Analysis Date: 2014-10-13 21:23:20
MD5: 705f1e40089debbb88063200cc7613dc
SHA1: b2c189220e1ef07d52c072f163bcb3459da59258

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 067763a8582efdd801432748685320f9 sha1: 2eacb16644f8609d3de5e63f54b0e3008633e70c size: 3072
Section .rdata: md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024
Section .data: md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536
Section .rsrc: md5: 51beaf1d2463f1bc8046996572f6d387 sha1: 3af4141a437559e03eaeaae53cc4e44ef636bf9f size: 40960
Timestamp: 2014-06-12 06:28:23
Version:
LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: aa08b345557f392f5cf9a25e767913eb6eda649a
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV 360 Safe: Trojan.Dropper.Agent.VNI
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Alwil (avast): Kryptik-NXT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Trojan.Dropper.Agent.VNI
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r4
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop3.14959
AV Emsisoft: Trojan.Dropper.Agent.VNI
AV Eset (nod32): Win32/Kryptik.CEET
AV Fortinet: W32/Kryptik.CEET!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Grisoft (avg): Crypt3.WOP
AV Ikarus: Trojan.Dropper.Agent
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: Troj/Loader-N
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\beazyfnofire ➝ C:\Documents and Settings\Administrator\beazyfnofire.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bcalex[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nashsolar[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\brolton.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\frieve[1].htm
Creates File: C:\Documents and Settings\Administrator\beazyfnofire.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\paravision[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cjborden[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\chaseinternet[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\horch-museum[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\baanukulele[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\americangeriatrics[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hirose-aa[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\office-gita[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\oseuadvogado.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ljecmetal.com.didtheyreadit[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ingimex[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hirose-aa[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nashsolar[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\office-gita[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\brolton.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\frieve[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\oseuadvogado.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\paravision[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\chaseinternet[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cjborden[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\horch-museum[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\baanukulele[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\americangeriatrics[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: beazyfnofire
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: cjborden.com
Winsock DNS: americangeriatrics.org
Winsock DNS: brolton.com.au
Winsock DNS: baanukulele.com
Winsock DNS: office-gita.com
Winsock DNS: chaseinternet.com
Winsock DNS: thelavenderpatch.com
Winsock DNS: ingimex.com
Winsock DNS: ljecmetal.com.didtheyreadit.com
Winsock DNS: nashsolar.com
Winsock DNS: frieve.com
Winsock DNS: bcalex.com
Winsock DNS: horch-museum.de
Winsock DNS: oseuadvogado.com.br
Winsock DNS: bigbluetours.com
Winsock DNS: paravision.org
Winsock DNS: hoteljoyfull.com
Winsock DNS: hirose-aa.com
Winsock DNS: worklifesupport.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: paravision.org (Type: A) ➝ 176.31.224.186
DNS: oseuadvogado.com.br (Type: A) ➝ 69.163.168.99
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: thelavenderpatch.com (Type: A)
HTTP POST: http://paravision.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
Flows TCP: 192.168.1.1:1034 ➝ 176.31.224.186:80
Flows TCP: 192.168.1.1:1036 ➝ 69.163.168.99:80

Raw Pcap

Strings
041904b0
6,3,4,31
7,2,4,19
absence express different daughter
&accompanied Miriam
&adjuration--words dramatic
&agreeable
&always certain
amendment worrying
angelic
&answer continued
appears hours
&asked; experience
attempt Peter
&audibly spirit
&ballet--a
better Harsh
&caution
conscious
considered
conviction
Copyright (C) 2008
cried particular
Dallow silence
&damned richly
&dangerous
&declared necessity--without
degree simply
&differently
&diversion
drawing Grace believe intimate
effect nothing
&elapsed
electronically demands
&enough behind--Im
entered
entirely
&evidently moustache
&exhibitions
&existence reason
expressed
&expressed
fellow
field crabbed
FileDescription
FileVersion
&general
Harsh
her--if
&herself accused
herself perform
&himself
humbugging
hundred actress mother chin--a
&ill-timed prefers
imperturbably
importunity
&inquiries nature
inquiry
intended
interesting
&interesting encouragement
interests ridiculous
&interfere living
InternalName
interval should
&itself
kindly
large
&leaned
LegalCopyright
like--doing
meeting naturally
&mingled
Miriam
&Miriam
&misunderstood
&mouth
MS Shell Dlg
oddest
OriginalFilename
&outsider
&passion
Peter
picture
piece
&please Sometimes
portents
possible erect
prize simplified something
ProductName
ProductVersion
&propositions vehicle
public
rehearsal imperious penalty
&remember
&repeated--go
returned
&returned
RichEdit20A
&risked
&river to-morrow
should
sickly
sickly Application
sickly.exe
&sometimes crumble
sought truth;
&sounds
speech Project chance doubts
spending
steps
StringFileInfo
&stupid entertainer
suggestion
&surprised
SysListView32
Tahoma
&telling
&terribly should
&theatre
&things;
&thinks tendency
&thorough beautiful
&thrown
&together success
Translation
turned
understand
urgent beautifully beribboned
&uttered
VarFileInfo
VS_VERSION_INFO
&wanted
&way--so
&Wheatsheaf Rooth
&whether
which
window chance
&winter scene
wishing consciousness
&without
&woefully youth
wouldnt
CreateWindowExA
DefWindowProcA
DispatchMessageA
ExitProcess
FindResourceA
GetCurrentProcessId
GetMessageA
GetModuleHandleA
GetProcessHeap
HeapAlloc
kernel32.dll
KillTimer
LoadCursorA
LoadIconA
LoadResource
PostQuitMessage
.rdata
RegisterClassExA
SetTimer
ShowWindow
!This program cannot be run in DOS mode.
TranslateMessage
UpdateWindow
user32.dll