Analysis Date: 2015-05-22 13:26:56
MD5: 8b6ee7b02040ea3e04c22f478d23cffa
SHA1: 9c93c7564d51e7928eb6a5c609f8f59bed95ce58

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 0593ec30a589bd9a2012ccca6fc354d4  sha1: d2cf084c7480db1c558fc9bc99fdcce185f23dfe  size: 67072
Section .rdata  md5: 29236c265e058f65f3823dc65cbbc730  sha1: d21fe80e56dbc6fb03e1c4517966493f4314c334  size: 6144
Section .data   md5: 47bae24ad62323eb06e3953bae06b179  sha1: 90184f6dd860d55512ea9f816b7a40ff6d9d35ed  size: 12800
Section .rsrc   md5: b4ec338571829c35af0d5836b3bcbf9f  sha1: 9bf7a3ae1dc31da16d29859b83248b48134242d9  size: 512
Timestamp: 2011-04-28 12:44:55 (PE header compile time; attacker-controlled, so not evidence of build date on its own)
Packer: AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER
        (this signature identifies an entry-point decoy that imitates PCGuard, so the real packer is not identified by this match)
PEhash: 56c12a9523ba674f3506e347b84a92d7c133c50e
IMPhash: 62bf152687fcf35bd276c150b5b17d1b

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\cynnukmobpic ➝ C:\Documents and Settings\Administrator\cynnukmobpic.exe
          (persistence: HKCU Run value, executed at every logon of this user; value name, dropped file name and mutex name are identical)
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\cynnukmobpic.exe
          (executable dropped into the user profile root, the target of the Run value above)
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
          (CryptoAPI RSA key container created under the Administrator profile, RID 500)
Creates File: PIPE\lsarpc   (LSA RPC named pipe)
Creates File: \Device\Afd\Endpoint   (Winsock socket creation through the AFD driver)
Creates Mutex: cynnukmobpic

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.live.com (Type: A) ➝ no address recorded
DNS: smtp.mail.yahoo.com (Type: A) ➝ no address recorded
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25 (SMTP)
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25 (SMTP)

Every name queried is a Microsoft or Yahoo SMTP host and both flows go to TCP/25, which is consistent with the sample sending mail directly (mailer/spam behaviour) rather than beaconing to a dedicated C2. No attacker-controlled address appears in this capture, so the useful network indicator is the pattern (a workstation opening direct outbound SMTP to public mail providers), not the destination IPs, which belong to the providers and will change.
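
Detection logic for the behaviour recorded above, written as an added example (it is not part of the sandbox report). It runs three checks over constructed Sysmon-like records that mirror the report's events: HKCU Run persistence matched by shape rather than by the sample-specific value name, the mutex matched by name, and direct outbound SMTP from a host that is not an approved relay. The record schema (kind, proc, key, value, src, dst, dport, name), the relay allow-list, the two benign control events, and the assumption that the name cynnukmobpic is per-sample are all assumptions of the example, not facts from the report.

```python
"""Detection checks derived from the sandbox report above.

Added example, not part of the report. The telemetry records at the bottom are
constructed to mirror the report's runtime and network observations in a
Sysmon-like shape; the field names (kind, proc, key, value, src, dst, dport,
name) are an assumed schema, not any real product's format.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators copied from the report.
RUN_KEY = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run"
MUTEX = "cynnukmobpic"
SMTP_PORT = 25


@dataclass
class Event:
    kind: str                      # registry_set | file_create | mutex_create | net_connect
    proc: str                      # image path of the acting process
    data: dict = field(default_factory=dict)


# An .exe sitting directly in a user profile root, e.g.
# C:\Documents and Settings\<user>\x.exe (XP) or C:\Users\<user>\x.exe (Vista+).
PROFILE_ROOT_EXE = re.compile(
    r"^[A-Za-z]:\\(Documents and Settings|Users)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def check_run_key_persistence(ev: Event) -> bool:
    """HKCU Run value whose data points at an .exe in a profile root.

    The value name is deliberately not matched literally: 'cynnukmobpic' is
    assumed to be per-sample, so matching the shape of the persistence catches
    re-packed builds that the hashes and the mutex name would miss."""
    if ev.kind != "registry_set":
        return False
    key_path = ev.data.get("key", "")
    parent = key_path.lower().rsplit("\\", 1)[0]
    return parent == RUN_KEY.lower() and bool(PROFILE_ROOT_EXE.match(ev.data.get("value", "")))


def check_known_mutex(ev: Event) -> bool:
    """Exact match on the mutex name from the report (sample-specific, high precision)."""
    return ev.kind == "mutex_create" and ev.data.get("name") == MUTEX


def check_direct_smtp(events, mail_relays=frozenset()):
    """Outbound TCP/25 to a public address from a host that is not an approved relay.

    The report shows the sample resolving Microsoft and Yahoo SMTP hosts and
    connecting to port 25 directly, which an ordinary workstation does not do."""
    hits = []
    for ev in events:
        if ev.kind != "net_connect" or ev.data.get("dport") != SMTP_PORT:
            continue
        src, dst = ev.data["src"], ev.data["dst"]
        if src in mail_relays or ipaddress.ip_address(dst).is_private:
            continue
        hits.append((ev.proc, dst))
    return hits


def run_checks(events, mail_relays=frozenset()):
    """Return (rule, process, detail) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        if check_run_key_persistence(ev):
            findings.append(("run_key_persistence", ev.proc, ev.data["value"]))
        if check_known_mutex(ev):
            findings.append(("known_mutex", ev.proc, MUTEX))
    for proc, dst in check_direct_smtp(events, mail_relays):
        findings.append(("direct_smtp", proc, dst))
    return findings


# Constructed telemetry (not captured from a real host): the first five records
# restate what the report observed, the last two are benign controls.
USER_EXE = r"C:\Documents and Settings\Administrator\cynnukmobpic.exe"
SAMPLE_EVENTS = [
    Event("file_create", r"C:\malware.exe", {"path": USER_EXE}),
    Event("registry_set", r"C:\malware.exe", {"key": RUN_KEY + r"\cynnukmobpic", "value": USER_EXE}),
    Event("mutex_create", r"C:\malware.exe", {"name": "cynnukmobpic"}),
    Event("net_connect", r"C:\malware.exe", {"src": "192.168.1.1", "dst": "65.55.163.152", "dport": 25}),
    Event("net_connect", r"C:\malware.exe", {"src": "192.168.1.1", "dst": "98.138.105.21", "dport": 25}),
    Event("net_connect", r"C:\Program Files\Relay\relay.exe", {"src": "10.0.0.5", "dst": "65.55.163.152", "dport": 25}),
    Event("net_connect", r"C:\Program Files\Browser\browser.exe", {"src": "192.168.1.1", "dst": "93.184.216.34", "dport": 443}),
]

if __name__ == "__main__":
    for rule, proc, detail in run_checks(SAMPLE_EVENTS, mail_relays={"10.0.0.5"}):
        print(f"{rule:22} {proc}  {detail}")
```

On the constructed records the Run-key and mutex rules each fire once and the SMTP rule fires twice, once per provider address; the relay host and the HTTPS connection are left alone. The SMTP rule depends on the relay allow-list being accurate for the environment, and the Run-key rule will also flag legitimate software that installs into a profile root, so both are hunting leads rather than standalone alerts.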

Strings

Only the readable strings are listed below. The packed sections also yield several hundred short high-entropy fragments (for example `%!$%; and $`!%5SPU) plus a few printable x86 opcode runs (DSUVWh, WWSSSSh, which are push sequences, not text); these carry no information and are omitted.

DOS stub, section names and manifest:
!This program cannot be run in DOS mode.
@.data
`.rdata
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>

Imported modules:
KERNEL32.dll
user32.dll
USER32.dll

Imported API names, KERNEL32.dll:
ExitProcess
GetACP
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentVariableA
GetFileType
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetVersion
GetVersionExA
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
LCMapStringA
LCMapStringW
LoadLibraryA
MultiByteToWideChar
RtlUnwind
SetHandleCount
TerminateProcess
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
WideCharToMultiByte
WriteFile

Imported API names, USER32.dll:
CharUpperA
CreateWindowExW
DefWindowProcW
DispatchMessageW
DrawEdge
DrawTextExA
GetActiveWindow
GetClientRect
GetLastActivePopup
GetMessageW
MessageBoxA
MoveWindow
PostQuitMessage
RegisterClassExW
ReleaseDC
SendMessageW
ShowWindow
TranslateMessage
UpdateWindow

Truncated fragments (kept as found):
MessageW
Vindow

Microsoft Visual C++ runtime strings (standard CRT startup and error text):
Microsoft Visual C++ Runtime Library
Runtime Error!
runtime error 
Program: 
<program name unknown>
abnormal program termination
- floating point not loaded
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
- pure virtual function call
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
DOMAIN error
SING error
TLOSS error
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
VC20XC00U

Other readable strings:
Amegadid
Arial
benefit
button
edit
however
static
to return
worth
coreDestroy
(button, edit and static are the standard Win32 control class names; the remaining dictionary words appear to be filler and carry no obvious meaning.)

Note on the import list: only KERNEL32.dll and USER32.dll appear, with no socket (ws2_32/wsock32), registry (advapi32) or CryptoAPI imports, yet the runtime trace shows SMTP connections, an HKCU Run value and an RSA key container being created. That gap is consistent with the packer detection above and the presence of LoadLibraryA/GetProcAddress: the payload resolves its real imports after unpacking in memory. The static indicators on this page (IMPhash, section hashes, the visible string set) therefore describe the packer stub, and the runtime indicators (Run value, mutex, dropped file, direct SMTP) are the ones to hunt on.