Analysis Date: 2013-12-27 23:30:26
MD5: d450a16c7a634d3fd14b803a8d9c2785
SHA1: c03ad3fd2cfbb2afea14fbf1a03e9169c2a3a6c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bcf3c699a1dd7da0515e13ddbdd5b8ee sha1: 9915d85df9c50c448d333141a95cefcb125e7227 size: 60928
Section .rdata md5: eec5e89081d7d632204b838082bc21e0 sha1: 8935141c73e7b60331ab162dcc19ba1ab51aa36e size: 8704
Section .data md5: 9bd73efde945075d7c5a8cdcf6f1ed0e sha1: c7c7e44bab920001180883a79474fdb3b5c1a3d2 size: 12800
Section .rsrc md5: 4c4a877f3999aa8ef7e3c38e533f5300 sha1: f025e6a0ad9ac503354efe5448320a0b8fa4448b size: 2048
Timestamp: 2011-04-28 12:44:57
Packer: Microsoft Visual C++ v6.0
PEhash: 7d4d3fa06d55d5bb47e55f8330e1f95e8b573116
AV avg: Crypt_s.FDC
AV mcafee: PWSZbot-FOF!D450A16C7A63

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vinukykeapud ➝ C:\Documents and Settings\Administrator\vinukykeapud.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\vinukykeapud.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: vinukykeapud
Winsock DNS: kvadratoff.ru
Winsock DNS: empordalia.com
Winsock DNS: berkshirebusiness.org
Winsock DNS: niray.com.cn
Winsock DNS: acsmedioambiente.com
Winsock DNS: coe.pku.edu.cn
Winsock DNS: ezmedi.com
Winsock DNS: pcpeds.com
Winsock DNS: bigtopmultimedia.com
Winsock DNS: isp-h.com
Winsock DNS: shs-sales.co.uk
Winsock DNS: bapasitaramsevatrust.org
Winsock DNS: agence-des-druides.com
Winsock DNS: hifuken.com
Winsock DNS: cbsprinting.com.au
Winsock DNS: plus.ba
Winsock DNS: dbcomponents.com
Winsock DNS: arquiteturadigital.com
Winsock DNS: churchclothes.com
Winsock DNS: meubles-jacquelin.com
Winsock DNS: sarahdavid.com

Network Details:

DNS: smtp.glbdns2.microsoft.com Type: A ➝ 65.55.162.200
DNS: smtp.mail.eu.am0.yahoodns.net Type: A ➝ 188.125.69.59
DNS: acsmedioambiente.com Type: A ➝ 50.97.221.19
DNS: empordalia.com Type: A ➝ 5.56.61.199
DNS: agence-des-druides.com Type: A ➝ 213.186.33.3
DNS: churchclothes.com Type: A ➝ 97.74.42.79
DNS: shs-sales.co.uk Type: A ➝ 193.36.43.104
DNS: sarahdavid.com Type: A ➝ 198.41.191.66
DNS: sarahdavid.com Type: A ➝ 198.41.184.67
DNS: sarahdavid.com Type: A ➝ 198.41.188.66
DNS: sarahdavid.com Type: A ➝ 198.41.189.66
DNS: sarahdavid.com Type: A ➝ 198.41.190.66
DNS: arquiteturadigital.com Type: A ➝ 208.113.187.143
DNS: berkshirebusiness.org Type: A ➝ 64.99.80.30
DNS: dbcomponents.com Type: A ➝ 66.147.244.241
DNS: cbsprinting.com.au Type: A ➝ 141.101.117.74
DNS: cbsprinting.com.au Type: A ➝ 141.101.116.74
DNS: plus.ba Type: A ➝ 141.101.117.246
DNS: plus.ba Type: A ➝ 141.101.116.246
DNS: kvadratoff.ru Type: A ➝ 188.93.212.32
DNS: isp-h.com Type: A ➝ 210.172.144.22
DNS: ezmedi.com Type: A ➝ 218.150.78.243
DNS: smtp.live.com Type: A
DNS: smtp.mail.yahoo.com Type: A
DNS: hifuken.com Type: A
DNS: bapasitaramsevatrust.org Type: A
DNS: meubles-jacquelin.com Type: A
DNS: niray.com.cn Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.162.200:25
Flows TCP: 192.168.1.1:1032 ➝ 188.125.69.59:25
Flows TCP: 192.168.1.1:1036 ➝ 5.56.61.199:80
Flows TCP: 192.168.1.1:1038 ➝ 213.186.33.3:80
Flows TCP: 192.168.1.1:1043 ➝ 193.36.43.104:80
Flows TCP: 192.168.1.1:1044 ➝ 193.36.43.104:80
Flows TCP: 192.168.1.1:1046 ➝ 50.97.221.19:80
Flows TCP: 192.168.1.1:1047 ➝ 97.74.42.79:80
Flows TCP: 192.168.1.1:1048 ➝ 198.41.191.66:80
Flows TCP: 192.168.1.1:1049 ➝ 208.113.187.143:80
Flows TCP: 192.168.1.1:1050 ➝ 64.99.80.30:80
Flows TCP: 192.168.1.1:1051 ➝ 66.147.244.241:80

