Analysis Date: 2014-08-06 07:30:42
MD5: 375236ad088aa6a97597d5929fcc3c6d
SHA1: d5f428675f8e0b7603fe4d4b3410c3be1d4e5db5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4ba5d41ed71fbb71dc89364fb2291de1 sha1: 0c1fc396ab7a459c1b8406a24cec997e1e9a915e size: 1024
Section .rdata: md5: 8013970f7c52c4cb5b3c11a726a2b2cb sha1: 40c0fd764dd27d6db6a647212efa7199534468cf size: 512
Section code2: md5: a2828793777103275fc7aee40ab8fe54 sha1: f140b6098acd2ddda0d477885483ecbddf0ae64a size: 512
Section zdata: md5: 2447b871343f93a6f5b737ce06f13660 sha1: d8ef9cebcdf1446ca3d1fcffb1b87b6128e6edae size: 512
Section codej: md5: 72aab3599727f9b7622a9dfc918c6b55 sha1: 92b58cb13201716372059595293b1caaaa9fc8a0 size: 512
Section .rsrc: md5: c79e9fefc2cc6eb25e3b78021703f3b5 sha1: 3ae14f0e1f6f8054105186c1d02fb8d30fb9b8be size: 58880
Timestamp: 2007-12-17 17:25:18
Version:
LegalCopyright: Copyright (C) 2003
InternalName: welled
FileVersion: 4,1,4,24
ProductName: welled Application
ProductVersion: 2,3,2,5
FileDescription: welled Application
OriginalFilename: welled.exe
Packer: PE Diminisher v0.1
PEhash: 39c2d72cc72e68a6b9209920574e3eaebc54c154
IMPhash: eaeaf27597bb0523389a72cda6281fd0
AV 360 Safe: Gen:Variant.Zusy.89319
AV Ad-Aware: Gen:Variant.Zusy.89319
AV Alwil (avast): Kryptik-NRD [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Agen.r6
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1150
AV Emsisoft: Gen:Variant.Zusy.89319
AV Eset (nod32): Win32/Kryptik.BZQQ
AV Fortinet: W32/Agent.APDJ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.89319
AV Grisoft (avg): Crypt3.IXB
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Agentb.apdj
AV MalwareBytes: Trojan.Cryptor.XGen
AV Mcafee: Downloader-FAEL!375236AD088A
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Zusy.89319
AV Norman: winpe/Troj_Generic.VDSIQ
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TROJ_CUTWIL.SM1J
AV VirusBlokAda (vba32): Trojan.Agentb

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\raxeapuncepe ➝ C:\Documents and Settings\Administrator\raxeapuncepe.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\floridadoubled[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wsipowerontheweb[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\frederickallergy[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\krafthaus[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nasz-sklep[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\berkshirebusiness[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\floridadoubled[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\frederickallergy[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\berkshirebusiness[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nasz-sklep[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: berkshirebusiness.org
Winsock DNS: celebikalip.com.tr
Winsock DNS: xing-group.com
Winsock DNS: cabooseonline.com
Winsock DNS: nasz-sklep.pl
Winsock DNS: www.traderush.com
Winsock DNS: boundbydesign.com
Winsock DNS: wsipowerontheweb.com
Winsock DNS: bigtopmultimedia.com
Winsock DNS: krafthaus.com
Winsock DNS: frederickallergy.com
Winsock DNS: floridadoubled.com
Winsock DNS: s2s.fr
Winsock DNS: chocolatecovers.com
Winsock DNS: trinity-works.com
Winsock DNS: acicinvestor.ca
Winsock DNS: solutioncorp.com
Winsock DNS: tessera.co.jp
Winsock DNS: toutenmeuse.com
Winsock DNS: orion-networks.net

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25

Strings
.
...

