Analysis Date: 2015-02-12 14:54:09
MD5: 11d9729ace5403b436559e221d70fe87
SHA1: ad50e098c0596c1c921c5750c5f7973fb9973508

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ee50c3541b3eacf81fbfbede5ce95f73 sha1: 13d36cf47d3f686f5722f135b29670c7acee43a4 size: 78848
Section .data md5: 379c1ec8a2f77169f589f2e14453f74d sha1: 1eabeaee989153d54eead6775c674457a07462d8 size: 2560
Section .idata md5: 0feb592cbb9d4a251455311f1bfbefb7 sha1: 6072a4a84d315514e064f5df89d4b05877d71974 size: 4096
Section .rsrc md5: 2fc40f7f13fb042c4243fef20798156c sha1: 6f5d946dd8def5a522c9d49150b1e215178b032a size: 31232
Timestamp: 2007-01-08 18:08:52
Packer: RAR SFX
PEhash: 39d91f7d41d0f5037fefea67ff59b03a1a858948
IMPhash: 87b324a67e18fb2e1d12308b06fa8d4f
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Agent.IRC.n4
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Dropper.Generic_c.ADMA
AV Ikarus: no_virus
AV K7: Trojan ( 00071a9a1 )
AV Kaspersky: Downloader.NSIS.Agent.ot:HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: Error Scanning File
AV Microsoft Security Essentials: SoftwareBundler:Win32/Chindo
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Backdoor.Trojan
AV Trend Micro: TROJ_SPNV.01KH13
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
/
 
%
"
\
YRCN
..._ 
\"
01A0__
\\
\
.
:
.
x
....
333f3
(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br><br> <lI>
b<style>body{font-family:"Arial,
(&C)
(&D)
DVCLAL(
(&E):
f3fff
";font-size:12;}</style><ul><li>
GETPASSWORD1
hmsctls_progress32
jjjj
(&L)
</lI>
</li><br><br>)<li>
LICENSEDLG	RENAMEDLG
</lI></ul>
(&N)
(&R)
REPLACEFILEDLG
Rs$@
 %s 
"%s"
 %s CRC 
%s CRC 
Shell.Explorer
STARTDLG
(&W)...
 Windows 
WinRAR 
(&Y)
;|$ }-
?*<>|"
###!!&&&
###!&!&&
\+003-
03Ik3OY
04fMT{:
 (08@P`p
0A1WF+
0C89<-
0 +me*
^0Pla{A"
-"0rd|
?0{"t%
0	<uWP8mN
18]@A"_
^_1`]V*
<~1wa5
21""";;;
211"";;;
2@6I%@:
28U[QL*g
2D gjQ
2&E=43
2Nw#t%
3537-,
3XcK>|
414l389l1.exe
414l389l1.sfx.exe
-44|||
49coDl
4A~V,V'n__
`?.4+N
|4q8FX
4T5g'-
4X>?KQ
4Y_cOW
4Y_cOW	
4}yZ29
\5)bkDv
[5+d7c^=N
5	 `=>hE
5Zh|`.U0
:5;zPU
6:2.>JFffnh	
63yh']
6a/.>%
6P"XJs
6z[0P)(:
7\[1>V
7331-%!
7gBo^j
7~}$_kC<p
7QPt-D
7WU:/.
7XLF r
7%y :UR
82GGGS8888F
8FL+%&o
#8F#~VQ
8~I"vn
8;oNA(3
8Xb|w 
8)xj+JI
/999	T
9-H(3N
9|(hR|
/?9m&Z
=>9:>,o/
9sNpYNx
9{tPV\
@*9ZUK%
|*.@?a
-a99m;
/,;:AB6
AdjustTokenPrivileges
ADVAPI32.DLL
+ae!@4F
A^GCVv
AQRPhD
ASKNEXTVOL
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+auj!V
A)#uw"S
A^Ye'z
A^z+G_D
@b	gck(W
__BjES)
bqkyyygg
C9:.Xa
Carl Kessler
C,;C$s/
<CCxei
ceQ&^	gdk
cGLJKd
cGLxA@zwI
CharToOemA
CharToOemBuffA
CharUpperA
CHLov+
c&j-|I
CloseHandle
CLSIDFromString
}~[Co'
CoCreateInstance
COMCTL32.DLL
COMDLG32.DLL
CommDlgExtendedError
CompareStringA
CopyRect
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateStreamOnHGlobal
CreateWindowExA
c<<.sa
c!$sJU
)c_X%!z
|$|;|$d
D$8+D$D
`.data
D$`;D$\}
