Analysis Date: 2015-05-06 22:22:53
MD5: 36e0eea9fb4bf50eb2f5c01529f32a59
SHA1: a1e6f97a6cb6e0811a8315327ea05adbc80e2c63

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: c0ea2fc3eb1b5c466439cab6243d09c7 sha1: 4c94c0b1d38dea1cf955731653a46d656b37789e size: 58880
Section .rdate — md5: 105d28c2017227d58d4c2a702bca774f sha1: 68ed54817c9c0809d36525e4f3a6afcef7d4b9b6 size: 8704
Section .rsrc — md5: 8c497056442151dabecae37e566a88fa sha1: 3cf19935c58dd448f3ae2e40ef198635a62b625d size: 4608
Section .idata — md5: 629aeaa5731f63d9f4d757908e667ea8 sha1: 971b1279222964a53e48decaa4651f4629cc5ad9 size: 22016
Section .data — md5: a1c578b02cec9d5799a3d96aa716b343 sha1: 67fb2103f167a2f1905f6c7710a30cc49e7a50d2 size: 512
Section .data — md5: a6b2317c0c388c87d36f9b48287fce5e sha1: a2e64c14872d119ad38d0a7bb486b958ad0eac4e size: 1024
Section .rdato — md5: a7b165769199dc49ea083ff5ab8940c9 sha1: e5345535d421a3022b9a6763307490990fb07be6 size: 1024
Section .data — md5: ee62e510bb5afe6320b3923c8bf8cb6a sha1: 303de054c0f88306a284bd7f128edb9aa58848bc size: 247808
Section .reloc — md5: b1bcabb635a3528143343c833d770d4a sha1: 9a816044420b12dc6f364d52d2a3a1df56a45ebc size: 1024
Timestamp: 2015-02-24 04:09:24
PEhash: 186c35baedc8e8944d3f57586375e113b72f2936
IMPhash: 7d4bed94cb2696ed54a5f8cfb55a1897
AV Ad-Aware: Gen:Variant.Kazy.569663
AV Alwil (avast): Crypt-RVM [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.569663
AV Authentium: W32/S-ef00ff19!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.94148
AV BitDefender: Gen:Variant.Kazy.569663
AV BullGuard: Gen:Variant.Kazy.569663
AV CA (E-Trust Ino): Win32/Tnega.ZIOAEPC
AV CAT (quickheal): Trojan.Generic.r9
AV ClamAV: no_virus
AV Dr. Web: Trojan.Kovter.15
AV Emsisoft: Gen:Variant.Kazy.569663
AV Eset (nod32): Win32/Kryptik.DBAV
AV Fortinet: W32/Kryptik.DBAV!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.569663
AV Grisoft (avg): Crypt3.CKVE
AV Ikarus: Trojan.Win32.Kovter
AV K7: Trojan ( 004b7d861 )
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.Krypt
AV Mcafee: RDN/Generic.dx!dql
AV Microsoft Security Essentials: Trojan:Win32/Kovter!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.569663
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: Trojan.Girtk.DBAV.rkae
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: "svchost.exe"

Process
↳ "svchost.exe"

Registry: HKEY_CURRENT_USER\SOFTWARE\3F9B8234\1 ➝
C:\Documents and Settings\All Users\Application Data\Microsoft\{b3a8599d-759a-98f8-f499-316c8c8c25fa}\{b3a8599d-759a-98f8-f499-316c8c8c25fa}.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\3F9B8234\1 ➝
C:\Documents and Settings\All Users\Application Data\Microsoft\{b3a8599d-759a-98f8-f499-316c8c8c25fa}\{b3a8599d-759a-98f8-f499-316c8c8c25fa}.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default ➝
1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{b3a8599d-759a-98f8-f499-316c8c8c25fa} ➝
"C:\Documents and Settings\All Users\Application Data\Microsoft\{b3a8599d-759a-98f8-f499-316c8c8c25fa}\{b3a8599d-759a-98f8-f499-316c8c8c25fa}.exe"\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\svchost.exe ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{b3a8599d-759a-98f8-f499-316c8c8c25fa} ➝
"C:\Documents and Settings\All Users\Application Data\Microsoft\{b3a8599d-759a-98f8-f499-316c8c8c25fa}\{b3a8599d-759a-98f8-f499-316c8c8c25fa}.exe"\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe ➝
NULL
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\{b3a8599d-759a-98f8-f499-316c8c8c25fa}\{b3a8599d-759a-98f8-f499-316c8c8c25fa}.exe
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\svchost.exe"
Creates Process: "explorer.exe"
Creates Process: "C:\WINDOWS\system32\svchost.exe"
Creates Mutex: 3F9B8234C1
Creates Mutex: 3F9B8234

Process
↳ "C:\WINDOWS\system32\svchost.exe"

Creates Mutex: 3F9B8234C2

Process
↳ "explorer.exe"

Process
↳ "C:\WINDOWS\system32\svchost.exe"

Network Details:



Strings
..
q
8
[.
.
].
..F..
.
.."w..I
.
k
...
L
.
B.q,.}.
.
@
...

