Analysis Date: 2014-08-08 15:40:21
MD5: 075d9c444ec0afe05e82c3d2abca2f89
SHA1: e443c5c05c2e02aa78f93ae10b558b3b89e8a510

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 15bc9d83c2a8aa80ed13307b100d294f  sha1: cf369bb8f43a76f521d2758d5514cea81d908778  size: 1024
Section .rdata  md5: 3b7e67fb1ccbaf9bb4216814816e91ba  sha1: a504a5735b53f6fc5724d26ba09482a9b5a539e1  size: 1024
Section .data   md5: 8589a20c5b7c3de3ece563f3962530f5  sha1: a560db31a64b2cb913c2f420f09dd8019f05ca82  size: 1024
Section .rsrc   md5: 27a97e19a326b7c570a25d609cac1905  sha1: 3d5b48d74ced5a02b552cdc4028a85a300a360c5  size: 42496
Timestamp: 2014-06-30 05:03:51
Version:
  LegalCopyright: Copyright (C) 2009
  InternalName: genius
  FileVersion: 8,2,3,23
  ProductName: genius Application
  ProductVersion: 2,3,3,22
  FileDescription: genius Application
  OriginalFilename: genius.exe
PEhash: 6e64e2bc7e9c5734cb990f59fdf8338784c8987d
IMPhash: f0855f86d5b3050322afa714b88b2ec1
AV results:
  360 Safe                         Gen:Variant.Graftor.144167
  Ad-Aware                         Gen:Variant.Graftor.144167
  Alwil (avast)                    no_virus
  Arcabit (arcavir)                no_virus
  Authentium                       no_virus
  Avira (antivir)                  TR/Dropper.Gen
  CA (E-Trust Ino)                 no_virus
  CAT (quickheal)                  TrojanDownloader.Cutwail.r4
  ClamAV                           no_virus
  Dr. Web                          Trojan.MulDrop3.14959
  Emsisoft                         Gen:Variant.Graftor.144167
  Eset (nod32)                     Win32/Kryptik.CFVL
  Fortinet                         no_virus
  Frisk (f-prot)                   no_virus
  F-Secure                         Gen:Variant.Graftor.144167
  Grisoft (avg)                    Agent
  Ikarus                           Trojan.Win32.Kryptik
  K7                               no_virus
  Kaspersky                        no_virus
  MalwareBytes                     no_virus
  Mcafee                           no_virus
  Microsoft Security Essentials    TrojanDownloader:Win32/Cutwail.BS
  MicroWorld (escan)               Gen:Variant.Graftor.144167
  Norman                           winpe/Kryptik.CEAM
  Rising                           no_virus
  Sophos                           Troj/Cutwail-BG
  Symantec                         no_virus
  Trend Micro                      no_virus
  VirusBlokAda (vba32)             no_virus
  Yara APT                         no_virus
  Zillya!                          no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\cylgiwubnyxf ➝ C:\Documents and Settings\Administrator\cylgiwubnyxf.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\m-shin[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wex-americas[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aydindisplays[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\uhsa.edu[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\darnellsresort[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bookfinder4u[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bouchon[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\takinoyu[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aldacos[1].htm
Creates File: C:\Documents and Settings\Administrator\cylgiwubnyxf.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sakkoh-kiyota[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nathancurrin[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\soko[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nytc[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\distronic[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southdev[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ronnmcfarlane[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\miarural.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\m-shin[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wex-americas[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aydindisplays[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\uhsa.edu[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\darnellsresort[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bookfinder4u[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bouchon[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aldacos[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sakkoh-kiyota[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nathancurrin[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nytc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\soko[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\distronic[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southdev[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ronnmcfarlane[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\miarural.com[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: cylgiwubnyxf
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: sakkoh-kiyota.com (Type: A) ➝ 210.172.144.27
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25

Strings