D$,;D$0u	
D$`;D$T|
DefWindowProcA
Delete
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR archiver</description>
DestroyIcon
DestroyWindow
d$FYrb*F
d|[&h&
DialogBoxParamA
DispatchMessageA
DKnx}L
D-o r*
DosDateTimeToFileTime
d,pc-U
D$T;D$\|
;D$Tt\
[(.-dU
EEESTT	H
	EEESTTT
EENNNN
EESTTTH
	EESUUUTFS
EgR+lK
e*j+Mn
e/Km*&7n
-el -s2 "-d%s" "-p%s" "-sp%s"
EnableWindow
EndDialog
eNPn+*
ENSTSE
ENSTTTH
	ENSUUUTFS
	EONSOOEEE
ePILW\\XIGTu
"E	S2E
e)s}!9
ESTTTH
	ESUUUTTSS
e*u;M_}O
ExitProcess
ExpandEnvironmentStringsA
$:*{>F
F2888MGGGMYYYSF
F28Y8SMMMSSSSSF
F^4JX>
F8882GGMGGS888F
F8888888888888F
F8888SGGGMS882F
F8888SGGGS88YSF
F888MGMGGGM888F
fbc:N:
FCcHdi/
FFF))EE	FFFF))))))
FFFFFFFFFFFFF
FFFFFFFFFFFFFm
FFFNOESOON
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FindWindowExA
FKw# "
F&LRRLLLMMMM&&%Fn
FMoLRRLLFLFMMM&&F
FOOESOON
FPDW?N
FreeLibrary
FSSSSSSSSSSSSMF
FSYYYYYSSSSSSSF
FTTT"U
FV=Alj^
G;|$ |
]g04>o
/G3eJ'E/U
Gc@b);:@>
GD`4Cp
GDI32.DLL
GetClassNameA
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetDlgItem
GetDlgItemTextA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetNumberFormatA
GetOpenFileNameA
GetParent
GETPASSWORD1
GetProcAddress
GetProcessHeap
GetStdHandle
GetSysColor
GetSystemMetrics
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
gj-_S`B
GlobalAlloc
gmrr`I
gppp***
GssmFa)
;g%UcD
h1UAs2u
h2>vx5
<head><meta http-equiv="content-type" content="text/html; charset=
HeapAlloc
HeapFree
HeapReAlloc
|hg~\QLQ8?
HHHT	S
HHTF*S
HHTTSE
HMHBHts
=HmiQ:e
	HTFSEESES
</html>
<html>
HTSEEESU
HTSESFF
HUTSESST
h?-U"y
h-WFde
hz=Js^
I4R[Y=
-i754b
iB}Gko
i@B}Gy
-]	&IC
.idata
iIs\O/W
i}~/?I,U\
i+Lm]<
Im3j6u
"i@MV(
InitCommonControlsEx
Install
IsDBCSLeadByte
IsWindow
IsWindowVisible
Iw3i5V6Y
%i~yLO
J~ $}!
j2jTb~
JJ>7L!
J-r@itq
Jtiq5r
jVF>Fa
'Jvgz'
_$"Jw.
/_/`JX
:K3J?m
k6!(kB
;K~,Az
KC0i!X
KERNEL32.DLL
,K	fedC_&pR%8
kFK=wz5
	~kk#/
~k&.^o
)KYpp@
,-$;l-
?L`0N 
L11188821
L888821/-OO./0R2888888RKn
);l$8u
      language="*"/>
lF!	 N
Li6?Aga
License
LICENSEDLG
L*jKRc
lkOOO788L
L$\)L$T
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
LocalFileTimeToFileTime
|lod}8
LookupPrivilegeValueA
{/	lp,pK
LSSM28Y^
lstrcmpiA
lstrlenA
lX888K
>LX\L`lzk]YXJFcu
LY^8RKn
M95:%0
MapWindowPoints
MessageBoxA
*messages***
mjhhzzza
mjzzza
ML[VLY\^R
MNF+\R
MOR|ON
MoveFileA
MoveFileExA
mqq}~aza))33
=MQQVWY`t
MultiByteToWideChar
**%mWI
mw)T+-
M;Z4s+;Z,s
;mZr=c08
m~zzaa
N4Y_cOW
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR"
nb9f>P#N
&nbsp;
]#[n@E(
n(h#e[J
.N*%JE>
NOSSSOOFTSE
nRS28Y^
n%rx)@
NsQD|O_a
NSSTTT
@[nwZ=
N_^[Y]
'#/-!O
O!cJx)
OemToCharA
OemToCharBuffA
`O/f&Tnx
$O{fZ.
OgIZ$+
O^hbCH
OLE32.DLL
OleInitialize
OleUninitialize
OO./08RLRtt
OOEEETTSEEE
///OOOESS
OOSFFF
OOSOOE
OOSSSOOFTTTS
OOTH	T
OpenProcessToken
Oqf%z|&S
Overwrite
(oWY{.T
p6j.=B
p<|aH	I
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXRar!
