Analysis Date: 2014-03-07 18:18:21
MD5: 311501b0a78a0e3b4e02808a467ba94d
SHA1: 9c394ee08f5686c6bbe268288f86cc5eb5aa2f5e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 24b3cdc7415c38c085784bd84cada4dd sha1: 8acf42fe445bed3343f5a418ccc96c00719da5f1 size: 32768
Section .rdata md5: 1f2d1b0a33c623593b8737adf1fd8a22 sha1: dfc1acbcd30bd74510f59de9a16394b43616f237 size: 8192
Section .data md5: 8f668ba4dbd60a2f0d1b5bb63c46e675 sha1: e0a24665ce5bc1f5de4781f09442725506bea740 size: 4096
Section .idata md5: 2f3b7b3f8d398d09fbf9954c94e32569 sha1: 1d029a6228291cbffe25258273172c06b667fe87 size: 8192
Section .rsrc md5: 84d484510f7b31fb48dbe77db644199f sha1: 6f4640badbef38be0a2f2b733c8933982b136158 size: 32768
Section .reloc md5: d15ed5cc73b949d3957fd6a3f53b9b9d sha1: 63606cc6f44ab6f01da0b050cdc0aa7e47065018 size: 40960
Section oiwnvvi md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section baoeuaq md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2008-04-16 19:19:03
Packer: Microsoft Visual C++ v6.0
PEhash: bc135fff65efa699e4100a36121b6f56ef7d44f4
IMPhash: 9fee2c642bd19893674e9eddfd102e69
AV avg: Win32/DH{CQNiICR8ZBNYIiU}
AV avira: TR/Patched.Ren.Gen
AV clamav: Win.Trojan.Neshgaig
AV mcafee: Cutwail-FCLU!311501B0A78A

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Process.dll_d
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Process.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini_d
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cmss.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\seruvice.lnk
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Process.dll
Creates Mutex: Assassin

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.172.254
DNS: smtp.live.com
Type: A
DNS: www.viprambler.com
Type: A


Strings
*0_.
!
!
...
b..5QT.
{{{{{{{{
{{{{{{{{{{
{{{{{{{{{{{{{
{{{{{{{{{{{{{{{{{{{
#'#'#'#'#'",
########################
									
