Analysis Date: 2016-02-03 17:36:17
MD5: a431a0fcb45bec29adfa9e022e3bd950
SHA1: c165c777b25711aa01297f45572fa0b328f81ef4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 15acbb8fe871d5deec00d41bcf8c0b5f sha1: fe29a2a0a8982d3c6e3a0516b6575e7a841c923d size: 7168
Section .rdata md5: c20890377d15ce2dc509d6e291f52c65 sha1: 5b048ae453335151d8e479fc1535e51193d799a7 size: 3584
Section .data md5: 5b579014e31b7c75372671f0bd606028 sha1: d185e1e1818c5b839a71baa527f5687ad1defde8 size: 2560
Section .rsrc md5: be524792d964afc696bba5078f7d5723 sha1: 8d5154ae684128a897ebd2528e19a2dfaecbbffb size: 20480
Section .reloc md5: caa541fe65e3d3964722d40bd0d4d201 sha1: 962fb2ede487faa3cf6f851e22c64ea7688a148f size: 3584
Timestamp: 2010-03-04 12:04:24
PEhash: 56272c695cf3e7b78f4f462ce8d06a9c00542232
IMPhash: a15124486db62937438227bf2a31287a
AV CA (E-Trust Ino): Win32/Tnega.EUYaEC
AV Rising: No Virus
AV Mcafee: Ransom-CTB!A431A0FCB45B
AV Avira (antivir): TR/Dalexis.ujwfe
AV Twister: TrojanDldr.Elenoocka.A.ujto
AV Ad-Aware: Trojan.Ransom.Dalexis.A
AV Alwil (avast): Crypt-RSC [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Grisoft (avg): Generic36.ARSG
AV Symantec: Downloader.Ponik!gen11
AV Fortinet: W32/Kryptik.CVBD!tr
AV BitDefender: Trojan.Ransom.Dalexis.A
AV K7: Trojan-Downloader ( 00499db21 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.C
AV MicroWorld (escan): Trojan.Ransom.Dalexis.A
AV MalwareBytes: Trojan.Email.FakeDoc
AV Authentium: W32/Trojan.PJPG-2490
AV Emsisoft: Trojan.Ransom.Dalexis.A
AV Frisk (f-prot): W32/Trojan3.NFN
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Zillya!: Downloader.Cabby.Win32.795
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cccy
AV Trend Micro: TROJ_CRYPCTB.SMD
AV VirusBlokAda (vba32): TrojanDownloader.Cabby
AV CAT (quickheal): TrojanDownloader.Dalexis.A3
AV BullGuard: Trojan.Ransom.Dalexis.A
AV Arcabit (arcavir): Trojan.Ransom.Dalexis.A
AV ClamAV: Win.Trojan.Dalexis
AV Dr. Web: Trojan.DownLoad3.35539
AV F-Secure: Trojan.Ransom.Dalexis.A

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\c165c777b25711aa01297f45572fa0b328f81ef4.rtf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_73406.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 93031785
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.221
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.190
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.221:80

Strings
ADVAPI32.dll
AlphaBlend
CACloseCA
CACloseCertType
CADeleteCA
CAEnumNextCA
certcli.dll
ClearEventLogA
ControlService
CountryRunOnce
CreateProcessAsUserA
@.data
DllInitialize
drvCommConfigDialogA
drvGetDefaultCommConfigA
drvSetDefaultCommConfigA
GetComputerNameA
GetConsoleAliasW
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetFullPathNameA
GetGeoInfoA
GetModuleHandleA
GetNumberFormatW
GetPrivateProfileIntA
GetPrivateProfileSectionA
GetPrivateProfileStructW
GetProcAddress
GetProcessHeap
GetProcessId
GetTimeFormatA
GradientFill
HeapValidate
InitializeSid
IsTextUnicode
IsValidSid
kernel32.DLL
KERNEL32.dll
lokitar.pdb
lstrcmpiA
modemui.dll
msimg32.dll
nddeapi.dll
NDdeShareAddA
NDdeShareDelA
NDdeShareEnumA
NDdeShareSetInfoA
PathCombineA
PathCompactPathA
`.rdata
RegCloseKey
RegDeleteKeyA
RegEnumValueA
RegFlushKey
RegOpenKeyExA
RegSaveKeyA
@.reloc
SetEnvironmentVariableW
SetFilePointer
SHLWAPI.dll
!This program cannot be run in DOS mode.
UpdateResourceA
UrlCanonicalizeA
UrlCombineA
UrlCreateFromPathA
UrlEscapeA
UrlHashA
UrlIsA
UrlIsNoHistoryW
UrlIsOpaqueA
VirtualAllocEx
WaitForSingleObject
WriteConsoleA
WTSAPI32.dll
WTSEnumerateServersA
WTSFreeMemory
WTSLogoffSession
WTSOpenServerW
WTSQuerySessionInformationA
WTSRegisterSessionNotification
WTSSetUserConfigW
WTSVirtualChannelClose
WTSVirtualChannelOpen
WTSVirtualChannelPurgeInput
WTSWaitSystemEvent