Analysis Date: 2014-03-02 11:15:03
MD5: 6cc74195d6090471d66f70400fd932f3
SHA1: b6afb0a7d3746b5d8c81cd051e46b5c618849006

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: c7fcfd0ceb40deb591c332826a3d0cb2 sha1: 5da3cd4100388df8ebe031ab471948bb005b1bce size: 78336
Section .rdata md5: 00914d838cf69804ac6be9d71c846e34 sha1: 00f9b2e2a82f73f29314c9afc83f98ad28057b52 size: 10752
Section .data  md5: b2e0ae008c6059a5e248e7c141da308d sha1: 012c6ad5229e0814448d08854a4f962af75db6cc size: 8704
Section .rsrc  md5: fb6ffb5fa7394a8694c5dd6b591fb076 sha1: cba65464995f7dffa85cde02af8f108e869b6a4a size: 512
Timestamp: 2011-08-08 17:24:54
Packer: Microsoft Visual C++ 8
PEhash: 65ca2c496e18576849b7cc636ab11e5e7cd0ceca
IMPhash: 8a201ed9b9ff1347582ec82f96d395f8
AV (msse): TrojanDownloader:Win32/Cutwail
AV (avg): BackDoor.Generic18.RXY
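The per-section md5/sha1/size values and the Timestamp above are read straight out of the PE headers: each section is hashed over its raw on-disk bytes (PointerToRawData for SizeOfRawData bytes, which is why every size is a multiple of the 512-byte file alignment), and the timestamp is the COFF TimeDateStamp, a field the author can forge, so treat it as a weak signal. The "Packer" field is a compiler-ID signature match rather than evidence of packing; the VC8 CRT messages in the strings section below agree with an unpacked Visual C++ 2005 build. The script below is an added example, not the sandbox's own code: it reconstructs those fields from PE bytes and shows how the IMPhash string is assembled in the pefile convention. build_sample() constructs a minimal PE32 in memory so it runs without the sample, and SAMPLE_IMPORTS is an assumed import list drawn from the strings below (the real import order is not on the page, so the report's IMPhash value is not reproduced).

```python
"""Recompute the 'Static Details' fields of this report (per-section md5/sha1
and raw size, compile timestamp) from PE bytes, and show how an IMPhash string
is built. Added example, not the sandbox's own code: build_sample() constructs
a minimal PE32 in memory so it runs without the sample, and SAMPLE_IMPORTS is
an assumed import list (the real import order is not on the page)."""
import hashlib
import struct
from datetime import datetime, timezone

FILE_ALIGN = 0x200            # PE FileAlignment; the report's sizes are 512-multiples
OPT_HDR_SIZE = 224            # sizeof(IMAGE_OPTIONAL_HEADER32)
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ...
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def _align(n, a):
    return (n + a - 1) // a * a


def parse_pe(data):
    """Walk DOS header -> NT headers -> section table and hash each section's
    raw on-disk bytes (PointerToRawData/SizeOfRawData), which is what the
    report's Section lines show; VirtualSize is not what gets hashed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _rva, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]  # slicing clamps a lying SizeOfRawData to EOF
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "truncated": len(raw) != raw_size,  # header claims bytes the file lacks
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {
        "machine": machine,  # 0x14C = Intel 80386
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def imphash(imports):
    """pefile-style imphash over (dll, function) pairs imported by name:
    lowercase, strip a .dll/.ocx/.sys suffix, join 'lib.func' with commas, MD5.
    Imports by ordinal (which pefile resolves via a lookup table) are assumed absent."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = stem
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


SAMPLE_TIMESTAMP = 1312824294        # 2011-08-08 17:24:54 UTC, the report's Timestamp
SAMPLE_TEXT = bytes(range(256)) * 2  # constructed 512-byte stand-in for .text
SAMPLE_RDATA = b"KERNEL32.dll\0GetProcAddress\0USER32.dll\0MessageBoxA\0".ljust(FILE_ALIGN, b"\0")
SAMPLE_IMPORTS = [("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "LoadLibraryA"),
                  ("USER32.dll", "MessageBoxA"), ("SHELL32.dll", "CommandLineToArgvW")]  # assumed order


def build_sample(sections=((".text", SAMPLE_TEXT), (".rdata", SAMPLE_RDATA)), timestamp=SAMPLE_TIMESTAMP):
    """Assemble a minimal PE32: DOS header, PE signature, COFF header, zeroed
    optional header (Magic 0x10B), section table, then file-aligned raw data."""
    nsec = len(sections)
    hdr_end = _align(0x40 + 4 + struct.calcsize(COFF_FMT) + OPT_HDR_SIZE + 40 * nsec, FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> NT headers right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, nsec, timestamp, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)
    table, body, raw_ptr, rva = b"", b"", hdr_end, 0x1000
    for name, raw in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(raw), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += _align(raw_size, 0x1000)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_end, b"\0")
    return header + body


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print("Timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    print("IMPhash:", imphash(SAMPLE_IMPORTS))
```

Run it against a real sample with `parse_pe(open(path, "rb").read())`; a `truncated` section or a section whose hash changes between two builds while the IMPhash stays stable is the usual hint that you are looking at a recompiled or re-packed variant of the same code base.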

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xagidepdonda ➝ C:\Documents and Settings\Administrator\xagidepdonda.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\xagidepdonda.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: xagidepdonda

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.172.254
DNS: smtp.live.com
Type: A
Flows: TCP 192.168.1.1:1031 ➝ 65.55.172.254:25
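Read together, the Runtime and Network Details describe the behaviour that matters for detection: the sample copies itself to the profile root as xagidepdonda.exe, registers that copy under the per-user Run key (user-level persistence, consistent with the asInvoker manifest in the strings section, which requests no elevation), guards against a second instance with a mutex of the same name, and opens a direct TCP/25 connection to a Microsoft mail host (smtp.live.com resolves through smtp.glbdns2.microsoft.com), which is what a Cutwail spam engine does on first run. Of the "Creates File" entries, PIPE\lsarpc is the LSA RPC named pipe and \Device\Afd\Endpoint is the handle Winsock opens for a socket, so neither is a dropped file; the entry under Application Data\Microsoft\Crypto\RSA\<SID>\ is typically a CryptoAPI key container created by CryptAcquireContext rather than a payload. The parser and triage checks below are an added example, not the sandbox's output: SAMPLE_REPORT is copied from the lines above, the regexes accept both the fused "RegistryHKEY..." and the "Registry: HKEY..." layouts, and the rules assume a Flows line is sandbox VM to remote host.

```python
"""Parse the Runtime Details / Network Details lines of this report into IOCs
and run a few triage checks over them. Added example, not the sandbox's own
code: SAMPLE_REPORT is copied from the report above; the regexes accept both
the fused 'RegistryHKEY...' and the 'Registry: HKEY...' layouts; the checks
assume a Flows line is sandbox VM -> remote host."""
import ipaddress
import ntpath
import re

SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xagidepdonda ➝ C:\Documents and Settings\Administrator\xagidepdonda.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\xagidepdonda.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: xagidepdonda
DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.172.254
DNS: smtp.live.com
Type: A
Flows: TCP 192.168.1.1:1031 ➝ 65.55.172.254:25
"""

KV = re.compile(r"^(Registry|Creates File|Creates Mutex|DNS|Flows)[: ]*(.*)$")
TYPE_LINE = re.compile(r"^Type:\s*(\w+)$")
IP_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FLOW = re.compile(r"^(TCP|UDP):?\s*([\d.]+):(\d+)\s*➝\s*([\d.]+):(\d+)$")
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
# 'Creates File' entries that are handles, not files on disk: the LSA RPC pipe
# and the Ancillary Function Driver endpoint Winsock opens for every socket.
NOT_FILES = ("PIPE\\lsarpc", "\\Device\\Afd\\Endpoint")


def parse_report(text):
    # A Registry line may carry its value on the following line; rejoin it first.
    text = re.sub(r"➝[ \t]*\n[ \t]*", "➝ ", text)
    iocs = {"process": [], "registry": [], "files": [], "handles": [],
            "mutexes": [], "dns": [], "flows": []}
    current_dns = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("↳"):
            iocs["process"].append(line[1:].strip())
            continue
        if current_dns is not None and IP_LINE.match(line):
            current_dns["answers"].append(line)   # A record answer for the last DNS line
            continue
        m = TYPE_LINE.match(line)
        if m and current_dns is not None:
            current_dns["type"] = m.group(1)
            continue
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Registry":
            path, _, data = value.partition("➝")
            iocs["registry"].append({"path": path.strip(), "data": data.strip()})
        elif key == "Creates File":
            iocs["handles" if value in NOT_FILES else "files"].append(value)
        elif key == "Creates Mutex":
            iocs["mutexes"].append(value)
        elif key == "DNS":
            current_dns = {"name": value, "type": None, "answers": []}
            iocs["dns"].append(current_dns)
        elif key == "Flows":
            fm = FLOW.match(value)
            if fm:
                iocs["flows"].append({"proto": fm.group(1), "src": fm.group(2), "sport": int(fm.group(3)),
                                      "dst": fm.group(4), "dport": int(fm.group(5))})
    return iocs


def triage(iocs):
    """Rules an analyst would apply to this report; thresholds are this example's own."""
    findings = []
    run_values = [r["data"] for r in iocs["registry"] if RUN_KEY.search(r["path"])]
    for data in run_values:
        findings.append(f"persistence: Run key entry -> {data}")
    dropped = [f for f in iocs["files"] if f.lower().endswith(".exe")]
    for f in dropped:
        if f in run_values:
            findings.append(f"self-copy registered for autorun: {f}")
        for mtx in iocs["mutexes"]:
            if ntpath.splitext(ntpath.basename(f))[0].lower() == mtx.lower():
                findings.append(f"single-instance mutex named after dropped binary: {mtx}")
    for fl in iocs["flows"]:
        # A workstation (RFC 1918 source) speaking SMTP directly to the internet is the
        # spam-bot tell; mail clients go through a relay, usually on 587/465, not 25.
        if fl["proto"] == "TCP" and fl["dport"] == 25 and ipaddress.ip_address(fl["src"]).is_private:
            findings.append(f"direct outbound SMTP from {fl['src']} to {fl['dst']}:25 (spam-bot behaviour)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(finding)
```

The same four findings map directly onto host and network detections: an autorun value in the HKCU Run key pointing into a user profile root, a newly created executable whose base name equals a newly created mutex, and any outbound TCP/25 from client subnets to hosts other than the organisation's mail relays.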

Strings
b.
\
.CC
 
.
                                 H
         (((((                  H
         h((((                  H
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
$=05x5
0A@@Ju
?0#G=b
0J9I){BLy@
0MXdZ]
0SSSSS
1<	Gb@
1=W@;8ob
'24bAD
2HX*Lc
2j,0Hb@
@3Id%|Y
3KOq@P@
4n5|.T
4.ODKA
4WP @(
4X-#~e$`
5goNMcH
6l5ZO@
@6~sX|
70b@@fb
 $7@Ay
7b,E9&{
@7bg4@
8{.bn@v
8CJAF[Bb|L
8FOU8+RUd
9G@Bf=
@A*@]@@@
/A\6KE
@AAH	Po/:@
AB}C@8
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AD@bB{
A`dd=<m
"@A:dH@@
@}adk%I
ADLb!@
A&E2bBJ
AFVAHw
`>Ag\@
{A@&iT
A|j#A2
AN443D
An application has made an attempt to load the C runtime library incorrectly.
@ARBhW
A=)R@Xq
.A!Sd<@
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
AUY0@@
Av@0,1O
AVWAf9
@@B`@'
@b@4bD4@
@b@4y@A
@b@5W;
B65D"zRkGL
b7$FIJ
b)8(s}
B8sdk{
@b@b8C-
bBB_@C
@b@bC*z@
@,bbD"a
(BBfIb@
bBH@&#
B}brmCb@
@b@CAc
@b@cfD
bDA!xi
@.bdCp
@b@Dy2B
b@EBb@
bE{Lv@"8
@.&BI}
>@bib@
bJ,9A6
*@bKh4
:$%BL,
@b@}l4
BLOAy@
@BL]YA
@b@O3*(
<b|O@x@
@b@q,BA
bRich~
b@$Tb}F
@b@tc(
@b@+t+D@v@B
@@b/T&H@
@b@U~i%
burrow
button
@b@@Uv
BwdQ*@
@C*[@(
CiL}py
%cjBkb
COMCTL32.dll
CommandLineToArgvW
CorExitProcess
@c|qpf
CreateWindowExA
- CRT not initialized
csvzG@(v
c=	"TFw
curation
CzrLT^@
@@$@<%@D
%D5B@=
D94:Cn
@.data
d@b@@y
@D @c@
dC(95!
dc DM>
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcA
DeleteCriticalSection
DispatchMessageA
dJA@v#=G5
.DKk@>
dLzA?B
DOMAIN error
DPEb @
dPNfA@*b
dP@qFh
DS]IB*
d=XU<@
\D@z!b
+,EdD@
EHfMc*
EncodePointer
EnterCriticalSection
@Erh|V
&( )ERP
ET9I4H
eu@Y0%
ExitProcess
	Fb2C]
FBX7O0dc
February
FFFFOu
F=H4y4
- floating point not loaded
Flq8U&d
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
&Fq5myg@
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
F@T+fC	Jk d
FVhPeA
FY(D!@
G2L0b K
gangclass
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
GhM,8Cbf
g@oIgAOs
GWhPeA
gXUc{D}
}H(45@
_H7.C@gd
@|@HCE
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
h@@J6Xg
hLI@`T
H-L	Phsm=2=b
H$L{Ut@
Hp?nJg`
<H- sHR
HVVPSVVh
@I7x*OH
ib"[b@
@i=h1r
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
intentional
InterlockedDecrement
InterlockedIncrement
@iryyn
IsDebuggerPresent
 ?{I@@uy
j0dALS
JanFebMarAprMayJunJulAugSepOctNovDec
January
J*<dbH
j(j ^V
Jqdx@Q
j{R{U,2
jTh0oA
k@4:@H
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
KjPvh2
 $kjvr
)<<KPs
k sAd4
l?@3rz`@&
#_l4@79
l4\r@L
@@#L4z@
L+85@B
l @CEC@:
LCMapStringA
LCMapStringW
lc)O<Gx
?l~<d4
LeaveCriticalSection
LE?@b0
L`HQA%
LISTBOX
Lj{8*@
Ln-A@A
LoadCursorA
LoadIconA
LoadLibraryA
Lvh({A%@
Lx0ldE*
@@@@)^m
masquer
masses
mb8k2S
@MC,C5J
M@DPP7
@mEK@A
MessageBoxA
@MH4X4d
Microsoft Visual C++ Runtime Library
@@Mj(@
MM/dd/yy
Monday
mscoree.dll
MultiByteToWideChar
*ND=@@
n`|H]z
@NnD+&
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
O3bUBH~D@7x
;O8F55
October
O`fn@3D
(#OH02B
'O@Lby}
Or)@Ptg
O&S4IKF
@P/0H+&
@@%p4A
participator
@($PBLt
,(@=pD
pDw/AI
P@,f@g
pKp4Hb
Please contact the application's support team for more information.
@pOhgR
PostQuitMessage
PPPPPPPP
P%@PUq'
Program: 
<program name unknown>
PropertySheetW
- pure virtual function call
PVhtQA
PVhyQA
~<Q39B
@*{Qni
qOIcQqst 
QueryPerformanceCounter
qw~l.)
r8AAtb
r.`|8y@
[-_R)bO
`.rdata
RegisterClassA
RhBOb@
(rI0o*
RiFRBt
RtlUnwind
runtime error 
Runtime Error!
Saturday
s@[dj|D@
segmented
SendMessageA
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
SetWindowLongA
sg{	o%@|
SHELL32.dll
SING error
stench
Sunday
SunMonTueWedThuFriSat
t5{rYp7bd
t^9(uZ
tactics
TBb@`@h	@F
tD9(u@
TerminateProcess
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
t!hPdA
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t#SSUP
TtG$<3
t$<"u	3
Tuesday
;t$,v-
t$$VSS
t+WWVPV
@@T@zq
UAH;@e
u,hxdA
@~^}UL
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
ux y2f
-	V0P@
}vB8l0A
VD9-s|bl(
VirtualAlloc
VirtualFree
v	N+D$
VNN0)F<DQ
@	vp|B
Vp$R@BH
WA,MQ<-G$
W/[bL}
w@d\b@
Wednesday
WideCharToMultiByte
@Wq0Obd
WriteFile
@wu$G),
@x#;A.
@X@C@$
@X(D~:
!xDiO@
XFb@He#
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
@Xpv@kAC
x>Q?6UV
/Y4HM;
Y5O.mB,
yb=CSA
>=Yt/j
_^][YY
YYu-9D$
YYuTVWh
Z4 XTx
&Z@{b@
zbL{VyH
Zb+QL{g\
(zDAZ4
Z%=\L8
Zuh(A63s8
Zzc*5i