Analysis Date: 2015-02-03 04:41:56
MD5: 22c02acc075409043fa42c65dd2bb206
SHA1: ab5055abe7fa5ba034d7c63263e715733d55ebd5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: b1143f9dcb041ed6b510f9350ba321be  sha1: 01cd1a26d030ad873282292bb872b4633ddfb1a3  size: 6144
Section .rdata  md5: 91cdd43326473ed6f99019d5dd621395  sha1: d4d22647346710aed9a7be7dc2417cdbf1cc6000  size: 3584
Section .data   md5: 699c4b7eea8f2eef8f780312eb4e0836  sha1: e4984d9eefb98f92ca3cc2b5db4a28520943f463  size: 2560
Section .rsrc   md5: d671eaab1e9de3a3ed349dd00e471d1d  sha1: 7f2d9f1958b6aa057ada565bf463f4a1f5795cf0  size: 15360
Section .reloc  md5: 39e5f50457e0cbe67b56d55d5a7426f3  sha1: 98abcf65fe283da14c0f91d4783d777a4be6080a  size: 2560
Timestamp: 2010-02-20 03:59:54
PEhash: 7fd1c4910c8dc9f12bbf7e991aa959ea47f25fa8
IMPhash: 032237d350f6b8b702a00f2e14c713ce
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Agent.BHHW
AV Alwil (avast): Downloader-VQV [Trj]
AV Arcabit (arcavir): Trojan.Agent.BHHW
AV Authentium: W32/Trojan.DCHR-1307
AV Avira (antivir): TR/Cabhot.A.109
AV BullGuard: Trojan.Agent.BHHW
AV CA (E-Trust Ino): Win32/Tnega.UEJOAQB
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Agent.BHHW
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): W32/Trojan3.NEW
AV F-Secure: Trojan.Agent.BHHW
AV Grisoft (avg): Downloader.Agent.16.AA
AV Ikarus: Evilware.Outbreak
AV K7: Trojan-Downloader ( 00499db21 )
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cbtu
AV MalwareBytes: Trojan.Ransom.FileCryptor
AV Mcafee: Downloader-FAMV!22C02ACC0754
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis
AV MicroWorld (escan): Trojan.Agent.BHHW
AV Rising: no_virus
AV Sophos: Troj/Agent-ALFQ
AV Symantec: Downloader.Ponik
AV Trend Micro: TROJ_CRYPCTB.SME
AV VirusBlokAda (vba32): Trojan.FakeAV.01657
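The section hashes, link timestamp and IMPhash in the static details can be recomputed from the file with standard-library Python; the following is an added example, not the sandbox's own code. It assumes the report hashes the raw on-disk bytes of each section (PointerToRawData to PointerToRawData + SizeOfRawData) and that the IMPhash follows pefile's rule (lower-case "dll.function" pairs, library extension stripped, comma-joined, MD5; ordinal-only imports are ignored here). It runs on a constructed PE skeleton built by the hypothetical helper build_sample_pe, whose timestamp is the one shown in the report and whose section contents are placeholders.

```python
"""Recompute "Static Details" fields from a PE image: per-section MD5/SHA1 and
raw size, the COFF TimeDateStamp, and a pefile-style imphash.
Added example; standard library only (headers walked with struct, no pefile)."""
import hashlib
import struct
from datetime import datetime, timezone

IMPHASH_EXTS = (".dll", ".ocx", ".sys")   # extensions pefile strips before hashing


def parse_pe(data: bytes):
    """Return (coff_timestamp, [(name, file_offset, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        # IMAGE_SECTION_HEADER offsets 16 and 20: SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name} runs past end of file")
        sections.append((name, raw_ptr, raw_size))
    return timestamp, sections


def static_details(data: bytes) -> dict:
    """Timestamp (UTC, in the report's format) and one row per section."""
    timestamp, sections = parse_pe(data)
    rows = []
    for name, ptr, size in sections:
        raw = data[ptr:ptr + size]          # assumption: hashes cover raw on-disk bytes
        rows.append({"name": name, "md5": hashlib.md5(raw).hexdigest(),
                     "sha1": hashlib.sha1(raw).hexdigest(), "size": size})
    when = datetime.fromtimestamp(timestamp, timezone.utc)
    return {"timestamp": when.strftime("%Y-%m-%d %H:%M:%S"), "sections": rows}


def imphash_string(imports) -> str:
    """The normalized import list pefile hashes: 'lib.func' pairs, lower-case,
    library extension stripped, comma-joined, in import-table order."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in IMPHASH_EXTS:
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Hypothetical helper: a minimal, non-runnable PE32 skeleton (DOS stub,
    PE signature, COFF header with no optional header, section table, raw
    section bodies back to back) used only as input for this example."""
    e_lfanew = 0x40
    body_start = e_lfanew + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table, bodies, ptr = b"", b"", body_start
    for i, (name, raw) in enumerate(sections):
        table += name.encode("ascii").ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        table += struct.pack("<IIII", len(raw), 0x1000 * (i + 1), len(raw), ptr)
        table += b"\0" * 16               # relocation/linenumber fields, Characteristics
        bodies += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + bodies


# Constructed sample: placeholder section contents, timestamp taken from the report.
SAMPLE_PE = build_sample_pe([(".text", b"abc"), (".rdata", b"")], 1266638394)

if __name__ == "__main__":
    details = static_details(SAMPLE_PE)
    print("Timestamp:", details["timestamp"])
    for row in details["sections"]:
        print(f"Section {row['name']:<7} md5: {row['md5']} sha1: {row['sha1']} size: {row['size']}")
    print("IMPhash:", imphash([("KERNEL32.dll", "GetProcAddress"), ("SHLWAPI.dll", "PathCombineA")]))
```

Two caveats when comparing against the report: the timestamp is whatever the linker (or a packer) wrote into the COFF header, so a 2010 build date for a sample first seen in 2015 is a hint, not evidence; and an IMPhash computed over this sample's import list will only match the report if the same ordinal-resolution rules are applied, which is why the library that produced the report should be used for any exact comparison.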

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ab5055abe7fa5ba034d7c63263e715733d55ebd5.rtf
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_75437.cab
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 56730099
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.222
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.192.91
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.222:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....
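The hex dump above, decoded back into bytes and parsed as an HTTP request so the request line and headers can be checked (and turned into a network signature) rather than read off the ASCII column. This is an added example, not the sandbox's own code: RAW_PCAP is the dump copied from the report, and decode_hexdump, parse_http_request, claimed_windows_version and analyze are hypothetical helper names.

```python
"""Decode a sandbox "Raw Pcap" hex dump (offset, decimal offset in parentheses,
up to four 32-bit hex words, ASCII rendering) and parse the HTTP request in it.
Added example; the dump text is the one shown in the report."""
import re

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....
"""

LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\((\d+)\)\s+(.*)$")
WORD_RE = re.compile(r"(?:[0-9a-fA-F]{2}){1,4}")   # 1..4 bytes per hex word


def decode_hexdump(text: str) -> bytes:
    """Rebuild the payload.  Each line carries at most 16 bytes, and both
    offsets on every line are checked against the bytes decoded so far, so a
    missing, duplicated or reordered line raises instead of corrupting the stream."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # blank or non-dump line
        offset = int(m.group(1), 16)
        if offset != len(out) or int(m.group(2)) != offset:
            raise ValueError(f"line offset 0x{offset:x} does not follow {len(out)} decoded bytes")
        n = 0
        for tok in m.group(3).split():
            # the ASCII column starts at the first non-hex token or after 16 bytes
            if n >= 16 or not WORD_RE.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            n += len(tok) // 2
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into request line, headers (names lower-cased)
    and body.  Raises if the header block is unterminated, i.e. the capture is cut."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers: truncated request")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii").split(" ", 2)
    if len(request_line) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = request_line
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def claimed_windows_version(user_agent: str):
    """The 'Windows NT x.y' version a User-Agent string claims, or None."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return m.group(1) if m else None


def analyze(dump: str) -> dict:
    raw = decode_hexdump(dump)
    req = parse_http_request(raw)
    req["length"] = len(raw)
    req["claimed_nt"] = claimed_windows_version(req["headers"].get("user-agent", ""))
    return req


if __name__ == "__main__":
    r = analyze(RAW_PCAP)
    print(r["method"], r["target"], r["version"], f"({r['length']} bytes)")
    for name, value in r["headers"].items():
        print(f"  {name}: {value}")
    print("User-Agent claims Windows NT", r["claimed_nt"])
```

Two things the parsed request makes checkable. The request is a bare GET / carrying only User-Agent, Host and Connection: Close, and no other HTTP traffic appears in the report, which is consistent with a reachability probe rather than a payload download in this run. The User-Agent claims Windows NT 6.0 while the runtime paths (C:\Documents and Settings\...) show the sandbox guest is an NT 5.x system, so the string is fixed in the sample rather than derived from the host; the exact header set and order, together with the Host value, is therefore usable as a proxy-log signature.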


Strings
...7g.DT
...[A3K.Q.<....
..5.G.;Ii..I
.u\......J.^.X.c..2..i..x<{..H..
..Z.....n$W
....}...').z<&....S8}F...o.f.
...qj
0#0-030>0C0K0a0e0k0u0
0#01050;0D0J0c0i0s0y0
<0<5<<<A<F<L<V<`<e<k<u<z<
> >*>0>8>>>B>H>O>V>i>o>t>y>
1!1'1<1J1O1T1\1g1s1y1}1
1'1.171>1C1H1N1X1_1f1m1s1w1}1
:$:+:1:A:F:M:R:W:]:h:p:u:}:
2&2-242<2C2I2O2V2[2a2k2t2z2
2"242:2N2\2`2i2r2
3#32373?3M3V3^3b3v3
3!3'3,343=3C3Q3X3]3b3h3t3z3~3
?!?(?/?3???E?R?W?\?i?o?t?|?
4'42494>4C4I4Z4b4h4n4
4!4'43494B4H4L4R4Y4f4y4
;-;4;A;E;N;T;k;y;
4cp9<E
5 5&54585=5C5J5T5Z5`5g5l5q5w5
5 5&5,505:5@5F5Z5`5e5k5p5u5}5
6 6&61676=6A6G6T6`6g6n6s6{6
6+676?6F6V6\6a6g6p6u6{6
7#7,757;7S7X7_7d7i7o7
=!=7===F=K=P=X=g=n=s={=
8+0F`AaZ
8!8,858<8I8Q8`8g8p8w8~8
9#91989?9D9S9h9n9t9z9
#$a|#$
ADVAPI32.dll
AlphaBlend
Bxwa?-
CACloseCertType
CADeleteCA
CAEnumFirstCA
CAEnumNextCA
certcli.dll
ControlService
CreateNamedPipeA
CreateServiceA
@.data
DeviceIoControl
drvCommConfigDialogA
drvSetDefaultCommConfigA
ePtBOULzYmDJVhcts
f1~\'}
FindResourceA
FormatMessageA
GetBinaryTypeA
GetConsoleTitleA
GetCurrentProcess
GetDateFormatA
GetFullPathNameA
GetGeoInfoA
GetModuleHandleA
GetPrivateProfileStructW
GetProcAddress
GetProcessHeap
GetProcessId
GetStringTypeA
GetTickCount
GradientFill
HeapValidate
hFR.sQ
H~-G=|
iHCir 
I'lJJ(
InitializeSid
InvokeControlPanel
IsTextUnicode
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
i]usQ+_S1,j
kernel32.DLL
KERNEL32.dll
klospad.pdb
ldYNsefvMqlGae
modemui.dll
msimg32.dll
nddeapi.dll
NDdeShareAddA
NDdeShareDelA
NDdeShareEnumA
NDdeShareGetInfoA
nWQB^p
OBCYYPUpACotTu
PathCombineA
PathCommonPrefixA
PathCompactPathA
PEovQ %NfqhVt
qgHVlqek
`.rdata
ReadConsoleA
ReadFile
RegDeleteKeyA
RegEnumKeyA
RegFlushKey
RegOpenKeyExA
RegSaveKeyA
@.reloc
RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SetCurrentDirectoryW
SetFilePointer
SHLWAPI.dll
sQk	mK
THfLLh-@T]f	Yp	S$VA+\*
!This program cannot be run in DOS mode.
)TmN3k
UqsWpBiVnGkb
UrlCombineA
UrlCompareA
UrlCreateFromPathA
UrlEscapeA
UrlGetLocationA
UrlGetPartA
UrlHashA
UrlIsA
UrlIsNoHistoryW
UrlIsOpaqueA
UrlUnescapeA
V4%lnL
V6?Weo!H
V<9g^*!XNK)=dw
VirtualAllocEx
WaitForSingleObject
Wf)|Z.
WTSAPI32.dll
WTSEnumerateProcessesA
WTSEnumerateServersA
WTSFreeMemory
WTSQuerySessionInformationA
WTSSendMessageA
WTSUnRegisterSessionNotification
WTSVirtualChannelClose
WTSVirtualChannelPurgeInput
WTSVirtualChannelQuery
WTSVirtualChannelWrite
WTSWaitSystemEvent
Y7E#Z8
#ywU/%
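Many of the strings above (0#0-030>0C0K0a0e0k0u0, 1!1'1<1J1O1T1\1g1s1y1}1, :$:+:1:A:F:M:R:W:]:h:p:u:}:, =!=7===F=K=P=X=g=n=s={= and the like) are not data but the .reloc section read as text: each base-relocation entry is a 16-bit word with the type in the high nibble (3 = IMAGE_REL_BASED_HIGHLOW) and a 12-bit page offset, stored little-endian, so the high byte is 0x30..0x3F, i.e. ASCII '0'..'?', and a block prints as alternating (arbitrary byte, same '0'..'?' character) pairs whose decoded offsets increase. The following filter, an added example and not part of the report, keys on that structure to drop such lines from a strings dump; reloc_offsets, is_reloc_noise and filter_strings are hypothetical helper names and SAMPLE_STRINGS is a subset copied from the dump above.

```python
"""Structural filter for base-relocation noise in a strings dump.
Added example; assumes HIGHLOW fixups, one 4 KiB page per relocation block
(so every entry in a run shares the same high byte) and 4-byte-wide fixups
that do not overlap (so offsets increase by at least 4)."""

RELOC_HIGH = set("0123456789:;<=>?")   # 0x30..0x3F: type nibble 3 + offset bits 8..11


def reloc_offsets(s: str):
    """Decode s as a run of little-endian HIGHLOW relocation entries.
    Returns the 12-bit offsets, or None when s does not have the
    (low byte, '0'..'?') pair layout at either byte alignment."""
    for start in (0, 1):                  # the extracted string may begin mid-entry
        body = s[start:]
        pairs = [body[i:i + 2] for i in range(0, len(body) - 1, 2)]
        highs = {p[1] for p in pairs}
        if len(pairs) >= 3 and len(highs) == 1 and highs <= RELOC_HIGH:
            return [((ord(p[1]) & 0x0F) << 8) | ord(p[0]) for p in pairs]
    return None


def is_reloc_noise(s: str) -> bool:
    """True when s decodes as at least three fixups in one page with offsets
    rising by 4 or more, which is what a linker-emitted relocation block looks like."""
    offs = reloc_offsets(s)
    return offs is not None and all(b - a >= 4 for a, b in zip(offs, offs[1:]))


def filter_strings(strings):
    """Keep strings of at least 4 characters that are not relocation noise.
    Other binary garbage (e.g. '4cp9<E') is left in place: this filter only
    removes what it can positively explain."""
    return [s for s in strings if len(s) >= 4 and not is_reloc_noise(s)]


# Constructed sample: a subset of the strings dump in the report.
SAMPLE_STRINGS = [
    "0#0-030>0C0K0a0e0k0u0",
    "1!1'1<1J1O1T1\\1g1s1y1}1",
    ":$:+:1:A:F:M:R:W:]:h:p:u:}:",
    "=!=7===F=K=P=X=g=n=s={=",
    "4cp9<E",
    "ADVAPI32.dll",
    "GetProcAddress",
    "klospad.pdb",
    "WTSEnumerateProcessesA",
    "!This program cannot be run in DOS mode.",
]

if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        offs = reloc_offsets(s)
        if is_reloc_noise(s):
            print(f"reloc noise: {s!r} -> offsets {[hex(o) for o in offs]}")
    print("kept:", filter_strings(SAMPLE_STRINGS))
```

The same-page and minimum-gap rules are what keep version-like strings such as "1.0.0.1" or "1.2.3.4" from being discarded: their pairs decode to differing high bytes or to offsets closer than 4 bytes, neither of which a real relocation block produces. The "===" in =!=7===F=K=P=X=g=n=s={= is not a glitch in the dump either; it is the entry 0x3D3D, offset 0xD3D, sitting between 0xD37 and 0xD46.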