;"-@ ^
0a6/P:
0r.	<B
1%141i1
1Cpyhr
1i-k-t
1K6I4B
1@oH`j
1QS`GZ
1{wHqJ
1zU!sp
2>2M2c2m2t2
2B~c}F
2^bnQlc
@2e\Lgm
!2,eoT
2pQ1HB6s
\2R}R/ct?}7
2r&yS@2g
_>2_x@
3eC"[7
3/=lU,	
3nT5XV
3r^(dRq
) 3-Vw
4,1h!WP
497Dfv
`4d*B,
/*-,4f F
~4jnJq
4j`Q.u
4OyIs}
# 4"tz
4Z,)Wd
501kjnl
5B"f{T
5h2S*Mx
5ikKXs
5MBG7Q
5?MRX]
5xuT!%
5Y*{~p)
5z66I-
6E5F"ZO
6g|#8D
6G,>vA o
|6U?+8
-[78q+Oh
7\R-Ts
7t_!<8
${(7|Z
'8|f	lS
8(J^[~
8POHD&
8X2R[!
9(kBl]
9N ;p5
<9) pX
9[wj4	
`9{yj*R?
9y~u4_t
|A6*~b<
a<7^j"
+A88HD
advapi32.dll
AH]&m"o
<#.AHRaJrX
ahrGA0
]&Ahse
a'sF,X
A#\sH{Nvj
/\>_aSM
_A#??u
.aul;X
{Au~yP
aV;`{Ye
|~b	]0J$
;b8KX>
B!HAGh
{BnBx3
>&BN<D
Bs}2rD
bZRe{e
c14W$i
C7yw$m
CB02Ojt
Cj=;tNMP:,
#cK@`J
!C.m,^
CVYa.P
CyztH7P
cz[`<6
d0]<q}
-	d2^A
D7'7)^
D}g}I"
*^\dGQ
$|D,Is
dIU]4B
DJ@gNB
DK g@G
DM>!N7
Dn*p+$D]X
doe4Ri
~dPmQ7
-d(SH.
DT21,3
-Du\/M
dVO	^@
dVru;Bl0u
[D^WK?8
]D$Y#`
e`5/pZU"
e6agti{^
E7:(O7(
e954P~
Ee-7*Dx
EEBAs]
-EfcPB
_E	g(1
EN>!bv_
EnumUILanguagesA
Eom4?(VK
E$	r[D
\Esa%]
^e:T5X
euizW3
Ew.^:A
Ex9C3]
EYukup
E.?zK)
EZpMlA
F2*z?-
F3XJX7
F4* Ab
F&&7z3(0
F8]I($6
f)dlPcq
*\F(e8
FillConsoleOutputCharacterA
!f(~J}
fJ=r]%
)fOywMs
FRar7#n
fW`.fb
~-gDEm
GetConsoleCursorInfo
GetSystemTime
GetTapeStatus
GetVolumeInformationA
>g?F[fbTk
|GI%cJ6J
G%IcO_%
<G){kj
glN#O\
GlobalSize
&g?}nb
}!Gp[1
g p)7[
gQgn+&M
&GqUjz6|
gR9!vJ
Gu6u-)
)GvK/V
!G@W\;
^Gw!wX
g#{;yg
H"0i/W
`H@^d8)
([.\]He
HeapCreate
HeapDestroy
[H~'@F
%;_h!In
HJQ)GD
Hs2(0~
H^Tm!?
hv7UA{
H~Z?An
i6WPy^
|%i990
I9}jP/
I$a&S	
.idata
'IDnH=
I)$G|&
IgBE..
IggLeS5
i<>-ib
$ij.cF/
IL/6^-
^IL9j1)z
$is{fg)
\I&(X_>
i,X'4h&
iyW#=]
j=1c_	
J1e327i[
J4h`~8
j/#8{W
J9+SH3
:JCMH,
}jfSx1:
J@fUq}
Jh!UP7
:JHxUB
	jh?y_
jik.yw
JJKm$ 
Jrk07&
^JvbbBQ
k,734+
ka{bSy
,Kcw?_
kD$or\6`
kernel32.dll
KI,-KlP
