Analysis Date: 2014-03-04 22:13:03
MD5: 2a94fc7764f8e207f4497b9aee0383fd
SHA1: 93d287c6f0f30bbf566179c2eec1a5eaf47ca109

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: dc32da2ccfd17b5aa14f4b9d08e63f08 sha1: 41f82ab543daf98891dad9ce884bf794dcc37da9 size: 1024
Section .rdata md5: 405bbbf59eda28b11e01b8a3d76914a5 sha1: 1ce3ca9d381a8e4fedc8b7166dc50930ddbdbb9e size: 512
Section .data  md5: 572a379a158e192da01d4376e8f3abe1 sha1: e717c5132b8c12eed15ed607e770d4653701882c size: 512
Section .rsrc  md5: 12e1d25519d5f09a505ec91608bfe993 sha1: fc33cbde69e5c9e76a078def0c81844ae2d7b958 size: 43520
Section .reloc md5: feb69391b38984cb5abaca827e9893b4 sha1: 0ae0c99ad50837cac5d00d5ac0ad61f60775f21f size: 512
Timestamp: 2005-12-17 02:18:09
Packer: PE Diminisher v0.1
PEhash: 37ef5e9d4c26cf891809ad175399dbcee0962227
IMPhash: 200c4533900c2a2013f68ace09a3f2fd
AV (avg): BackDoor.Generic17.ASPA
AV (mcafee): Cutwail-FCTP!2A94FC7764F8
AV (avira): TR/Dropper.Gen
AV (msse): TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\kemrapryvybd ➝ C:\Documents and Settings\Administrator\kemrapryvybd.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\kemrapryvybd.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: kemrapryvybd
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: robertmcintyre.com.au
Winsock DNS: celebikalip.com.tr
Winsock DNS: skaner.com.pl
Winsock DNS: coe.pku.edu.cn
Winsock DNS: buzzkillmedia.com
Winsock DNS: nasz-sklep.pl
Winsock DNS: boundbydesign.com
Winsock DNS: optiver.com.au
Winsock DNS: hostphd.com.br
Winsock DNS: avisay.com
Winsock DNS: violadagamba.com
Winsock DNS: mail57.us2.mcsv.net
Winsock DNS: redconeretreat.com
Winsock DNS: acmepacificrepairs.com
Winsock DNS: korta-sa.com
Winsock DNS: jeansmate.co.jp
Winsock DNS: arckepesajandek.hu
Winsock DNS: hpp-services.com
Winsock DNS: djkentaro.com
Winsock DNS: sarahdavid.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.96.11
DNS: smtp.live.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.96.11:25
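Turning the runtime and network indicators above into a detection check, as an added example that is not part of the original report or of the sandbox that produced it. The script matches constructed host and network events (the field names are an assumed, simplified Sysmon-like schema) against the hashes, the Run-key persistence value, the dropped file, the sample-specific mutex and the domains the sample resolved, and additionally flags any outbound TCP/25 connection from a host that is not a mail server, since the only flow in the report goes to port 25 on the address smtp.glbdns2.microsoft.com resolved to and the McAfee and Microsoft labels identify the family as Cutwail, a spam bot. WininetConnectionMutex and the three index.dat cache mutexes are ordinary WinINet artifacts and are deliberately not used as indicators; the two Microsoft SMTP host names are left out of the domain list for the same reason.

```python
"""Match telemetry against the indicators in the sandbox report above.

Added example, not part of the original report or of any sandbox product.
The event records at the bottom are constructed; the field names (event, key,
value, path, mutex, query, dst, dport, hashes) are an assumed, simplified
Sysmon-like schema, not the output of any real sensor.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators copied verbatim from the Static, Runtime and Network sections.
SAMPLE_HASHES = {
    "md5": "2a94fc7764f8e207f4497b9aee0383fd",
    "sha1": "93d287c6f0f30bbf566179c2eec1a5eaf47ca109",
    "imphash": "200c4533900c2a2013f68ace09a3f2fd",
}
RUN_VALUE_NAME = "kemrapryvybd"
DROPPED_EXE = "kemrapryvybd.exe"
MUTEXES = {"kemrapryvybd"}          # WinINet mutexes intentionally excluded
DNS_NAMES = {
    "robertmcintyre.com.au", "celebikalip.com.tr", "skaner.com.pl", "coe.pku.edu.cn",
    "buzzkillmedia.com", "nasz-sklep.pl", "boundbydesign.com", "optiver.com.au",
    "hostphd.com.br", "avisay.com", "violadagamba.com", "mail57.us2.mcsv.net",
    "redconeretreat.com", "acmepacificrepairs.com", "korta-sa.com", "jeansmate.co.jp",
    "arckepesajandek.hu", "hpp-services.com", "djkentaro.com", "sarahdavid.com",
}
SMTP_DST = "65.55.96.11"

# Behavioural pattern: a Run value whose data is an .exe directly in the profile
# root (the report shows C:\Documents and Settings\Administrator\kemrapryvybd.exe).
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
PROFILE_ROOT_EXE_RE = re.compile(
    r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass
class Hit:
    event_id: int
    reason: str


def check_event(ev: dict) -> list[str]:
    """Return every reason this single event matches the report's behaviour."""
    reasons: list[str] = []
    kind = ev.get("event")
    if kind == "registry_set":
        if RUN_KEY_RE.search(ev["key"]) and ev["key"].lower().endswith(RUN_VALUE_NAME):
            reasons.append("Run value name from report")
        if RUN_KEY_RE.search(ev["key"]) and PROFILE_ROOT_EXE_RE.match(ev["value"]):
            reasons.append("Run key points at .exe in profile root")
    elif kind == "file_create" and ev["path"].lower().endswith("\\" + DROPPED_EXE):
        reasons.append("dropped file name from report")
    elif kind == "mutex_create" and ev["mutex"].lower() in MUTEXES:
        reasons.append("mutex name from report")
    elif kind == "dns_query" and ev["query"].lower().rstrip(".") in DNS_NAMES:
        reasons.append("domain resolved by sample")
    elif kind == "net_connect":
        if ev["dst"] == SMTP_DST:
            reasons.append("SMTP destination from report")
        if ev["dport"] == 25 and not ev.get("is_mail_server", False):
            reasons.append("outbound TCP/25 from non-mail host (spam-bot behaviour)")
    elif kind == "process_create":
        for algo, known in SAMPLE_HASHES.items():
            if ev.get("hashes", {}).get(algo, "").lower() == known:
                reasons.append(f"{algo} matches sample")
    return reasons


def scan(events: list[dict]) -> list[Hit]:
    """Run check_event over a batch and flatten the results."""
    return [Hit(ev["id"], r) for ev in events for r in check_event(ev)]


# Constructed telemetry: events 3 and 4 are benign, the rest mirror the report.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create", "image": r"C:\malware.exe",
     "hashes": {"md5": "2A94FC7764F8E207F4497B9AEE0383FD"}},
    {"id": 2, "event": "registry_set",
     "key": r"HKCU\software\microsoft\windows\currentversion\run\kemrapryvybd",
     "value": r"C:\Documents and Settings\Administrator\kemrapryvybd.exe"},
    {"id": 3, "event": "registry_set",
     "key": r"HKCU\software\microsoft\windows\currentversion\run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 4, "event": "mutex_create", "mutex": "WininetConnectionMutex"},
    {"id": 5, "event": "dns_query", "query": "korta-sa.com"},
    {"id": 6, "event": "net_connect", "dst": "65.55.96.11", "dport": 25},
    {"id": 7, "event": "net_connect", "dst": "10.0.0.5", "dport": 25,
     "is_mail_server": False},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: {hit.reason}")
```

The hash and name checks are exact-match indicators that only catch this build; the two behavioural rules (a Run value pointing at an executable in the profile root, and direct SMTP from a workstation) are what survive a recompile or a renamed dropper, and they are also the ones that need tuning per environment, hence the `is_mail_server` flag.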

Strings
_..
=
.
0Loads an alpha channel onto the current document
 1999 Microsoft Corporation.  All rights reserved.
6Open another window for the active document
About4Quit the application; prompts to save documents
About DirectX Texture Tool
&About DxTex...
Activate Task List
Activate this window
&Add/Remove Cube Map Faces...
&Alpha Channel Only
&Arrange Icons
Arrange Icons/Arrange windows so they overlap
Cancel
&Cascade
Cascade Windows5Arrange windows as non-overlapping tiles
Change &Background Color...
&Change Image Format
Change the window position
Change the window size
Close
&Close
Close the active document
Copy1Cut the selection and put it on the Clipboard
&Copy	Ctrl+C
Copyright 
Create a new document
&Cube Map Face
Cube Map Faces
Cu&t	Ctrl+X
.dds
DDS Document
DDS.Document
DDS Files (*.dds)
DirectDrawSurface
DirectX Texture Tool
DirectX Texture ToolG
?Display program information, version number and copyright
DXT&1 (1-bit alpha)
DXT&2 (4-bit alpha premult)
DXT&3 (4-bit alpha non-premult)
DXT4 (interpolated alpha premult)
DXT&5 (interpolated alpha non-premult)
&Edit
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
Erase
Erase All3Copy the selection and put it on the Clipboard
Erase everything
Erase the selection
Exit
E&xit
&File
Find
Find the specified text
F&ormat
&Generate Mip Maps
Generate Mip Maps#Convert to a different image format
&Help
Insert Clipboard contents
kernel32.dll
&Larger Mip Level	PgUp
MS Sans Serif
MS Shell Dlg
Negative X
Negative X	x
Negative Y
Negative Y	y
Negative Z
Negative Z	z
&New Format	2
&New Window
New Window7Arrange icons at the bottom of the window
Next Pane5Switch back to the previous window pane
Open
Open an existing document
O&pen As Alpha Channel...
Open As Alpha For This C&ubemap Face...
Open As Alpha For T&his Mipmap Level...
Open As Th&is Cubemap Face...
Open As &This Mipmap Level...
&Open...	Ctrl+O
Open this document
Open this document(Switch to the next window pane
&Original Format	1
Paste
&Paste	Ctrl+V
Positive X
Positive X	X
Positive Y
Positive Y	Y
Positive Z
Positive Z	Z
Previous Pane
Ready
Recent File
Redo
Reduce the window to an icon
Repeat1Replace specific text with different text
Repeat the last action
Replace%Select the entire document
!Restore the window to normal size
Save0Save the active document with a new name
Save As
Save &As...
&Save	Ctrl+S
Save the active document
SCRL
See dxtex.txt for help with using this program.
Select All
Select which faces you would like to be present in the cube map:
'Show or hide the toolbar
S&maller Mip Level	PgDn
Split
&Status Bar
TEXTINCLUDE
 =Texture maps must have even (multiple of 2) width and height.2Source image width and height must be powers of 2.[This image does not have the same dimensions as the source image.  Is it okay to resize it?2Generation of the alpha image unexpectedly failed.UThis operation cannot be performed because the source image uses premultiplied alpha.
&Tile
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
Toggle StatusBar
Toggle ToolBar,Show or hide the status bar
&Toolbar
&Undo	Ctrl+Z
Undo&Redo the previously undone action
Undo the last action
&View
Warning: The source image contains premultiplied alpha, and the RGB values will be copied to the destination without "unpremultiplying" them, so the resulting colors may be affected.
&Window
Zoom I&n	+
Zoom O&ut	-
:!,'	,
1 1&141G1L1Q1\1j1p1
2;2C2L2]2
2vL`3L
3~gtZFj
3t!(l,
:_45iLnu
50A0c0i0
)5,Ym!V=
&:)<#7
81&eKS
	-'8Ba
8i,m#(AR
^a-N_3	
<ax<'b
B6*B;Y
^&b B:
}bx`GC
bzLz@G
@.data
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
d<Pa1v
#endif
#endif //_WIN32
Fq}}B^wA)g;
gdi32.dll
GetComputerNameA
GetModuleHandleA
GetModuleHandleW
GetObjectA
GetProcAddress
!GPCtW
h6.$0T
h'8Tg;##<U
H|A610p
HU3<fu
+i{7=Yl
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
(I?ioq
#include "afxres.h"
#include "afxres.rc"         // Standard components
jXH$RM
kbZY0".
<K#d0s
kernel32.dll
?)L3H|
LANGUAGE 9, 1
LoadImageW
LoadLibraryExA
LYu2hk
m@)8tyW
md5NBU
N1$H[6
\.nBox
nGai-G
-N!ihL
nv/m]Yn
O/a]^"
Or~XO 
P[h;0@
pi?g']
_PKyhZ
#pragma code_page(1252)
PVPZUUZ	1
q8&c	0
(qgI_i
] q;@Nv
`.rdata
@.reloc
resource.h
RP>B3[<
}SNy%1
Swi+6i^
Tg@%k/
!This program cannot be run in DOS mode.
U1+bGhf
user32.dll
wF&@;z9
WPOm)7
(;X21dI
X;egTa
xNlSyQG:
z82m+>
'z&8aR
Zc/)q`g
[_z$]em