Analysis Date: 2014-08-03 13:48:51
MD5: d5a2ea1441bafa2c16ed38153caa51a9
SHA1: 9e93a51b3d66ba6f2261102c2c2241688db82555

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0a565a9c394ca88513d7b5b7318eb52d sha1: 9b51249887a107ba85a1bc8002f0ed850c1f8b4a size: 59904
Section .rdata md5: 31905e37aaea205375e4094526d22bc8 sha1: 3298181ee5688f70a049ab50e384cece7dcb92a7 size: 6144
Section .data md5: 4b9b9570b93e4ba894b5cc65dac1323a sha1: 413578e119997e18062648951936fb3ac7a5da3d size: 4096
Section .rsrc md5: 6072e755f1f4137013d3de35adbe3d66 sha1: 5109fd6edfbc6ea39799b3f915e0e4364efd6a4f size: 2560
Timestamp: 2014-07-29 11:01:50
Packer: Microsoft Visual C++ v6.0
PEhash: c5a6e5b6aa6b3fd3ec15a31abd84ff2a17d146b0
IMPhash: 3d66546c37ce56757436ff0823bb263e
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.11593372
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Rogue.11593372
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.11593372
AV Eset (nod32): Win32/Wigon.PH
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.11593372
AV Grisoft (avg): Generic36.YDW
AV Ikarus: Trojan.Win32.Wigon
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Cutwail.dhq
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.11593372
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TROJ_CROWTI.SMN2
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\quqothibcequ ➝
C:\Documents and Settings\Administrator\quqothibcequ.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\WINDOWS\9e93a51b3d66ba6f2261102c2c2241688db82555.INI
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\quqothibcequ.exe
Creates Mutex: quqothibcequ

Network Details:



Strings
.}.

0Ac1y<X
<>0cBh8g+l
=0Fkr0R
0i0!@Xcvf
0I{~"AKb
.0-O|Z
1clOSI
1H<E@c
1umlCD
1@[{WCo
23NkIm
2BMfTC
2fTLY@
;2HbK@@I
??2@YAPAXI@Z
2=Y^e<
34OD@+@H2Gxd@
3C$5Bg
@3%Ok@H
3U28<g
??3@YAXPAX@Z
44U"'@
:4/5HPc
49(zvf
4./;A#
@4A,4$
4b7=%IIfA
4<|bUg<
4D0v@$5
=-4D"f
4DSiOT|O@@I
4E=WAjis0A
4EXDANw
`$]{,4\~ HDq!
4RU@=P`&y
+4(T`>c
4tG@@ 
4Yb8b#
4ZA=*|
<52%RD@
@5b9vf
=@5Bkb
5C@AGCH
5*cb\L
5G`/4@
5G=g$f
 @ 5H@
5s*Jd;
5@UNUAz
6Az-SBbU
6{LFvf
@@6qL3J
7LB'LE$
$8)',@
'8C0cl
8H}Y"R
8=J=5G+H
8R|l#@5s(4,u
@8r?PTg
92A<gJ
94V4c#
9/dG5AE_g.
9e^iAc
9@jbr|
!)@9LA
@A@>>@
A0X0Nd5
A39UbCJ0*Ri
a4F	-H
A4{w3;@bU@
A7(9P/p
A'A4@dH$
>AA@ewB
@A@>>b
A~@b@@
A@@b@@
AB2@ab
,A:Bc@bA
AbD@r7J
Ab@FEr
]#aBh	=7;"
A$b@Lb<UA
_A/b}.R{
A clo=
_acmdln
_adjust_fdiv
AF@UAc
Ahpo6i
@Ai7-hrI
/Alb*U
@AL,ZA
AppFirst
 </application>
 <application xmlns="urn:schemas-microsoft-com:asm.v3">
Aq EFh
Aq@G@RL
</assembly>
	   </assemblyIdentity>
	   <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*">
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
%'AT1@@
AtC(zC
A'U-sv
AVWAf9
@a@xcbapL
AYSK?U
AZimvf
@@>>b>@@
b8?`4v
b>@@@A@
b@@>A@@@
bA@@>@
b>@@@A@_@6IHq
bA@@>@A
BABCxT3mMH"
b>@@@A@dib
b@@>A@@@GU
b@@>A@@@km
b@@>A@@@m
@b@AnDY
bA@@>tqP
{/bb@@
b>@b.5
bBAODAq	@*d@@D
BBB&bBw4$
b<bBC@
)bbD@@
bBg!dv
bb@ LyH
b>@b@n**
@b_bWCqD
@@.bC@ 
@bC7u@q@
@-bcdAB
B(cH5(E
bC@hAB
@bd!`@
bD1gAB
bD,bgwlv
bDBt{C4O
/BD@CO(B
	bD(U@
=bFL2Vm
@bhDbc
BIhEst4
bik@xF
b,Jqg1W
@bkce1q
BlL|~]
bNAr%h
B@N!PA:E
b,O=2@C
bOAk@b
=bP5/rCRt
@BP=A!
