Analysis Date: 2015-04-29 00:33:09
MD5: 0be340b9e8ab30cf869ed1be079cb54f
SHA1: de2f66d264d067906dad79d7658a34632b378317

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: be852aca8ba13aa00b8a70e08f7bb9ef7695b546
IMPhash: 1ab50c1213cfb4577705be0af19a6905
AV Ad-Aware: Gen:Variant.Symmi.43792
AV Alwil (avast): Agent-ATVN [Trj]
AV Arcabit (arcavir): Gen:Variant.Symmi.43792
AV Authentium: W32/Backdoor.BOSZ-0199
AV Avira (antivir): TR/Patched.Gen
AV BitDefender: Gen:Variant.Symmi.43792
AV BullGuard: Gen:Variant.Symmi.43792
AV CA (E-Trust Ino): Win32/Tnega.AUYL
AV CAT (quickheal): Trojan.Zbot.AM4
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad.64914
AV Emsisoft: Gen:Variant.Symmi.43792
AV Eset (nod32): Win32/Wigon.PH
AV Fortinet: W32/Zbot.AAU!tr
AV Frisk (f-prot): W32/Backdoor2.HVEQ
AV F-Secure: Gen:Variant.Symmi.43792
AV Grisoft (avg): SHeur4.BXOU
AV Ikarus: Trojan-Dropper.Win32.Dorifel
AV K7: Trojan ( 0040f8c71 )
AV Kaspersky: Trojan-Dropper.Win32.Dorifel.alqn
AV MalwareBytes: Spyware.Zbot.VXGen
AV Mcafee: PWSZbot-FAAB!0BE340B9E8AB
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Symmi.43792
AV Rising: no_virus
AV Sophos: Mal/Ransom-CV
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: TrojanDrop.Dorifel.alqn.xzqp
AV VirusBlokAda (vba32): Malware-Cryptor.ImgChk
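
The IMPhash field above is an MD5 over the binary's import table, normalised so that samples importing the same functions from the same modules in the same order hash alike even when the file hash changes, which is why it is useful for clustering repacked builds of one family. The following is an added example, not code from the report or its sandbox, implementing that normalisation the way pefile's get_imphash does. The import table is constructed: the module names are ones that appear in the Strings section, but the functions under each and their order are assumed, so the value it prints is not the report's IMPhash.

```python
import hashlib

# Constructed import table. Module names appear in the report's Strings section;
# the functions under each and their order are assumed, so this will NOT
# reproduce the IMPhash above. An int stands for an import by ordinal.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["IsDebuggerPresent", "OpenProcess", "WaitForSingleObject"]),
    ("PSAPI.dll", ["EnumProcesses", "GetModuleFileNameExW"]),
    ("WTSAPI32.dll", ["WTSEnumerateSessionsW", "WTSQuerySessionInformationA"]),
    ("IPHLPAPI.dll", ["GetIpForwardTable", "GetUdpTable"]),
    ("WINSPOOL.drv", ["EnumPrinterDriversW"]),
]

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")  # the only ones the algorithm drops


def normalise_dll(name):
    """Lower-case the module name and drop .dll/.ocx/.sys; any other extension
    (WINSPOOL.drv, for instance) stays, exactly as in the reference code."""
    name = name.lower()
    for ext in STRIPPED_EXTENSIONS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_entries(imports):
    """Flatten the table to 'module.function' strings in import-table order.
    Simplification (assumption): every ordinal import is rendered as 'ordN';
    pefile additionally maps known ordinals of ws2_32/wsock32/oleaut32 to names."""
    entries = []
    for dll, symbols in imports:
        module = normalise_dll(dll)
        for sym in symbols:
            func = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            entries.append(f"{module}.{func}")
    return entries


def imphash(imports):
    """MD5 of the comma-joined entries: the kind of value the IMPhash field holds."""
    return hashlib.md5(",".join(imphash_entries(imports)).encode()).hexdigest()


if __name__ == "__main__":
    print("\n".join(imphash_entries(SAMPLE_IMPORTS)))
    print("imphash:", imphash(SAMPLE_IMPORTS))
```

Two properties the code makes visible: the hash is order-sensitive, so a rebuilt import table that adds or reorders a single entry changes it, and only .dll, .ocx and .sys are stripped, so a driver-style module such as WINSPOOL.drv keeps its extension in the joined string.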

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xapkexhydyha ➝ C:\Documents and Settings\Administrator\xapkexhydyha.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\xapkexhydyha.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: xapkexhydyha

Network Details:

DNS: smtp.glbdns2.microsoft.com (A) ➝ 65.55.163.152
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 63.250.193.228
DNS: smtp.live.com (A)
DNS: smtp.mail.yahoo.com (A)
Flow TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flow TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
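
The runtime and network observables above describe one persistence-plus-mailing pattern: the sample copies itself to the profile root as xapkexhydyha.exe, registers that copy under the HKCU Run key with a value of the same name, takes a mutex of the same name, and opens TCP/25 to the hosts it resolved through Microsoft and Yahoo SMTP names. The following is an added example, not part of the report, that turns those observables into detection rules and runs them over constructed endpoint telemetry in a hypothetical type|process|key=value line format. The mail-client allow-list, the modern C:\Users profile-root pattern and the sample log lines are assumptions; the paths, mutex and destination addresses come from the report.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators copied from the report's Runtime and Network Details.
KNOWN_MUTEX = "xapkexhydyha"
KNOWN_SMTP_DESTS = {("65.55.163.152", 25), ("98.138.105.21", 25)}

# Behavioural patterns generalised from the sample (assumptions, not report
# data): a Run value whose data is an .exe sitting directly in a profile root
# (XP-era "Documents and Settings" as seen here, plus modern "Users"), and
# TCP/25 opened by anything that is not an allow-listed mail client.
RUN_KEY_RE = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKCU)\\software\\microsoft\\windows\\currentversion\\run$",
    re.IGNORECASE)
PROFILE_ROOT_EXE_RE = re.compile(
    r"^[A-Z]:\\(?:Documents and Settings|Users)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list

# Constructed telemetry in a hypothetical "type|process|k=v|..." format. The
# first six lines restate the report; the last three are benign noise that the
# rules must not flag.
SAMPLE_LOG = r"""
registry_set|C:\malware.exe|key=HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|value=xapkexhydyha|data=C:\Documents and Settings\Administrator\xapkexhydyha.exe
file_create|C:\malware.exe|path=C:\Documents and Settings\Administrator\xapkexhydyha.exe
file_create|C:\malware.exe|path=C:\Documents and Settings\Administrator\Cookies\index.dat
mutex_create|C:\malware.exe|name=xapkexhydyha
net_connect|C:\malware.exe|proto=tcp|src=192.168.1.1:1031|dst=65.55.163.152:25
net_connect|C:\malware.exe|proto=tcp|src=192.168.1.1:1032|dst=98.138.105.21:25
registry_set|C:\WINDOWS\explorer.exe|key=HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|value=Updater|data=C:\Program Files\Vendor\updater.exe
net_connect|C:\Program Files\Mozilla Thunderbird\thunderbird.exe|proto=tcp|src=192.168.1.1:1040|dst=192.168.1.10:25
net_connect|C:\Program Files\Internet Explorer\iexplore.exe|proto=tcp|src=192.168.1.1:1041|dst=192.0.2.10:443
"""


def parse_event(line):
    """'type|process|k=v|...' -> dict with 'type', 'process' and the k=v pairs."""
    fields = line.split("|")
    event = {"type": fields[0], "process": fields[1]}
    for kv in fields[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def _dest(event):
    host, _, port = event.get("dst", "").rpartition(":")
    return (host, int(port)) if port.isdigit() else (host, None)


def run_key_to_profile_root(e):
    return (e["type"] == "registry_set"
            and RUN_KEY_RE.match(e.get("key", "")) is not None
            and PROFILE_ROOT_EXE_RE.match(e.get("data", "")) is not None)


def exe_dropped_in_profile_root(e):
    return e["type"] == "file_create" and PROFILE_ROOT_EXE_RE.match(e.get("path", "")) is not None


def known_mutex(e):
    return e["type"] == "mutex_create" and e.get("name", "").lower() == KNOWN_MUTEX


def outbound_smtp_from_non_mail_client(e):
    return (e["type"] == "net_connect" and e.get("proto") == "tcp"
            and _dest(e)[1] == 25
            and PureWindowsPath(e["process"]).name.lower() not in MAIL_CLIENTS)


def known_smtp_destination(e):
    return e["type"] == "net_connect" and _dest(e) in KNOWN_SMTP_DESTS


RULES = [run_key_to_profile_root, exe_dropped_in_profile_root, known_mutex,
         outbound_smtp_from_non_mail_client, known_smtp_destination]


def shared_persistence_token(events):
    """One token reused as Run value name, dropped-exe stem and mutex name: the
    sample's habit, caught without hard-coding the token itself."""
    run_values = {e["value"].lower() for e in events if run_key_to_profile_root(e)}
    dropped = {PureWindowsPath(e["path"]).stem.lower()
               for e in events if exe_dropped_in_profile_root(e)}
    mutexes = {e["name"].lower() for e in events if e["type"] == "mutex_create"}
    return run_values & dropped & mutexes


def analyze(log_text):
    """Run every rule over every event; return hit counts and correlated tokens."""
    events = [parse_event(l) for l in log_text.strip().splitlines() if l.strip()]
    hits = Counter(rule.__name__ for e in events for rule in RULES if rule(e))
    return {"hits": dict(hits), "shared_tokens": shared_persistence_token(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for rule, count in sorted(result["hits"].items()):
        print(f"{rule:40s} {count}")
    print("shared persistence token(s):", result["shared_tokens"])
```

The token-correlation check is the part worth keeping: the Run value name, dropped file name and mutex need not be xapkexhydyha in the next build, but a sample that reuses one random token across all three is still caught, while a Run value pointing into Program Files and a real mail client talking to the site's relay on TCP/25 stay quiet.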

Strings
040904B0
   1997
6, 1, 4
Asyjy Mopyhu Ifef Ujepo Gamipyr Idyqyh Wivezej Ixoni Etosi Alysuto
CompanyName
FileDescription
FileVersion
GARMIN Corp.
Hebas Ahynyga Ufisudu
InternalName
LegalCopyright
LegalTrademarks
Omtrlqlq.exe
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
Vifuti
VS_VERSION_INFO
Yvegywo
0"0'0,01060;0@0F0K0P0U0Z0_0d0i0o0t0y0~0
0$0)0.03080=0B0H0M0R0W0\0a0f0l0q0v0{0
0'00060B0S0\0e0k0w0
0 0)020;0D0M0V0_0h0q0z0
0!0*030<0E0N0W0`0i0r0{0
0%0.03090B0H0Q0W0`0e0k0t0y0
0?0E0N0W0`0f0l0{0
0>0J0S0_0e0}0
= =%=+=0=5=:=?=D=I=N=S=X=]=c=h=m=r=w=|=
< <%<+<0<5<:<?<D<I<N<S<Y<^<c<h<m<r<w<}<
?!?&?+?0?6?;?@?E?J?O?U?Z?_?d?i?n?s?x?}?
07}lyMu
<'<0<9<B<K<T<]<f<o<x<
>'>0>9>B>K>T>]>f>o>x>
09!\tM
0i	yA6"
='=0=k=
0Xp@'#19
1"1'1,11171<1A1F1K1P1U1Z1_1e1j1o1t1y1~1
1#1)12181A1G1P1V1_1e1n1t1}1
1%1.171@1I1R1[1d1m1v1
1&1/181A1J1S1\1e1n1w1
1"13191?1q1w1
>">'>,>1>6>;>@>E>J>O>U>Z>_>d>i>n>s>x>}>
<"<(<1<7<@<F<O<U<
;";(;1;7;@;I;R;[;a;g;
>(>1>:>C>L>U>^>g>p>y>
1#@lbjt
1P1V1\1b1h1n1
2"2(21272@2F2O2U2^2d2m2r2x2
2"2'2,21272<2A2F2K2P2U2Z2_2d2i2o2t2y2~2
2!2*232<2E2N2W2`2i2r2{2
2"2+242=2F2O2X2a2j2s2|2
2'232?2E2N2Z2`2u2{2
2 3&3O3[3d3j3u3~3
="='=-=2=7=<=A=F=K=P=U=Z=_=e=j=o=t=y=~=
:":(:-:2:7:<:A:F:K:P:U:Z:`:e:j:o:t:y:~:
;#;(;-;2;7;=;B;G;L;Q;V;[;`;f;k;p;u;z;
 2*h39
3'30393B3K3T3]3f3o3x3
3"3+313:3@3I3O3X3^3g3m3v3|3
3!3&3+30363;3@3E3J3O3T3Y3^3c3i3n3s3x3}3
3&3/383A3J3S3\3e3n3w3
383>3I3O3U3^3m3
<#<(<-<3<8<=<B<G<L<Q<V<[<`<f<k<p<u<z<
?$?)?.?3?8?=?B?H?M?R?W?\?a?f?l?q?v?{?
;!;*;3;<;E;N;W;`;i;r;{;
3x=S~Gg
4"4+414:4@4z4
4 4&4+40454:4?4D4I4N4T4Y4^4c4h4m4r4x4}4
4"4+444=4F4O4X4a4j4s4|4
4!4*4/454>4D4M4R4X4a4g4p4v4
4#4,454>4G4P4Y4b4k4t4}4
>$>*>/>4>9>>>C>H>M>R>W>]>b>g>l>q>v>{>
:$:*:/:4:9:>:C:I:N:S:X:]:b:g:l:q:w:|:
:%:.:4:=:C:L:R:[:a:j:p:y:~:
<4<=<C<O<a<j<s<|<
; ;%;*;/;4;:;?;D;I;N;S;X;];c;h;m;r;w;|;
="=+=4===F=O=X=a=j=s=|=
;";+;4;=;F;O;X;a;j;s;|;
4V4_4k4q4z4
5'50595B5K5T5]5f5o5x5
5(515:5C5L5U5^5g5p5y5
5 5)525>5J5S5Y5e5q5}5
5!5&5+50555:5?5D5I5N5T5Y5^5c5h5m5r5x5}5
5$5)5/585=5C5L5R5[5a5j5p5y5
5!5-595B5H5W5]5o5{5
5<6B6r6x6
5bsS=e
5C6L6R6^6
5@~FuF
=#=,=5=>=G=P=Y=b=k=t=}=
?#?,?5?>?G?P?Y?b?k?t?}?
5Kdx|+
<5r1-!
>!>*>6>
6#6)62686A6G6P6V6_6e6n6t6}6
6#6,656>6G6P6Y6b6k6t6}6
6!6&6+61666;6@6E6J6O6T6Z6_6d6i6n6s6x6}6
6$6-666?6H6Q6Z6c6l6u6~6
6,959L9X9^9g9m9v9|9
6cg2F7V
6cgcm5K
?$?-?6???H?Q?Z?c?l?u?~?
*/6qb2
7(717:7C7L7U7^7g7p7y7
7#7,71777@7E7K7T7Y7_7h7m7s7|7
7 7)727;7D7M7V7_7h7q7z7
7!7'7,71767;7@7E7J7O7T7Z7_7d7i7n7s7x7}7
7$7_7e7x7
7$7C7O7U7
7>7J7S7\7e7n7t7
;(;.;7;<;B;K;P;V;_;e;n;t;};
7EjI>LA
 |7g^]
:%:.:7:@:I:R:[:d:m:v:
?%?.?7?@?I?R?[?d?m?v?
7L8X8d8m8y8
80898B8n8w8
8$8*808
8"8+818:8@8I8O8X8^8g8l8r8{8
8$8-868?8H8Q8Z8c8l8u8~8
8%8.878@8I8R8[8d8m8v8
8!8&8+80858:8?8D8I8N8S8Y8^8c8h8m8r8w8|8
<&</<8<A<J<S<\<e<n<w<
:&:/:8:A:J:S:\:e:n:w:
8H9ahL
 8I8_:
]8lz^id
9"90999?9u9{9
9 9)929;9D9M9V9_9h9q9z9
9!9*939<9E9N9W9`9i9r9{9
9%9+949:9C9I9R9W9]9f9k9q9z9
9"9'9,92979<9A9F9K9P9U9Z9`9e9j9o9t9y9~9
9 9%9*9/94999>9C9I9N9S9X9]9b9g9l9q9v9|9
"9h,kB
9w5iNM
a0H;DX
AccessibleObjectFromEvent
AccessibleObjectFromPoint
acmDriverAddA
acmDriverClose
acmDriverDetailsA
acmDriverEnum
acmDriverMessage
acmDriverPriority
acmFilterChooseA
acmFilterChooseW
acmFilterTagDetailsA
acmFormatChooseW
acmFormatDetailsA
acmFormatDetailsW
acmFormatEnumA
acmFormatEnumW
acmFormatSuggest
acmFormatTagEnumW
acmGetVersion
acmMetrics
acmStreamConvert
acmStreamMessage
acmStreamPrepareHeader
acmStreamReset
acmStreamUnprepareHeader
AddIPAddress
AddPortA
AddPrinterConnectionW
AddPrinterDriverExW
AddPrintProcessorW
ADVANCEDSETUPDIALOG
AF|n]8
`Ah4!B
AllocateAndGetIpAddrTableFromStack
*)AOA!
=)atr6
Au'+Yf
av5U]j
Av.l{>9
}a=xX{@L
BackupClusterDatabase
BackupRead
~BQJ'p
<#<]<c<
C4nrWT
~C}b.H
cEa]Rz.
ChangeClusterResourceGroup
CLIPFORMAT_UserUnmarshal
CloseClusterGroup
CloseClusterNetInterface
CloseClusterNetwork
CloseClusterNode
CloseClusterResource
CLSIDFromProgID
CLSIDFromString
CLUSAPI.dll
ClusterGroupEnum
ClusterNetworkCloseEnum
ClusterRegDeleteValue
ClusterResourceTypeCloseEnum
C/MU/'
<cN	Au s
CoFreeAllLibraries
CoGetCallContext
CoGetInstanceFromFile
CoImpersonateClient
CoInitializeSecurity
COMCTL32.dll
ConfigurePortA
CoRegisterMallocSpy
CoSuspendClassObjects
CoTaskMemAlloc
}}c$OX
Cqh,gB
CreateClusterResource
CreateClusterResourceType
CreateIpNetEntry
CreateNamedPipeW
CreateStreamOnHGlobal
CreateTimerQueue
CreateToolbarEx
CryptUIDlgCertMgr
CryptUIDlgViewCRLA
CryptUIDlgViewCRLW
CryptUIDlgViewCTLW
CryptUIDlgViewSignerInfoW
CRYPTUI.dll
CryptUIFreeViewSignaturesPagesA
CryptUIGetViewSignaturesPagesA
CryptUIWizBuildCTL
CryptUIWizExport
CryptUIWizFreeDigitalSignContext
%C=V?.A
_(d0eIP.
D0PzhH
D<a89~
@.data
DDMGetPhonebookInfo
DefMDIChildProcA
D|EhfB
DeleteClusterGroup
DeleteClusterResourceType
DeleteIpForwardEntry
DeletePrinterDataW
DeletePrinterDriverExA
DeletePrintProcessorA
DeletePrintProvidorW
DeviceCapabilitiesA
DeviceMode
DEVICEMODE
DevicePropertySheets
DevQueryPrintEx
DllDebugObjectRPCHook
>D>M>V>_>h>q>z>
dpY\33
DrawInsert
DsDeregisterDnsHostRecordsA
;:-"e4
ecdwENP
ed18w=
e.%Jhl
:E:K:{:
/$:e:l
EmptyWorkingSet
EndPagePrinter
EnumDeviceDrivers
EnumPrinterDataA
EnumPrinterDataExW
EnumPrinterDriversW
EnumProcesses
EnumResourceLanguagesW
:':?:E:N:Z:c:o:x:
!+et|M
FFWV^_ZH
FileTimeToSystemTime
FindClose
FindFirstVolumeMountPointA
FindNextVolumeMountPointW
FindResourceExA
FlatSB_GetScrollInfo
FlatSB_GetScrollProp
FlatSB_SetScrollRange
FlushFileBuffers
fOl;[U
F-u$Lm@[
+Fx"EF
gC~	hP
GetAdapterOrderMap
GetClusterFromResource
GetClusterGroupKey
GetClusterInformation
GetClusterNetInterface
GetClusterNetInterfaceKey
GetClusterNetworkKey
GetClusterNetworkState
GetClusterResourceState
GetConvertStg
GetDeviceDriverBaseNameA
GetDeviceDriverBaseNameW
GetDeviceDriverFileNameA
GetDeviceDriverFileNameW
GetEnvironmentVariableA
GetFileTime
GetFormA
GetFormW
GetIfEntry
GetIpForwardTable
GetModuleBaseNameW
GetModuleFileNameExA
GetModuleFileNameExW
GetNodeClusterState
GetNumberOfInterfaces
GetOleaccVersionInfo
GetPrinterDataExW
GetProcessShutdownParameters
GetStateTextA
GetStateTextW
GetStringTypeExA
GetTimeFormatA
GetUdpTable
GetVolumeInformationA
GetWsChanges
GIZ~IQ
@; gJ~
(GQ_e'G>
g$^TF7
*gv.V(
+?_GvV
h.18|U
H3U;cm
HBITMAP_UserMarshal
HDC_UserMarshal
HDC_UserSize
{/^h eB
HMENU_UserFree
HMETAFILEPICT_UserFree
HPALETTE_UserMarshal
Hpt^E>
>?>H>Q>W>
HR#shL[E
HWND_UserFree
HX*1>5Y
^?hx!B
~)hX+B
\i4cB#[
I_BrowserQueryStatistics
I_BrowserResetNetlogonState
ImageList_Add
ImageList_DrawEx
ImageList_GetBkColor
ImageList_SetFlags
ImageList_SetImageCount
IMM32.dll
ImmAssociateContext
ImmCreateSoftKeyboard
ImmDestroyContext
ImmDestroyIMCC
ImmEnumInputContext
ImmEnumRegisterWordA
ImmGetCandidateListA
ImmGetCandidateListW
ImmGetCompositionStringA
ImmGetCompositionStringW
ImmGetConversionListW
ImmGetDescriptionW
ImmGetHotKey
ImmGetImeMenuItemsW
ImmGetRegisterWordStyleA
ImmGetRegisterWordStyleW
ImmInstallIMEW
ImmIsUIMessageA
ImmLockIMC
ImmRequestMessageA
ImmRequestMessageW
ImmReSizeIMCC
ImmSetCompositionFontA
ImmSetCompositionFontW
ImmSetStatusWindowPos
ImmUnregisterWordW
I_NetLogonControl
I_NetServerPasswordGet
InitializeProcessForWsWatch
InterlockedIncrement
InternalGetIfTable
InternalGetIpForwardTable
InternalGetIpNetTable
InternalGetUdpTable
InternalSetIfEntry
InternalSetIpStats
InternalSetTcpEntry
IPHLPAPI.dll
IpReleaseAddress
IpRenewAddress
I_RpcPauseExecution
I_RpcReallocPipeBuffer
I_RpcTransConnectionFreePacket
IsDebuggerPresent
IsValidCodePage
IUnknown_QueryInterface_Proxy
I_UuidCreate
~.:;jE
JGb &Jg
|jh0#B
>jo/}H
-JRL;x
jS ,bu][+
JS!fa1
KERNEL32.dll
k>Jil7
;LedTP_
l'(f1	
@l$h,iB
Lm	h''
LocalFree
LqhleB
"Mhh&B
Microsoft Visual C++ Runtime Library
"""Mjm
MPR.dll
MSACM32.dll
mszK"Uk`lok?
M}];{u
MultinetGetConnectionPerformanceW
mWbsg4
:M:Y:_:h:t:}:
n6do!s
n8![4l
n9GDhT
NDRCContextMarshall
NdrComplexStructFree
NdrConformantVaryingArrayBufferSize
NdrContextHandleInitialize
NdrDllGetClassObject
NdrFixedArrayBufferSize
NdrFullPointerXlatInit
NdrInterfacePointerMemorySize
NdrPointerBufferSize
NdrServerInitializeNew
NdrSimpleStructFree
NdrVaryingArrayFree
NdrXmitOrRepAsFree
NetAlertRaiseEx
NETAPI32.dll
Netbios
NetDfsGetInfo
NetDfsRemoveStdRoot
NetErrorLogRead
NetFileGetInfo
NetGetDisplayInformationIndex
NetGroupAdd
NetLocalGroupAdd
NetLocalGroupDelMember
NetLocalGroupSetMembers
NetQueryDisplayInformation
NetReplExportDirSetInfo
NetReplGetInfo
NetReplImportDirEnum
NetReplImportDirLock
NetReplImportDirUnlock
NetServiceEnum
NetShareGetInfo
NetUseGetInfo
NetUserAdd
NetWkstaGetInfo
NetWkstaTransportEnum
NotifyRouteChange
NTTimeToNTPTime
nzAd8-w[
\%O'| 
ObjectFromLresult
od]TMt
OfflineClusterGroup
O<h0nB
@[oH~3
^oh<	B
OLE32.dll
OLEACC.dll
OleBuildVersion
OleGetIconOfFile
OleSetClipboard
OpenClusterNetwork
OpenClusterNode
OpenProcess
OpenSemaphoreW
{(Ow$,
p}3&qY
p5<GWg<$
p@){'6
Pai5\v
pc{EW^X
,Pd10!s
p	Ff:^
PropStgNameToFmtId
PSAPI.dll
;";p;y;
pzUZCb
qa7*	 
qaf8ar
%QDaB/
,?q-ef
q~hXfB
QH]\Y,
qHYh<eB
Ql\y( k
QL?]&	}z
~+Q	M	
q^!]*P
[q=R=D
|=QtWP
QueryColorProfile
QueryWorkingSet
qUiwP*
R9#4hPmB
_rA^CrfPO~E
RASAPI32.dll
RasConnectionNotificationA
RasCreatePhonebookEntryA
RasDialW
RasEnumConnectionsA
RasEnumConnectionsW
RasEnumDevicesW
RasFreeEapUserIdentityW
RasGetConnectStatusW
RasGetEapUserDataA
RasGetEntryHrasconnW
RasGetSubEntryHandleA
RasGetSubEntryPropertiesA
RasHangUpA
RasQuerySharedAutoDial
RasQuerySharedConnection
RasSetCredentialsA
RasSetCredentialsW
RasSetEntryDialParamsA
RasSetEntryPropertiesW
RasSetSubEntryPropertiesW
ra]VM[
`.rdata
@.reloc
RemoveClusterResourceNode
ResetPrinterA
RpcAsyncGetCallStatus
RpcBindingFromStringBindingW
RpcCancelThreadEx
RpcEpResolveBinding
RpcMgmtEpEltInqDone
RpcMgmtSetCancelTimeout
RpcNetworkInqProtseqsA
RPCRT4.dll
RpcServerUnregisterIf
RpcSmClientFree
RpcSsSetClientAllocFree
RtlZeroMemory
~S,2iC
ScheduleJob
SetClusterResourceName
SetCurrentDirectoryA
SetFileAttributesW
SetFormW
SetHandleInformation
SetIpStatistics
SetIpTTL
SetMessageWaitingIndicator
SetPortW
SetPrinterDataExW
SetSystemTime
SetTcpEntry
SetTimerQueueTimer
:SGv*GJ
SLRJSub
SNB_UserMarshal
!s(rPp#.8M!
StgConvertVariantToProperty
StgCreateDocfileOnILockBytes
StgIsStorageFile
StgPropertyLengthAsVariant
StringFromCLSID
SWDD'B
s'XEhT
@t-)2(
T45fXN
!This program cannot be run in DOS mode.
#tJ)Jc
t%Lh"%
TOh\(B
TowerExplode
_TrackMouseEvent
tzc"mvTD
uAG.hL$B
:-]u[C
U@l.lj
UpdateResourceA
USER32.dll
UuidToStringA
U!y	j|
v5nS(3
?V?\?d?m?y?
VFa-h,fB
vJ#|78(
}|VkR	
vLr;Lc
V@-z"ci
WaitForSingleObject
WaitNamedPipeA
"@W,,d(
wDN=!@
wgiPd	
^w"Hf(>'
WINSPOOL.drv
WNetAddConnection2W
WNetAddConnectionA
WNetAddConnectionW
WNetCancelConnection2W
WNetCloseEnum
WNetConnectionDialog1W
WNetDisconnectDialog
WNetDisconnectDialog1W
WNetEnumResourceA
WNetEnumResourceW
WNetGetConnectionW
WNetGetNetworkInformationA
WNetGetResourceParentW
WNetGetUniversalNameW
WNetOpenEnumA
WriteStringStream
WRLwa5N
WTSAPI32.dll
WTSCloseServer
WTSDisconnectSession
WTSEnumerateProcessesA
WTSEnumerateProcessesW
WTSEnumerateServersA
WTSEnumerateServersW
WTSEnumerateSessionsW
WTSFreeMemory
WTSLogoffSession
WTSOpenServerA
WTSOpenServerW
WTSQuerySessionInformationA
WTSQueryUserConfigA
WTSSendMessageW
WTSSetSessionInformationA
WTSSetUserConfigA
WTSSetUserConfigW
WTSShutdownSystem
WTSTerminateProcess
WTSVirtualChannelClose
WTSVirtualChannelPurgeOutput
WTSVirtualChannelRead
WTSVirtualChannelWrite
WTSWaitSystemEvent
WV^__WV^_
wW$a/?@7
XCp8_W
XcvDataW
X[<W=D
YArjxfz
yieg7.z
z\h`gB
(Z	IW@