Analysis Date: 2014-10-13 21:22:16
MD5: f74dea612173999d3e0874575231991f
SHA1: b9c31835cc409a1ddf44331b2dd355713094eb73

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b0d10d36029269ced03704910fd8f342 sha1: a1c68e8ff308a41cf3e58375fedd3f5d026b02de size: 3072
Section .rdata: md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024
Section .data: md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536
Section .rsrc: md5: a57c7f4883ec86602d475d4addf0d5c9 sha1: 7d280392aba0c1ad500376f49c1b0d009f1e0355 size: 40960
Timestamp: 2014-06-17 19:19:15
Version:
  LegalCopyright: Copyright (C) 2008
  InternalName: sickly
  FileVersion: 7,2,4,19
  ProductName: sickly Application
  ProductVersion: 6,3,4,31
  FileDescription: sickly Application
  OriginalFilename: sickly.exe
PEhash: aa08b345557f392f5cf9a25e767913eb6eda649a
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV 360 Safe: Trojan.Dropper.Agent.VNI
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Alwil (avast): Kryptik-NXT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Trojan.Dropper.Agent.VNI
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r4
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad.64914
AV Emsisoft: Trojan.Dropper.Agent.VNI
AV Eset (nod32): Win32/Kryptik.CEET
AV Fortinet: W32/Kryptik.CEET!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Grisoft (avg): Crypt3.AAPJ
AV Ikarus: Trojan.Dropper.Agent
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: Troj/Loader-N
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vixopweatysi ➝ C:\Documents and Settings\Administrator\vixopweatysi.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\allamericanprintinginc[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sqdog[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\paravision[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\roytechind[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\smallfuel[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tractusservices.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\heigl-holz[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leads.com[1].htm
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bouchon[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Creates File: C:\Documents and Settings\Administrator\vixopweatysi.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\urivit[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\atre-ebisu-6fdental[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\re-tek.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\yorkmfg[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovelaceinteriors[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\winstedapts[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fosh[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\higienika[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\prudentialsavingsbank[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\allamericanprintinginc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sqdog[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\paravision[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\roytechind[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\smallfuel[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\heigl-holz[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tractusservices.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leads.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\urivit[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\atre-ebisu-6fdental[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovelaceinteriors[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\winstedapts[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\yorkmfg[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fosh[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\higienika[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\prudentialsavingsbank[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: vixopweatysi
Winsock DNS: winstedapts.com
Winsock DNS: prudentialsavingsbank.com
Winsock DNS: fosh.cz
Winsock DNS: roytechind.com
Winsock DNS: urivit.com
Winsock DNS: leads.com.my
Winsock DNS: eurofilms.com
Winsock DNS: lovelaceinteriors.com
Winsock DNS: smallfuel.com
Winsock DNS: greciahouse.it
Winsock DNS: allamericanprintinginc.com
Winsock DNS: higienika.pl
Winsock DNS: atre-ebisu-6fdental.com
Winsock DNS: bouchon.de
Winsock DNS: paravision.org
Winsock DNS: yorkmfg.com
Winsock DNS: tractusservices.co.uk
Winsock DNS: heigl-holz.at
Winsock DNS: sqdog.com
Winsock DNS: re-tek.co.uk

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: leads.com.my (Type: A) ➝ 208.91.198.111
DNS: urivit.com (Type: A) ➝ 211.202.2.19
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: heigl-holz.at (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
Flows TCP: 192.168.1.1:1035 ➝ 208.91.198.111:80
Flows TCP: 192.168.1.1:1036 ➝ 211.202.2.19:80

Strings