Analysis Date: 2014-04-22 22:07:38
MD5: 8019ff4d6581f88c3d107686727b18e0
SHA1: d5a8d7442ea5e28b084b1db0ac1d5a47c82bc13d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 7fb5669bea090a66da0ed9c7f2b10786 sha1: d3938fae01eb385d32ee961c25973cccbc6acdc3 size: 141824
Section .rsrc md5: 5f149cd6e276809cbe788e11545d90a8 sha1: 62c03a5603bd4cb11be8c5f661772058b9f9343d size: 2048
Timestamp: 2029-10-13 15:59:23 (later than the analysis date, so the PE compile timestamp cannot be taken at face value)
Version LegalCopyright: Microsoft Corporation
InternalName: kernelsNT
FileVersion: 3.00
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Corporation
Comments: kernelNT
ProductName: kernelNT
ProductVersion: 3.00
FileDescription: kernelNT.exe
OriginalFilename: kernelsNT.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: c52afbe3719adb879a738aef790321b91535bc64
IMPhash: e029f98a2da83608852f59fa44f95f0e
AV clamav: Trojan.Bancos-122
AV avira: TR/Crypt.FKM.Gen
AV msse: TrojanSpy:Win32/Bancos
AV mcafee: PWS-Banker.gen.i
AV avg: Win32/DH{fABnYjUlVy4gJCIP}

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: c:\windows\kernels32.exe
Creates Process: c:\windows\kernels32.exe

Process
↳ c:\windows\kernels32.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service System ➝
"c:\windows\kernels32.exe"\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run\Service System ➝
"c:\windows\kernels32.exe"\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFF70.tmp
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ieupdate.dat
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: www.supernet.speedserv.com
Winsock URL: http://www.supernet.speedserv.com/downloads/winlockdll.dll

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: www.supernet.speedserv.com
Type: A
DNS: smtp.mail.yahoo.com.br
Type: A
Flows TCP: 192.168.1.1:1032 ➝ 188.125.69.59:25
SMTP: eujogocs16@bol.com.br

Raw Pcap
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a616d 396e5957 4e7a4d67 3d3d0d0a   ..am9nYWNzMg==..
0x00000030 (00048)   6332466d 5a585235 0d0a4d41 494c2046   c2FmZXR5..MAIL F
0x00000040 (00064)   524f4d3a 3c6a6f67 61637332 40796168   ROM:<jogacs2@yah
0x00000050 (00080)   6f6f2e63 6f6d2e62 723e0d0a 52435054   oo.com.br>..RCPT
0x00000060 (00096)   20544f3a 3c6b696b 30393140 7961686f    TO:<kik091@yaho
0x00000070 (00112)   6f2e636f 6d3e0d0a 52435054 20544f3a   o.com>..RCPT TO:
0x00000080 (00128)   3c65756a 6f676f63 73313640 626f6c2e   <eujogocs16@bol.
0x00000090 (00144)   636f6d2e 62723e0d 0a444154 410d0a46   com.br>..DATA..F
0x000000a0 (00160)   726f6d3a 20434f4d 50555445 522d5858   rom: COMPUTER-XX
0x000000b0 (00176)   58585858 40666269 73702e63 6f6d2e62   XXXX@fbisp.com.b
0x000000c0 (00192)   720d0a54 6f3a2069 6e766573 74696761   r..To: investiga
0x000000d0 (00208)   72406662 6973702e 636f6d2e 62720d0a   r@fbisp.com.br..
0x000000e0 (00224)   44617465 3a205475 65736461 79202c20   Date: Tuesday , 
0x000000f0 (00240)   32322041 70722032 30313420 30383a33   22 Apr 2014 08:3
0x00000100 (00256)   373a3039 20504d0d 0a537562 6a656374   7:09 PM..Subject
0x00000110 (00272)   3a204176 69736f20 21202120 21202032   : Aviso ! ! !  2
0x00000120 (00288)   322f3034 2f313420 32303a33 370d0a58   2/04/14 20:37..X
0x00000130 (00304)   2d4d6169 6c65723a 204d6963 726f736f   -Mailer: Microso
0x00000140 (00320)   66742043 6f72706f 72617469 6f6e202d   ft Corporation -
0x00000150 (00336)   204d6963 726f736f 66740d0a 0d0a2020    Microsoft....  
0x00000160 (00352)   0d0a4572 726f3a20 6e6f2061 67756172   ..Erro: no aguar
0x00000170 (00368)   646f2064 6f207061 672e2064 6f20646f   do do pag. do do
0x00000180 (00384)   776e6c6f 61642c20 65207661 69207061   wnload, e vai pa
0x00000190 (00400)   6761722e 2e2e0d0a 4d736720 64612076   gar.....Msg da v
0x000001a0 (00416)   657273e3 6f2e3a20 332e302e 300d0a0d   ers.o.: 3.0.0...
0x000001b0 (00432)   0a2e0d0a 0d0a5155 49540d0a            ......QUIT..


