Analysis Date: 2015-03-30 20:03:47
MD5: d99067da3460efcdf401f5fe4929efc7
SHA1: 97b09377fdb5252291fafa85c5cdae6e56101c6e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 91d99a9336eb97970779c7f04113c221 sha1: c0088ae6194c46390a915c35f0134a8bd2b17ce7 size: 13824
Section .rdata  md5: 3c98090d8afa38e17756ac3aa123bf4e sha1: 3a424e7bb1d311b9edd2883353a8c05d5a96f7a8 size: 4096
Section .data   md5: 6b92cb7bc967929e8f3dbad416f333c8 sha1: eb912c60b039a557bef970e65f1ef4abdc7de375 size: 22016
Section .reloc  md5: ae03bc2723c76f4a9c1b0efc0d617d8e sha1: 7814aca716af0c502cb69125d08f700447de8ecf size: 1536
Section eflrdvr md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
(the md5/sha1 on the eflrdvr section are the digests of zero bytes: the section header is present but carries no raw data, and the name is not one a stock linker emits)
Timestamp: 2008-12-09 03:22:39
PEhash: 8e5f2c90f4126d46a8a8f7b9150b28182fd85acf
IMPhash: 5d59935744c2951aba607e801e09dcde
AV 360 Safe: Trojan.Downloader.Win32.Cutwail.A
AV Ad-Aware: Generic.Malware.SFBdld.B34E488A
AV Alwil (avast): ShellCode-AU [Trj]
AV Arcabit (arcavir): Generic.Malware.SFBdld.B34E488A
AV Authentium: W32/Injector.A.gen!Eldorado
AV Avira (antivir): TR/Patched.Ren.Gen
AV BullGuard: Generic.Malware.SFBdld.B34E488A
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Trojan.Downloader.Small-3221
AV Dr. Web: Trojan.DownLoader8.7342
AV Emsisoft: Generic.Malware.SFBdld.B34E488A
AV Eset (nod32): Win32/Wigon.PH
AV Fortinet: W32/Pushdo.B!tr.bdr
AV Frisk (f-prot): W32/Injector.A.gen!Eldorado
AV F-Secure: Generic.Malware.SFBdld.B34E488A
AV Grisoft (avg): Win32/DH{AyAkIiUP}
AV Ikarus: Gen.Trojan
AV K7: Trojan ( 001d712b1 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Spammer
AV Mcafee: Downloader-FHG!D99067DA3460
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Generic.Malware.SFBdld.B34E488A
AV Rising: no_virus
AV Sophos: Mal/Emogen-Y
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_CUTWAL.SML3
AV VirusBlokAda (vba32): BScope.Trojan.Cutwail.4512
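The section table above is the kind of thing worth checking mechanically rather than by eye. The following is an added Python example (mine, not the sandbox's code) that parses section lines in the shape this page uses, flags sections whose name is not one a stock linker emits, and confirms that a zero-size section really is empty by comparing its digests with the md5/sha1 of zero bytes. REPORT_SECTIONS is a copy of the five section lines above; the set of "usual" section names is my own assumption.

```python
"""Section-table triage for a report in this page's format.

Added example, not the sandbox's own code: REPORT_SECTIONS is a copy of the
section lines from the report, and the 'usual section names' list is my own."""
import hashlib
import re

REPORT_SECTIONS = """\
Section .text md5: 91d99a9336eb97970779c7f04113c221 sha1: c0088ae6194c46390a915c35f0134a8bd2b17ce7 size: 13824
Section .rdata md5: 3c98090d8afa38e17756ac3aa123bf4e sha1: 3a424e7bb1d311b9edd2883353a8c05d5a96f7a8 size: 4096
Section .data md5: 6b92cb7bc967929e8f3dbad416f333c8 sha1: eb912c60b039a557bef970e65f1ef4abdc7de375 size: 22016
Section .reloc md5: ae03bc2723c76f4a9c1b0efc0d617d8e sha1: 7814aca716af0c502cb69125d08f700447de8ecf size: 1536
Section eflrdvr md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
"""

# Accepts both the fused "Section.text ..." and the spaced "Section .text ..." spellings.
SECTION_RE = re.compile(
    r"^Section\s*(\S+)\s+md5:\s*([0-9a-f]{32})\s+sha1:\s*([0-9a-f]{40})\s+size:\s*(\d+)$")

# Names a stock MSVC/MinGW link normally emits (assumption); anything else deserves a look.
USUAL_NAMES = {".text", ".rdata", ".data", ".reloc", ".rsrc", ".idata", ".edata",
               ".bss", ".tls", ".pdata", ".CRT", ".textbss"}

# Digests of zero bytes: a section reporting these has a header but no raw data.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()     # d41d8cd98f00b204e9800998ecf8427e
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()   # da39a3ee5e6b4b0d3255bfef95601890afd80709


def parse_sections(text):
    """Parse 'Section<name> md5: .. sha1: .. size: ..' lines into dicts."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            name, md5, sha1, size = m.groups()
            sections.append({"name": name, "md5": md5, "sha1": sha1, "size": int(size)})
    return sections


def section_findings(sections):
    """Map section name -> list of reason codes; sections with nothing odd are omitted."""
    findings = {}
    for s in sections:
        reasons = []
        if s["name"] not in USUAL_NAMES:
            reasons.append("odd-name")
        if s["size"] == 0:
            reasons.append("empty")
        hashes_empty = s["md5"] == EMPTY_MD5 and s["sha1"] == EMPTY_SHA1
        if hashes_empty != (s["size"] == 0):
            # Size and digests disagree: the tool hashed something other than the raw section.
            reasons.append("size-hash-mismatch")
        if reasons:
            findings[s["name"]] = reasons
    return findings


def total_raw_size(sections):
    """Sum of raw section sizes; compare against the file size when you have it."""
    return sum(s["size"] for s in sections)


if __name__ == "__main__":
    secs = parse_sections(REPORT_SECTIONS)
    print(total_raw_size(secs), section_findings(secs))
```

On this report the only section with findings is eflrdvr (odd name, empty), and the raw sections sum to 41472 bytes; a non-empty section with the empty-input digests, or the reverse, would mean the reporting tool and the header disagree and the file should be re-parsed by hand.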

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\conuqdewuvyk ➝ C:\Documents and Settings\Administrator\conuqdewuvyk.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\conuqdewuvyk.exe
Creates Mutex: conuqdewuvyk

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.live.com (Type: A)
Flows: TCP 192.168.1.1:1031 ➝ 65.55.163.152:25
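The runtime and network events above tell a short story: the sample copies itself into the user profile, registers that copy under the HKCU Run key, creates a mutex with the same name, opens a socket, resolves Microsoft mail hosts and connects to port 25. Here is an added Python example (mine, not the sandbox's code) that turns that event list into findings and IOCs. EVENTS is a hand-transcribed copy of the Runtime and Network details above; the event kinds and rule names are my own.

```python
"""Turn sandbox runtime/network events into findings and IOCs.

Added example, not the sandbox's own code. EVENTS is transcribed from the
report's Runtime/Network details; the event kinds and rule names are mine."""
import re

EVENTS = [
    ("registry_set", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\conuqdewuvyk",
     r"C:\Documents and Settings\Administrator\conuqdewuvyk.exe"),
    ("registry_set", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement", None),
    ("file_create", r"\Device\Afd\Endpoint", None),
    ("file_create", r"C:\Documents and Settings\Administrator\conuqdewuvyk.exe", None),
    ("mutex_create", "conuqdewuvyk", None),
    ("dns", "smtp.glbdns2.microsoft.com", "65.55.163.152"),
    ("dns", "smtp.live.com", None),
    ("tcp_connect", "192.168.1.1:1031", "65.55.163.152:25"),
]

RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
# \Device\Afd\Endpoint is the Winsock AFD device: opening it means "created a socket",
# not "dropped a file", so it must not be listed as a written artifact.
DEVICE_PREFIX = "\\Device\\"


def _stem(path):
    """Lower-cased file name without a trailing .exe, for matching against mutex names."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze(events):
    dropped = [p for k, p, _ in events if k == "file_create" and not p.startswith(DEVICE_PREFIX)]
    socket_opened = any(k == "file_create" and p.startswith(DEVICE_PREFIX) for k, p, _ in events)
    mutexes = [n for k, n, _ in events if k == "mutex_create"]
    persistence = [(key, val) for k, key, val in events
                   if k == "registry_set" and val and RUN_KEY.search(key)]
    # Run-key value pointing at a file the sample itself wrote: copy-self-and-register.
    self_persistence = [(key, val) for key, val in persistence if val in dropped]
    stems = {_stem(p) for p in dropped}
    mutex_matches = [m for m in mutexes if m.lower() in stems]
    # IPv4 "host:port" only (assumption); port 25 from a non-mail process is the spam-bot tell.
    smtp_peers = sorted({dst.rsplit(":", 1)[0] for k, _, dst in events
                         if k == "tcp_connect" and dst.endswith(":25")})
    resolved = {name: ip for k, name, ip in events if k == "dns" and ip}
    iocs = {
        "files": dropped,
        "mutexes": mutexes,
        "registry": [key for key, _ in persistence],
        "domains": sorted(name for k, name, _ in events if k == "dns"),
        "ips": sorted(set(resolved.values()) | set(smtp_peers)),
    }
    return {"dropped_files": dropped, "socket_opened": socket_opened,
            "self_persistence": self_persistence, "mutex_matches_dropped": mutex_matches,
            "smtp_peers": smtp_peers, "iocs": iocs}


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(f"{key}: {value}")
```

Two caveats when turning this into detection content: the mutex and dropped-file name (conuqdewuvyk) are the useful host indicators, since the Run key merely points at the dropped copy; and 65.55.163.152 is what the sample's own lookup of Microsoft's SMTP hosts returned, so the network signal is "a non-mail process talking on TCP/25", not that address.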

Strings

1gzip
text
0.0=0s0
0_1e1y1
0#1Q1c1j1y1
041T1{3
;0;G;^;
1<1K1Q1f1m1~1
1'393Z3
17cu>~
2?2^2e2o2y2-3@3%4G4X4n4
3)3Z3}3
3&4A4P4]4p4
4elements.cz;4-elements.se;4elementos.es;4elements.gr;4elements.us;8zaamarchitecten.nl;4energia.ee;4ernila.de;accountingtechs.biz;0handicap.at;accords-bilateraux.ch;4effect.ca;4elementos.cl;4elements.de;4-elements.se;8zaamarchitecten.nl;4enerchi.nl;4ernila.de;accountingtechs.biz;4dmobil.at;accords-bilateraux.ch;4effect.pl;4elementos.es;8zstabor.taborak.cz;4ergindl.at;accounting.ee;4dmobil.at;accords-bilateraux.ch;4effect.pl;4-elements.ch;
5+5<5U5w5
5 5*5y5
5$5C5J5e5q5
5'6C6L6U6
6A9s9{9
6G6P6z6
70>0L0
7"7.7@7E7
7&898@8E8T8_8n8x8
7K7R7Z7n7v7
8.868H8~8
.-8SUc
9#:8:F:
9,9;9B9
=(9m[o
9R\:_FwT^C78
9=xBap
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789_
Accept: */*
Accept-Language: en-us
ADVAPI32.dll
A;L$,|
~anC)9
AppManagement
B?r3ST
C9#eVR
CloseHandle
CoCreateInstance
CoInitialize
Content-Length: %d
Content-Type: application/octet-stream
conuqdewuvyk
CopyFileA
CoTaskMemFree
CoUninitialize
CreateFileA
CreateMutexA
CreateProcessA
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
CreateWellKnownSid
CryptAcquireContextA
CryptDecrypt
CryptDestroyKey
CryptEncrypt
CryptExportKey
CryptGenKey
CryptImportKey
CryptReleaseContext
;[;c;x;
D$ _^][
D3*#~"&T
D5!;~!?I
D$ 9\$,
D$(;D$,
del %%0
del %s
>D?O?j?p?
d(xJ'o
/)/EBKddp
eflrdvr
;"=E=L=d=
EnumProcessModules
EPtnL{u0}`E"~CHL.2'
EqualSid
ExitProcess
GetAdaptersInfo
GetAllUsersProfileDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetEnvironmentVariableA
GetExitCodeProcess
GetFileSize
GetLastError
GetModuleFileNameA
GetModuleFileNameExA
GetProcAddress
GetProcessHeap
GetProcessImageFileNameA
GetSystemDirectoryA
GetTempFileNameA
GetThreadContext
GetTickCount
GetTokenInformation
GetVolumeInformationA
gfxLFc:7W11T14Z:
GV>OsQ
g^xLFc:7
g^xLFc:7W11T14Z:@iLU
=G=Z=k=
HeapAlloc
HeapFree
HttpAddRequestHeadersA
HttpOpenRequestA
http://%s
HttpSendRequestA
https://%s
if exist %s goto :repeat
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
IPHLPAPI.DLL
Ip"miP
>/>I>W>`>
[jo}!UF[
=_>j>x>
KERNEL32.dll
'[Kk8 
LoadLibraryExA
"lqPx6
lstrcatA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
mail.airmail.net
Microsoft Enhanced Cryptographic Provider v1.0
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
nc{Q:;
n\m8)=
ole32.dll
OpenProcess
OpenProcessToken
pejVNVE@K=;I>?PHL`[byw
PGltZyBzcmM9ImRhdGE6aW1hZ2UvanBlZztiYXNlNjQs
<)"`PL
Process32First
Process32Next
PSAPI.DLL
PSSSSSS
PVVVVVV
*QRk2#
QueryPerformanceCounter
&'$R,"
`.rdata
ReadFile
RegCloseKey
RegDeleteValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
:repeat
ResumeThread
SetThreadContext
SetUnhandledExceptionFilter
SHLWAPI.dll
smtp.compuserve.com
smtp.directcon.net
smtp.live.com
smtp.mail.yahoo.com
smtp.sbcglobal.yahoo.com
software\microsoft\windows\currentversion
software\microsoft\windows\currentversion\run
:S*pTY
%s\%s.exe
StringFromCLSID
\system32\svchost.exe
SystemRoot
t`\?.-
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
tJUPWV
/<TLu]h-
TMi?;Z32T02W6;cEMx]h
)}uFBW?&
]UpE@^64U01U37^?FpT^
USER32.dll
USERENV.dll
USERPROFILE
}UtV{yF
vghPDH3*1
VirtualAlloc
VirtualAllocEx
VirtualFree
vrpM ?4T
 ^W6({8
WaitForSingleObject
WideCharToMultiByte
WININET.dll
wnsprintfA
WriteFile
WriteProcessMemory
WS2_32.dll
wsprintfA
XgkJ"C
|xPwpzw
}xrYd^(|
yvZJJ1$'
zs|lhtgfukm
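Read as a whole, the imports and literals above cluster into a few capabilities: thread-context and remote-memory APIs next to \system32\svchost.exe (injection), Run-key and CopyFileA strings (persistence), a del/if exist/goto :repeat batch sequence (self-deletion), CryptoAPI calls, WinInet with an MSIE 6 user agent, and a list of hard-coded SMTP relays. Here is an added Python example (mine, not the sandbox's or the sample author's code) that groups a hand-picked subset of those strings into buckets, decodes the one string that is valid base64 and yields printable text, and reports how the second "alphabet" string differs from the standard base64 table. SAMPLE_STRINGS is copied from the list above; the bucket names are my own.

```python
"""Capability triage over extracted strings.

Added example, not the sandbox's or the sample author's code. SAMPLE_STRINGS is a
subset of the report's Strings section; the capability buckets are my own grouping."""
import base64
import binascii
import string

SAMPLE_STRINGS = [
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "GetThreadContext",
    "SetThreadContext", "ResumeThread", "OpenProcess", "CreateToolhelp32Snapshot",
    "Process32First", "Process32Next", r"\system32\svchost.exe",
    "RegSetValueExA", r"software\microsoft\windows\currentversion\run", "CopyFileA",
    r"%s\%s.exe", "CreateMutexA",
    "del %s", "del %%0", "if exist %s goto :repeat", ":repeat",
    "CryptAcquireContextA", "CryptGenKey", "CryptImportKey", "CryptExportKey",
    "CryptEncrypt", "CryptDecrypt", "Microsoft Enhanced Cryptographic Provider v1.0",
    "InternetOpenA", "HttpOpenRequestA", "HttpSendRequestA", "http://%s", "https://%s",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "smtp.live.com", "smtp.mail.yahoo.com", "smtp.compuserve.com", "mail.airmail.net",
    "PGltZyBzcmM9ImRhdGE6aW1hZ2UvanBlZztiYXNlNjQs",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789_",
]

CAPABILITIES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "CreateRemoteThread", "GetThreadContext", "SetThreadContext",
                          "ResumeThread", "CreateToolhelp32Snapshot", "Process32First",
                          "Process32Next", r"\system32\svchost.exe"},
    "persistence": {"RegSetValueExA", r"software\microsoft\windows\currentversion\run",
                    "CopyFileA", r"%s\%s.exe", "CreateMutexA"},
    # "del %%0" is a wsprintf format string producing "del %0": a batch file that loops
    # until the dropper's exe can be deleted, then deletes itself.
    "self-delete-batch": {"del %s", "del %%0", "if exist %s goto :repeat", ":repeat"},
    "crypto-api": {"CryptAcquireContextA", "CryptGenKey", "CryptImportKey", "CryptExportKey",
                   "CryptEncrypt", "CryptDecrypt", "Microsoft Enhanced Cryptographic Provider v1.0"},
    "http-client": {"InternetOpenA", "HttpOpenRequestA", "HttpSendRequestA", "http://%s",
                    "https://%s", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"},
}

STANDARD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def classify(strings):
    """Map capability bucket -> sorted list of matching strings (empty buckets omitted)."""
    hits = {}
    for s in strings:
        for cap, members in CAPABILITIES.items():
            if s in members:
                hits.setdefault(cap, []).append(s)
        if s.startswith(("smtp.", "mail.")):  # hard-coded mail relays
            hits.setdefault("smtp", []).append(s)
    return {cap: sorted(v) for cap, v in hits.items()}


def decode_printable_base64(strings, min_len=16):
    """Return {string: decoded} for standard-base64 strings that decode to printable text."""
    out = {}
    for s in strings:
        if len(s) < min_len or len(s) % 4:
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(chr(b) in string.printable for b in raw):
            out[s] = raw.decode("ascii")
    return out


def alphabet_diff(candidate):
    """(characters missing from, characters added to) the standard base64 alphabet."""
    missing = "".join(sorted(set(STANDARD_B64) - set(candidate)))
    extra = "".join(sorted(set(candidate) - set(STANDARD_B64)))
    return missing, extra


if __name__ == "__main__":
    print(classify(SAMPLE_STRINGS))
    print(decode_printable_base64(SAMPLE_STRINGS))
    print(alphabet_diff(SAMPLE_STRINGS[-1]))
```

The base64 string decodes to `<img src="data:image/jpeg;base64,`, an HTML img tag with an inline JPEG, which fits the Trojan.Spammer/Cutwail names in the AV results. The second table is 62 characters long and lacks n, + and / while adding _, so it is not a drop-in base64 alphabet as printed; the code only reports the difference and makes no claim about what the sample uses it for.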