Analysis Date: 2013-11-24 00:12:28
MD5: 646eb8dfe01853688f07cbff577a24ad
SHA1: ac804d4a5740cb73eb8a69b900fbdb78696d9d60

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: fa06bbb6490c2901ace47f3d3484a251 sha1: 973ca25865274583e28d7d589a7ce329a5689152 size: 39936
Section .rdata — md5: 517b8e4c0d250262adace44379dc8aff sha1: e46df227d0e11c17e0bea895d136286bc76e17d1 size: 12800
Section .data — md5: 5f32a94bfe214b85c230b726a06c2395 sha1: cdfa51af5a870464b8e90914fb2916768f8633d7 size: 8704
Section .rsrc — md5: da624b45ccf5e7b0ca71ced2debcbc52 sha1: cac0ec7ed51310a3653e383479ca91f694a7743a size: 1024
Timestamp: 2011-04-28 12:44:55
Version: CompanyName: 123 Corp.
FileVersion: 1.0.2.2
ProductVersion: 1.0.2.2
PEhash: c353e50faa6afb3f22909b08f3b32429bbbea0e2
AV avg: Generic_r.DDG
AV msse: TrojanDownloader:Win32/Cutwail.BS
AV avira: TR/Dldr.Cutwail.BS.350
AV mcafee: PWSZbot-FIT!646EB8DFE018
(The vendor labels do not agree on a family — two name a Cutwail downloader, one a Zbot variant, one a generic signature — so the family attribution should be treated as unconfirmed.)

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\coquctabvymu ➝ C:\Documents and Settings\Administrator\coquctabvymu.exe
(Run-key autostart entry pointing at the copy of the sample dropped under the Administrator profile; see the matching Creates File entry below.)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hartmultimedia[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\woodlandhillwinery[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\trinity-works[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\geodecisions[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\photoclubs[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurasia[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\d-j-b[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\c21edu[1].htm
Creates File: C:\Documents and Settings\Administrator\coquctabvymu.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leadershipforum[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\asj.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\areafor[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\screaminpeach[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\naijagurus[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\redconeretreat[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sortedorganizing[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\e-kagami[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hartmultimedia[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\woodlandhillwinery[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\trinity-works[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\geodecisions[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurasia[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\photoclubs[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\d-j-b[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\c21edu[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leadershipforum[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\areafor[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\asj.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\screaminpeach[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\naijagurus[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sortedorganizing[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\redconeretreat[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\e-kagami[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: coquctabvymu
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: geodecisions.com
Winsock DNS: woodlandhillwinery.com
Winsock DNS: photoclubs.com
Winsock DNS: sortedorganizing.com
Winsock DNS: ctr4process.org
Winsock DNS: c21edu.com
Winsock DNS: naijagurus.com
Winsock DNS: d-j-b.net
Winsock DNS: asj.co.jp
Winsock DNS: screaminpeach.com
Winsock DNS: hartmultimedia.com
Winsock DNS: frederickallergy.com
Winsock DNS: westhillsstl.org
Winsock DNS: eurasia.it
Winsock DNS: trinity-works.com
Winsock DNS: minatech.net
Winsock DNS: areafor.com
Winsock DNS: redconeretreat.com
Winsock DNS: e-kagami.com
Winsock DNS: leadershipforum.us

Network Details:

DNS: smtp.glbdns2.microsoft.com — Type: A — 65.55.162.200
DNS: c21edu.com — Type: A — 76.74.254.123
DNS: c21edu.com — Type: A — 76.74.254.120
DNS: c21edu.com — Type: A — 192.0.80.250
DNS: c21edu.com — Type: A — 66.155.11.238
DNS: c21edu.com — Type: A — 66.155.9.238
DNS: c21edu.com — Type: A — 192.0.81.250
DNS: redconeretreat.com — Type: A — 173.204.163.136
DNS: sortedorganizing.com — Type: A — 74.220.199.6
DNS: eurasia.it — Type: A — 54.229.116.65
DNS: e-kagami.com — Type: A — 54.249.238.243
DNS: leadershipforum.us — Type: A — 66.39.30.185
DNS: woodlandhillwinery.com — Type: A — 198.252.69.69
DNS: photoclubs.com — Type: A — 209.50.251.101
DNS: screaminpeach.com — Type: A — 108.162.204.235
DNS: screaminpeach.com — Type: A — 108.162.203.235
DNS: naijagurus.com — Type: A — 192.64.112.193
DNS: areafor.com — Type: A — 185.2.130.31
DNS: geodecisions.com — Type: A — 216.174.25.93
DNS: westhillsstl.org — Type: A — 108.162.196.220
DNS: westhillsstl.org — Type: A — 108.162.197.220
DNS: ctr4process.org — Type: A — 108.162.203.164
DNS: ctr4process.org — Type: A — 108.162.204.164
DNS: frederickallergy.com — Type: A — 64.203.75.13
DNS: minatech.net — Type: A — 202.181.97.93
DNS: trinity-works.com — Type: A — 219.94.206.70
DNS: d-j-b.net — Type: A — 210.172.144.247
DNS: asj.co.jp — Type: A — 219.118.206.4
DNS: hartmultimedia.com — Type: A — 196.210.116.196
DNS: smtp.live.com — Type: A — (no address listed in the report)
HTTP POST: http://eurasia.it/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://leadershipforum.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://redconeretreat.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://c21edu.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sortedorganizing.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://photoclubs.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://screaminpeach.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://woodlandhillwinery.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://e-kagami.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://naijagurus.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://areafor.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://geodecisions.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://westhillsstl.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ctr4process.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://frederickallergy.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://minatech.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://trinity-works.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://d-j-b.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://asj.co.jp/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://hartmultimedia.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
(Every POST goes to the root path of a different domain with the same fixed User-Agent string; that string is a usable detection attribute on its own, though it must be paired with the POST-to-root pattern to avoid matching legitimate legacy clients.)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.162.200:25
Flows TCP: 192.168.1.1:1038 ➝ 54.229.116.65:80
Flows TCP: 192.168.1.1:1039 ➝ 66.39.30.185:80
Flows TCP: 192.168.1.1:1043 ➝ 173.204.163.136:80
Flows TCP: 192.168.1.1:1044 ➝ 76.74.254.123:80
Flows TCP: 192.168.1.1:1046 ➝ 74.220.199.6:80
Flows TCP: 192.168.1.1:1045 ➝ 209.50.251.101:80
Flows TCP: 192.168.1.1:1047 ➝ 54.249.238.243:80
Flows TCP: 192.168.1.1:1048 ➝ 108.162.204.235:80
Flows TCP: 192.168.1.1:1049 ➝ 198.252.69.69:80
Flows TCP: 192.168.1.1:1051 ➝ 192.64.112.193:80
Flows TCP: 192.168.1.1:1052 ➝ 185.2.130.31:80
Flows TCP: 192.168.1.1:1053 ➝ 216.174.25.93:80
Flows TCP: 192.168.1.1:1054 ➝ 108.162.196.220:80
Flows TCP: 192.168.1.1:1055 ➝ 108.162.203.164:80
Flows TCP: 192.168.1.1:1056 ➝ 64.203.75.13:80
Flows TCP: 192.168.1.1:1057 ➝ 202.181.97.93:80
Flows TCP: 192.168.1.1:1058 ➝ 219.94.206.70:80
Flows TCP: 192.168.1.1:1059 ➝ 210.172.144.247:80
Flows TCP: 192.168.1.1:1060 ➝ 219.118.206.4:80
Flows TCP: 192.168.1.1:1061 ➝ 196.210.116.196:80
(The single port-25 flow targets the address the report lists for smtp.glbdns2.microsoft.com; each port-80 flow targets an address listed above for one of the HTTP POST domains. Outbound SMTP from a workstation is the one flow here that ordinary egress filtering would be expected to block.)


