Analysis Date: 2013-12-24 15:46:11
MD5: 93cefb441742b80fe1ab6c12ae307898
SHA1: 9e43928f78b1e8d54731731fdcfeba9c7a724c7d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 2d7897fcd3c44a88e681271be50620b6 sha1: 13d9240f929e9d38fc757a9e32c0c471d463b701 size: 47104
Section .rdata — md5: 714eb1f7fceac6023dfc11591e66680d sha1: 446c9a26227e4c33336f2ecb4169b27545c14775 size: 6144
Section .data — md5: f06452c2394f24f46be48fda2c45070e sha1: 3cd6ebb941d5225aaad53631cb04dbebef1b8538 size: 302592
Section .rsrc — md5: 02f7c1cf07a7a81c95d5544a3465109f sha1: 650efbe9663096c428b48e6f7109688402c061a2 size: 17408
Timestamp: 2012-11-28 08:27:46
Packer: Microsoft Visual C++ 5.0
PEhash: a62394b4c2ac0ed30d5339c427e622ead17e33e9
AV (mcafee): RDN/Generic BackDoor!vu
AV (msse): Backdoor:Win32/Simda.gen!B
AV (avg): BackDoor.Generic16.RUO

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝
C:\malware.exe:*:Enabled:Windows Explorer\\x00
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\c059900a ➝
DM\\xbd\\xfb2\\xb1:\\x84\\xa4\\xe1 \\x89\\x07\\xd8\\x1a\\x8c\\x05\\x81\\xd0?2R\\x8f\\x8a\\xd0\\x825b\\xf1,\\xefQL\\xcc\\xf1\\x08\\xff\\xb9\\x9f\\x9bX\\xa1\\xbe\\xe0\\x0b\\xaa\\xe0\\x935\\xe5\\xfb\\x1b\\x7f\\x15\\x8fi\\x11-\\x9C:\\xbd\\xde\\xa2\\xcd\\x8ds\\xb66\\xc3\\x02+\\xd1\\xefb\\xfd\\x15.\\xd3n.\\x0b\\xb3z.\\x86\\x03\\x83V9\\xde\\x0e\\xde.\\xc5\\xea\\x8b\\x9d\\xcf\\xde"\\x0b6n9\\x96Y\\x9d\\xc3\\xab_6\\xf9^\\xcf:}1\\x9a\\xce\\xa1\\x95\\r\\x9a\\x85%9\\xd1B\\xfa\\x8f\\xcb\\xd5\\x8fv\\xabka\\t>\\xd2-\\xf6\\xbb\\x0f\\xb3\\x87K\\xc9\\xde\\x15\\xf1\\xcfq\\xc5\\xb5~\\xf6\\x11\\x86E~\\xbe/\\xed\\xbe=\\xc2\\xfd\\x1e\\x19\\rVfy\\xd5\\xb2\\x05\\t%\\xd5\\xfa\\x817F\\x96\\x93\\xf9}vr\\xea\\x06\\x8dW\\x95%\\x86\\xdfn\\xf3\\x1f\\xb25\\xf6\\x93\\x82\\x91c\\x7f~\\x07\\xf6E\\x8eM\\xc9>\\x06\\xc1\\xa3"\\xddk:\\xef\\x86\\xab\\x1a\\x86K\\xb9S\\xde\\x86\\xcd\\x8a\\xabN\\xee\\xf3S\\xee\\xad\\xdf\\xda\\xb6\\xa5\\xe6\\x157\\x96\\xeds\\x0e\\xb2\\xa1\\xf5[\\x86\\x89
Creates File: PIPE\lsarpc
Creates Mutex: MicrosoftSysenterGate8

Network Details:

DNS: any.edge.bing.com
Type: A
204.79.197.200
DNS: xuxuxex.info
Type: A
195.22.26.231
DNS: xuxuxex.info
Type: A
195.22.26.254
DNS: xuxuxex.info
Type: A
195.22.26.252
DNS: xuxuxex.info
Type: A
195.22.26.253
DNS: nozybak.info
Type: A
8.5.1.49
DNS: vofajim.info
Type: A
176.124.107.14
DNS: any.edge.bing.com
Type: A
204.79.197.200
DNS: www.bing.com
Type: A
DNS: diviguw.info
Type: A
DNS: jecukyn.info
Type: A
DNS: fotavoz.info
Type: A
DNS: keromij.info
Type: A
DNS: gahepas.info
Type: A
DNS: ciqiruf.info
Type: A
DNS: lygefor.info
Type: A
HTTP GET: http://xuxuxex.info/posting.php
User-Agent: (none)
HTTP GET: http://nozybak.info/posting.php
User-Agent: (none)
HTTP GET: http://vofajim.info/posting.php
User-Agent: (none)
Flows TCP: 192.168.1.1:1033 ➝ 204.79.197.200:80
Flows TCP: 192.168.1.1:1037 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1038 ➝ 8.5.1.49:80
Flows TCP: 192.168.1.1:1039 ➝ 176.124.107.14:80
Flows TCP: 192.168.1.1:1040 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1041 ➝ 8.5.1.49:80
Flows TCP: 192.168.1.1:1042 ➝ 176.124.107.14:80
Flows TCP: 192.168.1.1:1044 ➝ 204.79.197.200:80

