Analysis Date: 2015-10-09 08:33:21
MD5: 099230f4599d92fb37b94e83fa71b150
SHA1: b106acfb217bed35357b8a00c1fdd688deaae134

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8f8538677f7f41bbc237b4bda0d8dafe sha1: a75423d3cf22aa6e8be232752dd8193e8c9082f4 size: 45056
Section .rdata md5: c433a533a99ffecb49488d7d49bd2bdd sha1: 998a81a113de5e2ccf6f183d910574cf4d983896 size: 33792
Section .data md5: 0d1c1c7cd19e98c69faa193b2d8f6b30 sha1: 319ea886b8fd275ddbdff44e1a887cb4a17d55d4 size: 12800
Section .rsrc md5: a9c23ff5cd643e301c3f34473b172730 sha1: 44ad1e7a3d390c6d853b1d4e21e3036b51f4d7d3 size: 1024
Section .reloc md5: 356cc19751a9d33ce690df6c0d3c639d sha1: 044785f44ee7e5f784041f92febf2e2a7004e9f2 size: 7168
Timestamp: 2007-05-06 10:23:50
Packer: Microsoft Visual C++ ?.?
PEhash: 19c645ff63f55b689b619b892452030d687d92ef
IMPhash: d2dca94809c70bc3f33efa06004120c4
AV Frisk (f-prot): W32/Trojan2.OJNQ
AV Ad-Aware: Trojan.Foreign.1
AV Arcabit (arcavir): Trojan.Foreign.1
AV VirusBlokAda (vba32): Backdoor.Androm
AV BullGuard: Trojan.Foreign.1
AV Kaspersky: Trojan.Win32.Generic
AV Padvish: no_virus
AV MalwareBytes: no_virus
AV Authentium: W32/Trojan.IOAR-2879
AV BitDefender: Trojan.Foreign.1
AV MicroWorld (escan): Trojan.Foreign.1
AV Emsisoft: Trojan.Foreign.1
AV CAT (quickheal): TrojanPWS.Zbot.A5
AV Eset (nod32): Win32/Kryptik.CEAI
AV Avira (antivir): TR/Crypt.Xpack.67717
AV Symantec: no_virus
AV Dr. Web: BackDoor.Andromeda.22
AV Microsoft Security Essentials: VirTool:Win32/Obfuscator.ALX
AV Ikarus: no_virus
AV K7: Trojan ( 0049b88b1 )
AV Zillya!: Backdoor.Androm.Win32.9156
AV Fortinet: W32/Generic.CEAI!tr
AV F-Secure: Trojan.Foreign.1
AV ClamAV: no_virus
AV Rising: no_virus
AV Mcafee: Generic-FAVF!099230F4599D
AV CA (E-Trust Ino): Win32/Gamarue.WLFDKdB
AV Alwil (avast): Zbot-UCB [Trj]
AV Twister: Trojan.Cap1461814.qllc
AV Trend Micro: no_virus
AV Grisoft (avg): Win32/Cryptor

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process (spawned by C:\malware.exe above)
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\mscula.exe\\x00
(This Run-key value is an autostart entry pointing at the dropped mscula.exe, i.e. the sample's persistence mechanism.)
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\mscula.exe
Deletes File: C:\B106AC~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNS: www.update.microsoft.com
Type: A
DNS: yaybit.net
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.158:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53

Strings
00-+ 
 
CC
\
.
!
.

- abort() has been called
ACONOUT$
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
change names
check file
choose base types
constract base
- CRT not initialized
dddd, MMMM dd, yyyy
December
DOMAIN error
error
February
- floating point support not loaded
Friday
                                 H
         (((((                  H
         h((((                  H
HH:mm:ss
January
July
June
March
@Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
nKERNEL32.DLL
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
October
Program: 
<program name unknown>
- pure virtual function call
put files acrosses
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
runtime error 
Runtime Error!
Saturday
September
SING error
Sunday
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Wednesday
WUSER32.DLL
                          