Strings
040904B0
3.00
Comments
CompanyName
FileDescription
FileVersion
InternalName
kernelNT
kernelNT.exe
kernelsNT
kernelsNT.exe
LegalCopyright
LegalTrademarks
Microsoft Corporation
OriginalFilename
ProductName
ProductVersion
sa\CONFIG~
StringFileInfo
Translation
")UM
VarFileInfo
VS_VERSION_INFO
 $.' ",#
}; }<!~="
 (08@P`p
0+cq%HTL
/0dmm5}
}0f	dv
0{	,P!
0T;4!4
11s!!h
1]25a./r
_1minh
,!,1N N
/1=tX+
2(2$	d
`2^3^M
2^9^b_i
2a?9Y]U
2Quaw}
3333337p
3!'D@@
{[3gqRz
	3u7Sa3{
3wg1B{
%&'()*456789:
4a'<2L
4:CG/+43a
4!^gb<
4k Fi[
56n7)(9:
#5DH@q
5hk&@`{
5XG(thH
"654d-
6.OLB7n
(7),01
7natM 7 thd
7UnKaM
8]0.JfuRr0@k
8`H.9@
+8n=-/;kB=
8s<e@;i
'9=82<.342
-99400
9 CpD?
9!H[NR
"9PEs(
A 0BuC
a3X)]/
a7exibir
AA>ZQG
^aciln
adj_fptan?4
?A,FiG
aJ~a@c
? a-lp:
AltTab1y
~	Amar
)|aM'y
anjafT
`_`ao$a]_[
AQ?DT)
:ar*aum,
[AspackDie!]
.+/.azf
=B G{?
b`-l(]
Bounds_^,U
.	bPA(
B$pa7U
bPoO"P
B$RTbE
btn4_~0
c1.0.M-
c5kZCHV
CAPE2.0
C:\ArivX
CC)c)A>X
cDZ#_B
cEach1
}C`f_^h_
(!CG@"
Ckel9S
/cmdLimp
c!oGEebaG
co Ita
  cone
Cour[r0m*`mg
%(*.CRT
cUDaM7.mQ{
cUrQpMw
Cz}wsW6
dBD.k<'
DE2b2]q
: digit
dlWinsock
d mEha
?D_p$&G
DQGpf3
d^Resp
@D+UaUTE?
;Dup+`
dzF<Ed
eB&3K"R
eec)\=$ 
Ef.ffM
ERRO! ( G03WF$
E~uq__
ExitProcess
]\_]#f
FcT(k!
fd|ECn10f! _
F^dp#t
FFFFXH
FGHIJSTUVWXYZcdefghijs
fhPv[4o
F.nL"2
fOm6jc
 FYwl - I,
g?B?^A
gCN7<Q
gD"J9X
GetProcAddress
@gic.I4o
gIEXPLORE.
GIF89a
GJ@"[\
Gkernels32
g.Kv.$w
/GumChildq
GV `-{k
_gwkwz
< 'GX 
!G!xG&A
h'>'&(
(h3	D!
'h3tby
-h!7O'=
#H.I`A2A
\hS99N
HUQ%B%
h]wYH%kvL
hXddddH8(
H[ZPhy
i6~Ui/
I=b	9H
icOsofta7,
/I de 
iDWHOL
IEO"BV
IF&y!`XP
ihK&agR
ijhqps
i#Jk&l
Inic9lizacao>frm_Se
I*NVTkR
INx*iP$"
IQ%dKP
J^\."@
j}2]Vj	FLz
j`$5Mk'u.|
j7:`/1`02
jEEsdY
j_iFN)E
JLpSG*
jlyQR/
=jnJV'i
j QNeY
JslkbaT
jSUV/W
j	)[VP
jxl-7r~3
j#zWvw
K()<\%
KC1	z~
KERNEL32.DLL
kFoR9\
&khCx{;^XX
=\K<|K
k,tT1`%
l3?oT.
L8E+t@p
l8(<ph
lblAg[
LdRfw8
l"Fjyz6
LGjh/m
L{}O,/.
LOADER 
LoadLibraryA
!LtP!CU
,	;LwBX
&;M33'
m"8F1]
MAAlloc
?/.m^d
)meEVENT_SINK_
m#EndIdiv_m647
`M&G$.(Qx
miSRXX
MKeyEx
M#MD#Z
M<nMz?{
,_!Mod
mod_VariaveisFuncoe
mQ0j!K
msvbvm60
MSVBVM60.DLL
m?t?-@4
mtvaa`a2a
N5:zpn_
[$$na]
NGAgZNp
Nh \k`
n&id!e
nn|\m<
n_PtC-w
	N	Xp%
#n*;Xt;
\N]ygB
o23~pP
o(6si$
O76 ]!
o`A^H^hj
?<OC1 
Offse@
o&h*hP
O-h$$X
ok6\k$
:O{LpwFoAV^M
"OLU!:
&:ON!,
opr	*.
oReadyStat
O!rflX
O@ZJPF
P1_(DI
/ -&Pa
")pCBDAD
pchj=i
\]^pE2
P?-haC
(PK>,U 
@PN1D~
pOq5v>O^
Pq+7@U
Projeto3_1
pxdH.9
QIf`?@
Qkg4X`
:}< Q=mpoY
'q%OC .
qrt]Qu
;qssag
qw88_rl'4R
rAnsiT
rC?"Wh
recvr 
\*rFjZV
r\]hKg
Rhp	A7
RIG?gC
r:JR:{
]@?R:n'm
R|[_Ovo
rrL&B<
RtlMov
rv+o>SMTP
^-(R{YXY7
!$s-2MP
SE3UlM
.sgPlayS
S#-"h8/B
shdocvw.dl^
SIEAVS
s`\J%7X
Sxvvwy{
SY;b# 
SZt ESWp'
TelaBl;
%]t_@#F
!This program cannot be run in DOS mode.
<tMs!O|
TOA51"
tPBK T
tRMtorio
;!^?T`S?
 tSysCo
)T=w2a
t{wJBH
~*u@!2
@u," 5
"U_Bqa
`udvw8y
U! (Ex: Token,
uGVTTc?*,
Uh	V;$O
uld no
uleHanEeA$LoadL
UL;OUo
uQ Studio\VB98
UUOwvl
\u Vis
$V+\2m
.v'2n?
]V 5!f]
__vbaF
:VGiSB5!
vkaTk%
Vlk+Vb
v P< Vo
vqLab36oL'B
Vu&Wo]
VwCtl.WebB
+w6ezYk
]"`WBX9G2
]WduP8
=#wHA@g
wMRI2/F4T=
wnBl*BOk
WS\e32\Vl
wwwwwwp
	X022)
 X0tL;
xcvb<a
+XM\JWg6
x{}mqr~
x\^]]qoy]
x%)&"Um
!#xyVRv
Y9	v	y2`
.y\m`dd
yM	hPkRm
YwcQ#p
YY~XX~
,:zAe/
zI _1h!'>
	Zjm&C
ZN{_ev
'zttw{~(