Analysis Date: 2014-08-04 18:45:34
MD5: 2cefa0ae2f593e0016e3149cd0f1d2f3
SHA1: a6bbbd8f6525ff89ba3e4aa96931cc3fa1397151

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2c302c720fc6bc405e207031598cf49b sha1: b9d999f4de458355177eb79b169b6b1906a1704d size: 1024
Section .rdata: md5: 8013970f7c52c4cb5b3c11a726a2b2cb sha1: 40c0fd764dd27d6db6a647212efa7199534468cf size: 512
Section code2: md5: a2828793777103275fc7aee40ab8fe54 sha1: f140b6098acd2ddda0d477885483ecbddf0ae64a size: 512
Section zdata: md5: 2447b871343f93a6f5b737ce06f13660 sha1: d8ef9cebcdf1446ca3d1fcffb1b87b6128e6edae size: 512
Section codej: md5: 72aab3599727f9b7622a9dfc918c6b55 sha1: 92b58cb13201716372059595293b1caaaa9fc8a0 size: 512
Section .rsrc: md5: 63d7463c033b87aa2c3f849ee58b2358 sha1: 4f862448852d087aa05539643f12e944b30db9da size: 58880
Timestamp: 2055-05-25 18:10:40
Version info:
  LegalCopyright: Copyright (C) 2003
  InternalName: welled
  FileVersion: 4,1,4,24
  ProductName: welled Application
  ProductVersion: 2,3,2,5
  FileDescription: welled Application
  OriginalFilename: welled.exe
Packer: PE Diminisher v0.1
PEhash: 1b7065ed712ccfce74657ced2aae0372b2d7711f
IMPhash: eaeaf27597bb0523389a72cda6281fd0
AV 360 Safe: Gen:Variant.Zusy.89319
AV Ad-Aware: Gen:Variant.Zusy.89319
AV Alwil (avast): Kryptik-NRD [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.VVVA-4364
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail.r6
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1150
AV Emsisoft: Gen:Variant.Zusy.89319
AV Eset (nod32): Win32/Kryptik.BZQQ
AV Fortinet: W32/Agent.APDJ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.89319
AV Grisoft (avg): Crypt3.JFW
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Agentb.apdj
AV MalwareBytes: Trojan.Cryptor.XGen
AV Mcafee: Downloader-FAEL!2CEFA0AE2F59
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Zusy.89319
AV Norman: winpe/Cutwail.CRD
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TROJ_CUTWIL.SM1J
AV VirusBlokAda (vba32): Trojan.Agentb

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xulirgandagw ➝ C:\Documents and Settings\Administrator\xulirgandagw.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\link-list-uk[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rodeoshow.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\penavision.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\photoclubs[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\selldoor[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bethisraelcenter[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\automa[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\vandeks[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ziuabarbatului[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\stecom[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\re-wakefield.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bethisraelcenter[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\vandeks[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\link-list-uk[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\automa[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rodeoshow.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\stecom[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ziuabarbatului[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\re-wakefield.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\selldoor[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: photoclubs.com
Winsock DNS: automa.it
Winsock DNS: rodeoshow.com.au
Winsock DNS: christybarry.com
Winsock DNS: le-mariage.com
Winsock DNS: ziuabarbatului.ro
Winsock DNS: vitalur.by
Winsock DNS: easygen.com
Winsock DNS: link-list-uk.com
Winsock DNS: bethisraelcenter.org
Winsock DNS: servico-ind.com
Winsock DNS: isp-h.com
Winsock DNS: re-wakefield.co.uk
Winsock DNS: frederickallergy.com
Winsock DNS: penavision.co.in
Winsock DNS: vandeks.com
Winsock DNS: dbcomponents.com
Winsock DNS: selldoor.pl
Winsock DNS: toddpipe.com
Winsock DNS: stecom.nl

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: rodeoshow.com.au (Type: A) ➝ 103.28.250.103
DNS: rodeoshow.com.au (Type: A) ➝ 103.28.249.103
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25

Strings