Analysis Date: 2015-02-03 07:33:28
MD5: a24051595257bf983d7f5d973dfce273
SHA1: e1fba541e6fa4d8d40fb71aaa908f3460d575a61

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: be43ce9705786d901bfff49783ca6a9f sha1: ed68fcd85a095a1e2dff33438999b61b9065ec93 size: 6144
Section .rdata: md5: 6eb7aa63ed8ce1dbd8b84aaeed8c2f5e sha1: d3d9bfb224dcfffb94a31c8b59968d8d6dafaa13 size: 4096
Section .data: md5: 7a237414bca17cc7bb7b17d1c88a14e5 sha1: 949eefe07340bd245c7c3f6217eb4807721dfc26 size: 2560
Section .rsrc: md5: 140cc7d2885474cc4204c51bf28248f6 sha1: b0f1a169c6a5c652140499fbe21c0e4944bf4120 size: 15360
Section .reloc: md5: 5447435c5f649e64a9adff717eef33fb sha1: e6f281c806fabae6d36301474dc9581ea8d25663 size: 2560
Timestamp: 2005-07-07 03:02:38
PEhash: a6850475c05b3c440e153ddd260e7ad46206919f
IMPhash: 85c49d241c2cf8347788e334157735ee
AV: 360 Safe: no_virus
AV: Ad-Aware: Trojan.Agent.BHHY
AV: Alwil (avast): Downloader-VQV [Trj]
AV: Arcabit (arcavir): Trojan.Agent.BHHY
AV: Authentium: W32/Trojan.HXRH-3471
AV: Avira (antivir): TR/Cabhot.A.111
AV: BullGuard: Trojan.Agent.BHHY
AV: CA (E-Trust Ino): Win32/Tnega.MCXRWHB
AV: CAT (quickheal): no_virus
AV: ClamAV: no_virus
AV: Dr. Web: no_virus
AV: Emsisoft: Trojan.Agent.BHHY
AV: Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV: Fortinet: W32/Kryptik.CVBD!tr
AV: Frisk (f-prot): W32/Trojan3.NEX
AV: F-Secure: Trojan.Agent.BHHY
AV: Grisoft (avg): Downloader.Agent.16.AA
AV: Ikarus: Trojan-Downloader.Win32.Elenoocka
AV: K7: Error Scanning File
AV: Kaspersky: Trojan.Win32.Agent.ieba
AV: MalwareBytes: Trojan.Ransom.FileCryptor
AV: McAfee: Downloader-FAMV!A24051595257
AV: Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.C
AV: MicroWorld (escan): Trojan.Agent.BHHY
AV: Rising: no_virus
AV: Sophos: Troj/Dalexis-A
AV: Symantec: Downloader.Ponik
AV: Trend Micro: TROJ_DALEXIS.VG
AV: VirusBlokAda (vba32): Trojan.FakeAV.01657

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_74421.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\e1fba541e6fa4d8d40fb71aaa908f3460d575a61.rtf
Creates Mutex: 56730099
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.192.91
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.192.91:80

Raw Pcap


Strings