Analysis Date: 2014-04-20 23:31:51
MD5: 8bbfb3918569a44fbe2f4a53f754a04d
SHA1: e3b6df3b66adfcc27152fe75ae613adda93e308f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 561991799eddc88b0d428957b6026a8a sha1: 1a056fdb185b80d8efc0b0f1141c455bec16dd2d size: 117760
Section .rsrc: md5: 39142d40d2b72afef23a86fa59a8611e sha1: 8de34dcc9c26fc707bcdfa01068b92a930c2e462 size: 10752
Timestamp: 2029-10-13 15:59:23
Version:
LegalCopyright: Microsoft Corporation
InternalName: charmapnt
FileVersion: 1.00.0006
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Corporation
Comments: Mapa de caracteres NT
ProductName: Mapa de caracteres NT
ProductVersion: 1.00.0006
FileDescription: Mapa de caracteres NT
OriginalFilename: charmapnt.exe
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 222748817c7c8e82bdbfaa98302d3b6f7686c188
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV clamav: Trojan.Spy.Banker-977
AV avira: TR/Spy.Banker.Gen
AV mcafee: packed
AV avg: Generic19.BAMC
AV msse: TrojanSpy:Win32/Bancos

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\windows\charmapnt.exe
Creates Process: c:\windows\charmapnt.exe

Process
↳ c:\windows\charmapnt.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Mapa de caracteres para NT ➝
"c:\windows\charmapnt.exe"\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: C:\WINDOWS\ieupdate.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCAD2.tmp
Creates File: \Device\Afd\AsyncConnectHlp

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: smtp.mail.yahoo.com.br
Type: A
Flows: TCP 192.168.1.1:1031 ➝ 188.125.69.59:25
SMTP: alten003@bol.com.br

Raw Pcap
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a646e 4a686257 397a4d54 45304e41   ..dnJhbW9zMTE0NA
0x00000030 (00048)   3d3d0d0a 4d544530 4d7a6334 0d0a4d41   ==..MTE0Mzc4..MA
0x00000040 (00064)   494c2046 524f4d3a 3c767261 6d6f7331   IL FROM:<vramos1
0x00000050 (00080)   31343440 7961686f 6f2e636f 6d2e6272   144@yahoo.com.br
0x00000060 (00096)   3e0d0a52 43505420 544f3a3c 7061636f   >..RCPT TO:<paco
0x00000070 (00112)   74343434 40626f6c 2e636f6d 2e62723e   t444@bol.com.br>
0x00000080 (00128)   0d0a5243 50542054 4f3a3c61 6c74656e   ..RCPT TO:<alten
0x00000090 (00144)   30303340 626f6c2e 636f6d2e 62723e0d   003@bol.com.br>.
0x000000a0 (00160)   0a444154 410d0a46 726f6d3a 20434f4d   .DATA..From: COM
0x000000b0 (00176)   50555445 522d5858 58585858 4070726e   PUTER-XXXXXX@prn
0x000000c0 (00192)   2e636f6d 2e62720d 0a546f3a 2070726f   .com.br..To: pro
0x000000d0 (00208)   636c6965 6e746540 70726e2e 636f6d2e   cliente@prn.com.
0x000000e0 (00224)   62720d0a 44617465 3a205375 6e646179   br..Date: Sunday
0x000000f0 (00240)   202c2032 30204170 72203230 31342030    , 20 Apr 2014 0
0x00000100 (00256)   393a3436 3a313920 504d0d0a 5375626a   9:46:19 PM..Subj
0x00000110 (00272)   6563743a 20417669 736f2021 20212021   ect: Aviso ! ! !
0x00000120 (00288)   20203230 2f30342f 31342032 313a3436     20/04/14 21:46
0x00000130 (00304)   0d0a582d 4d61696c 65723a20 4d696372   ..X-Mailer: Micr
0x00000140 (00320)   6f736f66 7420436f 72706f72 6174696f   osoft Corporatio
0x00000150 (00336)   6e202d20 4d696372 6f736f66 740d0a0d   n - Microsoft...
0x00000160 (00352)   0a20200d 0a457272 6f3a206e 6f206167   .  ..Erro: no ag
0x00000170 (00368)   75617264 6f20646f 20706167 2e20646f   uardo do pag. do
0x00000180 (00384)   20646f77 6e6c6f61 642c2065 20766169    download, e vai
0x00000190 (00400)   20706167 61722e2e 2e0d0a4d 73672064    pagar.....Msg d
0x000001a0 (00416)   61207665 7273e36f 2e3a2031 2e302e36   a vers.o.: 1.0.6
0x000001b0 (00432)   0d0a0d0a 2e0d0a0d 0a515549 540d0a     .........QUIT..


Strings
040904B0
1.00.0006
charmapnt
charmapnt.exe
Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
Mapa de caracteres NT
Microsoft Corporation
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO