Analysis Date: 2014-07-07 10:57:27
MD5: 8a304c7502234467b2d801be95a3ba4c
SHA1: 9d171aa1038fb86b24886c1a3465a4e153c35064

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 63c2dbc41140b31926bfac3895038bbd sha1: b1b15e3302503dc4ea68bc8b40968f05c6018e1b size: 1024
Section .rdata md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024
Section .data md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512
Section .rsrc md5: 13969b64b4c9eafaac4fb60fcb5bf8ad sha1: 8d6cacf2a2e1ed9ff9f271d10151f1edc72b47b2 size: 58368
Timestamp: 2014-06-24 19:38:02
PEhash: b4f483da6ed48ce7fc8d956757473c5257e20a82
IMPhash: 4ca0a0adb97211d9334271ded971bdde
AV 360 Safe: Gen:Variant.Kazy.327123
AV Ad-Aware: Gen:Variant.Kazy.327123
AV Alwil (avast): Cutwail-CM [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop3.14959
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CFFF
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.327123
AV Grisoft (avg): Agent
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Kazy.327123
AV Norman: winpe/Agent.BDUSS
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ratfezipwozu ➝ C:\Documents and Settings\Administrator\ratfezipwozu.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1banhope[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mjferguson.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\anjaliagency[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hotel-otrada[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\arteksgroup[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\ratfezipwozu.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\countryday[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\magi-cat[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\arteksgroup[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1banhope[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\anjaliagency[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hotel-otrada[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\countryday[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\magi-cat[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: ratfezipwozu
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: magi-cat.org
Winsock DNS: ssosoom.cz
Winsock DNS: mjferguson.co.uk
Winsock DNS: ronnmcfarlane.com
Winsock DNS: anjaliagency.com
Winsock DNS: arteksgroup.com
Winsock DNS: doerrsiding.com
Winsock DNS: machins.co.uk
Winsock DNS: hotel-otrada.com
Winsock DNS: brandcoolmarketing.com
Winsock DNS: leads.com.my
Winsock DNS: pcmoddingmy.com
Winsock DNS: astic-gomu.com
Winsock DNS: countryday.org
Winsock DNS: 1banhope.com
Winsock DNS: higienika.pl
Winsock DNS: atre-ebisu-6fdental.com
Winsock DNS: lefa.com.tr
Winsock DNS: yorkmfg.com
Winsock DNS: mmnabytek.cz

Network Details:

DNS: smtp.glbdns2.microsoft.com, Type: A ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net, Type: A ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net, Type: A ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net, Type: A ➝ 98.138.105.21
DNS: mjferguson.co.uk, Type: A ➝ 217.168.144.31
DNS: smtp.live.com, Type: A
DNS: smtp.mail.yahoo.com, Type: A
DNS: 1banhope.com, Type: A
DNS: ronnmcfarlane.com, Type: A
DNS: countryday.org, Type: A
DNS: higienika.pl, Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25

Strings
.2
5WA	
&about highnesses
absolutely tribulations enticing
&accent
actress sufferance
&admire ambition
advice
&advise matter
affair
&affair
again
&aggressive rolled
&ahead;
&alone before
&always
&Americas Sherringham
amused
&angry unburdened
antidote eyeglass
&anything
appealed
&appear else--the
&artistic everything
&artist remained
aspirant gloves
&assent
august;
&beautiful expressed
&beauty
&because
before
&before
Before
&Before
&before rested
&belongs shouldnt
benevolent
better
&between perfectly
blowing
&bottom
&bright preference