{{{{{{{{{{{{0
{{{{{{{{{{{{{0
0 0,0}0
<%=0=7=K=^=e=k=v=
0B0b0r0
0d0v0}0
0sNHZ_
11181D1Q1^1h1u1
1 151J1
1l2w2~2
1VY0wT
''''''''''''''''@2^
2.292@2T2f2k2{2
2+3i3y3
282I2\2m2
:":(:2:8:>:D:J:P:V:\:b:h:n:t:z:
2NlJxVP
2T2f2|2
??2@YAPAXI@Z
33333333333330
3333333333333333333
3!343E3L3
3;4J4U4
?$?3?9?
??3@YAXPAX@Z
444`4h4m4
4%464=4^4f4u4
%4d%2d%2d%2d%2d%2d%5s
%4d-%d-%d-%d-%d%s
4{IDh5
!4JJJJ1Y^
4 RAS_e
=%=4=<=R=X=c=n=}=
4seCE|
5&535N5g5m5r5x5
5.5I5e5
$'''''''''''''''-5D
}+5g}U
;*<5<J<
6,656B6H6O6T6l6
6,6@6\6
6"6(6.646:6@6F6L6R6X6^6d6j6p6v6|6
6%6G6P6Z6k6}6
:6:?:M:]:
! )6PseC|(
6PY^^^^^
70H0V0c0h0t0
7$7*70767<7B7H7N7T7Z7`7f7l7r7x7~7
7&7Q7X7
7+8V8\8s8
?}-------------+_7P^
8.848>8C8g8n8u8|8
8$8+8B8T8e8
|88rTYT
8-999N9k9x9
=$=)=8=F=
9#9(9/949
9>9b9r9
9)9E9N9`9
;';9;T;d;
9w|#][
$a )%#
.AAAAAAAAAAAAAAABB`:6/^^^^
{AAAAAcr7SJseC|
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
_access
_acmdln
_adjust_fdiv
ADVAPI32.dll
AllIndex.ini
Assassin
baoeuaq
$BBBBBBBBf`:oQ8^^^
begin::
.''''''''''''''''''''''''c0^
,c~i>[
CloseHandle
cmss.exe
CoCreateInstance
CoInitialize
_controlfp
CopyFileA
CoUninitialize
CreateFileA
CreateMutexA
CreateProcessA
__CxxFrameHandler
cZ]=`Bj
'-----------------------d*^
D3N1p3[X
@.data
DeleteFileA
__dllonexit
D:oo<q
D$,[Sj
D$ SWP
:E;]<8=B=G=S=t=y=
),eCE|
EnumProcesses
EnumProcessModules
_except_handler3
fclose
fffffffffv_74J^^^^
ffffv_Z43^^^^^
f}`HO2
f		i^^
FileTimeToSystemTime
FindFirstFileA
FindNextFileA
fprintf
fscanf
[ 	f=/_V
fwrite
GetComputerNameA
GetCurrentThreadId
GetDiskFreeSpaceA
GetDriveTypeA
GetFileAttributesA
GetFileSize
GetInputState
GetLastError
GetLogicalDriveStringsA
__getmainargs
GetModuleFileNameA
GetModuleFileNameExA
GetModuleHandleA
GetProcessHeap
GetStartupInfoA
GetSystemDirectoryA
GetTempFileNameA
GetTempPathA
GetTickCount
GetVolumeInformationA
%G\JJzF
=G>T>i>v>
='>[>g>x>
{+h1qv
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
%hJJJJFH
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
Hv5m6,
HWNL_S\R[L
.idata
IEupdate.ini
ijuO?sO
Index.ini
.ini_d
_initterm
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
J<38^^^^^
J66r7s@q
J{Aff_7beC|
JalTJ3^^^^
JD8CV!1/
j}?hyH
Ji{xxxx_Oy|
JJ(Hccccc`
JJJJJ\,hE
JJJJJJ
JJJJJJJ
JJJJJJJJ
JJJJJJJJJ
JJJJJJJJJJ^
JJseCz|(
k----------@=:64JD
kAAAAAAAAAAAActZSJ^^^^
"`Kc>Ua
KERNEL32.dll
L;*`9O_?
Ljj8AV3
LocaAll
localtime
L=RECYCLER_w
lstrcatA
lstrcmpA
lstrcpyA
lstrlenA
MBY}XVn
memcpy
memmove
memset
M$]?fG
_mkdir
MoveFileA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
MSVCRT.dll
MultiByteToWideChar
MXXYQUU
N.h9"*
No*&>E
;}n v5
	Nx>Tq
o|}BBBBBBBBBBBBBBBBBBBBB+]7O^
\o^guf
/oHW&>H
oiwnvvi
o/KR^^^
ole32.dll
_onexit
OpenProcess
;OQIgy
oVr;2?
{{{{{{{{{{{{{{{{{{{p
				P^
{{{{{{{{{{{{{p0
__p__commode
__p__fmode
PostThreadMessageA
Pragma: no-cache
Process.dll
Program Files
Proxy-Connection: Keep-Alive
PSAPI.DLL
PSSSSS
_purecall
q::^Ex
_QM4Z,
-------+=r,
rb?uDm
r#d;9M(!
.rdata
ReadFile
RECYCLER
RECYCLER_d
RECYCLER_u
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
@.reloc
rename
.Rh>66
\_RT)q
\?r^]v
&R+zmV/
{{{{{{{{{{{{{{{{{{s
{{{{{{{{{{{{{{{{{{{s
%s-%4d-%d-%d-%d-%d%s
%s?action=datasize
%s?action=getdata
%s?action=updated&hostid=%s
seruvice
\seruvice.lnk
__set_app_type
SetFileAttributesA
__setusermatherr
SHELL32.dll
ShellExecuteA
SHGetSpecialFolderPathA
%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=
smtp.live.com
smtp.yahoo.com
[[>SnG
_snprintf
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sprintf
SSSPh4
Start Menu
Startup
strcat
strcmp
strcpy
strlen
_strnicmp
strrchr
_strrev
strstr
_strupr
Success:
%s:UNINSTALL
%s:UPLOAD
SVWj@3
System Volume Information
TerminateProcess
tgtCM*
!This program cannot be run in DOS mode.
TranIndex.ini
\tWI%	
.+\t|X*1
tZSJNW^^^
uoDY}8
../updata.exe
update2
USER32.dll
UuVz}Iq
$&U"~%Z
Vg_?hL
VWj@Y3
{{{{{{{{{{{{w
{{{{{{{{{{{{{{{{{{{w
WAzV#-
WINDOWS
WININET.dll
WQTVTUVU
&w'R~3
WriteFile
WS2_32.dll
wsprintfA
WSWPRZQ
wwwwwwwwwwww
wwwwwwwwwwwwwwwwww{s
{{{{{{x
{{{{{{{{{{{{x
{{{{{{{{{{{{{{{{{{{x
=X>c>j>
_XcptFilter
x(m-L4
xxxx@gmail.com
Y3[1yZ
Ypto^w
yUxQqn
~z"8<(
Z*S8(s