KI.Qu']
k]Jc-z
KNkXsG
K:o]%3rT
Ko72oc]I
k}pg)|#
krl*$Q
\K.%*S
+$k sG
<K~	vY5
l2gig3R
_L4s~%
%=l6O"
l\<8"Jf
LBSDY:
?)lD%p
L""fQu5
!lL'r)
L)Ml+L
]?Lu:]C
&;(:lWj
L/+XN-
M)[;=	
m2?t`]
\M3iPZ
m4W`vC
	m*/b	F
mbG^Wx
 "Mf60
M/"I76B
)MI;Ey
$${MJ8^
M,_mCD
mr=qk<
m<rzI~N'
ms1rg-T
M!s6a9.
MyF]Ef$
m,Z2nX
_<N/=!=
} ]N#^
N1RsQ=u
N3Ak`vC
N5G</M
N7wU"{
N8>FR.
N='8 jC
N93(<C
n~:'aMG
	naxh|a.P(
n!~G.C
N)P5LcU
NPAddConnection3
}+n%qr/41I
ntlanman.dll
 nu;XT<
N\v(N*|
/,o;$[
*\?<O)
o00&(3
O09h@.
O0TEm+
O:7OU*
o}9K`!f
ObAGO{
o+|eW	'
=oHSgC
(o@L}#
~OMCad
?@OM n
OP*K$L
OrVM\t
}o^;$S
OSnEv#
-O{!t%
]O(?T:
(OtI?/+
owU!2<v
%-<p&`
P>[76Q
pB#)xO
)pgQpA
,p@hH,?F
p)r,{8
P|rZVn
PXysQs-
q.8cV,
q[<.b5
>QB'X/
"q='^f
`q?%~H
<Q)*]h
Qi~ Q%A
%QI{qKt
q]jLE;
QKeln,
QouYLpV
QpS;3	|
q*Q &F
`q})qw<Q
Q,R|'M
$q'_[S
qV7g4	
$,qVqN
$^'`{R
\R28.F$
R9BWgL
=\RAOF
Rd6pBC
.rdate
.rdato
r D"o/
RegCloseKey
RegisterWaitForInputIdle
RegOpenKeyExA
RegOpenKeyExW
ReleaseMutex
.reloc
rmY$N]
rN-9II
rN HySI|w
rN?oI&$Q
ROF">p
|r_P 46(
rpg`+	
RP}YN@
rtr%rA
	(Ru8D
rVDC\Z
#s4'ho
sbqXeE
s/C\.$
SetLastError
;S i:9
]sJDYt
SKH5ME7
{SMcWX*
Sml{7'
^Sm!mk
sTGQ[E
T9MXBF
td;`SfBE
'tFH;!7
.T;;$Fs
!This program cannot be run in DOS mode.
TMWh-6
\tP~nx
T$qg@1J{
TUQI|%
Tv=ysE
twUA7g
[u%4t~3
u?=8TUu
u)A	9d
U`e0]h/
UE:jfp*
Ui13{V
$UJT'Q
u_OIO]g&\
uqf+Ms
US`17%
~.,USx
uVB-rg
u.VNTT
u}ZD70
,V4k1:
{V7E\N
^vcm=^F
vcWIx{~
vE,``G
}vHb	=
VirtualAlloc
VMM)/O
=\vOk:
VSq3<'i
V(ts[?tC|
VV]SdEKtlt[W
'V?}zZ!
.W4[32
~#W7iD
wBw~BMPO
	_WE)QP
W[GNdck
Wlg_PI
W^?q,'s
wu~g;hj
wVn#k"c"
x4%/M9
XEzY$V
`x	QZq
X!UpZ~
X{Z*}D*
_+y7a.
yBz3j#j
y_c$74
yd4Tvqx
yDOO;[
yFzMk3
YrIz-Y
y>st5`zn
yT",Z~
yU./HE='^Ko
YX|:C:
z0w)!u
z6fV(c
Z6l`y/
Zjy=!Nai
Z&^K8(
*z(K@I
Zm#lvHQ
z:t>4A
,] z`uu
"ZVxso
[Z]YHQ
`zzG9*)]