Analysis Date: 2014-10-30 16:29:43
MD5: 019f0b38256c69b2cd23f52b3c121d9f
SHA1: bc0a1b7a4ddfb2390d0f51c759cee4ff5832599e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: a30fadaf61995bb9bc9fab2edc863785 sha1: 37445f991e8ea103a72eb9fad878da7026158491 size: 1024
Section .rdata md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024
Section .data  md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512
Section .rsrc  md5: ddff2056ea84d82344392642c31515d5 sha1: 41155073bf0178fbe73e0d30b7e77bdb2c31b771 size: 58368
Timestamp: 2014-06-26 11:39:36
PEhash: f13de80a8e0ee698bbf613cc72d0cfdb65aee45e
IMPhash: 4ca0a0adb97211d9334271ded971bdde
AV 360 Safe: Gen:Variant.Kazy.327123
AV Ad-Aware: Gen:Variant.Kazy.327123
AV Alwil (avast): Cutwail-CM [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.WLJF-8915
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Kazy.327123
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop3.14959
AV Emsisoft: Gen:Variant.Kazy.327123
AV Eset (nod32): Win32/Kryptik.CFFF
AV Fortinet: W32/Generic.BG!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.327123
AV Grisoft (avg): Agent
AV Ikarus: Trojan.Win32.Cutwail
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.US
AV Mcafee: RDN/Generic Downloader.x!lg
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Kazy.327123
AV Norman: Gen:Variant.Kazy.327123
AV Rising: no_virus
AV Sophos: Troj/Cutwail-BG
AV Symantec: no_virus
AV Trend Micro: TROJ_CUTWAIL.SM0
AV VirusBlokAda (vba32): Trojan.Cutwail
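
The static rows above are what a triage analyst pivots on: the code section is only 1024 bytes while .rsrc is 58368 bytes, and the Strings section at the bottom of this report lists FindResourceA and LoadResource among the imports, which is consistent with a small loader stub carrying its payload in resources (the AV labels Kryptik, Dropper.Gen and MulDrop say the same thing). The IMPhash is the value used to cluster such stubs across samples whose section hashes differ. The block below is an added example, not part of this report or of any sandbox's code: it reimplements the import-hash algorithm used by pefile (lower-cased `dll.function` pairs, DLL extension dropped, comma-joined, MD5) over an import table reconstructed from the API names visible in the Strings section. The order of that table is an assumption, because a strings dump does not preserve import-table order, so the hash it prints is not expected to equal the IMPhash recorded above; the point is how the value is built and that it is order-sensitive.

```python
import hashlib

# Import table reconstructed from the API names in this report's Strings
# section (kernel32.dll, user32.dll, gdi32.dll). The ORDER is an assumption:
# a strings dump does not preserve import-table order, so the hash computed
# from this list is not expected to match the report's IMPhash.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "FindResourceA"),
    ("KERNEL32.dll", "LoadResource"),
    ("KERNEL32.dll", "GetModuleHandleA"),
    ("KERNEL32.dll", "GetProcessHeap"),
    ("KERNEL32.dll", "HeapAlloc"),
    ("KERNEL32.dll", "GetCurrentProcessId"),
    ("USER32.dll", "RegisterClassExA"),
    ("USER32.dll", "CreateWindowExA"),
    ("USER32.dll", "DefWindowProcA"),
    ("USER32.dll", "GetMessageA"),
    ("USER32.dll", "TranslateMessage"),
    ("USER32.dll", "DispatchMessageA"),
    ("USER32.dll", "SetTimer"),
    ("USER32.dll", "KillTimer"),
    ("USER32.dll", "PostQuitMessage"),
    ("GDI32.dll", "CreateCompatibleDC"),
    ("GDI32.dll", "SelectObject"),
    ("GDI32.dll", "BitBlt"),
    ("GDI32.dll", "DeleteDC"),
]

# pefile strips exactly these extensions from the DLL name before hashing.
STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def imphash(imports):
    """Import hash as pefile.get_imphash() computes it.

    imports: list of (dll_name, function_name) in import-table order.
    Each pair becomes 'dll.func' (lower-cased, extension dropped); the pairs
    are joined with ',' and MD5'd. Order matters, which is what makes the
    value useful for linking builds of the same stub.
    Imports by ordinal (function_name None) need an ordinal->name table
    and are rejected here rather than silently hashed wrong.
    """
    parts = []
    for dll, func in imports:
        if func is None:
            raise ValueError("ordinal imports need an ordinal->name lookup table")
        lib = dll.lower()
        base, sep, ext = lib.rpartition(".")
        if sep and ext in STRIPPED_EXTENSIONS:
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def same_import_set(a, b):
    """True when two samples import exactly the same DLL/function pairs.

    Same import set but different imphash means the same code was relinked
    or rebuilt with another import order: still worth clustering together,
    even though the imphash alone would separate them.
    """
    norm = lambda imps: {(d.lower(), f.lower()) for d, f in imps}
    return norm(a) == norm(b)


if __name__ == "__main__":
    print("imphash :", imphash(SAMPLE_IMPORTS))
    print("reversed:", imphash(list(reversed(SAMPLE_IMPORTS))))
    print("same set:", same_import_set(SAMPLE_IMPORTS, list(reversed(SAMPLE_IMPORTS))))
```

When hunting with the IMPhash from this report, remember the order sensitivity shown by the reversed list: a recompiled variant of the same stub can have an identical import set and a different hash, so treat imphash matches as strong links and imphash mismatches as inconclusive.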

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vibiqbotware ➝ C:\Documents and Settings\Administrator\vibiqbotware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\axisdanceshoes[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mjferguson.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dphp[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\roytechind[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\coolbsuhouses[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tbl.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\computerprose[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\theparentingcenter[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tvtools[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lagranmanzana[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\robertoanguita[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\systemteknik[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\vibiqbotware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kwcomputers[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wingup-pt[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\miarural.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\robertoanguita[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\axisdanceshoes[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mjferguson.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dphp[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\systemteknik[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\roytechind[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kwcomputers[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\coolbsuhouses[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wingup-pt[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tbl.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\computerprose[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\theparentingcenter[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tvtools[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\miarural.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lagranmanzana[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: vibiqbotware
Winsock DNS: mjferguson.co.uk
Winsock DNS: theparentingcenter.org
Winsock DNS: miarural.com.au
Winsock DNS: axisdanceshoes.com
Winsock DNS: systemteknik.se
Winsock DNS: roytechind.com
Winsock DNS: computerprose.com
Winsock DNS: kwcomputers.com
Winsock DNS: dphp.net
Winsock DNS: tbl.com.mx
Winsock DNS: wingup-pt.com
Winsock DNS: doerrsiding.com
Winsock DNS: distronic.es
Winsock DNS: keanstech.com
Winsock DNS: tvtools.fi
Winsock DNS: coolbsuhouses.com
Winsock DNS: unipulse.com
Winsock DNS: robertoanguita.com
Winsock DNS: lagranmanzana.es

Network Details:

DNS: smtp.glbdns2.microsoft.com (A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 63.250.193.228
DNS: miarural.com.au (A) ➝ 113.20.11.17
DNS: dphp.net (A) ➝ 59.106.13.48
DNS: lagranmanzana.es (A) ➝ 92.222.178.249
DNS: smtp.live.com (A)
DNS: smtp.mail.yahoo.com (A)
DNS: wingup-pt.com (A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
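
Read together, the runtime and network rows describe the behaviour behind the Cutwail verdicts: the sample copies itself to the profile root as vibiqbotware.exe, registers that copy under the HKCU Run key, guards itself with a mutex of the same name, fetches pages from roughly twenty small sites through WinINet (the WininetConnectionMutex and the Content.IE5 cache entries that are written and then deleted), resolves the SMTP hosts of Microsoft and Yahoo, and opens TCP/25 connections to the answers. A workstation speaking SMTP directly to public mail servers is the classic spam-bot tell. The block below is an added example, not part of this report or of the sandbox that produced it: it parses rows in the layout used above into indicators and raises the three findings a responder wants from this report (Run-key persistence to a self-dropped copy, a mutex matching the Run value name, and port-25 flows resolved back to the SMTP hostnames). The embedded rows are a constructed subset of the report; the separator convention (`Kind: value`, `➝` between key and value) is the one used on this page.

```python
# Added example: turn sandbox report rows into indicators and findings.
# SAMPLE_REPORT is a constructed subset of the rows shown on this page,
# in the "Kind: value" / "key ➝ value" layout used above.
SAMPLE_REPORT = r"""
Process: C:\malware.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vibiqbotware ➝ C:\Documents and Settings\Administrator\vibiqbotware.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\vibiqbotware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dphp[1].htm
Creates Mutex: WininetConnectionMutex
Creates Mutex: vibiqbotware
Winsock DNS: dphp.net
Winsock DNS: mjferguson.co.uk
DNS: smtp.glbdns2.microsoft.com (A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 98.139.211.125
DNS: dphp.net (A) ➝ 59.106.13.48
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
"""

ARROW = "➝"
PROFILE_ROOT = "c:\\documents and settings\\"   # XP-era profile root seen in this report


def parse_report(text):
    """Collect the rows that matter for triage into one record.

    run_keys: (value name, target path) for anything written under ...\CurrentVersion\Run\
    created:  dropped file paths
    mutexes:  mutex names
    dns:      resolved IP -> hostname (from the Network section's DNS answers)
    flows:    (source, destination IP, destination port)
    """
    rec = {"run_keys": [], "created": [], "mutexes": [], "dns": {}, "flows": []}
    for line in text.strip().splitlines():
        kind, _, rest = line.partition(": ")
        if kind == "Registry" and ARROW in rest:
            key, _, value = (p.strip() for p in rest.partition(ARROW))
            if "\\currentversion\\run\\" in key.lower():
                rec["run_keys"].append((key.rsplit("\\", 1)[1], value))
        elif kind == "Creates File":
            rec["created"].append(rest.strip())
        elif kind == "Creates Mutex":
            rec["mutexes"].append(rest.strip())
        elif kind == "DNS" and ARROW in rest:
            host, _, ip = rest.partition(ARROW)
            rec["dns"][ip.strip()] = host.split(" (")[0].strip()
        elif kind == "Flows TCP":
            src, _, dst = rest.partition(ARROW)
            ip, port = dst.strip().rsplit(":", 1)
            rec["flows"].append((src.strip(), ip, int(port)))
    return rec


def findings(rec):
    """Return (category, message) pairs for the behaviours worth alerting on."""
    out = []
    created = {p.lower() for p in rec["created"]}
    mutexes = {m.lower() for m in rec["mutexes"]}
    for name, target in rec["run_keys"]:
        t = target.lower()
        # Run value pointing at a file the sample itself wrote into the user profile:
        # user-level persistence via a self-copy, no admin rights needed.
        if t.startswith(PROFILE_ROOT) and t in created:
            out.append(("persistence", f"HKCU Run '{name}' -> self-dropped copy {target}"))
        # A mutex named like the Run value is the bot's single-instance guard;
        # the name doubles as a host-based indicator.
        if name.lower() in mutexes:
            out.append(("mutex", f"mutex '{name}' matches Run value name"))
    for src, ip, port in rec["flows"]:
        # Direct SMTP from a workstation; map the IP back to the resolved hostname.
        if port == 25:
            out.append(("smtp", f"{src} -> {ip}:25 ({rec['dns'].get(ip, 'unresolved')})"))
    return out


if __name__ == "__main__":
    for category, message in findings(parse_report(SAMPLE_REPORT)):
        print(f"[{category}] {message}")
```

On a live network the same logic applies to flow logs: any host outside the mail tier opening TCP/25 to addresses that resolve to smtp.* names deserves an alert regardless of which sandbox verdict the binary carries, and the Run value and mutex names give the host-based checks to confirm the infection.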

Strings
.B.
..@.
.
5WA	
&about highnesses
absolutely tribulations enticing
&accent
actress sufferance
&admire ambition
advice
&advise matter
affair
&affair
again
&aggressive rolled
&ahead;
&alone before
&always
&Americas Sherringham
amused
&angry unburdened
antidote eyeglass
&anything
appealed
&appear else--the
&artistic everything
&artist remained
aspirant gloves
&assent
august;
&beautiful expressed
&beauty
&because
before
&before
Before
&Before
&before rested
&belongs shouldnt
benevolent
better
&between perfectly
blowing
&bottom
&bright preference
&broken femmes
brother pockets delicate
brought
bungled abroad caring
business
&business moment
&canvas myself
&career
&career action--for
&carried continuance
&case--well daresay
challenge
character
&charmed
&charmed Biddy
&cherished no--everythings
&coachman
&coming
&companion
&compelled pleasure
competent engaged
comprehensible
computers
&comrades
comrades everything
conceded unhappy
&connexions
&conscious
&consented
&consideration Sherringham
contradicted assumed
&counted
&country-houses
&country should
covered
&creatures medals
&curiosity
curiosity synonymous
curve;
cushioned clever Better
Dashwood window charming,gentleman staring to-day; imputing presently	surprised
&dazzling
&deceit
&deeper novels
&definitely
degree
delighted
&delightful improper
&deluded laughed
&demonstration
&describe--if
destined
&device fondness
&dining
&disaster talent;
&disclaimers interests
&discouraging
&dispersal
&Dormer
&Dormer worthy
&drama;
&draught
droll vision produced audibly
&dropped hastily
During simpler stockbroker version
easily
&education
&effort
embodied
embraced
&embroidery lingered
enough
&enough
enough dreadful memory:health before anything perform expenses minister literally
entity
&epitome
essence
&events
everything
&Everythings proposed
&exactly
&exasperated
excellent Carr?? casual
&exertions
explained returned
extraordinarily
&face--in moving
&failed straight
&father delightful
&favour
&felicities before
&fellow
figure
&figuring began
flatness
&flowers
fondly celebrated
&forbore
formats bravely
formed
&Foundation effective
frankly library
functionaries
&further
future
&Gabriel humbugging
Gabriel question
general action
&general appearance
genius--he
&gentility suspicion
getting fondly struck esteemed'memories forward course invitation--and(protection abreast humiliations derision$lingering looked precisely observing2Fran?ais come--to proofs because morning pretended0domestic rudiment before during Martins reportedEthree-quarters learned indebted electricities otherwise theres excess
&gowns flaxen
graces though
&grind
&hand-bills
handsome disagree seemed
&Harsh Nicholas
&havent interesting
havent thing
hearing
heroic
&herself
herself seemed mornings never--never
&himself excuse
history
&honour Madame
house
&house
&houses
how--but definitely
however
&however tasteful
hundred
hushed paradoxical
&imagination
immediately mother
impugn are--and
&impugned impression
&inferior
&infinitely
&innocent absolutely
&inscrutably dreadful
&insistently again
&interesting
&interesting bargain
intrude
irrepressible should yours--and
&irresistible reflexion
Juliet
&junior retract
&justice--something
&justly smiling
&kindly volume
knew--I however
ladder
&ladies
&large really
&lawn-tennis returned
&leaning ardent
&length regarded
&letters Havent
LIABILITY
&liberty middle
&life--shes inanity
likely Biddys
&Little
&little short
living Beauclere
London
&London brought
&looked;
looking
&lumped
madam
mainly repeat
&making
masquerade
matter
&matter beside
&matters
means
&meant
&measurements having
&member--am analysis
&mince-meat rooms
&minds holding
Miriam
Miriams
&misfortune
&modest
&modulation
moment
moment tawdry
morning agitated
&morning picture
morning truth
&mother
&mother rather
mothers Gabriel
MS Shell Dlg
&mystery
&neither
nothing
&nothing
nudity smiled
&nutshell
object--a hoping
obstructed
obtaining
&occasion tongue
&occupied
&occurred
opposition believe
&overlooked predecessor
&Paris
particular
&particular
parts friend
patience echoed activity
&people actuality
&perfectly certain--that
performer
&perhaps greater
&personage
&persons behalf
&persuade understood
&Peter
Peters beyond gold-headed6compared delightful Hawthorne little emphasised wooden;finding engaged covertly vaguely dependent trains characterLinstinct mistake--it finished bewildered--there souffle English objurgations
phrased ignorance
please resistance
pleasure
&poets--he
point--he actress
points places wonderfully should
&prepared sacrifice
pressed however
&pressed superior
&pretend
privately suspicion
probably
produced continued
&professional laughing
&Project
&Project women
&pronounced
&proprietress favours
purest stick
pushed
&quantum
&rather
reached
&really Certainly
&recognise side--you
reflexion notice
&regarded preparations
rehearsals challenge gathered
relieve
remain displaying thicknesses
&remarkably recognise
&remember
&remembered
&remonstrance
&repeat determination
replied
&reproducing
resistance rather
&responsible
&resting before
resumed
&returned
returned showed
return snubbed expression
RichEdit20A
&rising
&routed styles
sadly;
&saloon
&salutation affair
satirists apartments
&scene jolly
screw
searched
&seated violently
second
sensibility torment
series discuss
serious
shameful American through critic
Sherringham
&should
&should stayed
&sickly relieved
&silent daresay
sister things burning loosened
situation
slight
smashed settle
&so--he slightly
&something
sometimes almost
&splashes picture
stage
&statesman easily
station remember
&stirred
&story encourage
&Street occurred
streets
&strong Biddys
&struck
&subject
&subtle
success
suffering simply
&suggest have--you
&superseded repeated
support
&support
&surprise
surprise3perverse struck dance liking things offered thought8mother theatres associated represent--societies remember
susceptibility public
SysListView32
&table
Tahoma
&taking
talking
&talking
taste
&tasted
&temper acquaintance
&tenderness
terrible myself
&theatrical admired
&them--they
there quick
theres
&Theyll
&Theyre comparatively
&things
&things ladies
&things result
thinking
think turned minute
though
?though scraping portrait profession discretion Section opposite#Julias extent abatements individual!beside impulse ridiculous recites:visitors standing inmates Gutenberg-tm Because deliciously%submissions irritation friend bon--ah1happened struggle added things--which little--you
&thought
&throb connexion
&through havent
&thrust
tormented watery
&touches
&tragedian again;
tragic
&travel pointed
&treatise earned
trees relaxed
tremendous
turned
&turned offer--to
&uglier mother
unannounced display
unexpected fellow
&uniform futile
vaguely turning
Vavasour thing
vehemence irritation moment needed
&veiled
&vicissitudes courage
virtue
vision determined
vividly mystifying
Voyons--do
&wandered
wanted added
wanted whatever
well--youve struck
which<him--told colour English Juliet--take behind exclusion crawl0night Sherringham--when settle fiercely choosing4expression quitted paragraph nothing dealings should:invent little charity--give younger alone clever--I looked,little extent--I pertinacity removing hardly3confidence recognised though goose something circle
&whirled
whole Archive coloured havent
&window putting
wiser little
without
&without account
&without within
woman culture contradicted tongue
&world daresay
&wouldnt natural
wounded curious
&written
yards Miriam
&you--I grossness
1OJumd:p
3zI9+%
4l@(JY
5	65V?
5`eoy`}$
62;_h$
6RX#su
"")74(+-.&%;
7>>mTSh
,'!">=;84
ADwYlq
$Aey[<
BitBlt
bjCC7O
CreateCompatibleDC
CreateWindowExA
@.data
?DEB0d
DefWindowProcA
DeleteDC
DispatchMessageA
dOQ+|42Kl
d~U7+{.
;E6gUtQ	xHQ
E[l0|P
EndPaint
]	f%7w
Feh:[:
FindResourceA
FOwpp5
FT_LM-6
gdi32.dll
GetClientRect
GetCurrentProcessId
GetMessageA
GetModuleHandleA
GetProcessHeap
G{hJG0W[,
g(-x5A
h7a48C`
HeapAlloc
#HE)grnC
i]v%R'B
JC]5fd
JenausisFalisious
+j-@OB
!JT#11
KBdZ.+
kernel32.dll
KillTimer
L7yLw9
<LH2Ko#
LoadCursorA
LoadIconA
LoadResource
lQ!(Kc
+(mbk!
}]"MFo
-mrlzdO
nd*pKV&
'n%KbAg[d
NKEnln
(OA\OV
o(c#kh
OH$U?8
|}OP"79.
PostQuitMessage
'Q9AUq	f
Q\GfG}>
=r$|~@
R5.k31:
`.rdata
rDi<K~#%
RegisterClassExA
*rV==8
S.[#E6
SelectObject
SetTimer
ShowWindow
!This program cannot be run in DOS mode.
TranslateMessage
T@Ui~oqh
UpdateWindow
user32.dll
v6iWJk
V !906+/"$
v<CZYU
VT.k\9]s
]X/qX*q
z\6V,<
^ZHsnr
"Zx<@#