Analysis Date: 2014-10-12 23:07:43
MD5: 6bee7d314a885a6805aad2b970141067
SHA1: a2326693f5176ada3b749c48470088bec8df01ce

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE — md5: dd3d767afd5e98fbfcec3075a3197986 sha1: e452a6a2bfca8341ca3c9d0cc455327a244ea9c5 size: 12800
Section DATA — md5: d8f482ace7c2ab31a18234b04d04474c sha1: f48077f65d892dba3c7bfe6cba8a4ec0c26bdcee size: 60928
Section BSS — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata — md5: 69a5924f52ab9614d3b8ca1789a30a24 sha1: c70e8f4b3a61a9520e781463f618bbaf9970a4e7 size: 1536
Section .edata — md5: b232b688716161525f498e694ed3df56 sha1: bef56a153c280a7ce7a9d4daa2087cef73f93d0d size: 512
Section .reloc — md5: 94d1cdc7e448ab9ee61fafdafe631083 sha1: 04d1ec837effc1dac1954a36c8d8cb89a70aad03 size: 512
Section .rsrc — md5: 20bc5d68255cfbaad88c1c1ff6acdba6 sha1: edce6483c2b73629026ec95f770b279094b3ca47 size: 1024
Timestamp: 1992-06-19 22:22:17
PEhash: 9b685d9c1644600af47ea7208eda68aa02bed2ef
IMPhash: fc4583085d0f8f80a5d49534f809ed35
AV 360 Safe: Gen:Heur.Conrox.2
AV Ad-Aware: Gen:Heur.Conrox.2
AV Alwil (avast): Downloader-GTQ [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.NH.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.Conrox.2
AV CA (E-Trust Ino): Win32/Renos.CFE
AV CAT (quickheal): Trojan.Renos.PG
AV ClamAV: Trojan.Downloader-110713
AV Dr. Web: Trojan.DownLoader2.42380
AV Emsisoft: Gen:Heur.Conrox.2
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BBT
AV Fortinet: W32/CodecPack.ATMJ!tr
AV Frisk (f-prot): W32/FakeAlert.NH.gen!Eldorado
AV F-Secure: Gen:Heur.Conrox.2
AV Grisoft (avg): Crypt.AHRQ
AV Ikarus: Trojan.SuspectCRC
AV K7: Trojan-Downloader ( 002495b51 )
AV Kaspersky: Trojan-Downloader.Win32.CodecPack.asec
AV MalwareBytes: Trojan.FraudPack.Gen
AV Mcafee: Downloader-CEW.ba
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV MicroWorld (escan): Gen:Heur.Conrox.2
AV Norman: winpe/Kryptik.NP
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IV
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_KRYPTK.SMCA
AV VirusBlokAda (vba32): TrojanDownloader.CodecPack
AV Yara APT: no_virus
AV Zillya!: Trojan.FakeAV.Win32.230189

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.98.139
DNS: seesaa.net
Type: A
59.106.28.139
DNS: yelp.com
Type: A
198.51.132.180
DNS: yelp.com
Type: A
198.51.132.80
DNS: eitinvalid.in
Type: A
DNS: webdatum.in
Type: A


Strings
 
x!
...
nu
m...&...N.1U>y..O.n"

~?],
0UfK
*2[0
2VXb
-'$8
 acqI
Dzs 
f$]1
&F2V
Hbjv&
i3|&
IA>%
`iw9$
kT|f{
lKF'd
mL!1
OOKjm
p+ h
;PtGi
qGqU8
r@KQ
T3uc
tFG@
tSVC
tZ>X
]Yc?'
.YEqV
!0(0}3
3&3.363>3F3V3^3f3n3v3~3
3(4.4=4Z4a4
42969:9>9B9F9J9N9R9V9[9e9o9y9
4&4.464>4F4N4V4^4f4n4
:4<><G<M<
?#?)?/?5?;?A?G?M?S?Y?_?e?k?q?w?}?
6_8f85:
8364913
AddPrintProvidorW
admparse.dll
AdvancedSetupDialog
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B 85#P@
B8;m$s-
BJIGGJ
BX85#P@
ChangeTimerQueueTimer
CharLowerBuffA
ci2;	O
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateMenu
CreatePrinterIC
DeactivateActCtx
DeletePortA
DeviceMode
DialogBoxParamA
.edata
EnterCriticalSection
EnumMonitorsA
EnumMonitorsW
EnumPrintersW
EnumPrintProcessorsW
GetFileSizeEx
GetMenuItemID
GetPrinterDriverDirectoryW
GetProcAddress
GetStartupInfoW
GetWindowInfo
GlobalAlloc
GlobalFree
H:-&P@
.idata
=,=J=U=\=d=k=w=~=
kernel32.dll
KI;m$s-
>,>;>L>`>
LoadLibraryA
LoadLibraryExA
LocalSize
OpenPrinterA
PathFindSuffixArrayA
PerfClose
P.reloc
P.rsrc
Q4eO*/
ReadPrinter
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetMenuContextHelpId
SetPrinterA
SetPrinterDataExA
SetThreadPriority
SetUserObjectInformationA
shlwapi.dll
SHRegDeleteEmptyUSKeyW
StrChrIA
StrChrNIW
StrCSpnIA
StrNCatW
StrRStrIW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnregisterHotKey
UpdateResourceW
UpdateWindow
UrlUnescapeA
user32.dll
VirtualAllocEx
VirtualFreeEx
winspool.drv
WriteFileGather
,xb('''
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>