Analysis Date: 2015-10-27 02:03:06
MD5: e5b723fc22fea81a3ea9dfce99c16c22
SHA1: bcfed17f104d18df0739a4a2d0ff884fea5482f7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: f095169211655f559c445a3d30b8de8b sha1: 705a21fe856f2d0175cb92e26dd152623ee8080a size: 16384
Section .rdata  md5: 66138462bee999644b34e5d2ee66cd34 sha1: 223054c20f05661e2bac2d1e886fb57cfb9a3d86 size: 2560
Section .data   md5: 74017aa826b6b2b2a4992f50742fd9af sha1: 6f292b3012e0adea97530f64a3b9167c5597149e size: 2560
Section .rsrc   md5: fab627a7ce4ebfa7689e8e2d37ef4148 sha1: fa26dfb9af0f5cccede2f4f588f0897bbb21c3e7 size: 7680
Section .reloc  md5: 98e0e0754a5a341c90f27335e313d065 sha1: b4c4650f8261e8ebf17ef12b4aecf8f2e7bcabaa size: 512
Timestamp: 2008-08-04 08:17:48 (PE header compile time, as stored in the file; not independently verified)
Packer (signature match): Microsoft Visual C++ v6.0 (a compiler signature, not a packer; no packer was identified)
PEhash: f67acd7f49a21c4859e8a7b7f92d6ca99eb9eb6c
IMPhash: 8b76f15763a5001c84e7738224fac765
AV Rising: no_virus
AV McAfee: PWSZbot-FTY!E5B723FC22FE
AV Avira (antivir): TR/Crypt.Xpack.37395
AV Twister: TrojanDldr.Tiny.NKK.dcbl
AV Ad-Aware: Gen:Variant.Symmi.41676
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/TrojanDownloader.Tiny.NKK
AV Grisoft (avg): Luhe.Fiha.A
AV Symantec: Downloader.Upatre!gen3
AV Fortinet: W32/Tiny.NKL!tr.dldr
AV BitDefender: Gen:Variant.Symmi.41676
AV K7: Trojan-Downloader ( 004993d51 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.A
AV MicroWorld (escan): Gen:Variant.Symmi.41676
AV MalwareBytes: Trojan.Downloader.ECA
AV Authentium: W32/A-c6bede7f!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Downloader
AV Emsisoft: Gen:Variant.Symmi.41676
AV Zillya!: Downloader.Tiny.Win32.3376
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_DALEXIS.SMF
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): TrojanDropper.Demp
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.41676
AV Arcabit (arcavir): Gen:Variant.Symmi.41676
AV ClamAV: Win.Trojan.Downloader-62901
AV Dr. Web: Trojan.DownLoad3.33226
AV F-Secure: Gen:Variant.Symmi.41676
AV CA (E-Trust Ino): Win32/SillyDl.KceVNKB
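The section digests, the compile timestamp and the import hash in Static Details are all derivable from the bytes of the file, so anyone holding a copy of the sample can check the report against it. The Python below is an added example written for this page; it is not the sandbox's own tooling. parse_pe() walks the COFF header and section table with struct and hashes each section's raw data the way the Section lines above are produced; imphash_string()/imphash() canonicalise an import list the way the published imphash algorithm does (lowercase, library extension stripped, entries joined with commas, MD5). The sample is not included, so build_test_pe() constructs a small synthetic PE32 whose section names and contents are made up. Two caveats: imphash requires the import directory in table order, which the Strings listing below does not preserve, so the report's value cannot be reproduced from this page alone; and real implementations map ordinal imports of a few DLLs (ws2_32, oleaut32) back to names, which this simplified version does not.

```python
"""Recompute a sandbox report's static details from PE bytes.

Added example (not the report's tooling). parse_pe() returns the COFF
timestamp and per-section md5/sha1/size; imphash_string()/imphash()
canonicalise an import list as imphash does. build_test_pe() is a
constructed stand-in for the sample, which is not included here.
"""
import hashlib
import struct
from datetime import datetime, timezone

COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                               # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
                               # PointerToRawData, ...relocs/linenumbers..., Characteristics (40 bytes)
FILE_ALIGN = 0x200             # file alignment used by the constructed test image


def parse_pe(data: bytes) -> dict:
    """Return the COFF timestamp and md5/sha1/size of every section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, data, table + 40 * i)[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {name!r} points past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def imphash_string(imports) -> str:
    """Canonical 'lib.func,lib.func' string; imports is [(dll, name_or_ordinal)] in import-table order."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        # Simplification: ordinals stay 'ordN'; pefile resolves some of them to names.
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# The report's Timestamp line, as an epoch value (computed, not hand-typed).
SAMPLE_TS = int(datetime(2008, 8, 4, 8, 17, 48, tzinfo=timezone.utc).timestamp())


def build_test_pe(sections=None, timestamp=SAMPLE_TS) -> bytes:
    """Constructed minimal PE32 (not the sample): DOS header, PE signature, COFF header
    with an empty optional header, a section table, and file-aligned raw section data."""
    if sections is None:
        sections = [(b".text", b"\x55\x8b\xec" * 100), (b".rdata", b"constructed\0")]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    header_len = e_lfanew + 4 + len(coff) + 40 * len(sections)
    raw_ptr = -(-header_len // FILE_ALIGN) * FILE_ALIGN      # headers rounded up to file alignment
    first_raw, table, blobs = raw_ptr, b"", b""
    for name, payload in sections:
        raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(payload), 0x1000,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + table).ljust(first_raw, b"\0") + blobs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    info = parse_pe(data)
    print("Timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']}  md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run it with the path of a sample to print lines in the same shape as the Section and Timestamp entries above; a mismatch in any md5 means the file on hand is not the one the sandbox analysed (or was truncated or patched after the fact).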

Runtime Details:

Process:
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint (Winsock AFD socket endpoint, i.e. a socket was created; not a file on disk)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bcfed17f104d18df0739a4a2d0ff884fea5482f7.gif (the base name is the sample's own SHA1; confirm whether the sandbox names captured downloads this way before using the path as an indicator)
Creates File: \Device\Afd\AsyncConnectHlp (Winsock AFD asynchronous-connect helper; a connect() was issued)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_73859.cab
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net, Type: A, 65.55.50.158
DNS: www.update.microsoft.com.nsatc.net, Type: A, 134.170.58.222
DNS: windowsupdate.microsoft.com, Type: A (no address recorded for this name itself; the nsatc.net answers above are consistent with it being an alias for www.update.microsoft.com.nsatc.net)
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Opera/9.25 (Windows NT 6.0; U; en)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.158:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4f706572   User-Agent: Oper
0x00000020 (00032)   612f392e 32352028 57696e64 6f777320   a/9.25 (Windows 
0x00000030 (00048)   4e542036 2e303b20 553b2065 6e290d0a   NT 6.0; U; en)..
0x00000040 (00064)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000050 (00080)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000060 (00096)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000070 (00112)   6c6f7365 0d0a0d0a                     lose....
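The Raw Pcap block is the only place on this page where the request survives byte for byte, so anyone building a detection on the exact User-Agent or Host value has to rebuild them from the hex columns rather than from the summarised lines above. The Python below is an added example written for this page, not part of the sandbox's output: hexdump_to_bytes() turns lines of the layout shown here (hex offset, decimal offset in parentheses, up to four 4-byte hex groups, then an ASCII column it ignores) back into bytes, checking each line's offset against the bytes recovered so far; parse_http_request() then splits the request line and headers. RAW_PCAP is the dump copied from this page; the column layout is an assumption about this sandbox's format, and the check on the claimed "Windows NT" version is there because the profile path in Runtime Details (C:\Documents and Settings\...) is pre-Vista while the User-Agent claims NT 6.0, which is one way to spot a hardcoded User-Agent.

```python
"""Rebuild request bytes from a sandbox hexdump and parse the HTTP request.

Added example, not part of the report. RAW_PCAP is the dump from the page;
hexdump_to_bytes() assumes the layout '0xOFFSET (DECIMAL)  hex hex hex hex  ascii'.
"""
import re

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4f706572   User-Agent: Oper
0x00000020 (00032)   612f392e 32352028 57696e64 6f777320   a/9.25 (Windows
0x00000030 (00048)   4e542036 2e303b20 553b2065 6e290d0a   NT 6.0; U; en)..
0x00000040 (00064)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000050 (00080)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000060 (00096)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000070 (00112)   6c6f7365 0d0a0d0a                     lose....
"""

# hex offset, decimal offset, then at most four hex groups; the ASCII column is not consumed.
LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\((\d+)\)\s+((?:[0-9a-fA-F]{2,8}(?:\s+|$)){1,4})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Decode the hex columns, verifying that each line's offsets match the running byte count."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        hex_off, dec_off, groups = m.groups()
        if int(hex_off, 16) != len(out) or int(dec_off) != len(out):
            raise ValueError(f"offset {hex_off} does not match {len(out)} bytes recovered so far")
        out += bytes.fromhex("".join(groups.split()))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into method, target, version, lower-cased header dict and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by CRLFCRLF")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def request_indicators(dump: str) -> dict:
    """The fields a detection rule would key on, plus the OS version the User-Agent claims."""
    raw = hexdump_to_bytes(dump)
    req = parse_http_request(raw)
    ua = req["headers"].get("user-agent", "")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    return {
        "bytes": len(raw),
        "url": f"http://{req['headers'].get('host', '')}{req['target']}",
        "user_agent": ua,
        "claimed_nt_version": nt.group(1) if nt else None,
        "connection": req["headers"].get("connection"),
    }


if __name__ == "__main__":
    for k, v in request_indicators(RAW_PCAP).items():
        print(f"{k}: {v}")
```

The offset check matters more than it looks: sandbox pages often lose or wrap lines when scraped, and a silently skipped 16-byte row would shift every header that follows it.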


Strings
n-mO..

,/KPip
/ P6pL
/-P?pR
  !   
 ),.../////....---,,++ 
-,+,+++,,+,,-,...-
-***)'%$''*+,-,..////.//.-.----.-,,,+)()$
,/.///.--.,&
,/...-,%
',--.//--,-.--.+
'/....-.- 
'.........-.+
'')**))***++-------*
')&')*(***++,,-.-.-- 
'*((())***+*,..-/...../--.-.-.---,--,*!
'**)(*+-,.../.././/./..-,+))(''
'+**(''(())++,-..///.../..-...-.,,++**))
"(()(()*+,-..../.....././-,--,,*'&
")+,-..//..-.---,,,&
(+--.-.-.......-..--++*+(
(+,,.../..-.-,,)#
$-/-.+
*-++++,--,,,--,,--
*'&&(()))++-..././../..---..--.-,-,+(
&'&%#&(*,,,---///.-/...-...---,,,+*#
#*,))))+++,+,--...,(
%**++,---../.././.---,-+**+,$
	 .--,----,,,-..,-%
	"--,++*+,*+,--....-&
	&+*%%')*)+**+,--.-.-*
/..0././/.../..-(
.//0/.//./---..,,*
'///0./......----+
$-**'$%&')*+,,---../.0////....-,---.,,+*&'
*////0...&
*0,&+'
'.///./00//../'
'00//..-.-,+,--,,,) 
#*,./00-!
+///../000/-/
00/0......,,---+++
	"0//00.0///../.. 
,0////0000/&	
>$>,>2>9>@>K>R>X>c>h>r>
?4?:?@?F?L?R?j?t?z?
="=(=.=4=:=@=F=L=R=X=^=d=j=p=v=|=
\_#`9t!
_acmdln
_adjust_fdiv
CloseHandle
_controlfp
CreateDirectoryW
CreateEventW
CreateThread
@.data
DeleteCriticalSection
__dllonexit
EnterCriticalSection
_except_handler3
ExitProcess
FileTimeToSystemTime
FindClose
FindResourceW
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCommandLineA
GetCommandLineW
GetCurrentThread
GetEnvironmentStrings
GetEnvironmentStringsW
__getmainargs
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeW
GetVersionExA
GetVersionExW
HeapAlloc
HeapDestroy
HeapFree
HeapReAlloc
_initterm
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IPHLPAPI.DLL
KERNEL32.dll
LCMapStringW
;(<.<L<j<t<z<
LocalFree
lstrlenW
MSVCRT.dll
MultiByteToWideChar
nvmpu.nvu
_onexit
__p__commode
__p__fmode
q$ydT!
RaiseException
`.rdata
ReadFile
@.reloc
ResetEvent
SCARDDLG.dll
__set_app_type
SetEvent
SetFilePointer
SetIpNetEntry
SetLastError
__setusermatherr
SHELL32.dll
SHFileOperationW
TerminateProcess
!This program cannot be run in DOS mode.
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VirtualAlloc
w8Rich_
WaitForSingleObject
_XcptFilter
&XUYGYU