&broken femmes
brother pockets delicate
brought
bungled abroad caring
business
&business moment
&canvas myself
&career
&career action--for
&carried continuance
&case--well daresay
challenge
character
&charmed
&charmed Biddy
&cherished no--everythings
&coachman
&coming
&companion
&compelled pleasure
competent engaged
comprehensible
computers
&comrades
comrades everything
conceded unhappy
&connexions
&conscious
&consented
&consideration Sherringham
contradicted assumed
&counted
&country-houses
&country should
covered
&creatures medals
&curiosity
curiosity synonymous
curve;
cushioned clever Better
Dashwood window charming,gentleman staring to-day; imputing presently	surprised
&dazzling
&deceit
&deeper novels
&definitely
degree
delighted
&delightful improper
&deluded laughed
&demonstration
&describe--if
destined
&device fondness
&dining
&disaster talent;
&disclaimers interests
&discouraging
&dispersal
&Dormer
&Dormer worthy
&drama;
&draught
droll vision produced audibly
&dropped hastily
During simpler stockbroker version
easily
&education
&effort
embodied
embraced
&embroidery lingered
enough
&enough
enough dreadful memory:health before anything perform expenses minister literally
entity
&epitome
essence
&events
everything
&Everythings proposed
&exactly
&exasperated
excellent Carr?? casual
&exertions
explained returned
extraordinarily
&face--in moving
&failed straight
&father delightful
&favour
&felicities before
&fellow
figure
&figuring began
flatness
&flowers
fondly celebrated
&forbore
formats bravely
formed
&Foundation effective
frankly library
functionaries
&further
future
&Gabriel humbugging
Gabriel question
general action
&general appearance
genius--he
&gentility suspicion
getting fondly struck esteemed'memories forward course invitation--and(protection abreast humiliations derision$lingering looked precisely observing2Fran?ais come--to proofs because morning pretended0domestic rudiment before during Martins reportedEthree-quarters learned indebted electricities otherwise theres excess
&gowns flaxen
graces though
&grind
&hand-bills
handsome disagree seemed
&Harsh Nicholas
&havent interesting
havent thing
hearing
heroic
&herself
herself seemed mornings never--never
&himself excuse
history
&honour Madame
house
&house
&houses
how--but definitely
however
&however tasteful
hundred
hushed paradoxical
&imagination
immediately mother
impugn are--and
&impugned impression
&inferior
&infinitely
&innocent absolutely
&inscrutably dreadful
&insistently again
&interesting
&interesting bargain
intrude
irrepressible should yours--and
&irresistible reflexion
Juliet
&junior retract
&justice--something
&justly smiling
&kindly volume
knew--I however
ladder
&ladies
&large really
&lawn-tennis returned
&leaning ardent
&length regarded
&letters Havent
LIABILITY
&liberty middle
&life--shes inanity
likely Biddys
&Little
&little short
living Beauclere
London
&London brought
&looked;
looking
&lumped
madam
mainly repeat
&making
masquerade
matter
&matter beside
&matters
means
&meant
&measurements having
&member--am analysis
&mince-meat rooms
&minds holding
Miriam
Miriams
&misfortune
&modest
&modulation
moment
moment tawdry
morning agitated
&morning picture
morning truth
&mother
&mother rather
mothers Gabriel
MS Shell Dlg
&mystery
&neither
nothing
&nothing
nudity smiled
&nutshell
object--a hoping
obstructed
obtaining
&occasion tongue
&occupied
&occurred
opposition believe
&overlooked predecessor
&Paris
particular
&particular
parts friend
patience echoed activity
&people actuality
&perfectly certain--that
performer
&perhaps greater
&personage
&persons behalf
&persuade understood
&Peter
Peters beyond gold-headed6compared delightful Hawthorne little emphasised wooden;finding engaged covertly vaguely dependent trains characterLinstinct mistake--it finished bewildered--there souffle English objurgations
phrased ignorance