&0--0--4 declaims
041904b0
1'AN
2,3,2,5
2DWM
4,1,4,24
5little thrust Italian sashes secluded looking Company
A-6>
&abandon pearl
&about VOICES
abroad
accordion different
&addresses fashion
&Adonai
&affected Lion's
affirm volumes
afternoon tastefully
&again didn't
&again little
&Alderman KEYES
alive
amalgamated Hawkins upcast wife's
&Anch'io unusual
&apoplexy
&Arbour strode
&Armagh
Assuming
&Astronomy
&astute ville
&attack Cuckoo
&attention answered
Aubrey
Awaiting
&Battersby
bearded
&beating pawnbroker's
beautiful
&beauty
&because
bedrooms
&before
before's proprietor
&beggar wheels
&behind
benefit
between proposed
&bicycle
&birdsnies perceive
&blackbeetles
blessed
&bloody
&BLOOM
&BLOOM paper
&blowing
bluecircled
boatbearers symmetry
&Boylan
&bring
&bringing
&bronzed again
brother because
&brotherhood smooths
brow fleshpot
brushes
&buccal
&Buckley's
&Buddha
bunched mixture
&buries
business commonly opening
&buttocksmothered finger
&Caballero amours
cacophonous
Caffrey
&Caffrey through
&cagework hyenas
Cameron
&cassock
Castile Ireland remember yanked
&castor
&catechism
&catechism What's
&Celestine
&centrifugal
cesspools whereas
&Chacun please
&chair
&champions
&chancre
Changing hubbub
&chap's property
Chaste
children
&circumcised
&cityful
coarse
cocked
&cohesion poison
&colleagues
&combings described
coming
&composed Mulligan
&condition immense
connected wonder tabinet
&Conscious Crofter
constellation
&continental
Copyright (C) 2003
&corner weeks
&corporation ground
Costello
Costello posthumous constancy
costumed
&couldnt
&Couldn't
countries depicted planted It's
&cover babyish
&Cranly's
cried
&cried clapped
&croak
&crooked thunders
&crushed
&Cuckoo premium
Cunningham
&Cunningham George's
&dainty
&dancing
&dateshaped though
daughter
&days
&deeply
deficiency
&degrees staunch
delights indeed
depravatio
Desire's unless socialist
devil's
&didn't
&didn't municipal
different Richmond staring
&Dignam
&distinctly
&doesn't
drifting
Drink
drooping street
Dublin Stephen
&eddies
&embroidery facile
Emperor's
entwined
&envelopes
&equilibrium
&esplanade brother
&evening
evening hissing
&Examiner
&excited
excursion
&experience
&extension
&Exuberant STEPHEN
&faded division
fastened
&father Roscommon
&featherskins student
&fellow eunuch
&field looking
FileDescription
FileVersion
&finespun
first polished halldoor
&fjords
&flambeaus confession
flies
&following smouldered
&forgetmenot cures
&forming
&fortnight
&forward
&foundation
foundered
&fraction
&friendly permeates
&Garryowen
&general
gestures
giving
&Glendalough Oxford
&glitter height
&Gloomily
&goodness Mulligan's
&Goulding
&grace
&grammar Dorans
&grass
&Greeks gorgeous
&green
Green bawling
&greenhouses
&greenish moustache
&grief
ground
&habits Bringing
&hackle
&hairbrush
&halfclosed BLOOM
&halldoor
&hand
&hangdog wenching
Hanukah sentiment
happens
harking
&health
&Higgins Runs
&himself
&hither people
Holles
&horns
&horsenostrilled minutes
hoses
hotwaterjar trailed
&house timehonoured
&howled
&Hungary Williamites
&immodest
&imprint
incrispated
&indeed
&individual right
inserts
InternalName
&involving Crawford
&jessamine
&jogged
kings'
&kissed change
&kitchen Murmurs
kneecap
&knives constant
&Lambert
&Leahy's unascertained
LegalCopyright
&Lenehan edition
Leopold
&lifted Martin
little
Little group Whelan WATCH
&Livermore
&living eleven
&loincloths sidling
&Lombard
longed bright
&looked
&MacHugh Dinner
&magnetic weekly
major housetops
&Many
&married
married Fraidrine longest
Martin
&Martin William
&masses
master
master excitement
&matron
matter
&mattress
&mavourneen's thurible
meaning
&meaning
&measure
medals Greenwich
meeting wife
&mention
Mervyn flight
methods
&mirror address
mirror plaited
&missed boomerangs
&mockery family
&mollify
moment unbuttoned
&Moore's benign
&morbous night
morning
motorcar
&mourners Armagh
&mourning
&mouth
MS Shell Dlg
&Murphy's bliss
&Myles
napkin money
&nation advertisement
&natural
&nearer
&nipples
noise
&noodly
&obituary
offers scarlet little others
&oilskin ladylove
O'Neill's always
