Analysis Date: 2015-10-01 08:05:00
MD5: b0de89e3a19bfc6057a9df95d4322155
SHA1: d04aa34d4d50df9cb87649b48cd99849d2a40abc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0c33acacc73c33a78503058a5ddd21fe sha1: 2272ee9d97ea659dc7acfed1ddfbfb061fa43ce4 size: 183808
Section .rdata: md5: ca01cd1c001d51ec0c806bb444b77823 sha1: 924f031f3c7c12d2018dae1b9f43c0761874fcbb size: 2048
Section .data: md5: 57e500c535048eb6b5d097362c61d954 sha1: 2d17a907fa11d6b5e42c58b5ba9437d6fca47884 size: 123392
Section .rsrc: md5: a54f31b8dbdff8ef357a82aba6f34187 sha1: 93a922888a84ec8f1aa83bd744b14ed8048df5b4 size: 5120
Timestamp: 1970-01-01 04:28:14
PEhash: 3db9941df823bdf664e8e7dc8d1aaeaac1ce43e4
IMPhash: 3fd0fd2ceb1ea25d2b29c841dadb1c75
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV F-Secure: Gen:Heur.Cridex.2
AV Dr. Web: Trojan.Fakealert.20556
AV ClamAV: Trojan.FakeAV-5363
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV BullGuard: Gen:Heur.Cridex.2
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.FakeAV
AV CAT (quickheal): FraudTool.Security
AV Trend Micro: TROJ_FAKEAV.SMID
AV Kaspersky: Trojan.Win32.FakeAV.btxt
AV Zillya!: Trojan.FakeAV.Win32.77386
AV Emsisoft: Gen:Heur.Cridex.2
AV Ikarus: Trojan.Win32.Pakes
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV K7: Trojan ( 001e60c61 )
AV BitDefender: Gen:Heur.Cridex.2
AV Fortinet: W32/FakeAlert.AMB!tr
AV Symantec: Trojan.FakeAV!gen39
AV Grisoft (avg): FakeAlert.AAO
AV Eset (nod32): Win32/Kryptik.MAP
AV Alwil (avast): MalOb-FY [Cryp]
AV Ad-Aware: Gen:Heur.Cridex.2
AV Twister: Trojan.558BEC81C4DCFAFFF.mg
AV Avira (antivir): TR/FakeAV.btxt.7
AV Mcafee: Generic FakeAlert.amb
AV Rising: Trojan.FakeAV!49B1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\Application Data\gIdAhMaIbOa05606\gIdAhMaIbOa05606.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a31C9.tmp
Creates File: C:\d04aa34d4d50df9cb87649b48cd99849d2a40abc
Deletes File: C:\d04aa34d4d50df9cb87649b48cd99849d2a40abc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aD905.tmp"
Creates Process: "C:\Documents and Settings\All Users\Application Data\gIdAhMaIbOa05606\gIdAhMaIbOa05606.exe" "C:\malware.exe"
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\gIdAhMaIbOa05606\gIdAhMaIbOa05606.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gIdAhMaIbOa05606 ➝ C:\Documents and Settings\All Users\Application Data\gIdAhMaIbOa05606\gIdAhMaIbOa05606.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\Application Data\gIdAhMaIbOa05606\gIdAhMaIbOa05606
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.195.77

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aD905.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=05606
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.77/i.php?affid=05606&v=2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.77:80