Raw Pcap
0x00000000 (00000)   47455420 2f706f73 74696e67 2e706870   GET /posting.php
0x00000010 (00016)   20485454 502f312e 310d0a52 65666572    HTTP/1.1..Refer
0x00000020 (00032)   65723a20 68747470 3a2f2f77 77772e67   er: http://www.g
0x00000030 (00048)   6f6f676c 652e636f 6d0d0a0d 0a         oogle.com....

0x00000000 (00000)   47455420 2f706f73 74696e67 2e706870   GET /posting.php
0x00000010 (00016)   20485454 502f312e 310d0a52 65666572    HTTP/1.1..Refer
0x00000020 (00032)   65723a20 68747470 3a2f2f77 77772e67   er: http://www.g
0x00000030 (00048)   6f6f676c 652e636f 6d0d0a0d 0a         oogle.com....

0x00000000 (00000)   47455420 2f706f73 74696e67 2e706870   GET /posting.php
0x00000010 (00016)   20485454 502f312e 310d0a52 65666572    HTTP/1.1..Refer
0x00000020 (00032)   65723a20 68747470 3a2f2f77 77772e67   er: http://www.g
0x00000030 (00048)   6f6f676c 652e636f 6d0d0a0d 0a         oogle.com....


Strings
         (((((                  H
0o7b&(
0.^v1H9|2
0wA]Su
1'5{xr^`h
19:25 %x
1C8zt9
1]E3U_
1Uj+v>
2\"f2i
@2V+v<
38vl^P
3qud\7
%{3Re*O7
3WZ&1*
=}3x0/n
42}sHx
;/${444$
4440444
4440444g444l444O4444444
444$0("S444~eP0
4441444
4442444
4442<4'e3-(
4443444
444 444
444,444
444:444
444(444
444&444
444+444
4444444
444]444*444
444#444(444.4440444,444*444 444
444&4445444F444e444b444z444
444[4447444&444"4444444hA6%
444^444*a;
444~444R4442444
4445444
4446444
4446444K444i444
4447444
4448444
4449444
444a444>444'444
444D444
444E444
444F444
444F444!
444f444c:-
444h444&
444k444 
444K444
444k444p444W444D4442444
444L444&
444M444
444n444&
444N444
444O444%
444r444&
444r444I444-444
444u444&
444W444)444
444X4445444
444y444
444Y444
444Y444$
444Y4443444
444z444+
444Z444
4_,7[d
)4A'xf
4u@@(s
4u\$$s`:
@4uX\hu
4?X};j=
5C~D#K%
_5lN@]
*5~nIK(1
%6aV3Px
6_:BL,
6e 2j5!
7ea(Vk{
7FG,oOm>
7[	l1Q
8^bKCp
[8EmKR
]:8klq
8QR-&b
8<uEMH
8wUm~K*
99/mE~
9`A$;qK(TjH)7cE)C444
9=/G3-
(}9pRy
9^$t?rG
~@9Z7m
A05/d[
A5)>NF]
AAMBQ;
aBk(2.
abnormal program termination
<%a(bUr%
ADVAPI32.dll
AFtmMq
@aFx[B
A/g@,D
a|kBhse
#AL;T*
A}`:m6
am6WLAowc
america
american
american english
american-english
Ap^6L9
Argentina
August
Australia
australian
Austria
Ay3!>	>
Ay},c+`
);B*4P
b8o'6=n*
Basque
belgian
Belgium
Bm[YpP$
B#NF{U
Bn,P&t@
BNq&i.H
 Bo{DS
britain
B-u/I)
?BYSJ8J
BziD#cp
Bzy8n)
c$0[pvu .&
c38m6+
!$!`!@C5
Canada
canadian
CB}Ks8
cel6]{
chinese
chinese-hongkong
chinese-simplified
chinese-singapore
chinese-traditional
chV%-g
c*&_i'
cKBsv}
cMZ|ea5
Colombia
CompareStringA
CompareStringW
Costa Rica
CreateEventW
CreateFileMappingA
CreateWindowExW
cRwCFnk
CtfFQfX
cu2-3,sc
>Cu28V
=?	;d"
@.data
\db q^
dddd, MMMM dd, yyyy
DDE}444+
)=De0B
December
DeleteCriticalSection
DeleteFileW
{DgP%XH
DhV|P]
dJ4]Nm
DOMAIN error
