Analysis Date: 2015-01-16 07:40:19
MD5: 4161ce8528307292cef640c04fddca69
SHA1: e44179077e474caf236f89df8d0cc8fc84eec48b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 48d1d099c7aea0051a6e11a71ba3d2a8 sha1: a28e164c39489f7e62cb00f18fa97be9cadd3289 size: 48640
Section .rdata: md5: f90366e6e39f0f983a5b68e36aadcdc0 sha1: 415954f41b40b0d79232b872f80debd611bc1a13 size: 6656
Section .data: md5: c5c653dd925ddfa044b22ce9205fc583 sha1: bcaa1708496445ca3f816eac94c442d0506a2665 size: 310272
Section .rsrc: md5: f6e3c519ca5e7bc141d98420b4cd5c7a sha1: 5e9a721c0b5c3c368fd5d5dcf5e065367757e387 size: 15360
Timestamp: 2013-01-15 12:51:20
Packer: Microsoft Visual C++ 5.0
PEhash: 94cdf794f3c896507f1b648d6073188d63b52424
IMPhash: abf2c5b7c247d1697bb1d43f2a2f3955
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Zusy.33253
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Zusy.33253
AV Authentium: W32/A-79740ee1!Eldorado
AV Avira (antivir): TR/Agent.382234
AV BullGuard: Gen:Variant.Zusy.33253
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Agent-140204
AV Dr. Web: Trojan.PWS.Ibank.456
AV Emsisoft: Gen:Variant.Zusy.33253
AV Eset (nod32): Win32/Kryptik.ASHU
AV Fortinet: W32/Kryptik.UUD!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.33253
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Shiz
AV K7: Trojan ( 0040f0751 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Simda
AV MicroWorld (escan): Gen:Variant.Zusy.33253
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_SPNR.35BR13
AV VirusBlokAda (vba32): Backdoor.Shiz

Runtime Details:

Process: C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝
C:\malware.exe:*:Enabled:Windows Explorer\\x00
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\c059900a ➝
DM\\xbd\\xa7c\\xb18\\x8a\\xaf\\xe9q\\x89Z\\x8e\\x1c\\xdd^\\x84\\x8396W\\xd8\\x85\\xda\\xd75>\\xf6z\\xe9P\\x15\\x93\\xf1\\x07\\xaa\\xeb\\xc8\\xcc\\x0f\\xae\\xb8\\xe0\\x0b\\xaa\\xe0\\x935\\xe5\\xfb\\x1b\\x7f\\x15\\x8fi\\x11-\\x9C:\\xbd\\xde\\xa2\\xcd\\x8ds\\xb66\\xc3\\x02+\\xd1\\xefb\\xfd\\x15.\\xd3n.\\x0b\\xb3z.\\x86\\x03\\x83V9\\xde\\x0e\\xde.\\xc5\\xea\\x8b\\x9d\\xcf\\xde"\\x0b6n9\\x96Y\\x9d\\xc3\\xab_6\\xf9^\\xcf:}1\\x9a\\xce\\xa1\\x95\\r\\x9a\\x85%9\\xd1B\\xfa\\x8f\\xcb\\xd5\\x8fv\\xabka\\t>\\xd2-\\xf6\\xbb\\x0f\\xb3\\x87K\\xc9\\xde\\x15\\xf1\\xcfq\\xc5\\xb5~\\xf6\\x11\\x86E~\\xbe/\\xed\\xbe=\\xc2\\xfd\\x1e\\x19\\rVfy\\xd5\\xb2\\x05\\t%\\xd5\\xfa\\x817F\\x96\\x93\\xf9}vr\\xea\\x06\\x8dW\\x95%\\x86\\xdfn\\xf3\\x1f\\xb25\\xf6\\x93\\x82\\x91c\\x7f~\\x07\\xf6E\\x8eM\\xc9>\\x06\\xc1\\xa3"\\xddk:\\xef\\x86\\xab\\x1a\\x86K\\xb9S\\xde\\x86\\xcd\\x8a\\xabN\\xee\\xf3S\\xee\\xad\\xdf\\xda\\xb6\\xa5\\xe6\\x157\\x96\\xeds\\x0e\\xb2\\xa1\\xf5[\\x86\\x89
Creates File: PIPE\lsarpc
Creates Mutex: MicrosoftSysenterGate8

Network Details:

DNS: any.edge.bing.com
Type: A
204.79.197.200
DNS: www.bing.com
Type: A
DNS: diviguw.info
Type: A
DNS: gahepas.info
Type: A
DNS: keromij.info
Type: A
DNS: jecukyn.info
Type: A
DNS: fotavoz.info
Type: A
Flows TCP: 192.168.1.1:1033 ➝ 204.79.197.200:80

Strings:
.