PB!8goz
pd#B`;
PeekMessageA
penc-N
P=Fo'0
PostMessageA
Presetup
      processorArchitecture="X86"
  processorArchitecture="X86"
ProgramFilesDir
      publicKeyToken="6595b64144ccf1df"
Q_-,bB
Q>He	cZ
qYnepZ
]%\#:R)
R1111111LLLL+LLLL++L
R111++++LS288881LLLL
R1.(EEP
R3F	3Kd
R|\5mb
R6;uAReM`$e
R8211111++LLL+++++1L
R882880EEOV[OO
R88MS821LL+++LL1188R
R8SMM88^88221MM8888R
__rar_
RarHtmlClassName
RarSFX
rBK9cK
ReadFile
.r@EF<
RegCloseKey
RegCreateKeyExA
RegisterClassExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RENAMEDLG
REPLACEFILEDLG
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges>
    <requestedPrivileges>
r~hhhzzzaall
Rhhjsr
riched20.dll
riched32.dll
RichEdit
R` Ls)
)rmUAi
rqs}~aa
rq~za)))3
RR2888881+K
RRProtect+
rrqs}~
rrqsxgyyg
rrsyyyg
rsmij[
@.rsrc
rtmp%d
/RuDzX
'	RVi(
s7@r6Q
SavePath
;SB+C$
%.*s(%d)%s
%s.%d.tmp
  </security>
  <security>
SendDlgItemMessageA
SendMessageA
SEO#!&&
SEOOOEF
SeRestorePrivilege
SeSecurityPrivilege
SESTTS
SESTTTFS
SetCurrentDirectoryA
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetLastError
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
S+\'eZ
SFTTTT
sfxcmd
sfxname
s(G0/~r
SGS88888F
SHAutoComplete
SHBrowseForFolderA
SHChangeNotify
SHELL32.DLL
ShellExecuteExA
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi.dll
Shortcut
ShowWindow
sIh\VA
Silent
Sl	,0	t
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
	SONSSOOSS
SOOSOOE
SOOSSOO
SOOSSOONNN
	SOOSSSOOF
SP0><@$
sQ7)`2_
sR8888+E(4Uq	
%s%s%d
SSEEES
SSOOSOOE
%s %s %s
SSSEES
SSSEESS
SSSFFF
SSSFTT
	SSSNOOOEF
	SSSOOSOOE
SSTTTT
STARTDLG
STTTEOESSSOO	T
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
.	S'Un2
sW":[v
:(%=`sy~MS
SystemTimeToFileTime
Szt}qQ
T$0+L$8
t8.4PL*
t88MM28YY888SMM8
t88MM28YY888SMMM2
t88MMS8YY882MMM88
	~t}~azzza
TempMode
tfkD$@)
TFSSSS
This program must be run under Win32
THUTSEES
tjzz9)))TTT
t Kt<Kt[
{t!l4=
tLLLLLLFEFFFn
__tmp_rar_sfx_access_check_%u
TNOOOESE
TQyYAm
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TSESFFF
TSOOOE
TSOOOESSSOOONEE
T$(;T$,
TTHUUHHH+T	H
TTSEEE
TTSEESSSES
TTSESUU
TTSE	T
TTSETHTT
TTSETTHHTT
T$`;T$T
TTTUUTEESF
tvew~@
t]YMBC
      type="win32"
  type="win32"/>
u8>T~m
(u<-  H^my
UHSEES
UHSEESTTT
UHTTSEE
UHTTTFF
uoLFFFLLLFn
UpdateWindow
USER32.DLL
UT...5
utf-8"></head>
uTh=RA
UUFEES
UUSEES
UUUHHH
	UUUHSOOON
	UUUHTSSEE
}UywuW~]W
V08>q)x
}]V9"J
vA.0lj@S
  version="1.0.0.0"
      version="6.0.0.0"
VhocFm[
V_nkYx
/vrL%L
]&@&VW
w143}3u
WaitForInputIdle
WaitForSingleObject
_`wi7+)-
WideCharToMultiByte
;=)%wp
WQ#={TP,
WriteFile
ws9?$<
wsprintfA
wt@{Prc
^wUWUK
;w)V%}&HA
wvsprintfA
WWKZC\D
	wwwii
wwwiii((
(;X]9.
Xaq8LD
x"+Bc)G_
(`xDN	
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
!xPEG!e
xXj+h*
"=Xyba
Y1$P%]
?y_+<9j
y/EGk]
YNANRC
*,YpC~
{<:y&q?	
&Y	RS0
YSh|6@
yS_I5z
Yv3b3o
ywXS^48
Y\`XMX\]g
_^[YY]
$YZ_^[
YZ]_^[
y;$Z.K
z(959]S
_zbD#C_
Z~J#-1
zL77CV
.zqKp_
;Z$sa;Z
(ZV2#B
]^z{!w
$;ZY<j