b@PJAA4
BP@T$v
bQ8.cF
=bQBdP
_,bSLO
bT@0~]Q
BTErb	
-B'v!4
*B@vE@
b$v$H:
,BVve%
b@w @@
b@@wQq
BxA<^D
BXB&ccD
bx,j=B
B`Y9AZ8JSt
bZBn5Q$@
C@@2LH@y!vf
C`3(LC
)CAF^44OhI
c@Ar7@L
C,@|b0Aq
cb`;G@_D
cbry@W
CC'8My
c cbC)@
C{@#cH
C,C{I9E4
cc"Zrx
<CdLC@
*.Ce\@@wWb
CIbMbA
'@CJC&Oa
CkCD_z
CLsQ(Q
.CMAF<
c"OF,-AFT
cOjCCpY
_controlfp
!c`P9%hk
Cp@Nk@
,@CREaBv,0
CTt@bj
__CxxFrameHandler
@}cyG]
cyQX3ID
_cZs'X
,D3U@P
D50bsw/`B"`
D5b*z4
DALPMh
`DAPPeA
@.data
D!Au#R
d=B!AU
'"dBc/
 Db@Ck
/,DbuA
`DCPAAF
DDDDD@
DDDDDDD
DDDDDDDDD
DDDDDDDDDDD
DDDDDDDDDDDDD
DDLDLD
DDLLDDDL
D(Dp5(
dd@Xk)/R	{@
DE@@?C
DegdE.
@De Gp
 </dependency>
 <dependency>
	</dependentAssembly>
	<dependentAssembly>
D.@e@q
DFBw@@Hch;@)s
-dGVIg
__dllonexit
Dmig!Y 
D:%Oo<]
DP@D|@$
DqrtFTA
Ds=bA(
DTbeg*LdC=@
&DU)eO*bK-o,4s|@
@dWNX@
=/d	xD
E8A|88
%,E\}A,
e@@aD4
EA`GD,@BB
@eCy&@b
Ed@3D(CF
#eeLA| 
e@giH8q
(EG|@X@@
EHAlsA
 Ejb4H
'@Ejm!CD
E,kAO@J
EnableWindow
E"PdBy
EsC@}e
EtwR(=YFr
_except_handler3
}EXORf9
e'&Y{vf
F@a0Ae\3
)fAL?ACy
fbB@%bO
#:FbB$O
FC0<h'
@FcVKD@
.fDAAG	
FH=<s@
/FjO@Ja3&
`g}5O@@
gcrbUv(E
gD5cHu
__getmainargs
GetModuleHandleA
GetStartupInfoA
gHvVBJ
*gI0$*w~I}4
|(gJ<4O
@GO3=@
gS@H:@"D "+
h4&u4>@@
H@5~T@
h)%=A@
H@$AAX'
,HA@o2$<)
H#"A@X|A
HBUXAI
@hC`nA
(hg0bG~
HK$D=L
H:Narb
i!_A}d
$Ibevf
*!i@@c
iFT5r4h@]
II}[@z
_initterm
I:.,\OR
iP@b J
iRichu
#(@iVS
i[yySD
(&"[/J
j6Cr]Z
jA=Hvf
jA@p82Q
*`jARB;
@jB@_@
jb,b@`B
@j\Cu|@
J	efyAy
@'J?h%
j== hA
j$=	He3RBB
jmHtdE,mJz
JPb<6M
jRB9g+
JTH{P2
@@JU1`
JWR bD<
kab}b_
,kBAp+Bv
kBb`2D@
@k{%bdH<
KD,E@@
kE~cxI^cD
KERNEL32.dll
\kH.ct
Ki@5BwD
@kmCbd
@KMo`E4A
KP5@:bc
k|wZvf
L2A(0t]0
lAMA	i-
~L/@bA
LbEcE{
L-bW5@YCvB
LDDDDDDD
@LE	{	
'@%le@e
&)%:LgAvv2-S
LgDg34
LLDDLD
LoadCursorA
LoadIconA
L'OHnL
LO@Jv(w
@Lr@	AP
lss2FKcb
LXO$foq
