Analysis Date: 2014-07-02 06:20:02
MD5: 31cc25fed16bcc7aaaee3c1e45dc5b46
SHA1: de682ff672a71557e6d32f231a6c99cb28dab618

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cfecf1513bd3e018131e28475dde644e sha1: 08ed6b1e916a49a5be0eafe7f60933e84751778a size: 3072 bytes
Section .rdata: md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024 bytes
Section .data: md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536 bytes
Section .rsrc: md5: d0d5a8f5fb14a7c2b3cb23213275904d sha1: 5e4e19c9915079d206b6039c64fac9416078707a size: 40960 bytes
Timestamp: 2014-06-12 06:26:50
Version:
LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: ca00d69e4af8b337f91720bec6752ab2001b1a97
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV 360 Safe: Trojan.Dropper.Agent.VNI
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Alwil (avast): Kryptik-NXT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CEET
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Grisoft (avg): Crypt3.YLO
AV Ikarus: Trojan.Dropper.Agent
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.grp!hi
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Norman: winpe/Suspicious_Gen4.GOLYG
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
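
The section table and the import names in the strings dump support two static checks that are worth reproducing by hand: the imphash construction behind the IMPhash value, and the layout a 3072-byte .text beside a 40960-byte .rsrc suggests when FindResourceA and LoadResource are imported (a small loader stub with its payload in resources, which is what generic vendor names such as Kryptik and Crypt3 usually mean). The Python below is an added example, not the sandbox's own code. The section sizes are the ones reported above; the import list is reconstructed from the strings dump, which is sorted, so the order within each DLL is an assumption and the hash it produces is not expected to equal the report's IMPhash. The ratio threshold and import-count cut-off are assumed tuning values.

```python
"""Static triage from the section table and import names reported above.

Added example, not the sandbox's own code. Sizes come from the Static Details; the
import list is reconstructed from the strings dump, so its order is an assumption."""
import hashlib

SECTIONS = {".text": 3072, ".rdata": 1024, ".data": 1536, ".rsrc": 40960}  # bytes

IMPORTS = [  # (DLL, function); order within each DLL is assumed, see above
    ("kernel32.dll", "ExitProcess"), ("kernel32.dll", "FindResourceA"),
    ("kernel32.dll", "GetCurrentProcessId"), ("kernel32.dll", "GetModuleHandleA"),
    ("kernel32.dll", "GetProcessHeap"), ("kernel32.dll", "HeapAlloc"),
    ("kernel32.dll", "LoadResource"),
    ("user32.dll", "CreateWindowExA"), ("user32.dll", "DefWindowProcA"),
    ("user32.dll", "DispatchMessageA"), ("user32.dll", "GetMessageA"),
    ("user32.dll", "KillTimer"), ("user32.dll", "LoadCursorA"),
    ("user32.dll", "LoadIconA"), ("user32.dll", "PostQuitMessage"),
    ("user32.dll", "RegisterClassExA"), ("user32.dll", "SetTimer"),
    ("user32.dll", "ShowWindow"), ("user32.dll", "TranslateMessage"),
    ("user32.dll", "UpdateWindow"),
]

RESOURCE_APIS = {"FindResourceA", "FindResourceW", "LoadResource", "LockResource", "SizeofResource"}


def imphash_input(imports):
    """The string that imphash hashes: one 'dll.function' per import in import-table
    order, both lowercased, the DLL without its .dll/.ocx/.sys suffix, comma-joined."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.append(f"{name}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of imphash_input(); equals a report's IMPhash only for the true import order."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


def layout_profile(sections, imports, ratio_threshold=8.0):
    """Flag the crypter-stub shape: a small code section next to a much larger
    resource section, with resource-loading imports and a short import table.
    The ratio threshold and the import-count cut-off are assumed tuning values."""
    funcs = {func for _, func in imports}
    code, rsrc = sections.get(".text", 0), sections.get(".rsrc", 0)
    ratio = rsrc / code if code else float("inf")
    profile = {
        "rsrc_to_code_ratio": ratio,
        "loads_resources": bool(funcs & RESOURCE_APIS),
        "import_count": len(imports),
    }
    profile["crypter_stub_shape"] = (
        ratio >= ratio_threshold and profile["loads_resources"] and len(imports) < 40
    )
    return profile


if __name__ == "__main__":
    print("imphash over the assumed order:", imphash(IMPORTS))
    for key, value in layout_profile(SECTIONS, IMPORTS).items():
        print(f"{key}: {value}")
```

Because imphash depends on import-table order, two builds of the same stub with the same functions but a different import order hash differently; that is why a strings dump alone cannot confirm the report's IMPhash, and why the value is most useful for clustering binaries produced by the same builder, not for proving the import set.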

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\weajalbuhena ➝ C:\Documents and Settings\Administrator\weajalbuhena.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\drkassis[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\buergerzentrum-engelshof[1].htm
Creates File: C:\Documents and Settings\Administrator\weajalbuhena.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\charteronerealty[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\quintesis[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\atis-sk[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\harunachiro[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\webbworlds[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\yorkmfg[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kin-sei[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\deringharborrealty[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\buergerzentrum-engelshof[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\harunachiro[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\webbworlds[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\quintesis[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: weajalbuhena
Winsock DNS: takinoyu.net
Winsock DNS: tbssoft.com
Winsock DNS: charteronerealty.com
Winsock DNS: harunachiro.com
Winsock DNS: deringharborrealty.com
Winsock DNS: manten-shirasu.com
Winsock DNS: eurofilms.com
Winsock DNS: buergerzentrum-engelshof.de
Winsock DNS: oseuadvogado.com.br
Winsock DNS: drkassis.org
Winsock DNS: webbworlds.com
Winsock DNS: capacitacionypnd.com
Winsock DNS: hermann.cz
Winsock DNS: atis-sk.ca
Winsock DNS: yorkmfg.com
Winsock DNS: quintesis.com
Winsock DNS: bluecrushcommunications.com
Winsock DNS: kin-sei.com
Winsock DNS: mmnabytek.cz
Winsock DNS: makrocorretora.com.br

Network Details:

DNS: smtp.glbdns2.microsoft.com Type: A ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net Type: A ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net Type: A ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net Type: A ➝ 63.250.193.228
DNS: smtp.live.com Type: A (no address recorded)
DNS: smtp.mail.yahoo.com Type: A (no address recorded)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
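
Read together, the runtime and network entries describe a Run-key value pointing at a copy the sample dropped into the user profile, a mutex named after that copy, lookups for a long list of unrelated domains with pages from several of them written to the WinINet cache, and TCP connections to port 25 of Microsoft and Yahoo mail servers, which is consistent with the spam-bot family name one vendor assigned (Cutwail). The Python below is an added example, not code from the sandbox or the report: it parses a "Key: value" rendering of such entries (a constructed subset of the ones above, with "->" standing in for the arrow) and turns them into an IOC set plus named findings a detection engineer can act on. The fan-out threshold is an assumed tuning value.

```python
"""Turn the runtime and network entries of a sandbox report into IOCs and findings.

Added example, not the sandbox's own code. SAMPLE_REPORT is a constructed "Key: value"
rendering of a subset of the entries above, with '->' standing in for the arrow."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

LINE_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
FLOW_RE = re.compile(r"^[\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
DNS_RE = re.compile(r"^(?P<name>\S+) Type: \w+(?: (?P<addr>[\d.]+))?$")
DNS_FANOUT_THRESHOLD = 8  # assumed tuning value, not taken from the report

SAMPLE_REPORT = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\weajalbuhena -> C:\Documents and Settings\Administrator\weajalbuhena.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass -> 1
Creates File: C:\Documents and Settings\Administrator\weajalbuhena.exe
Creates Mutex: WininetConnectionMutex
Creates Mutex: weajalbuhena
Winsock DNS: takinoyu.net
Winsock DNS: charteronerealty.com
Winsock DNS: harunachiro.com
Winsock DNS: deringharborrealty.com
Winsock DNS: eurofilms.com
Winsock DNS: buergerzentrum-engelshof.de
Winsock DNS: drkassis.org
Winsock DNS: webbworlds.com
DNS: smtp.glbdns2.microsoft.com Type: A 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net Type: A 98.138.105.21
DNS: smtp.live.com Type: A
Flows TCP: 192.168.1.1:1031 -> 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 -> 98.138.105.21:25
"""


def parse_report(text):
    """Group report lines by entry type, e.g. events["Creates File"] -> [paths]."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["key"]].append(m["value"])
    return events


def triage(events):
    """Return (findings, iocs); each finding is a (code, detail) pair."""
    findings, run_targets, ip_to_name = [], set(), {}
    iocs = {"files": set(), "mutexes": set(), "domains": set(), "ips": set()}

    # Persistence: a Run-key value whose data is an executable path.
    for entry in events["Registry"]:
        key, _, value = entry.partition(" -> ")
        if "\\currentversion\\run\\" in key.lower() and value.lower().endswith(".exe"):
            run_targets.add(value)
            findings.append(("run_key_persistence", f"{key} -> {value}"))

    # The Run target is a file the sample wrote itself: a dropped copy.
    created = set(events["Creates File"])
    iocs["files"] |= {p for p in created if p.lower().endswith(".exe")}
    for target in sorted(run_targets & created):
        findings.append(("dropped_persistence_target", target))

    # A mutex named after the dropped executable is a single-instance guard.
    iocs["mutexes"] |= set(events["Creates Mutex"])
    for target in sorted(run_targets):
        stem = PureWindowsPath(target).stem
        if stem in iocs["mutexes"]:
            findings.append(("mutex_matches_drop_name", stem))

    # Map answered A records back to names so the flows below can be labelled.
    for entry in events["DNS"]:
        m = DNS_RE.match(entry)
        if m:
            iocs["domains"].add(m["name"])
            if m["addr"]:
                ip_to_name[m["addr"]] = m["name"]
                iocs["ips"].add(m["addr"])

    # Outbound SMTP from a workstation: tcp/25 to the resolved mail servers.
    smtp_peers = []
    for entry in events["Flows TCP"]:
        m = FLOW_RE.match(entry)
        if m and m["dport"] == "25":
            smtp_peers.append(ip_to_name.get(m["dst"], m["dst"]))
    if smtp_peers:
        findings.append(("outbound_smtp", ", ".join(smtp_peers)))

    # Many unrelated domains resolved in one run: list them all as IOCs.
    lookups = set(events["Winsock DNS"])
    iocs["domains"] |= lookups
    if len(lookups) >= DNS_FANOUT_THRESHOLD:
        findings.append(("dns_fanout", f"{len(lookups)} distinct domains"))
    return findings, iocs


if __name__ == "__main__":
    found, indicators = triage(parse_report(SAMPLE_REPORT))
    for code, detail in found:
        print(f"[{code}] {detail}")
    for kind, values in indicators.items():
        print(f"{kind}: {len(values)} indicator(s)")
```

The outbound_smtp finding is the one to turn into a network rule first: a workstation opening tcp/25 to public webmail MX hosts is rare enough to alert on regardless of the sample hash, while the dropped file name and mutex only cover this build.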

Strings:
.
..
\

041904b0
]\4"
6,3,4,31
7,2,4,19
absence express different daughter
&accompanied Miriam
&adjuration--words dramatic
&agreeable
&always certain
amendment worrying
angelic
&answer continued
appears hours
&asked; experience
attempt Peter
&audibly spirit
&ballet--a
better Harsh
&caution
conscious
considered
conviction
Copyright (C) 2008
cried particular
Dallow silence
&damned richly
&dangerous
&declared necessity--without
degree simply
&differently
&diversion
drawing Grace believe intimate
effect nothing
&elapsed
electronically demands
&enough behind--Im
entered
entirely
&evidently moustache
&exhibitions
&existence reason
expressed
&expressed
fellow
field crabbed
FileDescription
FileVersion
&general
Harsh
her--if
&herself accused
herself perform
&himself
humbugging
hundred actress mother chin--a
&ill-timed prefers
imperturbably
importunity
&inquiries nature
inquiry
intended
interesting
&interesting encouragement
interests ridiculous
&interfere living
InternalName
interval should
&itself
kindly
large
&leaned
LegalCopyright
like--doing
meeting naturally
&mingled
Miriam
&Miriam
&misunderstood
&mouth
MS Shell Dlg
oddest
OriginalFilename
&outsider
&passion
Peter
picture
piece
&please Sometimes
portents
possible erect
prize simplified something
ProductName
ProductVersion
&propositions vehicle
public
rehearsal imperious penalty
&remember
&repeated--go
returned
&returned
RichEdit20A
&risked
&river to-morrow
should
sickly
sickly Application
sickly.exe
&sometimes crumble
sought truth;
&sounds
speech Project chance doubts
spending
steps
StringFileInfo
&stupid entertainer
suggestion
&surprised
SysListView32
Tahoma
&telling
&terribly should
&theatre
&things;
&thinks tendency
&thorough beautiful
&thrown
&together success
Translation
turned
understand
urgent beautifully beribboned
&uttered
VarFileInfo
VS_VERSION_INFO
&wanted
&way--so
&Wheatsheaf Rooth
&whether
which
window chance
&winter scene
wishing consciousness
&without
&woefully youth
wouldnt
0sz|)?]
1 ^JO--
1]?T2J
#3<:5!.PW_PV)-",+KDR]YVH
^3#V0[
) ",43
5O@PW]".);4L{ifz}ghh
@\6KV/
6}&,,Vp
76L3 Z
78$3INNIK4(/-*RE_Plkq
78NQYVP/+$"=MBdk_PV
7Qn)|zU
=7SL)YB
7vc,{;
^8>6PA
?_8+uX
9mp5%|
a##bU+
a(HdzW
=#*B[]`
!Bf~N5
^b@y?w
c199Gt
cQn&&<9i
CreateWindowExA
c(T	O^
@.data
DefWindowProcA
Df&B}d0	
DispatchMessageA
)D}j+&
EDQ/vx	17'px
ELsCq32
ExitProcess
FindResourceA
GetCurrentProcessId
GetMessageA
GetModuleHandleA
GetProcessHeap
h.d}CN
HeapAlloc
hx+BFt
 I:gY,K
(isA,b
 \J-c?
JG?CBI
~j"Rn+
*.!:+K5n
kernel32.dll
KillTimer
KTMIej!
KyW9`q
%L~HXT
LoadCursorA
LoadIconA
LoadResource
l+r>(}>Q
<M?GkE)cv
mZGIeIT
NAJpm(
nB9kdgfrwerbbbmddd
!*?O\J
On}KLoI
ooGO)[
P^`^mG~#W,
p%?o5G
PostQuitMessage
P#%QDv
<p&U:.
`.rdata
RegisterClassExA
r$.f6N/
=rjMAd
!{r^Un
rz\b !4
S1Sa1"
s@C0Ss
SetTimer
ShowWindow
!This program cannot be run in DOS mode.
&_T]i$_
tj4&e+
TranslateMessage
u:2A!Ru]9
Ui?;pT
UpdateWindow
user32.dll
UU1]IX
v?{d1.jk}
VGOxWV9
)VllwA
vnN5D"y
Vu*nC~
!w&\])
:Xc~BS
*Zbhb^r
>ZNV&#
zPI!<6#'
Z+v#+o
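
Most of this dump falls into a few classes: PE and version-info plumbing (the DOS stub text, section names, module names, the VS_VERSION_INFO keys and the 041904b0 block name), the imported API names, dialog-resource text (the RichEdit20A and SysListView32 window classes, the Tahoma and MS Shell Dlg font faces, and the '&'-prefixed labels, where '&' marks a menu accelerator key) padded with English prose, and short high-symbol fragments from the packed data. The Python below is an added example, not part of the report: it sorts a constructed subset of these strings into those classes, reports the decoy-text and junk ratios, and decodes 041904b0, the StringFileInfo block name, into its LANGID and code page (0x0419 is the Russian LANGID, 0x04B0 is code page 1200, UTF-16). The classifier regexes are assumed heuristics, not a published scheme.

```python
"""Sort a strings dump into PE plumbing, version info, import names, dialog-resource
text and junk, and decode the version-info language block.

Added example, not part of the report; SAMPLE_STRINGS is a constructed subset of the
dump above and the classifier regexes are heuristics, not a published scheme."""
import re
from collections import Counter

SAMPLE_STRINGS = [
    "!This program cannot be run in DOS mode.", "@.data", "`.rdata", "kernel32.dll", "user32.dll",
    "VS_VERSION_INFO", "StringFileInfo", "VarFileInfo", "Translation", "041904b0",
    "FileVersion", "7,2,4,19", "ProductVersion", "6,3,4,31", "sickly Application", "sickly.exe",
    "CreateWindowExA", "RegisterClassExA", "FindResourceA", "LoadResource", "SetTimer", "ExitProcess",
    "RichEdit20A", "SysListView32", "MS Shell Dlg", "Tahoma",
    "&Miriam", "&adjuration--words dramatic", "&Wheatsheaf Rooth", "&river to-morrow", "&things;",
    "absence express different daughter", "hundred actress mother chin--a", "Dallow silence",
    "imperturbably", "conviction", "wouldnt",
    "0sz|)?]", "#3<:5!.PW_PV)-\",+KDR]YVH", "7vc,{;", "nB9kdgfrwerbbbmddd", "KTMIej!", "P^`^mG~#W,",
]

VERSION_KEYS = {"VS_VERSION_INFO", "StringFileInfo", "VarFileInfo", "Translation",
                "FileVersion", "ProductVersion", "FileDescription", "ProductName",
                "InternalName", "OriginalFilename", "LegalCopyright"}
# Window classes and font faces that only occur in dialog templates.
DIALOG_NAMES = {"RichEdit20A", "SysListView32", "MS Shell Dlg", "Tahoma"}
DOS_STUB = "!This program cannot be run in DOS mode."
SECTION_RE = re.compile(r"^\W?\.(text|rdata|data|rsrc|reloc)$")
MODULE_RE = re.compile(r"\.(dll|exe|sys|ocx)$", re.IGNORECASE)
VERSION_BLOCK_RE = re.compile(r"^[0-9a-fA-F]{8}$")                 # LANGID + code page
VERSION_NUM_RE = re.compile(r"^\d+(?:,\d+){3}$")                     # e.g. 7,2,4,19
API_RE = re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z0-9]*)+[AW]?$")         # CamelCase Win32 name
WORDS_RE = re.compile(r"^[A-Za-z][A-Za-z' ;:,.()-]*$")               # prose: no digits/symbols


def classify(s):
    if s == DOS_STUB or SECTION_RE.match(s) or MODULE_RE.search(s):
        return "pe_plumbing"
    if s in VERSION_KEYS or VERSION_BLOCK_RE.match(s) or VERSION_NUM_RE.match(s):
        return "version_info"
    if s in DIALOG_NAMES:
        return "dialog_resource"
    if API_RE.match(s):
        return "api_name"
    if s.startswith("&") and WORDS_RE.match(s[1:]):
        return "menu_text"  # '&' marks the accelerator key in a menu/dialog label
    if len(s) >= 4 and WORDS_RE.match(s):
        return "word_text"
    return "junk"


def decode_version_block(name):
    """StringFileInfo block names are LANGID (4 hex digits) + code page (4 hex digits)."""
    langid, codepage = int(name[:4], 16), int(name[4:8], 16)
    return {"langid": langid, "codepage": codepage, "utf16": codepage == 1200}


def summarise(strings):
    counts = Counter(classify(s) for s in strings)
    total = len(strings)
    return {
        "counts": dict(counts),
        "decoy_text_ratio": (counts["menu_text"] + counts["word_text"]) / total,
        "junk_ratio": counts["junk"] / total,
        "apis": sorted(s for s in strings if classify(s) == "api_name"),
        "version_blocks": [decode_version_block(s) for s in strings if VERSION_BLOCK_RE.match(s)],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The useful output is the pair of ratios: a dump whose readable part is mostly '&'-labels and unrelated prose, with none of the URLs, registry paths or mutex names seen at runtime, is telling you the real strings are only reachable after unpacking, so the runtime section, not this list, is where the IOCs come from.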