Analysis Date: 2014-11-01 02:39:32
MD5: 1317058491d79847f66cea0eea0eb818
SHA1: 975574d6e67b711064086f6ec63d3e546ef1e5da

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 083d06ffd3c42b21eddf2bc49621acf8 sha1: e0dfc3db1bac5b71e8b6b79a2137817ba23fb61b size: 3072
Section .rdata: md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024
Section .data: md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536
Section .rsrc: md5: 7761c4885eae6274d8ef6363cc8080bd sha1: 21097f5fdf625182aa60e8d75481af1d32f665af size: 40960
Timestamp: 2014-06-17 19:19:37
Version:
LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: aa08b345557f392f5cf9a25e767913eb6eda649a
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV 360 Safe: Trojan.Dropper.Agent.VNI
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Alwil (avast): Kryptik-NXT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.GXUD-6785
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Trojan.Dropper.Agent.VNI
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r4
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Dropper.Agent.VNI
AV Eset (nod32): Win32/Kryptik.CEET
AV Fortinet: W32/Kryptik.CEET!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Grisoft (avg): Agent
AV Ikarus: Trojan.Dropper.Agent
AV K7: Trojan ( 0049b9671 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: RDN/Downloader.a!sq
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Norman: Trojan.Dropper.Agent.VNI
AV Rising: no_virus
AV Sophos: Troj/Loader-N
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xoluzrixykba ➝ C:\Documents and Settings\Administrator\xoluzrixykba.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\xoluzrixykba.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: xoluzrixykba

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
63.250.193.228
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25

Strings