@@@@m<1
m`2C=z
MA0Qbm4
mB1UUd$
mB%ix)4
MC46Lh
MFC42.DLL
|<((,_,<mG
mR8/@@>
MSVCRT.dll
	   </ms_windowsSettings:dpiAware>
	   <ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
m@XfCwJ)m
]#MZLLNH
n3\T'b
Nai/E2GF
NAIsI8
Nb|DhRgF
'%nepu
@NHb<h
/=nI*JdJ20c
Np@I34Db&fJ
NrV@+,@
\N$U6E
nURbcN
o4Dgb@
O4u<@JRyJ
oA@&49*G
O<,E(R
O@gP9E
 OgPJ@
@Oh@RA
OND>@;H
_onexit
@*?o@TBu
OX)4Ji
p0,C@T x
P6, R(26
PA}&{J
pAOx.E
__p__commode
PDA0Ax
Pdgm7 M
@@pE=9
__p__fmode
@pg$@?
PLBqLj|
P\L!NAk
@@pMbb
p!@Qb7AD
@'@	ptm
Pz@L3<
%~&QAF
q,AORA
q@%Bbl8
"QC4$ph
qC%<cI0
q@]D@c
@q|@"E
(q/IcU7@
q[JC%.u
q(@Kt[QX
qu"A(|
@#R7H<@KA
#`(RA@
+@RbM@
RDA@s@7
`.rdata
		  </requestedExecutionLevel>
		  <requestedExecutionLevel level="asInvoker" uiAccess="false">
	   </requestedPrivileges>
	   <requestedPrivileges>
r@jIEy,
RROU,g)%
RSbfk@vEE*Avf
rSbx^cAJ
Ry}m b@Id
s3A@DCB
S7bU5 @
Sansay
@SdbcT,
sDJKCO
	</security>
	<security>
SendMessageA
__set_app_type
_setmbcp
__setusermatherr
sh@H:84
SO{@BOEd
SQm4Y%db
stuQAJ
s>vM@	
SysListView32
T4=FL@@
@t5dASd$
@tAb(W
@tACPC
@tbB*H
>@*T-bN
@t@B@PH
@tCn:b
tEC$s@-
Te,K,4!cb1A\
!This program cannot be run in DOS mode.
T=@,<L
tOJOM@}
@tOXa8z7
tp4_eOvf
T(P `nhC
@tR+*Ba
@t,@rMD
 </trustInfo>
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t@vf@@@
@tV%LZ
U[@,~)B
U@%Bvf
UC%=E5
U@L5YZ
UpdateWindow
USER32.dll
UsWX8 C
U+vSc<UU
v/%AYU
V@@>>b>@@
VBEy'7
@$@VDS
vja](~E
vk(<`G
vmbD(jK
VP5@b@
V(@PdbA
!v<PpO,
@:w: 0
W0z`Dvf
wAII$*|
wCU@L}
$W@\)@E
	</windowsSettings>
	<windowsSettings>
wjGxfb4vf
wm@6kc
~wP\PDBX
@W@RbkO
<Wwcx+Le&
xC/lAL>U
_XcptFilter
@{X<;D(B@
_xdvL@@
<XHALC
XL@n%g
.@XtpA
XXO4PU
XyA<4+
y-CzA=I)
)y@GXX
yNSF-OD
@y^*OA\l
yU@r *
z2`_O*
z@2Siy
z4TH@=fz
z_$bR0H~i
Z@dqO<0
	_Z*FuD
@/@ zP$
ZR<Jiytl[
->@`zT