo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\appelfarm[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\buzzkillmedia[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rewardhits[2].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wildrosemarketing[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fastarchofamerica[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rewardhits[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\midwestga[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ginalimo[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\guberman.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\appelfarm[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\teasing-video[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\buzzkillmedia[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: rewardhits.com
Winsock DNS: e-shuukyaku.com
Winsock DNS: actfactory.net
Winsock DNS: buzzkillmedia.com
Winsock DNS: midwestga.com
Winsock DNS: agrarno.ru
Winsock DNS: isp-h.com
Winsock DNS: guberman.com.br
Winsock DNS: fastarchofamerica.com
Winsock DNS: ginalimo.com
Winsock DNS: paulrenna.com
Winsock DNS: toutenmeuse.com
Winsock DNS: appelfarm.org
Winsock DNS: etcycles.com
Winsock DNS: beechwoodmetalworks.com
Winsock DNS: timeturkey.com
Winsock DNS: wildrosemarketing.com
Winsock DNS: teasing-video.com
Winsock DNS: dormfantasies.com

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
63.250.193.228
DNS: fastarchofamerica.com
Type: A
69.163.209.176
DNS: buzzkillmedia.com
Type: A
184.168.221.38
DNS: ginalimo.com
Type: A
176.74.176.178
DNS: rewardhits.com
Type: A
184.168.221.16
DNS: wildrosemarketing.com
Type: A
192.99.14.40
DNS: appelfarm.org
Type: A
162.159.248.49
DNS: appelfarm.org
Type: A
162.159.247.49
DNS: midwestga.com
Type: A
23.91.121.152
DNS: teasing-video.com
Type: A
162.159.246.204
DNS: teasing-video.com
Type: A
162.159.247.204
DNS: etcycles.com
Type: A
50.22.150.2
DNS: dormfantasies.com
Type: A
184.94.149.35
DNS: e-shuukyaku.com
Type: A
211.13.204.89
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
DNS: timeturkey.com
Type: A
DNS: toutenmeuse.com
Type: A
DNS: isp-h.com
Type: A
DNS: actfactory.net
Type: A
DNS: agrarno.ru
Type: A
DNS: guberman.com.br
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25

Strings