Dominican Republic
d;sYaSv
Dudov WW
dutch-belgian
DZ`#?n
^e1$)f
+e'1.k
`e42Te
/-ea49
Ecuador
=EE'Z'
(e%)I*I
<	EjE@X]
england
English
english-american
english-aus
english-belize
english-can
english-caribbean
english-ire
english-jamaica
english-nz
english-south africa
english-trinidad y tobago
english-uk
english-us
english-usa
EnterCriticalSection
EnumSystemLocalesA
ER'[E	
E@ RQo?
$e[w=P	7X
ex7c$,
ExitProcess
exp6fk
*F6 j5
#*!F8<
,f9=$8
f/;ApX
FatalAppExitA
fcbz[TL
$fCdt2
February
FED*d]W
%fHoPY
FindCloseChangeNotification
FindFirstFileA
FindNextFileW
Finland
Finnish
fiX=!b
fJGp2s
F@j@Ph
- floating point not loaded
F PjPWj
F$PjQWj
F.PjRWj
F*PjTWj
F+PjUWj
F,PjVWj
F-PjWWj
France
FreeEnvironmentStringsA
FreeEnvironmentStringsW
French
french-belgian
french-canadian
french-luxembourg
french-swiss
Friday
ftK;vM
F	wwp+
,F`Z-#k5x
`g3@Q!C
>Ga~7(O
German
german-austrian
german-lichtenstein
german-luxembourg
german-swiss
GetACP
GetActiveWindow
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetExitCodeProcess
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetMenu
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetTimeZoneInformation
GetUserDefaultLCID
GetUserNameA
GetVersion
GetVersionExA
GetVersionExW
GetWindowLongW
%G@`i\]
GlobalAlloc
GlobalFree
__GLOBAL_HEAP_SELECTED
GlobalLock
GlobalUnlock
@gm:|`
gpNy8t
great britain
g\)tsN
Guatemala
#(H3i+ _
H@3N@)}
h6B)ru
#Hd nI`L
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
h)h@6|
HHtiHtGH
HK>dJ]*
H:mm:ss
h*M!TO
holland
hong-kong
HPa@a/
=?\+hR1~?
Hr/\7_
HtHHt(
HtOHt)H
<'hWav
hW%qqBT
I(+8kesk
@}I?b9
=/iBOh~p
Iceland
Icelandic
,Ika%V
iKF(H/
i'=K/o
IMpKz3{
InitializeCriticalSection
InterlockedCompareExchange
InterlockedDecrement
InterlockedIncrement
@\i+%O
irish-english
IsBadWritePtr
IsValidCodePage
IsValidLocale
italian-swiss
It[IItM
	-	)J	
j#	0Zi
JA)K~u
JanFebMarAprMayJunJulAugSepOctNovDec
January
,_JbneaG:
j_i;br
;JmV'C
")Jn2>M
JsLmQt
\}K05<*
(k\>0M`:
k0O.bS
K1+v*:
K35c!; }_
K ,D&r
KERNEL32
KERNEL32.dll
kKr	G*|5
KM	@0'}
KQffg(
^k$['R
k]/<uA
KV_g6pO$
/KwK.+D
"KYY1TQ
)kz{T@
~l%5<%
^lb8wH
L	BD8j
LC_ALL
LC_COLLATE
LC_CTYPE
LCMapStringA
LCMapStringW
LC_MONETARY
LC_NUMERIC
LC_TIME
LeaveCriticalSection
,LNa5O
LoadLibraryA
LocalAlloc
LockResource
lPPYSzP
l?qQ@3*
`~LS_a
lstrlenA
Luxembourg
lVfeu0E
lYciPR~
M/d/yy
mE^5Gh\
MessageBoxA
Mexico
M,g9/qq
Microsoft Visual C++ Runtime Library
|mo5Xq
Monday
mp3lT^
mr\LUL0
>MR=	m
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
@?^m,V
:M'X&DR
,n52`9
n8CrU	n8Z[D
N9;rfFv
new-zealand
NjI?fi
[nJR96
norwegian
norwegian-bokmal
norwegian-nynorsk
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(%n~{Q
nr%h["J
*nu]ps
NYz#dN 
,.+o01
.o)2xgr
O<!>3s
;o`5)/
o#7r_6JGc8
($}o8Xk
October
