Analysis Date: 2015-04-26 06:44:28
MD5: a7f3c910b90350f1d1f80f558fef1a3b
SHA1: bf6b5ec3a571d0667394224a566f18582a62dcad

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: aa44efb9f575f039882e31e818013127 sha1: 8ca49930fe56f58a9876bfe468ec4bc24dbce4b0 size: 69120
Section .data md5: 4656e0aa8ea6ee97483210d8268553de sha1: 060634c6650b6a1ccc9609a1e90e8a2ac04195a1 size: 9728
Section .rdata md5: 18b29d28755a7d787c6d549a91670c5f sha1: 15d0e50e09c91d7877f74538310e6eef0e256e79 size: 8704
Section .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 3f94baab1c969f8d721bc0f5afff5336 sha1: 3de7f94e00032299878f05d843b7f5d677132f9b size: 1536
Section .9938263 md5: 00f7b684a368ead06473ed6e2d271865 sha1: 929ad88d583a226ec07e5f3069b3275a00c90aed size: 59904
Timestamp: 2013-09-03 13:05:24
Packer: MingWin32 GCC 3.x
PEhash: e38294665abf3f55442ea35024fb54e3d875ca7e
IMPhash: def5f2796857086b11eddf83f9dd66f3
AV Ad-Aware: Trojan.Minggy.N
AV Alwil (avast): Injector-BJZ [Trj]
AV Arcabit (arcavir): Trojan.Minggy.N
AV Authentium: W32/Trojan.WGFT-6562
AV Avira (antivir): TR/Dldr.Cutwail.53
AV BitDefender: Trojan.Minggy.N
AV BullGuard: Trojan.Minggy.N
AV CA (E-Trust Ino): Win32/Fareit.UV
AV CAT (quickheal): Trojan.ZAgent.r6
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1105
AV Emsisoft: Trojan.Minggy.N
AV Eset (nod32): Win32/Injector.AMBX
AV Fortinet: W32/Zbot.PLZN!tr
AV Frisk (f-prot): W32/Trojan2.NXNA
AV F-Secure: Trojan.Minggy.N
AV Grisoft (avg): BackDoor.Generic17.BGXX
AV Ikarus: Trojan-PWS.Win32.Fareit
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.BH
AV Mcafee: PWSZbot-FEM!A7F3C910B903
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): Trojan.Minggy.N
AV Rising: no_virus
AV Sophos: Troj/Inject-AKN
AV Symantec: Trojan.Zbot
AV Trend Micro: no_virus
AV Twister: Backdoor.712CA53FB372540F
AV VirusBlokAda (vba32): TrojanSpy.Zbot

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\navopnasalso ➝
C:\Documents and Settings\Administrator\navopnasalso.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\navopnasalso.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: navopnasalso

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.mail.global.gm0.yahoodns.net
Type: A
63.250.193.228
DNS: smtp.mail.global.gm0.yahoodns.net
Type: A
98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net
Type: A
98.138.105.21
DNS: sarahdavid.com
Type: A
162.159.246.248
DNS: sarahdavid.com
Type: A
162.159.247.248
DNS: midwestga.com
Type: A
96.45.83.43
DNS: midwestga.com
Type: A
96.45.83.230
DNS: midwestga.com
Type: A
96.45.82.61
DNS: midwestga.com
Type: A
96.45.82.225
DNS: rueggeberg.com
Type: A
81.209.182.37
DNS: meridies.org
Type: A
67.225.202.20
DNS: msasys.com
Type: A
205.186.132.26
DNS: korta-sa.com
Type: A
91.200.116.222
DNS: wlf.louisiana.gov
Type: A
184.106.119.164
DNS: malagacorp.com
Type: A
162.159.244.191
DNS: malagacorp.com
Type: A
162.159.243.191
DNS: screaminpeach.com
Type: A
198.41.249.164
DNS: screaminpeach.com
Type: A
162.159.240.165
DNS: ziuabarbatului.ro
Type: A
194.50.126.226
DNS: colourprint.nl
Type: A
46.30.212.230
DNS: cabooseonline.com
Type: A
192.138.20.228
DNS: kvadratoff.ru
Type: A
188.93.212.32
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
DNS: thesergery.com
Type: A
DNS: kamaruka.vic.edu.au
Type: A
DNS: coopsupermarkt.nl
Type: A
DNS: meubles-jacquelin.com
Type: A
DNS: isp-h.com
Type: A
DNS: tollefsondesign.com
Type: A
DNS: kromeng.com
Type: A
HTTP POST: http://msasys.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://midwestga.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sarahdavid.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://meridies.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://rueggeberg.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://malagacorp.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://wlf.louisiana.gov/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://screaminpeach.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://korta-sa.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ziuabarbatului.ro/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://colourprint.nl/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://cabooseonline.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://kvadratoff.ru/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
Flows TCP: 192.168.1.1:1041 ➝ 96.45.83.43:80
Flows TCP: 192.168.1.1:1042 ➝ 205.186.132.26:80
Flows TCP: 192.168.1.1:1043 ➝ 162.159.246.248:80
Flows TCP: 192.168.1.1:1044 ➝ 67.225.202.20:80
Flows TCP: 192.168.1.1:1045 ➝ 81.209.182.37:80
Flows TCP: 192.168.1.1:1046 ➝ 162.159.244.191:80
Flows TCP: 192.168.1.1:1047 ➝ 184.106.119.164:80
Flows TCP: 192.168.1.1:1048 ➝ 198.41.249.164:80
Flows TCP: 192.168.1.1:1049 ➝ 91.200.116.222:80
Flows TCP: 192.168.1.1:1050 ➝ 194.50.126.226:80
Flows TCP: 192.168.1.1:1051 ➝ 46.30.212.230:80
Flows TCP: 192.168.1.1:1052 ➝ 192.138.20.228:80
Flows TCP: 192.168.1.1:1053 ➝ 188.93.212.32:80

Strings
0///a[zABN_yFJX`I|JL[F@A/A[KCC
0`.data
0///}JNK
1@8^tD
1///hJ[{G]JNKl@A[JW[/dJ]AJC
1///|J[{G]JNKl@A[JW[/dJ]AJC
1NVz,Wf
:1X%-,&@
2sI~c<
2_t]LM
(38!*H
3fzt?}
3///l]JN[J
3t7*A'4
3///yF][ZNCnCC@LjW/dJ]AJC
4626435693125550137
4fQl_I;
4u^6l3N"
5h%t=V
]5hYo>
5*%@j@
5///}J\ZBJ{G]JNK/dJ]AJC
5|q?(c
5///yF][ZNCnCC@L/dJ]AJC
6(35:nPJ
6fQl_I;
6///yF][ZNCi]JJ/dJ]AJC
`8fQl_I;
9:-..\
97isv=@
.9938263
-Ac'~@
AdjustTokenPrivileges
ADVAPI32.DLL
>A Hng
![ap`q
atexit
bfL AJY
`@.bss
CancelDC
_cexit
CloseFigure
Cn)AG^
COMCTL32.DLL
CreateColorSpaceA
CreateFontA
CreateMappedBitmap
CreatePropertySheetPageA
CreateToolbarEx
C#x..EF
D2-<Ka
DestroyPropertySheetPage
*dP2$5N^
	Dr"sA!
EndPath
;			E`ol)`z)hg)`ee|z`fg')Dp)}af|na}z)h{l)hg)`ee|z`fg6	
;			E`ol)`z)hg)`ee|z`fg')Dp)}af|na}z)h{l)hg)`ee|z`fg6	Zm
E{um ~
ExitProcess
F39Atwnh
>f|g'b
^fQl_I;
 fQl_I;
?fQl_I;
"fQl_I;
}fQl_I;
fQl_I;
FR}X\ -
GDI32.dll
GetEffectiveClientRect
__getmainargs
GetModuleHandleA
H41 zT
}hP#M!
;hy	LT
.idata
ifQl_I;
iLkNJY
ImageList_Add
iM,i&*
InitCommonControls
jc9;l&
			JefzlAhgmel	Bl{gle:;'mee	QY
JE.l55fP
J/`htA
JW/?&F9G
@-K)b&
KERNEL32.dll
k]fQl_I;
kfQl_I;
\kNp[2
L0n+;Z
L4Fu"Nf
l	akGv
]@LJ\\bJB@]V/dJ]AJC
]@LJ\\n/dJ]AJC
LookupPrivilegeValueA
malloc
MenuHelp
MqmWO$
mQq{M,0K
msvcrt.dll
nAIJ.Q
)			Nl}Dfm|elO`elGhdlH	Bl{gle:;'mee	QY
			Nl}JfddhgmE`glH	Bl{gle:;'mee	QY
}`Nr!~
'NY}R{
o+\6xX
O\[CVkG/
_onexit
OpenProcessToken
.^&_p0
__p__environ
__p__fmode
p'	I!%UT
PropertySheetA
PtX1rT@
QmJ,r~/
q_V:[)}
.rdata
R#fQl_I;
,/>rY/
s_2KRi
"sD5%z
__set_app_type
_setmode
SetUnhandledExceptionFilter
;`%s g]!z|
signal
sL(VNR
;sNJ\E
SUn1~J
TD	du}6
!This program cannot be run in DOS mode.
	#th"T
"?tTl0
u$6ubXF[
Ua~9P/n
^u{RMR
UUW09X
VirtualProtectEx
vi>sYg
$V= kX
@%vld?
v_w}0o1
wkr$OObh
wlu^=C#
wT_+ta
x6KMLI
///x]F[J
xfQl_I;
XfQl_I;
x:;l.EB
}Xss)<	vg
^$.-;y~5ZbD
"yLNvA
Z?]g.}