Strings
041504B3
1.0.2.2
123 Corp.
CompanyName
FileVersion
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
<%%$%%
>%%$%%
,%=$`$
.%%$%%
&%%$%%
%|%%$%%
%  $%%$
%"=%,%
%$%%`%
%$%%>=
%$%%%%
%%&%$$-
%%%$-%`
%%%$,	!
%%%%%$%%
%%%%%%
	%%$%%
]0%5^"
0as$PDC
0aUCo3
%$0]HIn8
0L%%%%
~@0n$?Q
0uL15i
%%%0z\
1%%$%%
@`1"[l
1&@!P'
1=~U%%$%%
#]2(`A
>2An?Y$;&
3-K$M`
3/"s9q
4<0rQ%
4hW$d`
4Wb0r*
5]$$d%	
5Q$(%$
*5UhG 7Q5%$
%5V%%@
%6j %3
%$%%6vz
%`6"W)U
 75uu#
%$%%7D"@%/p
7p"%O/
7 W!G[[%
%')8<$
$9%%%%
9!m%%$%%
.$9*Q<j%$_
9x'KEs
%%%$%A
a$0&p68,'
$%`a4@
A!4A{u
AaU@EM5Re
accessible locally
$&aD%%
%%%$ADh
aDm[$P#
{=`_ag
aQ:tfx@&
a!s[9E%
AuV%%$
	A=yX"
B-%%$%%
%$%%B%D
bE#vI0
BitBlt
bK${%q
%@bPEur
BqZS03`\
.bSrc%Q
button
B`@XcCQEe
%{`C%%
C@ 0M%@
%%#C#%Q
CreateWindowExA
-CT`%$
!D%%%%
%$%%%$D
@.data
DefWindowProcA
Destroy
DispatchMessageA
/dP,`J
DQ%5%%
DQ%`H&
$%D%QM
dS~!M:\
%%%DtI#
&E%%%%
%$%%E%
%%%$E 
E0F%	0;%%%%
$%:-eF
E$%f@T']	U${sO
E%(&I&P
E%& &%k
eSMA5')
E	S>QL
ev"&n%
<\.?F$
%F`K`y 
following statements
FRO%%%$%%
fsHun;Fh/
%fu&%q>%
$f%ZQb
|"'g%%$
%$%%g_
!G<+5%-
g632J>
gdi32.dll
GetCommandLineA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetFileVersionInfoA
GetLastError
GetMessageA
GetModuleHandleA
GetWindowRect
GGGGBBBBIu
GH/%y}*H/%
%%%g$%X:%
%"!{h~
%$%%&H
H-AOYOm
Hi`!%%
Hk@D!`
hP]&hgA
	\h%Q%&
$!<hR%
H%s%%$%%
,^h%X9
&h!x=)U
I'@D?7!
i%KC'%eE
I$M,p@
initial
isq*s)5
i(u'`%%
'IvQ&%A
$)]J)'
`J$9Sf
[JApO`
Jew$z%0
J$MP !
%%jN70
%_j%Qvp
JuL5|M
%%%$|k
%%%$K*
K%%$%%
%k{9%r
KA$!~,
kernel32.dll
KillTimer
KJ*'u8
%%%$K{y
l-0A%$
`[l27L
lhw|$'%
lk$UaPX
LoadCursorA
LoadIconA
`LOo*A
L-p%%+
=L$qO%f
L$%u%%%%
=LU)u`%#
LvA%F%%
%%%<-m
%%m')*$
%$%%M)
M8/cv'#
%%m/i!5 
MoveWindow
MPpTy70
%MuM`C9pI
must it search
|#'N%%
N"%%%$
N8%( P
%%%noY
:)N]P%<[
n%%v1%
%%%o%[ 
~]%%)	O
O-%%%%
O%%%$%%
]O'0r$
%%%O)a
o, AYk
other usage will mark you
{/+p0)v
PDsHV%$
pIr%%$
%%"pL,$g);%
PostQuitMessage
{*]#PP@
!P%qDOQ
pql%	@
%%PUu0<
$@Pv)>
Pv%%%%
 -py |
=p.Y%S
-Q%*{%
%%%^%$Q
%%%$%Q
Q2%%%%
QKU%%V_
/!Q*M2
%%%$!QPssW
`QQuM"
]-Q=Qz
%$%%Q%rx
%$%%qU
q%&&u>Z
Qw%%%%
qY!v'%
 r%%%%
-/r#&	
)r%%%%
]]_)(r
%$%%r%~!
%%%$&r
%%_]	R%
R%%$%%
%%%$$r5
r&6$y*
@ra`+$#
(%raB%
`.rdata
RegisterClassExA
%Rh!V#X
Rich\{
@-RK&%
r&M %8
rO!@v"
Rr%%$%%
%%%$rv
%%ry>x
@s% &&/$#>'
*-s-%]
%%%)#s
S6I5u0
SendMessageA
SetFocus
shfolder.dll
SHGetFolderPathA
ShowWindow
%-sk$t\
Tahoma
talking about
tb"-Or
!This program cannot be run in DOS mode.
 to override such
TQ$`42
TranslateMessage
t.V--%%$%%
 %%\u'
%%%$,U
U.0P4@
,u-|7*
ufGo%$
uF%Wq`'
]+UL#Y!
uM-+M6
]UOg@N@
%%uP%]
UpdateWindow
%%%%U_Q'J
user32.dll
ut %%$%%
>U!&&/u6
u%zp%%$%%
%$%%-$v
v_%%$%%
#vC?%~%%
version.dll
@]%vhv
v`p>%'
%$%%$v%^v5z
%%Vx;$
~}V&XYs
V*'Y$s
vY%sXQ
%%|,vz%#$M
|/\%w5
%whPaM
Window
''%~-%wj5V
%$%%$Wm9"
WQL`'@
*'%W)S'A-z%$
%%%$x%
^>!X%$
~x%5%`
?@X9)%%
@!-$XL7E
$#$xM<J
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
X%#S`L
%%x%uw
-Xu$W'
,Y%%%%%
%(Y2&A5
@{y>c&
$$yj%$
yUc %WO
=]%y	z`
%%%$[yz
/Z%%%{!
]Z1\,Q-
Z4UP-)
!zbi/Ls
zl,Y u
%$]z%p
%"zsq)%7%
Z%%tu0
%zu%A5p{%
z!#(xVGh!