Analysis Date: 2015-03-17 13:13:43
MD5: 56a24e84e68a0206c575320a540f9a08
SHA1: e6ec25934126c5dd3fee8499b1f8693e439265f7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ca918a58c33287b2ffe6ed0e55907dd0 sha1: af7e80a03087691a95d48cba7b25773fb3571753 size: 47104
Section .data md5: 0ab9af22d853bce433fc42029089c3b0 sha1: d40a8e74a57adea1f6d2c21ddd61813de064ab93 size: 115200
Section .tls md5: 6953c29da502c99246f61bbfb0531669 sha1: 51162f1337e204f8961a09694404e034d5b5b02a size: 6656
Section .edata md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section DATA md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Timestamp: 2009-01-27 07:06:09
PEhash: 452b62db9ec7bf74a99dfcca96cae08b8a450374
IMPhash: 15525416e7574ad3bfe5edbb6f92258e
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Renos.12
AV Alwil (avast): MalOb-AS [Cryp]
AV Arcabit (arcavir): Gen:Variant.Renos.12
AV Authentium: W32/FakeAlert.FT.gen!Eldorado
AV Avira (antivir): TR/PWS.Sinowal.Gen
AV BullGuard: Gen:Variant.Renos.12
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.MJ
AV ClamAV: Win.Trojan.Renos-2535
AV Dr. Web: Trojan.DownLoader1.4092
AV Emsisoft: Gen:Variant.Renos.12
AV Eset (nod32): Win32/Kryptik.GGS
AV Fortinet: W32/CodePack.CX!tr
AV Frisk (f-prot): W32/FakeAlert.FT.gen!Eldorado
AV F-Secure: Gen:Variant.Renos.12
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Packed.Win32.Krap
AV K7: Trojan ( 700000061 )
AV Kaspersky 2015: Packed.Win32.Katusha.n
AV MalwareBytes: no_virus
AV Mcafee: Downloader-CEW
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.KF
AV MicroWorld (escan): Gen:Variant.Renos.12
AV Rising: Trojan.Win32.Generic.11EC6ABC
AV Sophos: Mal/FakeAV-CX
AV Symantec: Trojan.FakeAV!gen29
AV Trend Micro: TROJ_RENOS.SMD
AV VirusBlokAda (vba32): BScope.Trojan.MTA.0506

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ozysaa.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Process: C:\WINDOWS\Ozysaa.exe
Creates Mutex: Global\{605597AE-F8FB-416c-BFB5-0A0F1C9CA90E}

Process
↳ C:\WINDOWS\Ozysaa.exe

Registry: HKEY_CURRENT_USER\Software\WEK9EMDHI9\OluK ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{605597AE-F8FB-416c-BFB5-0A0F1C9CA90E}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: tooldawn.com
Type: A
204.11.56.45
DNS: theastic.com
Type: A
DNS: warhe.com
Type: A
HTTP POST: http://tooldawn.com/ad_type.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.45:80

Strings