Analysis Date: 2015-08-02 00:49:48
MD5: 93aac8c4de27ae8dd10be18e1b4068a2
SHA1: d83fb1feb6b95c8e756fde00fe434f54b265d08a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code: md5: 1ab160713eb94b626d50becceafe8cc9 sha1: 631a0cd4c95263b1fd126b2c48d04de6ed4344e9 size: 512
Section .text: md5: ea4908d7eda44eb20ea3016a06731066 sha1: 8aa0f90fc92824fe0f81394396f78489fe44c05c size: 36352
Section .data: md5: 788d6b89c386954405b8932a6c53f557 sha1: ce9e29d9e8ea52f39e4bdf9c82f956cc6a51d415 size: 4608
Section .idata: md5: 48c858949fe5c27a1404472fb086f487 sha1: d076f5de332ff7e04c470b4ad6831412231d9165 size: 1536
Section .rsrc: md5: ed207acba98fd35a472827ef87963397 sha1: e330cb75111e2c06a5b312ce9732e526ea31ee05 size: 36864
Timestamp: 2004-10-14 04:38:19
Version info:
  LegalCopyright: Copyright (C) 2011
  InternalName: calc.exe
  FileVersion: 2.1.1.2
  CompanyName: MSFT Corp
  SpecialBuild:
  LegalTrademarks:
  FileDescrsiption: calc.exe
  Comments:
  ProductName: Calc
  ProductVersion: 3.1.1.3
  PrivateBuild:
  OriginalFilename: calc.exe
PEhash: f9f20ab52fc398e6e4a92c5983e4cb859ef0bb54
IMPhash: 731679601c856adef7f532ff8eb87d13
AV BullGuard: Gen:Variant.Dropper.95
AV K7: Spyware ( 0040f78b1 )
AV Padvish: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen7
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Dropper.95
AV Fortinet: W32/Zbot.QNYM!tr
AV Alwil (avast): Dropper-gen [Drp]
AV Eset (nod32): Win32/Kryptik.BNYA
AV Trend Micro: TSPY_ZBOT.SMXJ
AV Zillya!: Trojan.Kryptik.Win32.688175
AV MicroWorld (escan): Gen:Variant.Dropper.95
AV Arcabit (arcavir): Gen:Variant.Dropper.95
AV Mcafee: Trojan-FDFY!93AAC8C4DE27
AV F-Secure: Gen:Variant.Dropper.95
AV Dr. Web: Trojan.Packed.24872
AV Grisoft (avg): Crypt2.BSTH
AV Rising: no_virus
AV VirusBlokAda (vba32): TrojanSpy.Zbot
AV Authentium: no_virus
AV CA (E-Trust Ino): Win32/Cutwail.EEBdPH
AV Frisk (f-prot): no_virus
AV Symantec: Trojan.Zbot!gen71
AV BitDefender: Gen:Variant.Dropper.95
AV Twister: Trojan.64FF3530000000@2F.mg
AV MalwareBytes: Backdoor.Bot
AV Emsisoft: Gen:Variant.Dropper.95
AV Kaspersky: Trojan.Win32.Generic
AV CAT (quickheal): TrojanDownloader.Upatre.A5
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\gadamyciqhoz ➝ C:\Documents and Settings\Administrator\gadamyciqhoz.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\altonhousehotel[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\gadamyciqhoz.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\stormwildlifeart[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\stormwildlifeart[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\altonhousehotel[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: gadamyciqhoz
Winsock DNS: rewardhits.com
Winsock DNS: photoclubs.com
Winsock DNS: sigmametalsinc.com
Winsock DNS: altonhousehotel.com
Winsock DNS: vitalur.by
Winsock DNS: lockerlookz.com
Winsock DNS: cath4choice.org
Winsock DNS: topex.ro
Winsock DNS: merceorti.com
Winsock DNS: hoyuu.com
Winsock DNS: espace-hotelier.com
Winsock DNS: stormwildlifeart.com
Winsock DNS: choice-select.com
Winsock DNS: yamamoto-sr.com
Winsock DNS: figabara.com
Winsock DNS: audio-direkt.net
Winsock DNS: dbcomponents.com
Winsock DNS: coopsupermarkt.nl
Winsock DNS: beechwoodmetalworks.com
Winsock DNS: e-storming.com

Network Details:

DNS: smtp.glbdns2.microsoft.com, Type: A, 65.55.176.126
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A, 63.250.193.228
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A, 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A, 98.139.211.125
DNS: smtp.live.com, Type: A
DNS: smtp.mail.yahoo.com, Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