Strings:
Armenian
Armenian : 
benefit
button
Chinese
Chinese : 
edit
ERROR
Georgian
Georgian : 
goodes
Greek
Greek : 
Hindi
Hindi : 
however
is dancing
Japanese
Japanese : 
Korean
Korean : 
LANG2
MS Sans Serif
MultiLing Support
o  o
proudest
Russian
Russian : 
Serbian
Serbian : 
static
TABLE
Vietnamese
Vietnamese : 
worth
!&%$$-
''%~-%!
$[/$/$)
&$|%\'
0123456789
0as$P_
0%kgpk
(-%%0O
0Pq-S%
10%NT)r
'11@u$
$*1%%92hw|$'&
1p*A]%x
1s-s;k
1WP''+M
1`yj%u
238498
&?%2=9
>2A/TY$;&/
%2X`'Q%
?.30rQ%
3/"s5Vb
3U5ru!0%W
>3Yl"!
[$4GTA
4%(&I&P
4mX%Pa
4UP-)\
`)5?&%
^;5(2A
5@%50G
(%!55KI
5c%%%{!n
5]$$d%
`5Ha's
~5)?Q=
6;5$2A
6(UxOZg
7;GA$A
7My#[7
7 W!19
!.$9*Qj
% &a$&
%+a%%]
$%A9a`LOo*
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abnormal program termination
AppendMenuW
a!%&)S
a systematic development
AVWAf9
AX5A#%
	A=yX"
b5JU-N%@
bathing
be stepping
brief descriptions of the more common terms
.bSr_%Q
@c$&%%
`C@ 0MCi
C0Q}Qv
#c68u$
c6'$v$
CMF*-U
coreDestroy
CreateDialogIndirectParamW
CreateWindowExW
-CT`%G
C%xHYH
Cyw-$XL7E
@% %d!
.D5 VI
@.data
Daz	M%!%u
DefWindowProcW
DestroyWindow
DG*u%A
D]HMPvQ
Dhw$z%0
%D+'hY
DispatchMessageW
D%j2/]
DOMAIN error
>d\oMPIC'
;|D]&s
DSUVWh
Dv"%u$
<$)e%]
&/$#>'*e)
%E*,,\
E5&dOt'
E	G>%r
eR*r&M
E%& &&u$
ExitProcess
FEM5Re
- floating point not loaded
FreeEnvironmentStringsA
FreeEnvironmentStringsW
`$F%$t
FTv`\+
GetACP
GetActiveWindow
GetCapture
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileType
GetLastActivePopup
GetLastError
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemMetrics
GetVersion
GetVersionExA
GGGGFFFFItI
__GLOBAL_HEAP_SELECTED
!gpU`K
H~^&1/)
h2$u1`1!/
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
hMKP@o$@
HUp%[h
h!V#X5%
=hW$d`
,^h%X9
&h!x=M!
`Hx`)w
)HZ]'d
"I!aJ$
}IgU+4$
IJIXIIV
i%KC'%
<iv=Au&
'IvQ&%
@.j)@=
\!]J)'
<J%%)	O`
?%"%j``P
#!JS0C
KA$!~lF
kEAR%$
KERNEL32.dll
KF5Q$(!&
kh6%@5@0S
KJ*'u$
-K$M`P
"=%,'l
LCMapStringA
LCMapStringW
l&dBo	
=)\L~N
LoadLibraryA
=L$qOw@V
M3tePQ
m')*$9
!m'+#BPsou
`#<MDQ%
MessageBoxA
MessageW
M%h_"*
Microsoft Visual C++ Runtime Library
M%|MD_
mm+q"!
M%]%Q$
M|r_u$
__MSVCRT_HEAP_SELECT
*M%%\u'%
MultiByteToWideChar
` MvGu$
NiuDh)a
N`MIu[5
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
n'Q@mQ%
n%%v1\$
Om-5`@!
on delivery
oTh%Q/	
O%%}u]g-
}	P?*%
P9o%[ 
$\pD kIX
%Pf2B%
%P]Fft
P,`J;v
places must
PostMessageW
pql%	$ 
Program: 
<program name unknown>
- pure virtual function call
%Pu&%z
$@Pv)*
~p%XA:%%
-Q%*{%
$) `Q%
?QE=e^
Q%h#7i
)QhAu!
?!QPss
`QQuM"
%Q!udG6%)
-/r#&3
R 75uu#7P
`.rdata
RegisterClassExW
ReleaseCapture
R~%(-Q=Q
RtlUnwind
r!&&/u
runtime error 
Runtime Error!
%%ry>xF
`s[#7%_u
'`SCT`_ag
s%DX~ 
SendMessageW
SetHandleCount
ShowWindow
${sH}YWs
SING error
SjMA5')
*-s-%K
skill qualifications necessary
SS@SSPVSS
!T?aqY
TerminateProcess
terran
!This program cannot be run in DOS mode.
TLOSS error
TQ$`4A
TranslateMessage
t#SSUP
t.;t$$t(
Tv'%9k
t$$VSS
.']	U$
U$%]`%_
uA"E$M$
`>U$%`B
u,DS6>
uL5|Mo8
+UL#Y!
)uM-+M
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UpdateWindow
@~'uRe
%@u{s`/2dI
user32.dll
USER32.dll
$%usPO@
!uv!z/
v0D$3Lw
$#v7~t
VC20XC00U
#vC?%a
.V--%%E=$
%vf U.%'
Vindow
VirtualAlloc
VirtualFree
V!O"%O&P
v%$&/p
vQ1;BW
%v'RF!
v*U%su
VWuBhp
Vx;$,@
`(}V&XY?
w#%5y&
W<%c%-
)w>h'$
while still fighting for quality and pride
WhT{u%
WideCharToMultiByte
[$Wm9"
-%W%<Q
WriteFile
"WWSh{
WWSSSSh
x%5%`X
=?@X9)
>!X@EO\
XlG1#$!$
x;l!Qx
xM<JL4
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
+XNSI$
x-uZm$>j~_uy
Y;5qdA
,yp@fQC
yQ%u`!
)!y)%s
)%y)uQ
_^][YY
`(Z4&V'
%z		/v
ZY%-xt
@` Z~z