Analysis Date: 2014-08-30 02:43:57
MD5: 2ae48904f68d918a9ff6e32f4c4e9102
SHA1: 93f906d47299a069c2645b08be70ed4873974095

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 6521777524332aa3b005b2b4df517385 sha1: 72cee21dacfb638cae52cce0e309e4d41bb5829a size: 155136
Section .rdata md5: 34dbac1ebdaed2dc7e11c57330f7e5d5 sha1: 8149f0ee3c6f5effb54d600ab8f76ece54f5e4e9 size: 2048
Section .data md5: 04262f48bd8b6e6946ba6130576e4aaa sha1: c9707b87231d38e9465b1cff670fceddf31ca1a5 size: 24576
Section .tls md5: d220f6d38d14ab5e6aa71158a9954217 sha1: f435c808eb2f65bcf4e58d0130a7532992c82c93 size: 512
Timestamp: 2005-09-21 18:59:24
Version: PrivateBuild: 1508
PEhash: c7d6aeea92dc1245b161f7716683d564e5d04c4a
IMPhash: f03f53713f94276a90e22932fecdf75b

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: stellasystemsonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: gravatar.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: gravatar.com
Type: A
192.0.80.241
DNS: gravatar.com
Type: A
192.0.80.242
DNS: gravatar.com
Type: A
192.0.80.239
DNS: gravatar.com
Type: A
192.0.80.240
DNS: stellasystemsonline.com
Type: A
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v97=93&tq=gHZutDyMv5rJeCG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.241:80

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626532 3f763937   bcfe64067be2?v97
0x00000040 (00064)   3d393326 74713d67 485a7574 44794d76   =93&tq=gHZutDyMv
0x00000050 (00080)   35724a65 4347314a 384b2532 42314d57   5rJeCG1J8K%2B1MW
0x00000060 (00096)   434a6250 346c6c74 58494125 33442533   CJbP4lltXIA%3D%3
0x00000070 (00112)   44204854 54502f31 2e300d0a 436f6e6e   D HTTP/1.0..Conn
0x00000080 (00128)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000090 (00144)   6f73743a 20677261 76617461 722e636f   ost: gravatar.co
0x000000a0 (00160)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x000000b0 (00176)   55736572 2d416765 6e743a20 6d6f7a69   User-Agent: mozi
0x000000c0 (00192)   6c6c612f 322e300d 0a0d0a              lla/2.0....


Strings
tD*4{.
..
.....
\...4
7x
.m(U
.Te.
<
?
d..&
n..L.-.
V.E.iD=.
uwF.X.
.
#6..@4..
..#...
...9.UAu..
&MG.p1..
.-.65.v.a...+.
.
.
....[.q..Fr.}.
d^
D.~.V.........Vj.5.
j
...@.
A
_

040904b0
1508
$gF#
&g'R
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
;_-\<*
0g4yLeFca
1}2tA>
\?1MHH3~
2T|aVW
2_Xotw!
%3+UBp
64>GGo
6n,kIf
+7/Tl^
7,zt[L
8wWuvB
\=9tmI
A1T2CKD
[%a:d[
 A*m&J
!BC!Hk
C(0l)#
CallNextHookEx
ChildWindowFromPoint
ClipCursor
comdlg32.dll
CompareStringW
CreateFiber
D%1x,/
@.data
DefWindowProcW
DestroyCursor
DestroyIcon
D]F"6*
DrawEdge
EmptyClipboard
EnumResourceNamesA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindResourceExA
FlushFileBuffers
GetFileAttributesA
GetFileTime
GetFileTitleA
GetFileType
GetProfileStringW
GetSysColor
GetSysColorBrush
GetSystemDirectoryW
GetSystemTime
GetUserDefaultLangID
GetVersionExW
GetVolumeInformationW
*G_Kgd
gzswAyW
H==]/_
%(Hha5*
HS/&w|,
?I+7w4
I}&F9-
I	i	:^V:2
I:<M)|
IsClipboardFormatAvailable
IsDBCSLeadByte
_J&3;?1!
j5L85u
[_	j:e
Jo6L;t
JRichu
j(z\Oq
KERNEL32.dll
?{kY5w
L6wz;)=F
<l^{$8i
^LFUgK=
LI]l	l
L>Mmjo
L\[|o)
LocalAlloc
LockFile
$Lqk?gC
M9?,jA
mfKl7i
{-;mhmt
Mm=uh)
,n/|8_
NdrClientCall
nk6zx*C
=Nn5ch
!o6pxaLc
O}B1Cm
@O/K;j%a
P8$|p%
P\c*8I0
Q=K)	d
R:c<wMk
`.rdata
RealGetWindowClass
RegisterClassW
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
s\&:7IVF
SearchPathW
SetClipboardData
SetEndOfFile
SetScrollRange
SetWindowPos
SetWindowsHookExW
sH9;-U"
s&Ue-	#t
T6IS\)
T~A@aI
=,,/td
TerminateProcess
!This program cannot be run in DOS mode.
TjW./)+p
ToAscii
T-uXJ]
UnhookWindowsHookEx
UnlockFile
USER32.dll
VerLanguageNameW
?vf6?9
W{=7u|
WinHelpW
+x2gB-
_xi{LP
xtB,0?{)C
X?yn{<
y|{9,W
;yMW7v
yNwh(R
?y	Xnw(