Analysis Date: 2014-04-17 16:25:08
MD5: 61d07c130d3dfaa62500bf87e281a373
SHA1: 90ad4994b8f235ff084183096e298d2bd1d52f71

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 092f00eb9c057342ce42147943dd2849 sha1: 663edcff086e7c211ea7dd9a015c74319f8ec8af size: 16384
Section .rdata md5: 3025093ec45a34fbb091ff4ec96c7de4 sha1: 03d51b4ab3a423d7fce7bd096640d167fc94a753 size: 8192
Section .data md5: cd5b44606f1459ab56be2f3b3103c13f sha1: 1132ff750b8ec7f2d06d67a3fc0cd20b03f6a49e size: 577536
Section .rsrc md5: 80b9eddf166cae564eb4ff181fff8f91 sha1: 74706ce2b665d5f832fd22ca0071331d839bf632 size: 8192
Timestamp: 1972-06-07 16:15:14
Packer: Microsoft Visual C++ v6.0
PEhash: 1e523021fd39723b526440cbd1ae6ef6b65a1205
IMPhash: dc7b6807367f5e15e49ab86424c3bedd
AV msse: Backdoor:Win32/Caphaw.A
AV avg: Crypt3.FRR
AV mcafee: BackDoor-FBXG!61D07C130D3D
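The Static Details above carry two things worth re-deriving rather than trusting: the per-section MD5/SHA1 values, and a compile timestamp of 1972 on a binary the signature scanner attributes to Visual C++ 6.0, which no honest toolchain could have produced (the PE format itself dates from Windows NT 3.1 in 1993), so the TimeDateStamp has been zeroed or forged. The following is an added example, not output of the sandbox tool and not code from the sample's authors: it parses the DOS/COFF/section headers with only the Python standard library, hashes each section's raw data the way the report's Section lines do, and flags implausible timestamps. The PE image it operates on is constructed inline for the test; the 1993 cut-off and the 2014 "sane" date used in the test are the editor's assumptions.

```python
"""Static triage of a PE32 file with the standard library only: section hashes
(as in the report's Section lines) and a TimeDateStamp sanity check for the
1972 build time the report shows on a VC++ 6.0 binary.
Added example; the PE bytes are constructed here, not the analysed sample."""
import hashlib
import struct
from datetime import datetime, timezone

FILE_ALIGN = 0x200          # file alignment used by the constructed image
OPT_HDR_SIZE = 224          # size of a PE32 (magic 0x10B) optional header

# TimeDateStamp from the report, converted to a Unix epoch value
PAGE_TIMESTAMP = int(datetime(1972, 6, 7, 16, 15, 14, tzinfo=timezone.utc).timestamp())


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_sample_pe(timestamp, sections):
    """Construct a minimal, non-executable PE32 image (test input only):
    DOS header -> 'PE\\0\\0' -> COFF header -> zeroed optional header ->
    one 40-byte section header per (name, payload) pair -> section data."""
    n = len(sections)
    headers_len = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n
    raw_ptr = _align(headers_len)
    sect_hdrs, body = b"", b""
    for name, payload in sections:
        raw_size = _align(len(payload))
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                 len(payload), 0x1000, raw_size, raw_ptr,
                                 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HDR_SIZE - 2)
    head = dos + b"PE\0\0" + coff + opt + sect_hdrs
    return head.ljust(_align(headers_len), b"\0") + body


def parse_pe(data):
    """Return machine type, TimeDateStamp and per-section raw-data hashes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        (name, _, _, raw_size, raw_ptr,
         _, _, _, _, _) = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            # raw data that runs past end of file is itself a finding
            "truncated": len(raw) != raw_size,
        })
    return {"machine": machine, "timestamp": tstamp, "sections": sections}


def timestamp_findings(tstamp, earliest=datetime(1993, 1, 1, tzinfo=timezone.utc), now=None):
    """Flag TimeDateStamp values no honest toolchain produces.  'earliest' is
    an assumed cut-off: the PE format dates from Windows NT 3.1 (1993)."""
    now = now or datetime.now(timezone.utc)
    ts = datetime.fromtimestamp(tstamp, timezone.utc)
    findings = []
    if tstamp == 0:
        findings.append("timestamp is zero (stripped)")
    elif ts < earliest:
        findings.append(f"implausibly old build time {ts:%Y-%m-%d %H:%M:%S}")
    if ts > now:
        findings.append(f"build time in the future {ts:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    image = build_sample_pe(PAGE_TIMESTAMP,
                            [(b".text", b"\x55\x8b\xec" * 16), (b".data", b"A" * 100)])
    info = parse_pe(image)
    for s in info["sections"]:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    print("Timestamp findings:", timestamp_findings(info["timestamp"]))
```

Run against the real file, the section hashes should reproduce the report's values for the same file alignment; a mismatch means the sandbox hashed something other than the raw section bytes, which is worth knowing before pivoting on those hashes. The timestamp check is deliberately conservative: a stamp that is merely old is a pointer to look at the linker version and rich header, not proof of tampering on its own.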

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: WMIDataDevice
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: DBWinMutex
Creates Mutex: 792C67C2BCE7AA32D61EE66942B58830792C67C792C67C2

Network Details:

DNS: pqe.su
Type: A
Flows: UDP 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows: UDP 192.168.1.1:1031 ➝ 8.8.4.4:53
Flows: UDP 192.168.1.1:1031 ➝ 208.67.222.220:53
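The three flows above are the detection-relevant part of the network section: the sample resolves pqe.su by sending UDP/53 straight to two Google resolvers and one OpenDNS resolver from the same source port, which is what a hard-coded resolver list walked by a single socket looks like, and it never touches whatever resolver the sandbox network hands out. The following is an added example, not part of the sandbox report: it parses Network Details lines of this shape and flags a host that fans DNS out to several public resolvers while bypassing the configured one. The report lines it consumes are copied from this page as test input; the configured-resolver address 192.168.1.254 and the fan-out threshold are assumptions, since the report does not state the sandbox's resolver.

```python
"""Detection logic for the report's Network Details: a process that sends DNS
straight to several well-known public resolvers is bypassing the host's
configured resolver, a pattern typical of hard-coded resolver lists.
Added example; REPORT_LINES are copied from the report as test input."""
import re
from collections import defaultdict

# Well-known public recursive resolvers (Google, OpenDNS, Cloudflare, Quad9)
PUBLIC_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",
    "208.67.222.222", "208.67.220.220", "208.67.222.220", "208.67.220.222",
    "1.1.1.1", "1.0.0.1",
    "9.9.9.9",
}

# Tolerates the report's fused "UDP192.168..." spelling and ASCII arrows.
FLOW_RE = re.compile(
    r"^Flows:?\s*(?P<proto>TCP|UDP)\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*(?:➝|->|→)\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")
DNS_RE = re.compile(r"^DNS:?\s*(?P<name>[A-Za-z0-9.-]+)\s*$")
TYPE_RE = re.compile(r"^Type:\s*(?P<rtype>[A-Z]+)\s*$")


def parse_network_section(lines):
    """Pull flows and DNS queries out of Network Details lines."""
    flows, queries, pending = [], [], None
    for line in lines:
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append({"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                          "dst": m["dst"], "dport": int(m["dport"])})
            continue
        m = DNS_RE.match(line)
        if m:
            pending = {"name": m["name"], "type": None}
            queries.append(pending)
            continue
        m = TYPE_RE.match(line)
        if m and pending is not None:
            pending["type"] = m["rtype"]
            pending = None
    return flows, queries


def assess_dns(flows, queries, configured_resolver, min_resolvers=2):
    """Flag direct DNS to public resolvers that bypasses the configured one.
    configured_resolver is the sandbox's expected resolver (assumed: the
    report does not state it); min_resolvers is the fan-out threshold."""
    dns_dsts = defaultdict(set)        # src -> set of DNS servers it talked to
    for f in flows:
        if f["dport"] == 53:
            dns_dsts[f["src"]].add(f["dst"])
    findings = []
    for src, dsts in dns_dsts.items():
        public = sorted(d for d in dsts if d in PUBLIC_RESOLVERS)
        unexpected = [d for d in dsts if d != configured_resolver]
        if unexpected and len(public) >= min_resolvers:
            findings.append({
                "src": src,
                "public_resolvers": public,
                "bypassed_configured": configured_resolver not in dsts,
                "queried": [q["name"] for q in queries],
            })
    return findings


REPORT_LINES = [  # copied from the report's Network Details (test input)
    "DNS pqe.su",
    "Type: A",
    "Flows UDP 192.168.1.1:1031 ➝ 8.8.8.8:53",
    "Flows UDP 192.168.1.1:1031 ➝ 8.8.4.4:53",
    "Flows UDP 192.168.1.1:1031 ➝ 208.67.222.220:53",
]

if __name__ == "__main__":
    flows, queries = parse_network_section(REPORT_LINES)
    for hit in assess_dns(flows, queries, configured_resolver="192.168.1.254"):
        print("ALERT: %(src)s sent DNS for %(queried)s directly to %(public_resolvers)s"
              % hit)
```

On a production network the same logic runs over NetFlow or firewall logs with the real resolver addresses in place of the assumed one; egress filtering of UDP/53 to anything but the corporate resolvers turns this from a detection into a block, and the queried name (pqe.su here) becomes the indicator to pivot on.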

Raw Pcap

Strings
\
. 
.i..=
.
f.=%
...
k
X9.
&wD.
....v.6
2..
5.
.Cx.
.
.
...
.P.V%.d
Cancel
Dialog
         (((((                  H
@jjj
msctls_updown32
MS Sans Serif
Spin1
~*;<=>
	"	|=/
00By\O
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
0B=p9I
0G fc7
0HlSu&
18;YCO
'1'BbT
20s.h?
|259E;
26E%2;W!
2c@HYT
2P+%FG
3^\M6Y
3N1%&5
3T8sPk<
3UK1;^
;3VRCx`
3Z+ITf-
|4,O&g>*
@, 4Pi
4y2s+d
5eL~N,
.5GzO@
5Ko+dE
5\oQF0
5TV2G/
`'6"R8
6zhJ$!%i
73S7wJ
7E4O=?
7?O%@z
7t/gt1Z
?7wE47
80zZ/.
81*58I
8"ma*X3sm
9!0--r
94M-hA
-A%0g5
A@2`tR
A9cW*i
abnormal program termination
ADVAPI32.dll
<!!ae7
a^n@*}
["aQGu\
AW5#w'G
axO?bE
AY$Y5c
B	\c(`
b%cvph
Bf]a6i%&
{~bJpq"j
b;MB	1
bpWH3g
bw_vE]@
cdeghij2
CertAddEncodedCertificateToSystemStoreW
*cfqG4
CIB,u7
CkX 37
cR~Kai
Crypt32.dll
]c\W-*
cz++[S
@.data
DOMAIN error
Ds$5hl
DSUVWh
dVs)M4
d>X:=tZ
%"\"=e
E'3Y+a
EN40H 
EnableWindow
etsB5$
/EU%fWD
ExitProcess
$F',F+ 
FindClose
- floating point not loaded
FPy~$Q
FreeEnvironmentStringsA
FreeEnvironmentStringsW
f	^R~&Ez
GA,"*2
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetThreadPriority
GetVersion
g`)i5p
g*U=ET
G;wn1F
)Hcno4
>hDUb=
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HU2`Jt
hv5YK@R
&H*y}#
i3^/%Y~
I81cXC
iG{';>Z
+ijklmnopqrstuvwxyz{|}~
in0($XF
^i~THGl@
]jF17k
j}+}Z`
k#()*+
k6Eix&
KBugH)
KERNEL32.dll
K}KJ:$
kKPVPoF
\KkZj&
$~KN2H,r#H
K@r7]9
kxr,Vo0
l*0.w!A9
^L4]'n
L/@C	6
LCMapStringA
LCMapStringW
LH".UG
lI+P4y
L%nJ;s
LoadLibraryA
LoadLibraryExA
Lwl] x
:lY},%.
m:	;1&
m|}5FO
MessageBoxA
Microsoft Visual C++ Runtime Library
%mNv&j~
#m~sRd
Mssign32.dll
$`-MSuQ
m#u5x`
MultiByteToWideChar
.N(gae}o
#NI9kK
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
nV2Q+	
n==Z:;
O])[9*
|<ob?Aw
"Ob~Rv0
ocw!s&
oe\&%r
OLEAUT32.dll
o]xHXJd
OXYZ[#
\P0GT@^
 p~4q2
p,7GWj
p9Yl E
%`PH{LD
piY4at
%Pkt*W
P=nw'L
Program: 
<program name unknown>
PT/-F:
pu5i-WI
- pure virtual function call
PvkFreeCryptProv
pwBp9}
{P|,Z b
Q0t8Ll
Q5]ds;
$Q!dCo#+g
QueryServiceConfigW
{=_q|V
`~R:[ 
rckQS~
`.rdata
rm~1RN_
rMB7K>
Ropqr:
r^pX](
RsP7HpE7
RtlUnwind
runtime error 
Runtime Error!
$R*w/.G
SCardConnectA
SCardForgetCardTypeW
SetHandleCount
SetProcessWindowStation
Shijk3
SING error
siovQm
SS@SSPVSS
SwitchDesktop
syY||lS
&T3Iug
_T5_0^
Tabcd,
td'2>n
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
T{JC)!;
TLOSS error
tN qNp 
To/rP{
tPFlyA
~T#P~_oW
(t[SAO	
t#SSUP
t.;t$$t(
t$$VSS
tWPwl)b9e$
Tz1^]J
u4IfRh
+*UBVa
UFCIR3
ulE[^F
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
?U>p1~
up&T}Y
user32.dll
USER32.dll
&UtxQj
uw>eLs
u YF{f>'
v00DF=
<v8|J}
VC20XC00U
VirtualAlloc
VirtualFree
]vwxyA
?v=w"Y
W3#)2.
WideCharToMultiByte
winscard.dll
WinSCard.dll
@wKJc}
]/@wq/
WriteFile
WS2_32.dll
W}t*VM
{Xmu['
Xt),-I
y_~0&;
Y;5D=I
y9W47h
Y>-AlT
'yb,_S
&yGZ`u
YRd7e3~&
y@U[1c
:YV3`d|
_^][YY
YYh(p@
YZ[]^_`(
}z,dL|
&.Zl$O
z_T$pAk
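Most of the Strings section above is byte noise from the large encrypted .data section, with the import names and Visual C++ runtime messages scattered through it. What matters for triage is the handful of names that a GUI dialog program has no business importing: CertAddEncodedCertificateToSystemStoreW from Crypt32.dll (writing a certificate into the system store), SCardConnectA and SCardForgetCardTypeW from winscard.dll (smart-card access), PvkFreeCryptProv from Mssign32.dll, SwitchDesktop and SetProcessWindowStation, QueryServiceConfigW, and WS2_32.dll for sockets. The following is an added example, not output of the sandbox and not code from the sample: it separates DLL names, CamelCase export names and CRT boilerplate from the noise, then tags the names by what they enable. The sample list is a subset of this page's strings, constructed as test input; the CamelCase heuristic and the tag table are the editor's assumptions and trade recall for precision (all-caps names such as GetOEMCP are dropped).

```python
"""Triage of the report's Strings dump: separate CRT boilerplate and byte
noise from import-like names, then tag the names that matter for this sample
(certificate store writes, smart-card access, desktop/window-station
switching, service queries, sockets).
Added example, not from the report tool; heuristics and tags are assumptions."""
import re
from collections import defaultdict

DLL_RE = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)
API_RE = re.compile(r"^[A-Z][A-Za-z]{5,}$")      # letters only, capitalised
CRT_RE = re.compile(r"runtime|not enough space|pure virtual|floating point|"
                    r"abnormal program|DOS mode|TLOSS|SING error|DOMAIN error|"
                    r"program name unknown|unable to|unexpected", re.IGNORECASE)

# Substring of a lowercased export name -> analyst tag (first match wins).
API_TAGS = [
    ("cert", "crypto / certificate store"),
    ("crypt", "crypto / certificate store"),
    ("scard", "smart card"),
    ("desktop", "desktop / window station"),
    ("windowstation", "desktop / window station"),
    ("service", "service control manager"),
]
DLL_TAGS = {
    "crypt32.dll": "crypto / certificate store",
    "mssign32.dll": "crypto / certificate store",
    "winscard.dll": "smart card",
    "ws2_32.dll": "sockets",
}


def looks_like_api(s):
    """Heuristic for a CamelCase Win32 export name.  Rejects random byte runs
    such as 'DSUVWh' (too few lowercase letters) while keeping 'GetACP'."""
    if not API_RE.match(s):
        return False
    upper = sum(c.isupper() for c in s)
    lower = len(s) - upper
    return upper >= 2 and lower >= 2 and upper <= lower + 2


def triage_strings(lines):
    """Bucket a strings dump into dlls / apis / crt messages / noise and
    collect tagged names of interest under 'flags'."""
    dlls, apis, crt, flags = set(), [], [], defaultdict(list)
    noise = 0
    for raw in lines:
        s = raw.strip()
        if DLL_RE.match(s):
            name = s.lower()                 # user32.dll and USER32.dll are one DLL
            dlls.add(name)
            if name in DLL_TAGS:
                flags[DLL_TAGS[name]].append(name)
        elif CRT_RE.search(s):
            crt.append(s)
        elif looks_like_api(s):
            apis.append(s)
            low = s.lower()
            for needle, tag in API_TAGS:
                if needle in low:
                    flags[tag].append(s)
                    break
        else:
            noise += 1
    return {"dlls": sorted(dlls), "apis": apis, "crt": crt,
            "noise": noise, "flags": dict(flags)}


SAMPLE_STRINGS = [  # subset of the report's Strings section (constructed test input)
    "DSUVWh", "RsP7HpE7", "Dialog", "Cancel", "msctls_updown32", "MS Sans Serif",
    "abnormal program termination", "ADVAPI32.dll",
    "CertAddEncodedCertificateToSystemStoreW", "Crypt32.dll", "DOMAIN error",
    "ExitProcess", "GetACP", "GetProcAddress", "KERNEL32.dll", "LoadLibraryA",
    "Microsoft Visual C++ Runtime Library", "Mssign32.dll", "PvkFreeCryptProv",
    "QueryServiceConfigW", "SCardConnectA", "SCardForgetCardTypeW",
    "SetProcessWindowStation", "SwitchDesktop", "UnhandledExceptionFilter",
    "user32.dll", "USER32.dll", "winscard.dll", "WinSCard.dll", "WS2_32.dll",
    "!This program cannot be run in DOS mode.", "- unable to initialize heap",
]

if __name__ == "__main__":
    result = triage_strings(SAMPLE_STRINGS)
    print("DLLs:", ", ".join(result["dlls"]))
    print("import-like names: %d, CRT messages: %d, noise: %d"
          % (len(result["apis"]), len(result["crt"]), result["noise"]))
    for tag, names in result["flags"].items():
        print(f"[{tag}] " + ", ".join(names))
```

The tag table is the part to maintain: it encodes what an analyst already suspects about a family, so it should be reviewed against the actual imports (here, the certificate-store and smart-card names) rather than grown into a generic list. Names that appear as strings but not in the import table are also worth cross-checking against the IMPhash, since a packed loader typically resolves its real API set at run time through GetProcAddress, which this dump does import.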