ODNLNG
o$IAG_
Opg\9.
oQ)_[2J
}o"Xqe
!O.Y|=
_p	^=;
P##`*[
p.;{6s,
Panama
Paraguay
P;:IYp^W
pje[444
pmKid|v
PoH+9)
portuguese-brazilian
PP{f?	a3Q"9
PPPPPPPP
pr china
pr-china
Program: 
<program name unknown>
$p_T)b
puerto-rico
- pure virtual function call
pZW+fx
+qB<}20
@$}qB9
Qf9=x8
QN(&grV
QQSVW3
QQSVWj
{-Q]%rh
qZ$(Am
R<6+mr
(R8Mma
,<Rb(0
`.rdata
r\mVr~
RNF/j!
rRHG.$
RtlUnwind
runtime error 
Runtime Error!
*Rv_x@t
^\\R^WP
RXJ[0#'
s7ets-
Saturday
/Sav)/o
 sdAWSts
SEHg5vI
September
SetEnvironmentVariableA
SetFilePointer
SetFilePointerEx
SetHandleCount
SetLastError
SetMenuContextHelpId
SetWindowTextW
Shj"IYT
S/iBUt
SING error
slovak
$SM6pv
smh{444&
SnSETw
Sog]\U8+
south africa
south-africa
South Africa
south korea
south-korea
Spanish
spanish-argentina
spanish-bolivia
spanish-chile
spanish-colombia
spanish-costa rica
spanish-dominican republic
spanish-ecuador
spanish-el salvador
spanish-guatemala
spanish-honduras
spanish-mexican
spanish-modern
Spanish - Modern Sort
spanish-nicaragua
spanish-panama
spanish-paraguay
spanish-peru
spanish-puerto rico
Spanish - Traditional Sort
spanish-uruguay
spanish-venezuela
spZiRY
SS1Rc~
SS8x#+
SS@SSPVSS
S@tPL bUT
Sunday
SunMonTueWedThuFriSat
Sweden
Swedish
swedish-finland
Switzerland
sx"Is8}(
;sYr}u
$s^Z\/fh
TB)w;gK
tEj@Vh
TerminateProcess
!This program cannot be run in DOS mode.
Thursday
t]j-IU
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
)Tn'nBc
tn<%t2
;tOl&'
TOxNLp
TrackPopupMenu
trinidad & tobago
TRY[bC
TS1UzvNhN$
t!S;!9
t#SSUP
t.;t$$t(
Tuesday
tU~Z<5(
tVF[Ij
T`V~mE
t$$VSS
t/WWUPj
+TYV';I
U4}(<t
U;9i<t
udBc+HKh
UE[I,l
uf9=L7
>:u#FV
~*UgbPh
Un7z .
- unable to initialize heap
- unable to open console device
unC6<o
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
united-kingdom
united-states
unM}<]
;Uov[8
u,R#~S
Ur-sP#
Uruguay
user32.dll
USER32.dll
USQ:I0
u%=s|wG2%-
U$\[w.
uW>AGV
u\x$p<
#uZg@X
&|V2Z}0b
V+^@86
{v_8B,w)
v8O)#h
VC20XC00U
{/vCz>
`V/d`J/`
Venezuela
@_V+f6
Vh&X	*
VirtualAlloc
VirtualFree
V}l *q
'VOe,>
Vtvj0j
v uUj^S*
<V=we-m
VWuBhX
Vz=:HH
?	w0+j
w2c$67
w3_W<Z
@	w99'
WaitForSingleObjectEx
!wAwdQj
W#D{;r
we3H'/
Wednesday
WideCharToMultiByte
wjF6D0mB
Wkp#pCm
wld*fL
/,;wM~
wm+FU<;
-{W;Q #
WQj1Pj
'WQ~mc
WriteConsoleW
WriteFile
`+W+rx
wTHL^"U;2
`WW+p7
"WWShd
W:wY{[ye<p
W~YRf@
W	;zTj'
X0a#J?
x2V='	|
x7FT|(V1
x8%0k36;o6
X]{b s
xB+s3C
xEbj+tZ
xp444!
#X|`R(
xr}>wT
XWV]e^W
XX-?b%
xY|'M5
Y(67J6
Yaie:SP
YbO3N;
YBx?(<e
@y&(E00
YI({!%
yifGs-a
y}jb	$
Yj*IQ,
ymLW F
yMX M^
yOa);z
Y^~opaW7Ff
YP$es\{
y@P%w[
+YSizIo
}?.yVq
YXVW_XQ
_^][YY
Z>8;6 
za\P}=*|
zAzF\K
ZbBrN#
zeev Bx
'z"ef4
!ZF|0_y
zfxq])]
+Z G*-
Zj;FC&
ZMe+fz<
 z<(N$
z?+oF-
Zoh4DS
Z*OS}2
+#zQSr4
zsmQ444
  z>	@t H
ztng444!
zu^SSS
`ZW+vz
^zx :C
Zy;U/2
<zZ|^d
zzh2Jw