Analysis Date: 2014-12-04 03:34:03
MD5: 1b2d44e9e5dbb33239a15cb7143bacf9
SHA1: 982abd17f5bcdcfe18ea3e5a8fd80f0238972739

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d7b7dcc095007c77a04cbcf4fcd64aa8 sha1: 7bcfea7afac43dda6277452c5cbb561a503410a1 size: 4608
Section .data md5: 392a2dee3dba6c204401a1afa78c4061 sha1: 5a25bd99801805f16bd3d187f8f03da741aaff42 size: 7168
Section .idata md5: bdd6e11a11fffb3445806e7648a94008 sha1: 8d8b343a67cd2d91ec8e124914714cdc3cd4cc70 size: 1024
Section .rsrc md5: 74ed5917d5879efa9d7c25df0607fa36 sha1: d53d5f24d9f838674083c2a3eb567bec2aaaa402 size: 6144
Timestamp: 2005-05-22 14:42:06
Version: FileVersion: 6.2.3.2
FileDescrsiption: hamar.exe
CompanyName: Hamar Corp
PEhash: 0216acdc9908945355e3c2ff91f17f6a9d8f0084
IMPhash: c5effa462f51432aeac8904668baca02
AV 360 Safe: Trojan.GenericKD.1463010
AV Ad-Aware: Trojan.GenericKD.1463010
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Bublik.bojx
AV Authentium: W32/Trojan.FQOW-2918
AV Avira (antivir): TR/Drop.Bublik.A
AV BullGuard: Trojan.GenericKD.1463010
AV CA (E-Trust Ino): Win32/Upatre.KLEbdC
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV ClamAV: Win.Trojan.Bublik-469
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1463010
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Kryptik.CF!tr
AV Frisk (f-prot): W32/Trojan3.GVI
AV F-Secure: Trojan.GenericKD.1463010
AV Grisoft (avg): Zbot.EOI
AV Ikarus: Trojan-Spy.Zbot
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Bublik
AV Mcafee: PWSZbot-FOH!1B2D44E9E5DB
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1463010
AV Norman: Trojan.GenericKD.1463010
AV Rising: no_virus
AV Sophos: Troj/Agent-AFGR
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_DROP.FX
AV VirusBlokAda (vba32): Trojan.Bublik

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"
Creates Mutex: VideoRenderer

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: VideoRenderer
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: mysocialwealth.com
Winsock DNS: sirfad.com

Network Details:

DNS: sirfad.com
Type: A
107.150.48.43
DNS: mysocialwealth.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 107.150.48.43:443
Flows TCP: 192.168.1.1:1032 ➝ 107.150.48.43:443
Flows TCP: 192.168.1.1:1033 ➝ 107.150.48.43:443
Flows TCP: 192.168.1.1:1034 ➝ 107.150.48.43:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
..................................,
08000027
6.2.3.2
C:\43a854b3a5ce8c79c1a0126ae5c27de85fc6380911aa050ec899899db563c9c4
C:\4J2fk1kj.exe
C:\752cc3aa81c215bc05c3aa55236fb9742133d601e4caa8384d896651dadfc678
C:\c44cdef86008a10b3e814ba88f7cdb6b0a0fd51b888a95dfafc3cc0f77c9dcaa
C:\DOCUME~1\cuckoo\LOCALS~1\Temp\66299add340d4594f6e801f586cd8fb320b2461e
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LFIhXHU2c.exe
C:\eEAsDBac.exe
C:\J6wKl8Id.exe
C:\ne8AWZIS.exe
CompanyName
C:\rEOn7qjF.exe
dgKD
FileDescrsiption
FileVersion
Hamar Corp
hamar.exe
^jf}
StringFileInfo
VS_VERSION_INFO
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>?@ABC
acmFilterChooseA
acmStreamOpen
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
CloseHandle
CreateEventW
CreateWindowExA
DefWindowProcA
DeleteCriticalSection
EF&GHI
ExitProcess
FreeLibrary
GetLastError
GetMessageA
GetModuleHandleA
GetModuleHandleW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetProcAddress
GetTickCount
GetVolumeInformationW
GlobalLock
GlobalUnlock
HeapAlloc
HeapCreate
.idata
InitializeCriticalSection
kernel32.dll
LoadCursorA
LoadIconA
LoadLibraryExA
lstrcpyW
mciSendStringA
Msacm32.dll
oPeN Bad.mp3 typE mPeGvideo aLIas myF
PostQuitMessage
pqrstuvwxy[9z
RegisterClassA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
    </security>
    <security>
SetEvent
!This program cannot be run in DOS mode.
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TryEnterCriticalSection
user32.dll
WaitForMultipleObjects
Winmm.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>