Analysis Date: 2014-03-31 07:57:24
MD5: c2bd6e2d5ec7ab473abdea9e032750a1
SHA1: 8720fc4d814003fc0238c9eeeac3c252fe723b98

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section pcs1 md5: 66d38dbe8195bc8a8e853428c42228c5 sha1: ecb5befed52981c3bd35314e9720f7806d629174 size: 174080
Section pcs2 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty on disk: these are the MD5/SHA1 of zero bytes, so the section is populated only at runtime)
Section pcs3 md5: afd1f36f086c4e3f01fa884d694a7a48 sha1: e66623ff72f1266d1e9ad7b1ec826bf887026d0a size: 3584
Section pcs4 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty on disk, same zero-byte digests)
Section pcs5 md5: 7e0eab14dd2b8c8edb908f9e8e1e8145 sha1: c5fc49bc7139c870e0518530208f2cfe00d047e4 size: 512
Section pcs6 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty on disk, same zero-byte digests)
Section pcs7 md5: 8253c6f74cb29a939d6af59cbb69f93b sha1: ae42751a8979a014ee8627123ee7d035dd0e1b44 size: 13312
Timestamp: 1992-06-19 15:40:48 (not credible as a build time for a 32-bit PE; Delphi-built binaries are known to carry a fixed 1992-06-19 link stamp, and the DVCLAL/PACKAGEINFO/TFORM1 resource names in the Strings section suggest a Delphi payload — do not use this field for timeline or attribution)
Packer: NsPacK V3.3 -> LiuXingPing (the file hashes, section digests, imphash and Strings below describe the packed stub, not the payload; unpack before extracting code-level indicators or YARA material)
PEhash: aeeb3769f6c8afbcb3e5855a4489e1d298883ccb
IMPhash: 94c7366d739e7bf962bb011f2c5fab76 (computed over the packer stub's import table — only KERNEL32 LoadLibraryA/GetProcAddress/GlobalAlloc/ExitProcess are visible in Strings — so it will likely cluster with other NsPack-packed samples rather than with this malware family)
AV clamav: BC.Heuristic.Trojan.SusPacked.BF-6.A
AV avira: TR/Crypt.CFI.Gen
AV mcafee: PWS-Banker!ckj
AV avg: Luhe.Fiha.A
Note: three of the four verdicts are heuristic, packer- or crypter-based, or generic; only the McAfee name (PWS-Banker, a password-stealing banking trojan family label) describes intended behavior, and it should be confirmed against the unpacked sample rather than taken as a classification.

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\WINDOWS\system32\ntvdm.exe (deletion of a system binary directly from the sample's process is unusual — confirm it reproduces outside this sandbox before listing it as sample behavior)
Creates Process: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (launches Internet Explorer without a start page; the report does not attribute the 443 flow below to either this child or the sample itself, so process-scoped network detections should cover both)
Winsock DNS: www.box.net

Process
↳ "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList
(These file and mutex artifacts are ordinary Internet Explorer start-up activity and should not be used as indicators for the sample.)

Network Details:

DNS: www.box.net
Type: A
74.112.184.83
DNS: www.box.net
Type: A
74.112.185.83
Flows TCP: 192.168.1.1:1032 ➝ 74.112.184.83:443 (port 443, so the pcap will not expose the request path or payload; www.box.net appears to be a public file-hosting domain and the A records above are as resolved on the 2014 analysis date — treat the domain and IPs as weak, perishable indicators and recover the specific URL/file from the unpacked sample or TLS interception)


Strings (extracted from the packed file: mostly compressed-data noise; the readable items — KERNEL32.DLL with LoadLibraryA/GetProcAddress/GlobalAlloc/ExitProcess, and the DVCLAL/PACKAGEINFO/TFORM1/BB* resource names — are consistent with an NsPack stub wrapping a Delphi executable, so re-extract strings after unpacking)
!
.a..K
@..l
}
....u
*...
.
...
.5
!..
Y
..?X.0
.x7
.....
H
1s%P
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
bsJP2
DLGTEMPLATE
DVCLAL
Js2P
MAINICON
PACKAGEINFO
PREVIEWGLYPH
ssPP
TFORM1
           
,########"""""
"$$$$$$$$$##
((((''%%%$$%%%%%'(
((((((('%%%%%%%%''(
$%%$$$$$$$$
$%%%$$$$$$
$%%%%$$$$$
######
%$$$$%%$$
															