C::::% BbmHpAadYySMI-- 
"X......
*.*
F
.
r
d.
.
(
.@
.
.
...l
.
g9
*
*..
..J
.J......
*.**
         (((((                  H
jjjj
\-+:_=
0<4H5<
08tH88tH
"0f_>l
0H{kAW
0NLhINK}?
"%_0R;
0##VXA
0Xm-j:
0Y \p<
;<%0zY_
^"@1*{
1AABBf
1e]S5^
1*!kA"
1r`Niga.
 ~]&1v|
2~?j;'=
2#V^Pc
;2. wf
2!+`xm
|3K2_U\{
[3>/%o
3T2LMM
3XWH[n`
]3Y}83-
"3y[V&
4P\2+q
4[P>\/8
4xW)L^"
 56;S+
58k!58{?
5'c1pP
5c*C/dG
_5/%lQ
5qgX8h
5RJD	d
5U1p-_
@5YUW\
6,3&U	P
69xxaN'u
6l{wc.
6LxH9Z
74<v^h
7\@#I'
7*VA7o^
!7ZcG5`
8&{nGZ
,|%8O-
}8U,+r
8W8~2Y
8|Yg|#
8zB|[ Q
%#99L"
9K6&(-d^
9l^3E@
9L5.9|@
9l\83lq`
!9m5p~
9"n~X7
9<[*+P
9=Sc}v
9U/3&{
'^&A& 
$'	+AB
abnormal program termination
AdjustTokenPrivileges
ADVAPI32.dll
A!Fe<2
aGtd'|
america
american
american english
american-english
AM~eua
%<amg%+T+
Ami^Hb$
amsAy*<xW|
]A%*q-
aq(p2,
Argentina
August
Australia
australian
Austria
av&viM\
a	WJP%
b8YcT5
BackupEventLogA
Basque
BBm,%m
bCeCT%
"Beh,|/
belgian
Belgium
Bg}o]y
(bgq^-
bhZ1nV
:'>/bi
b>ig.t;#d(
Bl]lJr2`
bootdisksig
b>,':P"
?bpuMvZ
bQ~;vF
britain
bS3%e;p
bT<RYG
bVTgYb
BY4lf[jpM:
{>}/\C"
c0YR^ 
C3dT|r]~
Canada
canadian
CC,X&>
cF:W\L<[
|:CGs+
Cg?Zu 6
chinese
chinese-hongkong
chinese-simplified
chinese-singapore
chinese-traditional
CLK_SYN_STOP
cO3f_z
Colombia
CompareStringA
CompareStringW
Costa Rica
CPRich
CreateEventA
CreateEventW
CreateFileMappingA
CreateMutexA
CreateSemaphoreA
>Cu28V
cw)DNe-Q
c&>~}z
,"cz;o
,D`0*s
D,3Fb\
d9uc1Q
@.data
>DataModeInData
dddd, MMMM dd, yyyy
December
DeleteCriticalSection
DeleteFileW
dHH84H
]dHSjl`t
>dK2b>
! ^D;l
d|n?>#X
DOMAIN error
Dominican Republic
d^R00Lq
DuplicateToken
dutch-belgian
	DYg(~}
e6/*bV
Ecuador
eh*M@FO1u
EJsaW:'Y
*#En9&
Ending TRN: MSE = -%d.%d dB
england
English
english-american
english-aus
english-belize
english-can
english-caribbean
english-ire
english-jamaica
english-nz
english-south africa
english-trinidad y tobago
english-uk
english-us
english-usa
EnterCriticalSection
EnumServicesStatusA
EnumSystemLocalesA
EQT\hy
ET{=\Z
?+EvO<wV0w,
{[e\xc
ExitProcess
e)yp)^
	f(54u*
{-{f6&6
,f9=<I
FatalAppExitA
F)dfb_L
February
")'Ff<
>,FF8	
f H*s+
F)i_94J
FindCloseChangeNotification
FindNextFileW
Finland
Finnish
F@j@Ph
&F.l@^
- floating point not loaded
F ORE`
FPgUzN
F PjPWj
F$PjQWj
F.PjRWj
F*PjTWj
F+PjUWj
F,PjVWj
F-PjWWj
France
FreeEnvironmentStringsA
FreeEnvironmentStringsW
French
french-belgian
french-canadian
french-luxembourg
french-swiss
Friday
FrSL=p\s
)fxE=u~r
F'}XnL+
f+>Z$	w
g 7/P.