0 0@0`0|0
0#0-0@0d0
0"0,020
0=0Q0W0
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0@3D3H3L3P3T3X3\3i3{3[4e4r4
040D0H0X0\0`0h0
0(6(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
)0T0b0r0
^-0w$Q
;);1;~;
10262B2y2
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
1'1-141Q1^1f1r1
1'1-171=1G1M1W1`1k1p1y1
1,1=1G1M1
1D1X1`1h1p1t1x1
1V1F2V2[2r2
202P2p2
2%2:2O2Y2_2
2/292Q2_2w2}2
2$3*323=3K3V3\3
=,=2=7=E=J=O=T=d=
2+cVVk
;2;G;Q;W;
?+?2?G?X?b?h?
2sr5e"^
3-323<3B3I3X3i3u3
3 3@3`3|3
3!3&3.3>3H3N3b3z3
3!3*3/353?3H3S3_3d3t3y3
3/3H3d3m3s3|3
343I3R3X3
3)4P4^4
='>,>3>8>?>D>R>
=3=D=N=T=
3v4a8s8
4(0\c!4
4282<2@2D2P2T2h2l2p2t2x2|2
4%4+434H4Y4b4h4
4 4@4L4h4
4 4A4}4
4,5<5P5d5p5x5
4\5b5k5
4$5W5c6j6d7
<$<,<4<<<D<L<T<\<d<l<t<|<
4M4R4\4
4]*z2zDIr
5#5(5,505Y5
5 5:5I5V5b5r5y5
5*595?5G5\5m5v5|5
5#5F5Y5
5+"U]B
>6>;>"?)?1?
6"6(6:6@6H6]6r6|6
6*6]6l6u6
6"6H6N6x6
6$6J6\6
6 7*7U7m7
6	797@7L7R7^7d7m7s7|7
:&:/:6:F:L:Y:`:k:q:y:
?6?=?G?Y?_?h?o?
6H6P6T6l6p6
717:7F7}7
7*727>7D7Q7W7y7
7 7&7.7A7Z7o7y7
797@7D7H7L7P7T7X7\7
;7|G;p
|7K=.g}
:.:8:>:
828r8x8
8%8.858E8_8t8}8
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
8B8H8\8a8
? ?8?H?L?\?`?d?h?p?
8K:m(U<8
92:8:N:S:[:a:h:n:u:{:
9(939;9K9Q9b9
9$959?9E9
9"9*9/969F9`9q9{9
9)9;9M9_9q9
9(9L9X9\9`9d9h9
9(9V9\9a9g9x9
9@<D<H<L<P<T<X<\<`<d<
9gFks:
9L$H~#
9OS45nR
A4310+//0
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
ao-U_^
AppendMenuA
AppendMenuW
aQ\AWI5q
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
August
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVexception@std@@
;A<V<\<i<p<
a'vK;Y
.?AVlength_error@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
__based(
=B>b>k>
BeginPaint
BG	 o-
BitBlt
<==B=N=X=k=
&/bO&~L
Button
CallNextHookEx
__cdecl
;#;(;/;>;C;I;R;r;x;
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
CoInitialize
COMCTL32.dll
COMDLG32.dll
 Complete Object Locator'
ConvertStringSecurityDescriptorToSecurityDescriptorW
`copy constructor closure'
CorExitProcess
CreateCompatibleDC
CreateFileA
CreateFileW
CreateSolidBrush
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
 delete
 delete[]
DeleteCriticalSection
DeleteObject
DestroyCursor
===D=H=L=P=T=X=\=`=
:,;D;N;i;q;w;
:=;D;N;U;Z;`;r;
D$PF;5
D$TF;t$
D_y4L3	(
`dynamic atexit destructor for '
`dynamic initializer for '
__eabi
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
<'<<<E<K<
EncodePointer
EndDialog
EndPaint
EnterCriticalSection
EnumWindows
ET'si<
e[-_Utc
Ev$NL1N
ExitProcess
ExtractIconExW
__fastcall
February
>F?L?P?T?X?
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FreeEnvironmentStringsW
Friday
GDI32.dll
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCompressedFileSizeA
GetConsoleCP
GetConsoleMode
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDlgItemTextW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetFileAttributesA
GetFileSize
GetFileTitleW
GetFileType
GetLastActivePopup
GetLastError
GetLastInputInfo
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetScrollInfo
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemMenu
GetSystemMetrics
GetSystemTimeAsFileTime
GetTextMetricsW
GetThreadDesktop
GetTickCount
GetUserObjectInformationW
GetWindowLongA
G}ZpN>
`h````
>>?_?h?
H0L0P0T0X0\0`0d0h0l0p0t0x0|0
hag7P8
hD(Pm8
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
`h`hhh
HH:mm:ss
HHt$HHt
=">->H>O>T>X>\>}>
h+TP3!T
>/>H>Y>c>i>
I0X UQ
?If90t
ImageList_Create
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
invalid string position
;$;;;I;O;r;y;
IsDebuggerPresent
&iSNBs
IsProcessorFeaturePresent
IsValidCodePage
IsWindow
January
jb`,$$
j,h06A
j@j ^V
jQZ!y8
KERNEL32.dll
-kjky'
kY,C{14
kY$qDo
}L`,(2\
LCMapStringW
LeaveCriticalSection
LoadBitmapA
LoadIconW
LoadLibraryW
LoadMenuW
LoadStringA
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
lstrcatA
LY|~(!
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxW
MM/dd/yy
Monday
MoveToEx
MultiByteToWideChar
&nB0la
 new[]
November
N]q2}u
(null)
October
ole32.dll
`omni callsig'
operator
OutputDebugStringA
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
__pascal
`placement delete closure'
`placement delete[] closure'
PPPPPPPP
__ptr64
QQSVWd
QueryPerformanceCounter
RaiseException
`.rdata
ReadFile
Rectangle
RegCloseKey
RegisterRawInputDevices
RegOpenKeyExA
RegQueryValueExA
@.reloc
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
__restrict
}`?rh5
r`mM}i:
RtlUnwind
Saturday
`scalar deleting destructor'
    </security>
    <security>
SelectObject
SendDlgItemMessageW
SendMessageA
September
SetClassLongW
SetDlgItemTextA
SetDlgItemTextW
SetFilePointer
SetHandleCount
SetLastError
SetMenu
SetMenuItemInfoW
SetRect
SetStdHandle
SetUnhandledExceptionFilter
SetWindowTextW
SHELL32.dll
SHGetFileInfoW
SMwmvXF
^SSSSS
__stdcall
`string'
string too long
Su()0\
Sunday
]T0Jc\
TerminateProcess
__thiscall
!This program cannot be run in DOS mode.
T$hRVf
Thursday
< tK<	tG
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
T$l)T$
T$P;T$
tR99u2
t*=RCC
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t"SS9] u
t$<"u	3
Tuesday
;t$,v-
 Type Descriptor'
`typeof'
u5N)z2r
`udt returning'
uE}rpN>
__unaligned
UnhandledExceptionFilter
Unknown exception
UQPXY]Y[
URPQQh
USER32.dll
uTVWh~x@
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
`virtual displacement map'
v	N+D$
Wednesday
WideCharToMultiByte
W;~$Ky
WriteConsoleW
WriteFile
WS2_32.dll
wsprintfA
:X11_]
:xdG#o
xiJX\]
xppwpp
xpxxxx
}>~--{Y
_y4LG9
_y8L'{O
Y;=hYA
Y^x{ut
zcpp%1