Analysis Date: 2014-06-29 07:31:55
MD5: 7cc0f000028f36764823df89ed198175
SHA1: c097e52c90e4a59a9cda6a2b2406ec56cc264814

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1b1a4df6b05fb5c1975bf1c279ca3444 sha1: 936bf86d29ca92a3349eb22575bf178eed2d9393 size: 17408
Section .rdata md5: ee617cc839f7610f6a46594f83b3bbbc sha1: 78620d6765e0aceef63ce76f66cb04a1fd29ca88 size: 112640
Section .data md5: e27a44fbd355de41b99d332f209359a2 sha1: 68eef11cf33cb473ffa30bd068e871ae68890509 size: 3072
Section .rsrc md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .reloc md5: f8398fc9a0b895d4aeaab2679d01e226 sha1: c8fcc2f2e2a1d4cf067a92df104434097f36d234 size: 2560
Timestamp: 2014-04-21 08:03:04
Packer: Microsoft Visual C++ ?.?
PEhash: c5ee1b32bde88f32ce8da1e38c8b7b4e1cdf73e6
IMPhash: 9f6fbf34abd659426cbc0dc8bc1dd107
AV 360 Safe: Gen:Win32.ExplorerHijack.iuW@aqX3hLj
AV Ad-Aware: Gen:Win32.ExplorerHijack.iuW@aqX3hLj
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Ibank.825
AV Emsisoft: Gen:Win32.ExplorerHijack.iuW@aqX3hLj
AV Eset (nod32): Win32/Korplug.BY
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Win32.ExplorerHijack.iuW@aqX3hLj
AV Grisoft (avg): Agent4.BVHX
AV Ikarus: Trojan.Agent4
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.iuW@aqX3hLj
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: Troj/Inject-AYG
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\Dbgview\Dbgview.exe
Creates Process: C:\Documents and Settings\All Users\DRM\Dbgview\Dbgview.exe
Creates Mutex: Global\ojkpqkdpzjecn

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\DRM\Dbgview\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Kr
Creates Mutex: Global\000000010000000000000100
Winsock DNS: 221.148.80.57

Process
↳ C:\Documents and Settings\All Users\DRM\Dbgview\Dbgview.exe

Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\crkfavsfawggh
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\mschu
Creates Mutex: Global\ehiwunegkkhcp
Creates Mutex: Global\aabhnqurdbfoh
Creates Mutex: Global\stuxkwabijxwwaxrh
Creates Mutex: Global\wubqw
Creates Mutex: Global\uedwlumdteeih
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\mxunbqgir
Creates Mutex: Global\cqbbiuronrddi
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\aelgflwcvvytstumy
Creates Mutex: Global\qclkvonpovvoztjdf
Creates Mutex: Global\ojkpqkdpzjecn
Creates Mutex: Global\egbhmpyceumde
Creates Mutex: Global\cunknusho

Network Details:

HTTP POST: http://221.148.80.57/7863929783BA050BA20ACE86
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 221.148.80.57:80
Flows TCP: 192.168.1.1:1031 ➝ 221.148.80.57:80
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows TCP: 192.168.1.1:1033 ➝ 221.148.80.57:80
Flows UDP: 192.168.1.1:1034 ➝ 221.148.80.57:80

Raw Pcap
0x00000000 (00000)   bdef2896 897bdb67 ce13c0a0 3c145bb1   ..(..{.g....<.[.
0x00000010 (00016)   8f5f3154 6ebe2676 0e5fc9a0 75         ._1Tn.&v._..u

0x00000000 (00000)   504f5354 202f3738 36333932 39373833   POST /7863929783
0x00000010 (00016)   42413035 30424132 30414345 38362048   BA050BA20ACE86 H
0x00000020 (00032)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000030 (00048)   202a2f2a 0d0a4848 56313a20 300d0a48    */*..HHV1: 0..H
0x00000040 (00064)   4856323a 20300d0a 48485633 3a203631   HV2: 0..HHV3: 61
0x00000050 (00080)   3435360d 0a484856 343a2031 0d0a5573   456..HHV4: 1..Us
0x00000060 (00096)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000070 (00112)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000080 (00128)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000090 (00144)   646f7773 204e5420 352e313b 202e4e45   dows NT 5.1; .NE
0x000000a0 (00160)   5420434c 5220322e 302e3530 3732373b   T CLR 2.0.50727;
0x000000b0 (00176)   20535631 290d0a48 6f73743a 20323231    SV1)..Host: 221
0x000000c0 (00192)   2e313438 2e38302e 35370d0a 436f6e74   .148.80.57..Cont
0x000000d0 (00208)   656e742d 4c656e67 74683a20 300d0a43   ent-Length: 0..C
0x000000e0 (00224)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000f0 (00240)   416c6976 650d0a43 61636865 2d436f6e   Alive..Cache-Con
0x00000100 (00256)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000110 (00272)   0d0a                                  ..


Strings
- abort() has been called
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
- CRT not initialized
dddd, MMMM dd, yyyy
December
DOMAIN error
February
- floating point support not loaded
Friday
HH:mm:ss
January
July
June
KERNEL32.DLL
March
@Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
October
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
runtime error 
Runtime Error!
Saturday
September
SING error
Sunday
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Wednesday
WUSER32.DLL
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
August
CorExitProcess
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
EncodePointer
EnterCriticalSection
ExitProcess
February
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FreeEnvironmentStringsW
Friday
GetACP
GetActiveWindow
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationW
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
HH:mm:ss
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
January
Kernel32
KERNEL32.dll
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MessageBoxW
MM/dd/yy
Monday
MultiByteToWideChar
November
October
QueryPerformanceCounter
`.rdata
@.reloc
RtlUnwind
Saturday
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
Sunday
TerminateProcess
!This program cannot be run in DOS mode.
Thursday
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
Tuesday
UnhandledExceptionFilter
VirtualAlloc
Wednesday
WideCharToMultiByte
WriteFile