Analysis Date: 2015-04-01 05:51:25
MD5: 2b4af92caf0c38e18c0a249231a78e1d
SHA1: 95c7abf09d4f18b4651c674548d8f9908eb3de66

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b47f059faa605a5320b391eb139aab95 sha1: 88153ec1639cec52e9bb948f14ad26f728c96ed9 size: 210432
Section .rdata: md5: e6af58d8c869746e67545a78c3c5a730 sha1: 5eae357f2ca8add35c79ed384c1e83c3d6dbed96 size: 4608
Section .data: md5: 8715af63f4da8fba03b1f15caabad0d2 sha1: 43487e5ef05a215bb5ecc26f2e4499b7b75650e4 size: 102912
Section .venue: md5: 90d29cef4aa4a39508ec511f60a40650 sha1: c9fdbbd87ba216ef0d8df6c219c23be1db7eb592 size: 5120
Timestamp: 2005-10-22 17:47:44
PEhash: d6ad54920e3f4e4433fdac8bae1b74ef96906e5f
IMPhash: ef2e83bc0cf62a303e92520e66484452
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-FN [Cryp]
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV Authentium: W32/FakeAlert.JZ.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): FraudTool.SpyPro
AV ClamAV: no_virus
AV Dr. Web: Trojan.Siggen.64617
AV Emsisoft: Gen:Heur.Cridex.2
AV Eset (nod32): Win32/Kryptik.JMP.Gen
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/FakeAlert.JZ.gen!Eldorado
AV F-Secure: Gen:Heur.Cridex.2
AV Grisoft (avg): Luhe.Fiha.A
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Trojan ( 003d9e461 )
AV Kaspersky 2015: Trojan.Win32.FakeAV.zys
AV MalwareBytes: Trojan.FakeAlert
AV Mcafee: FakeAlert-SpyPro.gen.bb
AV Microsoft Security Essentials: Rogue:Win32/FakeSpypro
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IC
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: TROJ_FAKEAV.SMDF
AV VirusBlokAda (vba32): Trojan.FakeAV

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wmduwdny ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\bbkirybcg\eemcwitlajb.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes ➝ .exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures ➝ no\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bbkirybcg\eemcwitlajb.exe
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\bbkirybcg\eemcwitlajb.exe
Creates Mutex: Global\Miranda64

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\bbkirybcg\eemcwitlajb.exe

Creates File: PIPE\lsarpc
Creates Mutex: Global\Miranda64

Network Details:


Strings