German
german-austrian
german-lichtenstein
german-luxembourg
german-swiss
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileSecurityA
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetTimeZoneInformation
GetUserDefaultLCID
GetUserNameW
GetVersion
GetVersionExA
GetVersionExW
GlobalAlloc
GlobalFree
__GLOBAL_HEAP_SELECTED
GlobalLock
GlobalUnlock
great britain
Guatemala
:gv(<4HbX
%g]`X#
H 8TH 0TH
(/h",aI#
h%bN@^v
Hc#cI})C
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
h@g>67
HHtiHtGH
-HJ53}
HjC@?o
HjdQd+
"Hl$|M
H:mm:ss
holland
hong-kong
h ;r3q
HtHHt(
HtOHt)H
?*H;,W
I4H6ab!
Iceland
Icelandic
I%CG:}
!I:[Ek0
If]X{i&
ig$g'}
I{;hKE
~*IJ'3
ij}}?w
IKzh$uu
il61jj
i_]\mH
InitializeCriticalSection
InterlockedCompareExchange
InterlockedDecrement
InterlockedIncrement
irish-english
is"(61
IsBadWritePtr
IsValidCodePage
IsValidLocale
IsValidSid
italian-swiss
It[IItM
IxM	)8
{J0"3Q
]J1V"^
Jaig`[\
JanFebMarAprMayJunJulAugSepOctNovDec
January
jdOK#2^
jeCd[KLX
jEpX(L
<,)Jf`
jF((Wi
jgyA[l$
jgz6E	
j(ikv(y
Jj>vH6
jKEpC	Ex
jKo:DN
j#}o0h
Jr(0%nV
,!$JR9*
!J$$Z&#
=j?Z4#
(K9t`P
:>$^kB5
KERNEL32.dll
KG7zoOA}
kJ);W`
K ki28
kK@zH6
kL:%np
Kp}U.~
K&t61T1
!ku|<T
LC_ALL
LC_COLLATE
LC_CTYPE
LCMapStringA
LCMapStringW
LC_MONETARY
LC_NUMERIC
lCR^)B
lCs<&	
LC_TIME
le2{09
LeaveCriticalSection
L'ePA]
l<+@-g
ljsI\~
LoadLibraryA
LocalAlloc
LockResource
L+#QnX
L	R^s{>
l)~="s!
*l\TP,
Luxembourg
l#z{FJ
M/d/yy
MessageBoxA
Mexico
M[H"@[2
Microsoft Visual C++ Runtime Library
MJ&GOB/.
mmSSw9
%m*n`{
Monday
Mp_{9c
=M_}?Q
M!@%r`3
mr=o}m
__MSVCRT_HEAP_SELECT
(mtP\a
Mu30Yc
MultiByteToWideChar
mW45]0
mZ2umX
.>n&/4
('@N4'
N6AdZTz
nb@"(tO
new-zealand
N|H;(tq
norwegian
norwegian-bokmal
norwegian-nynorsk
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
nQfl<?