&opposite scornful
ordinaries
OriginalFilename
&others
&oysters breath
&pages
&Panama
&paradigm
parson
&Passion search
patient
&peerless
perhaps
&personal everyone
&phenomenon Bristol
&Phibsborough perfume
&pillar l'attosca
pillars halted trying certainly
&pitched BURGESS
places
plainlooking
&player
pockets
&pointing
&polished
&polycimical
&ports
&possible
possibly upholstered redeemer silverbuckled
&power
&preoccupied
&present
&pretending Molly
priceless
&probably alderman
&Produces recall
ProductName
ProductVersion
professor
&proper
property
&proposed
&propriety always
proved
&pubhunting touring
Pyrrhus
&quarter profligate
quayside
&Queenstown Gurrhr
race
&racial Hungry
&railings
&rained
rapping Rest
&really anticipation
&remote Quick
removed parlous
renovated
&report located
&repose posing
&represents literature
reservoir doffed having sugared
resistance
return
ribbons
RichEdit20A
&right revival
&rising Cowley
&rotter Where
&rudely examined
Rudolf possessed
&ruined goldhaired
&Russell connection
salted
&sanctity
&satirical
&sauce Gravediggers
&Save Whelps
&schoolfellows
&scillas attendant
&Scotch plodding
&screws giving
scullion sowing Christ slowly
&SECOND
seemed
seems
&sending Sorrow
shaded
shaded Curious
shadow despair
&Shakes Nolan
&shaking
&shame
&Shannon Inform
&shares
&Sharons
&shillings
&Shitbroleeth PRISON
&shocks spinach
shops Gallaher
should
&shouted mountain
&Shouts Shakespeare
Shreds
sidled
&sighed fumbles
&singing daystar
sister-in-law
&sisters building
&sitting
&sixteens
&skins flour
Skin-the-etcetera proximity
skipping butter tailormade
&slammed particular
&sleeve
&slowly
&slowly family
&sniffing Quigley
SNIVELS another country
&snowball oxygen
&somewhere
&sourly
&Spanish producing
&sphincter
&spoke profound
sports
spouse
&stays Doublebasses
&Stephen
&Stephen's
stepping
&Still
&stone again
&storms
Stratford generations
&street
&street follows
street notice
street Venus
&strident
StringFileInfo
Stuart
student
stupid arrive Liliata cousins
&subtile
Successively tapping
Sudden latter trouble matter
&suggest secretary's
&sullen blazes
&Suppose
survival server
sweeping Talbot
&Swinburne
SysListView32
&table
&table Ontario
Tahoma
taste
&Telegraph
telling
temperance
terrace
&textual
&there
There Because
There's
theyre
thirst answer
though ships7Gilligan changes unfolded beggar geegee middlings stick
thoughts compass
&Thursday
&timepiece Mulligan
&tinkle hop-of-my-thumb
&towards
Translation
&transmigration
Travers?
Tremendously
trilingual
Trombone smiles
trouserbutton
trousers pointing
&turning whistle
&unbelief Giltrap's
&unique
unweave permanence
upstairs
&urinal
&Valuing
VarFileInfo
&vendor
verbis
&veux
&vigorously There's
villa
vinegar
&VIRAG
visible housed
VS_VERSION_INFO
 &~w
&walked asked
&walked performance
wanted
&watched
&Waterford
water meant
&waters
waters didn't
&waters moisture
&weather railway
Wellcut selfinterest
welled
welled Application
welled.exe
Whelps
whereas proper
&Whereat
&Whereat quarter
&wherefore
&whining success
whisper
&white
&whole Foreign
&window picked
&windows
within choice
&without
&wonderfully
&Workbasket
&wormfingers hop-of-my-thumb
&wouldnt shoves
&you're velocity
&Youth Stephen
Z-H)
11xxxxxxxCreateWaitableTimerA
17q%Sw
1qA7KmQV
1"QQv.
2\^Uq4
)*~4D5
<5|	q|c
744@)C2
:<7E%X
	):7ugY
7z5Ux2
9m,.spLoadImageA
agkvHxR
a<J{bw*
b.f>+s
@code2
CreateThread
^D=gHj
-DmpE?
>D?T	E
-)e1HY
E	b_[Q
eZ[f<l
fdh37s 9llGetObjectA
-=Foo2z7
g/-b+oY
%,'gdi32.dll
gdi32.dll
GetModuleHandleA
GetObjectA
GetObjectW
Gfq-R#
?gJOE5K
GU^&r\"
i#C$j>
iDn>Wg
#i=NB*i
InterlockedIncrement
i{pBM(
j5dx:[
!JScEhvi
/_^JtioD
kernel32.dll
 ;kG$=&
K`iRVV
kRichn
LoadImageA
LoadLibraryExA
M*	g@{
m^oAy=W
\O.}JYIn
on6:$a
o=vh4~
oyF <;x
PQ[E:p
.rdata
R:\jfndh8883.dat
r!r+PQ
\ry4Gtr
Rz1r+l
s83hfn257635936459350fgdgdfgdsgsdGetProcAddress
SetWaitableTimer
Sj1cHO
SleepEx
s,zaYrC7S
!This program cannot be run in DOS mode.
user32.dll
>>v f?
:vo"}5
vo/v'#q\
vqCj!`@8G
$vQQru.
=vu_gY*w1
WaitForSingleObject
Wam&tC
wSBb5k
W:upG8
#x5?eC
@xmNdk
_y bm\
zojt	S"
zxc098iuser32.dll