Analysis Date: 2014-12-09 22:17:57
MD5: fd13605db5333ef2e8f0a9d048b131c6
SHA1: c091fba42208ad1dcc312ee2932e30c782c258ff

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b1b186fbe841455d5ab777df9fbb713b sha1: 52624148ec4c9cb7b4f349acd0aa34fa04c28b7f size: 12288
Section .rdata: md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .data: md5: 6ddee87eb1568a23345ef32d746b4179 sha1: 5628f5ccab8d75d19eed65242df6fb35e70cfa14 size: 113152
Section .rsrc: md5: d9ecc755db4ecf1e706c3e636dd5e141 sha1: 28529f10fb22be1f8d548d1657e0ad06139b50bd size: 5120
Timestamp: 2009-04-26 17:21:27
Version:
LegalCopyright: Copyright © 2010 l PC Tools. All rights reserved. 2m
InternalName: tdama5
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName:
ProductVersion: 7.0.0.61
FileDescription: TMSpyware Doctor Component
OriginalFilename: tdama5
PEhash: ac8807590eeb04224817e3c5f3770a2811935204
IMPhash: cefb05cae6fd6d53686dc1593922b63d
AV 360 Safe: Gen:Heur.IPZ.7
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Ginerez.SE
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.Packed
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan-Downloader ( 001359961 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen52
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): BScope.Trojan.Zbot.11521

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: falallen.com
Winsock DNS: topkio.com

Process
↳ C:\malware.exe

Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Network Details:

DNS: wsj.com (Type: A) ➝ 205.203.140.1
DNS: wsj.com (Type: A) ➝ 205.203.140.65
DNS: wsj.com (Type: A) ➝ 205.203.132.1
DNS: wsj.com (Type: A) ➝ 205.203.132.65
DNS: fastclick.com (Type: A) ➝ 64.156.167.84
DNS: nifty.com (Type: A) ➝ 210.131.4.217
DNS: falallen.com (Type: A) ➝ no answer recorded
DNS: topkio.com (Type: A) ➝ no answer recorded
DNS: phreeway.com (Type: A) ➝ no answer recorded
DNS: tirefondn.com (Type: A) ➝ no answer recorded

Strings
040904E4
 2010 l PC Tools.  All rights reserved. 2m
7.0.0.61
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
tdama5
TEXTFILEDLG
TMSpyware Doctor Component
Translation
VarFileInfo
VS_VERSION_INFO
CloseHandle
CompareStringA
CreateEventA
CreateFileA
CreateIcon
CreateMenu
CreatePopupMenu
CreateThread
@.data
DefMDIChildProcA
ExitProcess
GetACP
GetDesktopWindow
GetMenu
GetMenuItemCount
GetOEMCP
GetThreadLocale
IsDlgButtonChecked
IsWindowEnabled
KERNEL32.dll
LoadBitmapA
LoadLibraryA
LocalAlloc
`.rdata
tdama5
This program must be run under Win32
UNIQSTR
user32.dll
VirtualAllocEx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>