?N=tH+
N,Tv5r
n"XL]fR0
%n	YKl
'&?*O2rm
 o5Z,B
&,Ob)So
 '!oC(
October
o:!~gXO?|^n
OhCQ.(
O_]H%M\R
O=mt%g>
OP|C$?PO
OrIL=)
][,O}X
Ox#3S)
OYn|tM
oz*cEWo
P\8XK~
Panama
Paraguay
p.A`T_
plm9gm
portuguese-brazilian
Po.z*e`
PPPPPPPP
P\/>Q})T
pr china
pr-china
Program: 
<program name unknown>
PS.z*q
puerto-rico
- pure virtual function call
p#vOQc
(qBXdk
QCt6{![
q=e?(g
=/Q>eJ
q?NjR 
QPu%W9h
Q?pvp#
QQSVW3
QQSVWj
qQzZ;z]
QueryServiceStatus
QwA.R{
!r4`N#
%R~'7v
\r /9aC
}[/ ra
RABzm]
/R D6j
`.rdata
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyA
RegEnumKeyExW
RegOpenKeyExA
~-$RJ:
rJc^JUn[
<Rp 8TH
Rp"_8W
r^./}t
Rt4_}*>
r>]T6o
RtlUnwind
runtime error 
Runtime Error!
R;X>c}
=r	x~N
&Rz7\p
S6&UuG
s~9i:8
sAFd	J
Saturday
September
SetEnvironmentVariableA
SetFilePointer
SetFilePointerEx
SetHandleCount
SetLastError
SetMenuContextHelpId
SHELL32.dll
SHFileOperationW
SING error
slovak
south africa
south-africa
South Africa
south korea
south-korea
Spanish
spanish-argentina
spanish-bolivia
spanish-chile
spanish-colombia
spanish-costa rica
spanish-dominican republic
spanish-ecuador
spanish-el salvador
spanish-guatemala
spanish-honduras
spanish-mexican
spanish-modern
Spanish - Modern Sort
spanish-nicaragua
spanish-panama
spanish-paraguay
spanish-peru
spanish-puerto rico
Spanish - Traditional Sort
spanish-uruguay
spanish-venezuela
STATUS_COPY_PROTECTION_FAILURE
Sunday
SunMonTueWedThuFriSat
Sweden
Swedish
swedish-finland
Switzerland
s&xM,+z
Tcad~h#j
tDYiyV
tEj@Vh
TerminateProcess
,T"[GX
T(@He3
!This program cannot be run in DOS mode.
Thursday
tkz5}g
tl1FxNiE
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tn<%t2
?/t=O@
TOF?.IG
TOLO>]
trinidad & tobago
TT@a5_M,
t.;t$$t(
Tuesday
tu Rj|
;<)}tvZ
TW&7W.
t/WWUPj
T<X#yt&J
`*uE~|
uf9=`H
>:u#FV
u!/$H_
	U -"Hx
u,i<N(
)uJB?b
uK*1z"
	u?l]G
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
united-kingdom
united-states
unP#A$J
uo(U3X
Uruguay
user32.dll
USER32.dll
u+.t\QX
Uu*`oo
uy+%,[
v3?K`#q
v%3PDD%
V'a*M`
v*]Az*
VC20XC00U
ve8CT8f
Venezuela
VirtualAlloc
VirtualFree
VJZ4e~t~
vKz&*KR 
#V	;MG
vMO:xt
-	v,o"e.
vQeX2<
v.T=4i
Vtvj0j
W;0hP0
W/(0Sj
WaitForSingleObjectEx
wD&v&rk
WE+9gu
wED:].
Wednesday
w+H4R{
WideCharToMultiByte
W?k_(Kp
w|O6'R
>Wpb10qo
WQj1Pj
WriteConsoleW
WriteFile
ws8!@Bdn
	Ws+/Z
Wu|qS2
"WWShT
w:yc;{
^X1fk6
-,x	2*`s
xA>-dP=
x}lr0l
`^'=Xm
x&Mb}H
x"P,qi
XtE{M#
%YG=nfZ
~Yi;eak
yM# #_
yMty&!
yT-2W<
Y&wlIhp
:\`yzI
z2*>av
<zA]> 
(ZBw?l
Zc\!UT
"'Z`IO
zjkmVS
`zKR`B
^Z)omCgS
z*u.IL
zu^SSS
zx:"MD