																								
$00PXR
0&7B7D
0888!CT
0B,~w~
("0D4@
"	0DB\
0"dD(\
0f"#-V
0ke9rn
@0stSF_
0%w	#^0xTopp
1234567
#13Ch*
_:1Ed()DZt
1-:eQL
1'J)5Tf
_]1[)LId*
"1t^}	
1'!U1C&
1:X?s&'
@1Y:u]
21EA430
,2HX&9
2JEioo
.2k>dA
2P.-%Xe
?3?7!GD5b(
!]&3Bu
3	@!D"	L%
) 3D(V
|3	hyp3	D1
3'$\tRp
))44(((''''%%%%'''(
4_a)Vb|
\4C@!^
4C)d?e
4"<DDd@vH@w
&"4DJb
	4$>HT
]4P;t<jr@
'56wtS
58&$93
5KSd,P]
5.~nE-H
<5o=6gC
5V,<td
5x_-ER
5yD.7!
",	6!!
6FN?Kv
6Ielpcft]vm
6UlT" 
6YZ#BO
71h`TP
7~5"pd
7;l&!i
7S*<3G8*
8<2ix9
83Ad	H2
-854231
890ABCDE
8'&a2S
 8	a8n*s
8A]:HX
8b)OY3
	$"8DHX
8~'En}
8'Jhz[
8`;PNH
8RP(POD
8s!Bm(
;99sQ"H
9CT&NH
*9dlrL$
9E(dr2t
9!$F<'
];,!9j
A2PI,&
AC_rR`Y(
ADeLpL
aj S$<f
aka9S0##)
AM/P{;
(<A\n.X
AQukDG
AT$;~|
a}tG0oAr
>,}ATgfPW
a$Tpv@
A!u,i}r 
AutoyS1Gy
|A/vJQ
ay	<F`9
~B2lOR[
b;$-(3
%$b8	K
B:Aimk
BAyJ,!l
Bb"[B !c
%bcT1t
bE5!MM
BedPAl
BFK*uR
BFzJm#
<bhf1Ct*en	
Bitmap
B"NDXh
b{Nu+u
boaCd L
Bp2U4B]T
}BPi"9
)BR)D,2
@bT%,2$P"
Bt(E\F
BUqT)ON
&#)B~v
B|WD!d
bYKZ$$
\C 0KO
C2uf	v$~D
cA5Dx\779F~
CAAt(p
CBUVt?
Cchlse
Cd1>kj
C=>EDVD
ceptionh
C<.f,'
CG&~cINE
Chv_+%
.?ck&bw"
CL	+D$
ClipboarYd	
Cl?osR
C`olsP
cpCuh$
CRsthp
c	tDye
cVEdF}
cWXtex
"	!D.;
'D2I" 
D"5kNH]N`
*,!`D+8
$d|Amo
#Dbu=*sS
Dcb@9<
DEFAULT
D=Et6x
DF0Zkd
d)#HD5
;=DH$u,q$V
Did@	1
)Dizs bl@	Ceh<kO
d(J\<i
%'DK(B
d"lBt 3D
 dlg_h
.DLxOqtmC
dmHMY9u
%.*d,mHT
=  d*N
dn&D%"
dnH0z;~u
Dnov:w%Z
DnPTVs
$ d'`]O
Do!ubJD
dowOrg!
%"	:DPe
 ":DRf
ds"X8`
("\D T
;*Dt4L
D"TDhv
DThumjb
*"@DTl
 )$dVd
D%" WQ(	
DypJu0^
_d@zlB
?=E"1Z
,e$2Htf0
E(ALc"%s
eB|V^N
ECV" I
eD1H#Df'
$E%d'Iv
EDivB(yZ
eDockMr
!EDRwqxd
E$Fig+`D
;~?eG"_
EH!91p!6
EHeap\[
eH-#xt
.EJP(t
*e"Ku&
EL0(JJ
EmptNy
eN)0tK
EpH"+{
ePR)I^&)
Er9|,,
eru+Rx'
eSM!	%]
	,ETx(
,EV8EP"
-EVl'_
.e+;/,W
ExitProcess
_ex/{L
EZUqs\V
!|F )`$	
F0b"CTa<2s
	Fa$od
fB4H~O
=(F/BY4
F;c}P{
"fd7|	P
F)"%%e
FGHIJKLM
:/FH	p
FI$8Z0
fia_Qb
fi|nWd
(<#Fk!
flow4t
fMemory
 fo8BkV
Form(O
,ForSV
f;PhAM
F/Qui1
Ftd)0$
FyLNx!
f:ZPHt
Fz/TY4
G5_L?G}
g/7|!Ew
$gA*6W
Gb	5|yO
gEIveaN
Get-m\/
GetProcAddress
\g&hRt
{gjn(b
Gk<Fry
G*kyX&
GlobalAlloc
G@tLongPwa:hN>m
GTzt8<
$G|VCG
G+V@&D
h0RXii
)HCD8c
!h	 dkD4
H&DL'X?
H"|D@t
)hdXDI
H".fCh7
HG.'&L
	,$:HI
"hj<H#vPOS
hk%ud@
HlmQ	0lni	
hLuWlX
_H*pH+
H<;|PMu
h	read~
H'r$lzY
HR!R::
HSplit<FV
;{Ht5K
)Ht7<o	T
h !tFP
HusgDcfa
	 HuY-
HWD:dd
hw~O]!
Hxe"lTm
HXT:(V,
-|	hY|i
