Analysis Date: 2013-10-27 12:11:44
MD5: 92cc7f00ebab9a4f52897136b1928195
SHA1: a7313694d654a96baaee68cab76fad2c25d1bb3c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE    md5: 24ec3ccc0be1c52e3576ac7c98a01c17 sha1: 3bb0150bb7526014925e26934f0e7189e9951e33 size: 136704
Section DATA    md5: dacc5a98b2feb44d8cdb914ba4dfdeeb sha1: 4c7f0b78c7bacd8438ca81df28488ae3cc5eea03 size: 2048
Section BSS     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata  md5: ee35fb9add664350e05f0c8824507009 sha1: ef874b37da6d42707348f329d62f84084ec598fa size: 3072
Section .tls    md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata  md5: 3bcc0571d516f6f512e0c7fdd52edfdb sha1: 4a07f879204eca9466814e07453048a57c08c2c5 size: 512
Section .reloc  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc   md5: 6f52d696c5e02d0fe12418160304a6a3 sha1: 9b390be8f6f363d42bf8561789f4453143f48f3d size: 5120
Section .aspack md5: 3b4d10ff6d4954ca4fb2822f830b0edd sha1: 03472695a552517c40720865174029c7ba1aa9f8 size: 7168
Section .adata  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 1992-06-19 22:22:17 (the fixed placeholder timestamp that Borland Delphi linkers write into every PE, consistent with the DVCLAL, PACKAGEINFO and TFORM1 strings below, so it does not indicate the real build time)
Packer: ASPack v2.1
PEhash: 1081f8d23e2d32e98b61d3299a253c07407131f4

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\mscj\setup ➝ yes\\x00
Creates File: C:\WINDOWS\system32\distributer.txt

Network Details:



Strings
3f333
DVCLAL
fff3f
MAINICON
PACKAGEINFO
TFORM1
\:\;\<\
*05jTf
 (08@P`p
0wiX3K
12En$!tf
(}17FD
1bB]TD?
1K&^.$
1Nrs8&
1rc~Y{I
=]2t"6
2)x4y@>
%3%4$|Kl%&$~I
`3$bi9
3CU(X;
3qd#}J
[3?xm9
:4n`th
4ONp4V
4QCG{d[T
-)5!\?
5	2	N_
~5*F_$
5{iUQC
5LujbW
5N,>IS
!5u [Q
[5@.xG$
{=}!#6
6J"u|]2
-6lF<[
6&oF{z\
%/=$7	
(7;2Iw
7DG(z1ur
7UjJa^
7v	7<\
~8<0<@?
8B+Tzp
/8de!0
8gg vy
:&8g$j4N
8'{@)h
8TY;YD
(95/x:?
}9(g8#
9WWk[C
A1=$CSP
a%7K%K
.adata
advapi32.dll
Aggjfg
aI,]MT
aKf{f[(
AM)M-O
++Ao1tw
aRPb%lt
.aspack
AwqNc>	
A-Y)|2}I,
A,Zy8`
B 69Ib
BAp5l5?]
/b][l!
bL-7:/
?`CcTRm
cIxM5(i!z
cJD>HZ
c'lZFL
comctl32.dll
ct+7GVFC
cTQy9(Du
$Cv!-g
Cx#InJ_<
cZ5@>6
D">(=:
D1Vua#LaUr
D--C9\Z
D(D%S;/L
&df_;e
d?gOO%
D.kWz3
?,Dp0q
dS89]p$
d}Wihc
@D]|y:
`e0z8e0=o
.E*(>A
%e%e%e%e%e%yJs
EG0mE@n#
eh!D.33%
E(*htV
EklV''
eP>~#h
ExitProcess
"e )Z%*
F0F4Fh#5
*=f4;f>
&^#fI3
fJb/Lh
FmMtD+:
"]g![[
ga4d	Go!
gdi32.dll
GetKeyboardType
GetModuleHandleA
GetProcAddress
Gffnn;"
~)<Gj+
G"<l^IE
Grp&>G
 _,GT1
gTAI9a
G(td$~
"gxeeQ
@/gY~@
h1jJ;R!
H30___}f
hEt1pA
HfGm %
h`fYUU
H	iu/kB&csf
HJ	I0&cw
HKU$jH
+hLq\X
HOs-;&
hQ{	P/
hRgS9+Gv
/i$(3F
I8|{`V
<!iBS0tn
.idata
IfPvhle
IK^/~DY
ImageList_SetIconSize
InKqRT&
ipWwzp
Iu<QLV
J2^~JH
j)89aij
J9gho%Z
JaUlKw
jC{OsQ
+j_e2d
Jq.Uny
Jtl#lL
k@1+na
k-,<5l
K]c7hQ
kernel32.dll
K@Fm*	
KWz&{A
K|ycSK
>l7* 	
Lf,3h&D+;j
= =_LfDj$
l|f]E2
LFHQg4>W
L}Han6
lI96GT#
LOADER ERROR
LoadLibraryA
`lp*F;`
L pr6J
=+L]Qp
LvM.Zo
m4t;Gj
M 5nTe
MessageBoxA
mf#D;-
!MGrSu=xq]
!mLZRQ
mM][;*
?mmL4	
M'pN!eha
m}r<V?O
mYFHWV
,+n76Vu
n/D+Z-
Nhut5/
nP?=D$"
~ntJ'vnA^,
+nU,)C
O/ =5u
OA[k	Qk
%oB9>4
O>b	UK$%(P	Z
oDtKNr
;oH8Ge%
O?#i;\
O.Iw\T
oleaut32.dll
oo}`	M
	OP?tJ
OUF\[.
{`oV5Z
P,$,-!
 p\4U3
Pby/MFTNJ$
pC9TAJ-
Pmn._2
[Pp4zp
pQSp!?
:pr4)V
PSC)J{
pulL%p
PUOt'+QV(
Pwr{gaga3
P@x^-LBofv
PxU`P?!
^PY59o)
Q1brzD
$=QF"%B
"Qq37Ui
Qrq]3+c4
 Qrrf9h
q;X)%|
#([R')
"R'}19
.rdata
RegQueryValueExA
RegSetValueExA
.reloc
r~JI,jDR~tI
rJp:rA
	$"RrR
r(|uZ2
r`VF!J%+.
rxEka#J
	R<z^`
SafeArrayPtrOfIndex
S*)_d+w
SEzy\T
<SfX~9G
>Sg^O,
SJ4	:^
SysFreeString
T3AH2)
tdj:?9
tDsY"Le
tEdG&$
T?$FnT	H
TGt'Jp
tg!U q
?th3%_
,"tH-c/
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
This program must be run under Win32
tOH.K&2
|T$r=;
TUm9H;
t^uti3
+t}$Wk
#uCZz/
u[ePB^
UnrealizeObject
UNT>h?
->uqgP
/=Us2,[
user32.dll
uw7G\P
U=ynd!
]u[Zb*sh'
;v:;g3U{
V\i)G=
VirtualAlloc
VirtualFree
&v{OuJ<
!v!R.TY
/vuSX~
V:y~k?
vz~5pG
w19A25=
_?w5K;
way(C3
WC4R5R6R7aX
Wcsk2Q
WindowFromPoint
,WkGr7
W'MgLt
wsprintfA
`XFZ[ya
Xg#7J`D
x+#Hnv
x<OdRX
x%q#HeN}f
x:Rh1m
XTdAu0
X	`:Tp
xU.},.
"!Y.AF
]yBitp
#YImy>
YKf^:&
yKrAj@
yM \!P
y|oL)D
Y!pgA5
y^P&_KmZ
ypT';YsZ(
)Y/tJXJZJ\I
Y%Uy_lc
Y!V  X
 y]zJ'0V
Z/22R1E
Z5i?'~
zCJcf/
Zp1sOw
<Z'U}x
"ZX~/2