Analysis Date: 2014-01-10 11:32:07
MD5: 8a1b7afe52479ccba7ee3327b682f272
SHA1: c7e5c318d042e5096bd57c562d54f4d442441872

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0c43d51de290116f49f20728cab00e89 sha1: 064768dfbf549baa00958f91642e92b33c9f2a9f size: 60928
Section .rdata: md5: 57d842a5ad7c241969e0b78f81373c75 sha1: 13f47d08ee8775f5eedd68578cbf809357f373cd size: 8704
Section .data: md5: e1bdc7e23aef0f17c9b932cfdbe9b9e5 sha1: c379cb96f3f5cc2f36fe5c574e19f5e8bf510f94 size: 12800
Section .rsrc: md5: a8e3f90d3c5b5866766a59be9bbec860 sha1: d60612122d7553175c00ae51de895f9ede3d13fe size: 2048
Timestamp: 2011-04-28 12:44:57
Packer: Microsoft Visual C++ v6.0
PEhash: 052cf8bd975fd2dfd4bffd2ca1792c8c88dd337c
AV (avg): Crypt_s.FDC
AV (avira): TR/Crypt.XPACK.Gen7
AV (msse): TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\zasbogaxruby ➝ C:\Documents and Settings\Administrator\zasbogaxruby.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\zasbogaxruby.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kaufthal[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kaufthal[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: zasbogaxruby
Winsock DNS: empordalia.com
Winsock DNS: golfpark-moossee.ch
Winsock DNS: buzzkillmedia.com
Winsock DNS: www.traderush.com
Winsock DNS: atr-technologies.com
Winsock DNS: accel.lt
Winsock DNS: bigtopmultimedia.com
Winsock DNS: hartmultimedia.com
Winsock DNS: bapasitaramsevatrust.org
Winsock DNS: guberman.com.br
Winsock DNS: xuanxiao.com
Winsock DNS: kaufthal.com
Winsock DNS: szostka.com
Winsock DNS: audio-direkt.net
Winsock DNS: meridies.org
Winsock DNS: ulcndsu.org
Winsock DNS: korta-sa.com
Winsock DNS: mastechn.com
Winsock DNS: sspackaginggroup.com
Winsock DNS: cgc-england.com

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.96.11
DNS: smtp.live.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.96.11:25

Strings