'\i2jF
%I#2]PiP
,"I3NE$B
I3[PBR
i|)-8*
 Ib$el
&ib'rNJ
I'bTO<
icoXbmZp
I]e^iQ
>"Ig$j
>IHap=
(@ih%B8]
	;Im)g
ipbr&dY*
Iq@+a	d
I]S|IW
	ituj$
Iund[U
iu V ;p
~"- iv
[##IxAB
I_YRm8
!"I&Yt/
+jB4/Q9FJE&
J"[Dl}
J&<egsiv
jeN'(-
JeO"B-1XxG
J)hm {
/jJw4,XtB}
-#&|Jo
JSA<@<
jSHk GC
Jts4&a4
Jump$ID
j(X~%;
JyExAu
jY MPI0B8
K1ei\".#5
k3yIo3yd!sd-$c
'/	|]ka
KERNEL32.DLL
K,i,PTZ
k	ir]e
kJf\5M%,
k)\kslep
$kLk\X
+kLUXpN
k%M".>>
k)VHbt(
KWpndow
}]}L$*
L$(|&&
l32:.d
Ld	<HP
l)$EBT
,L;h_9L>
Lime84Y
LITj0%
^l@\jS
LMON.D
#LMWL4
L~<@!N
LoadLibraryA
L	"P 09D\
'=l,Sk
L"TD\d
L"ZDjz
[m)?"/
ma!fC'CH@
MageZl
MBOL2RE0
+ M#F!
MH}e;pV
((M}Iw
mk+)R(&"
".M$)l
M"UD]e
M	&W!1
+Mw"p<
N;(1pH
n4I)5*
	n6ABe
Nbo@fy
n`=GKu
}nOB%(
No*JHH
NOPQRSTU
n t_Wt
o2HE|o
Ob07uy
odS%el
O	EYEIxLe
!O{]=j
oui<XZ
{pC%,C
pd 0a}(
<"PD\t
p\dV)0R
%pDwbs#
PD#Y	>f
peprpi[f
p`F6|ZS
pFEfYVJ%
pj6!.+
PP-}9@
p}R7gi
(pS0rt
	"ptAkl
!(P"Tj
	p>t|S(a
PUMaskV
P$<yJ#Y}=X0$@
p'z]vS}
%q1J6'
qa"[;X
\qfW]mC
q[K&!f
qShHVt9
*qT,wQ
QWQLQz
QzV0$p
)}| r_
^)_[$R
R0O%Y]
R0RSof
^R9!!	f
rdgSALsUs
Regul8f
Requir
-Rf;bl 
>rG"5F
R]G8dW
r?'gb-
RGL24(K
RI9t(H
RLCx_l
RP d^"
	rQlL8<A[n
RRQS`2|L
{RT<$ 
r}Thr]
"RTUL:
#RVT&&
RY\,k?
RYXLHf
~Rzb%il
R z;-x
`S2"T 
S_BVlqy
?*?SDl
sE$<&`
SER32.
("s^^f
@$)S!I
SIx3N%
s`kQC\iL
>SM@<!
SmV1!Y'
s^OH!Y
S'p8ZJ
S~:Qe<y
S@{Q~p
sSx:	t7
Sub#TKJ
SWHqEpL
*[+`/$SYH:DU
syhp>-uYr$M
sy@@s[$
s'YT-B]_
{T%}*0
" t.?5
T\7YB(
T	AC,P
TAdzQn
$t('e"%
THandm
THelp*Co
This program must be run under Win32
tI'8,svN
TIcon6
tiiiiuv
time *
TI}WFE
,*t$Jfg0
T&lpEkI
T'M{Z<
ToB9;U
TObjecto
ToM(ul
TPlign9me
TPropFi:xu
(T`q&K
T/qlBF
'TQn{!u6
t#q>PVR
=tQq)`8
TQQFnAt
?tR1H'
T<R")yE
TScroql
Ts	x.}
tttt															t
ttttttt											t
tttttttttttttt
t	uPn-
twi;vB
[ t+<"x
TY3<7'
+u0|$]BD
u4q1^z
ufDM[%a?
%ufo7t%2
	Uhd"iF1
u]H%h0
Uhy	KD
u:ilH*(
uJVF\>
$UNj{^$
"[=.UO
UpWd>p
Uru|	Cr
USER32
UTypfe
UV8%Yi
UVek*9{Bs
"u'	Wxl
}u_:'xS
uxthem
 )uY(\
-u'Z7!
v)8Cw k
-%V9IPg
VASAvPo
vclt9es
Ve<'^dB^
Ve!rtf
!v^.F`CP
vi )\$
vI^Nv&R
	V:P\t4
VR<@PK+%aEA
-VtYV>
@%wg$49
_WINHELP
WK6#P;
-~wQ8e
Wq)	tW0Z;
Wrirb`
;w$t|$
wv@d$+%b
W(VUV 
WVWUWV
)Wydd>.
_wY@jT
WzUzXP
"x}BoX
&X)dp	
xJAb9;wl
xL="1'{
XO^!+(j
x(t7.aFz
X(-W@V)Z
Xx!h?1M
Xy.]=Q5)"
'Y2Ox0I
Y&I^lO
y|m8WFR
yS's}<
YZ]V$Y
 		~z	>
)"z\2HA(
'Z6sF)v
zD1$V)
[!:Zj3
^%%zLF)u
\Zp4%s_
$zsUd 
ZTUW,VS
(zV"BT^-@/
zw1x'{