Analysis Date: 2013-09-26 01:27:11
MD5: 2cb890578efeca51651f2e3e87c5c002
SHA1: e8f90d27757a53d6709a3ae2206cb70b725f7d01

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 dde3467b9d1557c83e3d8c7cc42231ed, sha1 85ba83bbd4f26b5bee3dbcd7df14664b48c57929, size 512
Section .rdata: md5 d8f1229d527c6bfc493069dbdd1a8824, sha1 40ed4cde6410d12150004acc0d865b23ef595ed8, size 512
Section .data: md5 5c30f2448da617573bb2c90e7166c5a1, sha1 85a47c87578b4607e0affd6c1b99aa52a9be6815, size 512
Section .rsrc: md5 c8a1f84815716cf7ad3d19d94f124fde, sha1 ee19604958e851dccab755240a571e479c891432, size 35840
Timestamp: 2006-08-14 13:43:32
Version:
LegalCopyright: Copyright © 1987-1996 Microsoft Corp.
InternalName: WebImage.Ocx
FileVersion: 5.00.2810
CompanyName: My Company Name
LegalTrademarks: Put Legal TradeMarks here ...
Comments: April 10, 1996
ProductName: WebImage Object Library
ProductVersion: 5.00.2810
FileDescription: WebImage
PEhash: 251c132905d9dabfc31b7b36fd137b63fe8d7a12
AV avg: BackDoor.Generic17.APIR
AV avira: TR/Dropper.Gen
AV msse: TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\femomvirsife ➝ C:\Documents and Settings\Administrator\femomvirsife.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\femomvirsife.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: femomvirsife
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: gotomy.com
Winsock DNS: charter.com
Winsock DNS: godpeople.com
Winsock DNS: zoomnet.net
Winsock DNS: t-online.de
Winsock DNS: passagen.se
Winsock DNS: iol.it
Winsock DNS: polikert.biz
Winsock DNS: lyuchta.org
Winsock DNS: ipa.net
Winsock DNS: alumni.ubc.ca
Winsock DNS: oakland.edu
Winsock DNS: sprintmail.com
Winsock DNS: picsnet.com
Winsock DNS: uymail.com
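The runtime artefacts above form the persistence triad of a self-copying dropper: the sample writes a copy of itself into the user's profile as femomvirsife.exe, registers that copy under HKCU\...\CurrentVersion\Run, and takes a mutex named after the copy so a second instance exits. The following is an added example, not the report's or any sandbox's own code: it cross-references those three artefact types over a constructed sample made from the report's own lines (normalized to a "Key: value" shape; the raw run-together form is accepted as well). The indicator names and the user-profile heuristic are this example's own assumptions, not a sandbox or vendor taxonomy.

```python
import ntpath
import re

# Constructed sample: persistence-related lines copied from the sandbox
# report above, normalized to "Key: value" (raw "KeyValue" lines also parse).
SAMPLE_RUNTIME = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\femomvirsife ➝ C:\Documents and Settings\Administrator\femomvirsife.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\femomvirsife.exe
Creates Mutex: WininetConnectionMutex
Creates Mutex: femomvirsife
"""

# Run / RunOnce value writes: group 2 is the value name, group 3 the target.
RUN_KEY_RE = re.compile(
    r"^Registry:?\s*(HKEY_\S+\\CurrentVersion\\Run(?:Once)?\\(\S+))\s+(?:➝|->)\s+(.+)$",
    re.IGNORECASE,
)
FILE_RE = re.compile(r"^Creates File:?\s*(.+\.exe)\s*$", re.IGNORECASE)
MUTEX_RE = re.compile(r"^Creates Mutex:?\s*(\S+)\s*$")
# Assumption for this example: anything under a user profile root counts as
# "user-writable location", which is where droppers put their copy.
USER_PROFILE_RE = re.compile(r"\\(?:Documents and Settings|Users)\\[^\\]+\\", re.IGNORECASE)


def parse_runtime(text):
    """Return (run_entries, dropped_exes, mutexes) from sandbox runtime lines."""
    run_entries, dropped, mutexes = [], [], set()
    for line in text.splitlines():
        line = line.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            run_entries.append((m.group(2), m.group(3).strip()))
            continue
        m = FILE_RE.match(line)
        if m:
            dropped.append(m.group(1).strip())
            continue
        m = MUTEX_RE.match(line)
        if m:
            mutexes.add(m.group(1))
    return run_entries, dropped, mutexes


def persistence_indicators(text):
    """Cross-reference Run-key targets against dropped executables and mutex
    names; return the (example-specific) indicator names that fire, sorted."""
    run_entries, dropped, mutexes = parse_runtime(text)
    dropped_lower = {p.lower() for p in dropped}
    mutexes_lower = {m.lower() for m in mutexes}
    hits = set()
    for _value_name, target in run_entries:
        if USER_PROFILE_RE.search(target):
            hits.add("run-key-targets-user-profile")
        if target.lower() in dropped_lower:
            hits.add("run-key-targets-dropped-file")
        # ntpath handles the Windows path on any host OS
        stem = ntpath.splitext(ntpath.basename(target))[0]
        if stem.lower() in mutexes_lower:
            hits.add("mutex-named-after-dropped-file")
    return sorted(hits)


if __name__ == "__main__":
    for name in persistence_indicators(SAMPLE_RUNTIME):
        print("indicator:", name)
```

A single Run value is weak evidence on its own (installers write them too); the point of the check is the coincidence of all three, which is what the report shows here.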

Network Details:

DNS: vampirefreaks.com (A) ➝ 38.106.205.131
DNS: tdn.com (A) ➝ 192.104.182.209
DNS: tdn.com (A) ➝ 192.104.182.109
DNS: comporium.net (A) ➝ 208.104.2.209
DNS: chello.nl (A) ➝ 213.46.242.72
DNS: cytanet.com.cy (A) ➝ 195.14.130.176
DNS: surewest.net (A) ➝ 64.8.70.120
DNS: o2.pl (A) ➝ 193.17.41.103
DNS: walla.com (A) ➝ 192.118.82.157
DNS: marchmail.com (A) ➝ 50.22.218.215
DNS: hustler.com (A) ➝ 173.45.161.122
DNS: brick.net (A) ➝ 209.145.128.4
DNS: aol.com.com (A) ➝ 208.73.211.69
DNS: it.dk (A) ➝ 212.242.42.44
DNS: aol.com.au (A) ➝ 205.188.100.58
DNS: aol.com.au (A) ➝ 205.188.101.58
DNS: aol.com.au (A) ➝ 207.200.74.38
DNS: aol.com.au (A) ➝ 64.12.79.57
DNS: aol.com.au (A) ➝ 64.12.89.186
DNS: injersey.com (A) ➝ 159.54.242.139
DNS: picsnet.com (A) ➝ 184.168.81.139
DNS: goldcockerelbooks.co.uk (A) ➝ 127.0.0.1
DNS: dicksmail.com (A) ➝ 127.0.0.1
DNS: mckessonhboc.com (A) ➝ 143.112.128.124
DNS: entel.cl (A) ➝ 200.12.171.52
DNS: yahoo.com.tw (A) ➝ 106.10.165.51
DNS: yahoo.com.tw (A) ➝ 68.180.206.184
DNS: zd.com (A) ➝ 64.30.224.118
DNS: intelnet.net.gt (A) ➝ 200.6.192.206
DNS: hawaiiantel.net (A) ➝ 64.8.70.102
DNS: hanmail.net (A) ➝ 114.108.157.117
DNS: hanmail.net (A) ➝ 114.108.157.116
DNS: hanmail.net (A) ➝ 180.70.93.57
DNS: hanmail.net (A) ➝ 211.244.82.108
DNS: hanmail.net (A) ➝ 180.70.134.19
DNS: hanmail.net (A) ➝ 180.70.134.91
DNS: hanmail.net (A) ➝ 180.70.93.55
DNS: hanmail.net (A) ➝ 61.111.62.35
DNS: hanmail.net (A) ➝ 180.70.93.56
DNS: hanmail.net (A) ➝ 117.52.2.25
DNS: hanmail.net (A) ➝ 211.244.82.179
DNS: hanmail.net (A) ➝ 117.52.2.26
DNS: hanmail.net (A) ➝ 117.52.2.237
DNS: hanmail.net (A) ➝ 117.52.2.238
DNS: hanmail.net (A) ➝ 110.45.215.15
DNS: hanmail.net (A) ➝ 114.108.157.155
DNS: hanmail.net (A) ➝ 180.70.134.9
DNS: hanmail.net (A) ➝ 211.244.82.180
DNS: hanmail.net (A) ➝ 211.244.82.107
DNS: hanmail.net (A) ➝ 61.111.62.165
DNS: netscape.com (A) ➝ 207.200.74.38
DNS: netscape.com (A) ➝ 64.12.79.57
DNS: netscape.com (A) ➝ 64.12.89.186
DNS: netscape.com (A) ➝ 205.188.100.58
DNS: netscape.com (A) ➝ 205.188.101.58
DNS: excite.com (A) ➝ 74.113.233.95
DNS: collegeclub.com (A) ➝ 66.150.124.66
DNS: comcast.com (A) ➝ 69.252.217.83
DNS: comcast.com (A) ➝ 68.87.16.142
DNS: sapo.pt (A) ➝ 213.13.146.140
DNS: tartarus.uwa.edu.au (A) ➝ 130.95.128.3
DNS: tartarus.uwa.edu.au (A) ➝ 130.95.128.3
DNS: pandora.be (A) ➝ 195.130.131.38
DNS: pandora.be (A) ➝ 195.130.131.39
DNS: stupid.com (A) ➝ 75.126.29.212
DNS: stupid.com (A) ➝ 198.144.18.63
DNS: stupid.com (A) ➝ 198.144.18.62
DNS: stupid.com (A) ➝ 198.144.18.64
DNS: stupid.com (A) ➝ 198.144.18.61
DNS: www.optonline.net (A) ➝ 66.54.17.31
DNS: zoomnet.net (A) ➝ 207.69.200.22
DNS: zoomnet.net (A) ➝ 207.69.200.21
DNS: whitbreadhotels.com (A) ➝ 212.53.89.138
DNS: charter.com (A) ➝ 24.176.92.1
DNS: ipa.net (A) ➝ 207.69.189.26
DNS: ipa.net (A) ➝ 207.69.189.27
DNS: ipa.net (A) ➝ 207.69.189.28
DNS: ipa.net (A) ➝ 207.69.189.21
DNS: ipa.net (A) ➝ 207.69.189.22
DNS: ipa.net (A) ➝ 207.69.189.23
DNS: ipa.net (A) ➝ 207.69.189.24
DNS: ipa.net (A) ➝ 207.69.189.25
DNS: uymail.com (A) ➝ 50.22.218.215
DNS: alumni.ubc.ca (A) ➝ 142.103.166.167
DNS: gotomy.com (A) ➝ 173.62.209.11
DNS: staples.com (A) ➝ 170.37.25.140
DNS: polikert.biz (A) ➝ 5.9.61.148
DNS: sprintmail.com (A) ➝ 209.86.93.130
DNS: sprintmail.com (A) ➝ 209.86.93.131
DNS: sprintmail.com (A) ➝ 209.86.93.132
DNS: sprintmail.com (A) ➝ 209.86.93.133
DNS: sprintmail.com (A) ➝ 209.86.93.134
DNS: sprintmail.com (A) ➝ 209.86.93.135
DNS: sprintmail.com (A) ➝ 209.86.93.136
DNS: sprintmail.com (A) ➝ 209.86.93.126
DNS: sprintmail.com (A) ➝ 209.86.93.127
DNS: sprintmail.com (A) ➝ 209.86.93.128
DNS: sprintmail.com (A) ➝ 209.86.93.129
DNS: lyuchta.org (A) ➝ 50.116.32.177
DNS: cnet.com (A) ➝ 64.30.224.118
DNS: wagged.com (A) ➝ 184.106.55.45
DNS: godpeople.com (A) ➝ 114.31.57.141
DNS: centrum.cz (A) ➝ 46.255.224.60
DNS: embarqmail.com (A) ➝ 208.47.185.65
DNS: talktalk.net (A) ➝ 193.118.251.141
DNS: aeroinc.net (A) ➝ 216.82.160.146
DNS: mania.com (A) ➝ 69.64.153.150
DNS: mts.net (A) ➝ 65.55.206.154
DNS: carolina.com (A) ➝ 64.135.147.142
DNS: chickensys.com (A) ➝ 199.27.134.74
DNS: chickensys.com (A) ➝ 199.27.135.74
DNS: caramail.com (A) ➝ 213.165.64.170
DNS: iol.it (A) ➝ 151.1.67.216
DNS: iol.it (A) ➝ 151.1.67.221
DNS: iol.it (A) ➝ 151.1.67.227
DNS: iol.it (A) ➝ 151.1.67.215
DNS: motivators.com (A) ➝ 173.239.47.198
DNS: t-online.de (A) ➝ 217.6.164.162
DNS: t-online.de (A) ➝ 62.153.159.92
DNS: passagen.se (A) ➝ 91.196.241.10
DNS: www.optonline.com (A) ➝ (no address recorded)
DNS: muscanet.com (A) ➝ (no address recorded)
DNS: tinet.org (A) ➝ (no address recorded)
DNS: oakland.edu (A) ➝ (no address recorded)
Flows TCP: 192.168.1.1:1036 ➝ 192.118.82.157:25
Flows TCP: 192.168.1.1:1037 ➝ 64.8.70.120:25
Flows TCP: 192.168.1.1:1038 ➝ 193.17.41.103:25
Flows TCP: 192.168.1.1:1039 ➝ 208.104.2.209:25
Flows TCP: 192.168.1.1:1040 ➝ 38.106.205.131:25
Flows TCP: 192.168.1.1:1041 ➝ 195.14.130.176:25
Flows TCP: 192.168.1.1:1042 ➝ 192.104.182.209:25
Flows TCP: 192.168.1.1:1043 ➝ 213.46.242.72:25
Flows TCP: 192.168.1.1:1045 ➝ 208.104.2.209:25
Flows TCP: 192.168.1.1:1046 ➝ 50.22.218.215:25
Flows TCP: 192.168.1.1:1047 ➝ 173.45.161.122:25
Flows TCP: 192.168.1.1:1048 ➝ 208.73.211.69:25
Flows TCP: 192.168.1.1:1049 ➝ 209.145.128.4:25
Flows TCP: 192.168.1.1:1050 ➝ 212.242.42.44:25
Flows TCP: 192.168.1.1:1051 ➝ 205.188.100.58:25
Flows TCP: 192.168.1.1:1052 ➝ 159.54.242.139:25
Flows TCP: 192.168.1.1:1053 ➝ 209.145.128.4:25
Flows TCP: 192.168.1.1:1054 ➝ 208.73.211.69:25
Flows TCP: 192.168.1.1:1055 ➝ 184.168.81.139:25
Flows TCP: 192.168.1.1:1058 ➝ 143.112.128.124:25
Flows TCP: 192.168.1.1:1059 ➝ 200.12.171.52:25
Flows TCP: 192.168.1.1:1060 ➝ 106.10.165.51:25
Flows TCP: 192.168.1.1:1061 ➝ 192.104.182.209:25
Flows TCP: 192.168.1.1:1062 ➝ 193.17.41.103:25
Flows TCP: 192.168.1.1:1063 ➝ 64.30.224.118:25
Flows TCP: 192.168.1.1:1064 ➝ 200.6.192.206:25
Flows TCP: 192.168.1.1:1065 ➝ 64.8.70.102:25
Flows TCP: 192.168.1.1:1066 ➝ 114.108.157.117:25
Flows TCP: 192.168.1.1:1067 ➝ 207.200.74.38:25
Flows TCP: 192.168.1.1:1068 ➝ 64.8.70.120:25
Flows TCP: 192.168.1.1:1069 ➝ 74.113.233.95:25
Flows TCP: 192.168.1.1:1070 ➝ 66.150.124.66:25
Flows TCP: 192.168.1.1:1071 ➝ 69.252.217.83:25
Flows TCP: 192.168.1.1:1072 ➝ 192.104.182.209:25
Flows TCP: 192.168.1.1:1073 ➝ 213.13.146.140:25
Flows TCP: 192.168.1.1:1074 ➝ 130.95.128.3:25
Flows TCP: 192.168.1.1:1075 ➝ 195.130.131.38:25
Flows TCP: 192.168.1.1:1076 ➝ 75.126.29.212:25
Flows TCP: 192.168.1.1:1077 ➝ 66.54.17.31:25
Flows TCP: 192.168.1.1:1078 ➝ 75.126.29.212:25
Flows TCP: 192.168.1.1:1079 ➝ 207.69.200.22:25
Flows TCP: 192.168.1.1:1080 ➝ 207.69.200.22:80
Flows TCP: 192.168.1.1:1081 ➝ 212.53.89.138:25
Flows TCP: 192.168.1.1:1084 ➝ 66.54.17.31:25
Flows TCP: 192.168.1.1:1085 ➝ 50.22.218.215:80
Flows TCP: 192.168.1.1:1086 ➝ 207.69.189.26:80
Flows TCP: 192.168.1.1:1087 ➝ 24.176.92.1:80
Flows TCP: 192.168.1.1:1088 ➝ 142.103.166.167:80
Flows TCP: 192.168.1.1:1089 ➝ 173.62.209.11:80
Flows TCP: 192.168.1.1:1090 ➝ 170.37.25.140:25
Flows TCP: 192.168.1.1:1091 ➝ 5.9.61.148:80
Flows TCP: 192.168.1.1:1092 ➝ 209.86.93.130:80
Flows TCP: 192.168.1.1:1093 ➝ 130.95.128.3:25
Flows TCP: 192.168.1.1:1094 ➝ 207.69.200.21:80
Flows TCP: 192.168.1.1:1095 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1096 ➝ 64.30.224.118:25
Flows TCP: 192.168.1.1:1097 ➝ 184.106.55.45:25
Flows TCP: 192.168.1.1:1098 ➝ 114.31.57.141:80
Flows TCP: 192.168.1.1:1099 ➝ 207.69.189.27:80
Flows TCP: 192.168.1.1:1101 ➝ 46.255.224.60:25
Flows TCP: 192.168.1.1:1100 ➝ 50.22.218.215:80
Flows TCP: 192.168.1.1:1102 ➝ 24.176.92.1:80
Flows TCP: 192.168.1.1:1103 ➝ 142.103.166.167:80
Flows TCP: 192.168.1.1:1104 ➝ 208.47.185.65:25
Flows TCP: 192.168.1.1:1105 ➝ 209.86.93.131:80
Flows TCP: 192.168.1.1:1106 ➝ 195.130.131.38:25
Flows TCP: 192.168.1.1:1107 ➝ 173.62.209.11:80
Flows TCP: 192.168.1.1:1108 ➝ 193.118.251.141:25
Flows TCP: 192.168.1.1:1109 ➝ 207.69.200.22:80
Flows TCP: 192.168.1.1:1110 ➝ 114.31.57.141:80
Flows TCP: 192.168.1.1:1111 ➝ 216.82.160.146:25
Flows TCP: 192.168.1.1:1112 ➝ 207.69.189.28:80
Flows TCP: 192.168.1.1:1113 ➝ 50.22.218.215:80
Flows TCP: 192.168.1.1:1114 ➝ 24.176.92.1:80
Flows TCP: 192.168.1.1:1115 ➝ 142.103.166.167:80
Flows TCP: 192.168.1.1:1116 ➝ 69.64.153.150:25
Flows TCP: 192.168.1.1:1117 ➝ 65.55.206.154:25
Flows TCP: 192.168.1.1:1118 ➝ 200.6.192.206:25
Flows TCP: 192.168.1.1:1119 ➝ 209.86.93.132:80
Flows TCP: 192.168.1.1:1120 ➝ 173.62.209.11:80
Flows TCP: 192.168.1.1:1121 ➝ 207.69.200.21:80
Flows TCP: 192.168.1.1:1122 ➝ 64.135.147.142:25
Flows TCP: 192.168.1.1:1123 ➝ 114.31.57.141:80
Flows TCP: 192.168.1.1:1124 ➝ 207.69.189.21:80
Flows TCP: 192.168.1.1:1125 ➝ 74.113.233.95:25
Flows TCP: 192.168.1.1:1126 ➝ 199.27.134.74:25
Flows TCP: 192.168.1.1:1127 ➝ 213.165.64.170:25
Flows TCP: 192.168.1.1:1128 ➝ 151.1.67.216:80
Flows TCP: 192.168.1.1:1129 ➝ 173.239.47.198:25
Flows TCP: 192.168.1.1:1130 ➝ 209.86.93.133:80
Flows TCP: 192.168.1.1:1131 ➝ 207.69.200.22:80
Flows TCP: 192.168.1.1:1132 ➝ 184.168.81.139:80
Flows TCP: 192.168.1.1:1133 ➝ 217.6.164.162:80
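The network section is the behaviour behind the msse label (Cutwail is a spam bot): a single host resolving the MX-side domains of dozens of mail providers and opening direct TCP/25 connections to each, with a second wave of port 80 connections interleaved. The following is an added example, not part of the sandbox report or of any sandbox's code: it parses a subset of the report's own DNS and flow lines (a constructed sample, kept in the raw run-together shape the page uses; the "DNS: name (A) ➝ address" one-line shape is accepted too), joins each flow back to the name that produced its destination, and applies the check a network defender actually wants here: how many distinct SMTP servers one workstation talks to. The threshold, the loopback/private filtering and the "spambot" label are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the DNS answers and TCP flows from the
# sandbox report above, in the raw "DNS<name> / Type: A / <address>" and
# "Flows TCP<src> ➝ <dst>" shapes the report uses.
SAMPLE_REPORT = """\
DNSvampirefreaks.com
Type: A
38.106.205.131
DNStdn.com
Type: A
192.104.182.209
DNSwalla.com
Type: A
192.118.82.157
DNSzoomnet.net
Type: A
207.69.200.22
DNSgoldcockerelbooks.co.uk
Type: A
127.0.0.1
DNSoakland.edu
Type: A
Flows TCP192.168.1.1:1036 ➝ 192.118.82.157:25
Flows TCP192.168.1.1:1040 ➝ 38.106.205.131:25
Flows TCP192.168.1.1:1042 ➝ 192.104.182.209:25
Flows TCP192.168.1.1:1061 ➝ 192.104.182.209:25
Flows TCP192.168.1.1:1079 ➝ 207.69.200.22:25
Flows TCP192.168.1.1:1080 ➝ 207.69.200.22:80
"""

# Both the raw shape above and a "DNS: name (A) ➝ address" one-liner are accepted.
DNS_RE = re.compile(r"^DNS:?\s*(\S+)(?:\s+\(A\)\s+(?:➝|->)\s+(.*))?$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FLOW_RE = re.compile(r"^Flows TCP:?\s*(\S+):(\d+)\s+(?:➝|->)\s+(\S+):(\d+)$")


def parse_report(text):
    """Return (answers, flows): answers maps domain -> set of A-record
    addresses (a query with no address line maps to an empty set); flows is a
    list of (src_ip, src_port, dst_ip, dst_port)."""
    answers, flows, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            current = m.group(1)
            answers.setdefault(current, set())
            if m.group(2) and IP_RE.match(m.group(2).strip()):
                answers[current].add(m.group(2).strip())
            continue
        if line.startswith("Type:"):
            continue
        if current and IP_RE.match(line):
            answers[current].add(line)
            continue
        m = FLOW_RE.match(line)
        if m:
            current = None
            src, sport, dst, dport = m.groups()
            flows.append((src, int(sport), dst, int(dport)))
    return answers, flows


def reverse_map(answers):
    """address -> domain, dropping loopback/private answers: the 127.0.0.1
    results in the report are sinkholed or dead names, not real peers."""
    rev = {}
    for domain, ips in answers.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not (addr.is_loopback or addr.is_private):
                rev.setdefault(ip, domain)
    return rev


def smtp_fanout(flows, answers, port=25):
    """Per source host: number of connections to `port`, the distinct
    destination addresses, and the domains those addresses resolved from."""
    rev = reverse_map(answers)
    per_src = defaultdict(lambda: {"connections": 0, "dst_ips": set(), "domains": set()})
    for src, _sport, dst, dport in flows:
        if dport != port:
            continue
        entry = per_src[src]
        entry["connections"] += 1
        entry["dst_ips"].add(dst)
        if dst in rev:
            entry["domains"].add(rev[dst])
    return dict(per_src)


def classify(flows, answers, threshold=4):
    """Call a host a spambot when it makes direct SMTP connections to at least
    `threshold` distinct mail servers. The threshold is an assumption of this
    example: a workstation normally speaks SMTP to one relay, if at all."""
    return {src: ("spambot" if len(e["dst_ips"]) >= threshold else "ok")
            for src, e in smtp_fanout(flows, answers).items()}


if __name__ == "__main__":
    answers, flows = parse_report(SAMPLE_REPORT)
    for src, e in smtp_fanout(flows, answers).items():
        print(f"{src}: {e['connections']} SMTP connections to "
              f"{len(e['dst_ips'])} servers {sorted(e['domains'])}")
    print(classify(flows, answers))
```

Run against the full flow list above the count is far higher than the sample's four servers; the same fan-out is what an egress rule that only lets the mail relay reach TCP/25 would have blocked outright, and what a NetFlow or firewall-log query for "distinct destinations on port 25 per internal host" surfaces after the fact.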

Strings
0/B{E3
~.0t<[
(2$F()t
5LUt^6
6`\,km
9i5oDG"
a=+2DF
AboutBox
aMZL.D
B2ZtNN
.B]EYRt
b[FfQs
_?B<_s3	
BtNbGF
c(C CX:
[cY?7^
?-|?= d
d-vaf*
DWebImageEventsW
EO{6kQ
ExitProcess
E~XrDH
f{M?;1Q
gdi32.dll
GetModuleHandleA
GetObjectW
GetProcAddress
GetVersion
{.%Gq*c
g;zk"dh
ImageWWW
IWebImageWWWd
#J:M	z
k3+8786
kernel32.dll
KNuk`.g
kspercentDoneW
LC`s:J
LoadImageA
lOQc7`
Mj5\C6
mnmTXs
M^Q.`Y
NWebImage
OnProgressWW
o@]t3%
]-p^&$H
P&%O[e
P'Qb[boi"
qBg4In
=QrEiOp
,#R\9k
.rdata
Scrambled
s!fe?0M
SuR3,`
:t"Cfj
!This program cannot be run in DOS mode.
thl&VY
/T(`lD
U&pbo[
user32.dll
uvF^2,
VFS.X 
V;'G$Z
]vi:r 
WebImage Control LibraryWW
WebImage ControlWW
;|}wji
WTWebImageObjectsW
,!/XtL
yDL7+A4m
YfuxyY
"],[Yl
^z=b5n