please resistance
pleasure
&poets--he
point--he actress
points places wonderfully should
&prepared sacrifice
pressed however
&pressed superior
&pretend
privately suspicion
probably
produced continued
&professional laughing
&Project
&Project women
&pronounced
&proprietress favours
purest stick
pushed
&quantum
&rather
reached
&really Certainly
&recognise side--you
reflexion notice
&regarded preparations
rehearsals challenge gathered
relieve
remain displaying thicknesses
&remarkably recognise
&remember
&remembered
&remonstrance
&repeat determination
replied
&reproducing
resistance rather
&responsible
&resting before
resumed
&returned
returned showed
return snubbed expression
RichEdit20A
&rising
&routed styles
sadly;
&saloon
&salutation affair
satirists apartments
&scene jolly
screw
searched
&seated violently
second
sensibility torment
series discuss
serious
shameful American through critic
Sherringham
&should
&should stayed
&sickly relieved
&silent daresay
sister things burning loosened
situation
slight
smashed settle
&so--he slightly
&something
sometimes almost
&splashes picture
stage
&statesman easily
station remember
&stirred
&story encourage
&Street occurred
streets
&strong Biddys
&struck
&subject
&subtle
success
suffering simply
&suggest have--you
&superseded repeated
support
&support
&surprise
surprise3perverse struck dance liking things offered thought8mother theatres associated represent--societies remember
susceptibility public
SysListView32
&table
Tahoma
&taking
talking
&talking
taste
&tasted
&temper acquaintance
&tenderness
terrible myself
&theatrical admired
&them--they
there quick
theres
&Theyll
&Theyre comparatively
&things
&things ladies
&things result
thinking
think turned minute
though
?though scraping portrait profession discretion Section opposite#Julias extent abatements individual!beside impulse ridiculous recites:visitors standing inmates Gutenberg-tm Because deliciously%submissions irritation friend bon--ah1happened struggle added things--which little--you
&thought
&throb connexion
&through havent
&thrust
tormented watery
&touches
&tragedian again;
tragic
&travel pointed
&treatise earned
trees relaxed
tremendous
turned
&turned offer--to
&uglier mother
unannounced display
unexpected fellow
&uniform futile
vaguely turning
Vavasour thing
vehemence irritation moment needed
&veiled
&vicissitudes courage
virtue
vision determined
vividly mystifying
Voyons--do
&wandered
wanted added
wanted whatever
well--youve struck
which<him--told colour English Juliet--take behind exclusion crawl0night Sherringham--when settle fiercely choosing4expression quitted paragraph nothing dealings should:invent little charity--give younger alone clever--I looked,little extent--I pertinacity removing hardly3confidence recognised though goose something circle
&whirled
whole Archive coloured havent
&window putting
wiser little
without
&without account
&without within
woman culture contradicted tongue
&world daresay
&wouldnt natural
wounded curious
&written
yards Miriam
&you--I grossness
3:&)j:
4zfeP@0
{9}'I/
9O`3=-
ABPOCHru}flc
bbsUHDCOD^AABpw{xje}
BitBlt
BK	&Jg
CreateCompatibleDC
CreateWindowExA
@.data
DefWindowProcA
DeleteDC
DispatchMessageA
diYdDa
djAFUd4
d&N^lt
EndPaint
e+)@T6E
}eT>GSNtYYAB
FindResourceA
f=	j~n
gdi32.dll
GetClientRect
GetCurrentProcessId
GetMessageA
GetModuleHandleA
GetProcessHeap
[GFn0Y
H@CQVBy{||w}z~}w
 ^~h`D
HeapAlloc
\H+,|F
Iob hP
JenausisFalisious
kernel32.dll
KillTimer
k*+Uke
*l~\51
L@[AFFE
LoadCursorA
LoadIconA
LoadResource
Lt}M<'
]m*q.<
Nel ipdp
-!<O^n
*p(@0rm
PostQuitMessage
Q:iDM<RJ<
=q+l_9g#/(
`.rdata
RegisterClassExA
>`)rFf
SelectObject
SetTimer
ShowWindow
;S{sn96
t1|h00t
	>,T9O
!This program cannot be run in DOS mode.
TranslateMessage
TrDDH%"
UpdateWindow
user32.dll
."_UtDUG
Vz_+7L
[(~W8?T<L1
/w!i}ea
wpq2fe
>:,_)X
x`d|9]:(
x:Jy`N
xM_n~o
xtwebzqs
\Y<>dF9t
]]'y	f
Z+C{cgS