Analysis Date: 2014-03-27 17:38:11
MD5: 029e835495e26b877a73ca0678e719ed
SHA1: ee57afedf4478d475e6b617d6f0a09fe9fc0222c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 308178dac0c188b5a5c3ccd8d9bec389 sha1: 91a092877c731f7d1373a99cf331692090eb325f size: 28160
Section .rdata: md5: 70dfcfc58cb6110bb04c651c8828c566 sha1: f3bbe6f89c0da3c0e2c73742e9564ac85117368f size: 7680
Section .data: md5: 867f757b7e14ad687bb3c25457b21fab sha1: ee6605cd93fc34e71e6166fca9e75002241b0306 size: 3584
Section .rsrc: md5: b4f9be2923f5871777f01184d84110dc sha1: fa20368c8406ac9f948815abff392ac948925b14 size: 80384
Timestamp: 2014-03-17 08:55:37
Packer: Microsoft Visual C++ 8
PEhash: 66532a166ca5b69512b09de3dcc2b2ea8dc5a403
IMPhash: a9747f95c1bb74e8900154779aa472c2
AV mcafee: RDN/Downloader.a!pm
AV msse: TrojanDownloader:Win32/Cutwail
AV avg: SHeur4.BSOS

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\synhubossepe ➝ C:\Documents and Settings\Administrator\synhubossepe.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\synhubossepe.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\impex.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\beechwoodmetalworks[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ctr4process[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kvadratoff[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ikfic[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bigtopmultimedia[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\impex.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\beechwoodmetalworks[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ctr4process[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kvadratoff[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: synhubossepe
Winsock DNS: al-mawared.com
Winsock DNS: kvadratoff.ru
Winsock DNS: area72aa.org
Winsock DNS: woodlandhillwinery.com
Winsock DNS: tutuji-saitama.com
Winsock DNS: cabooseonline.com
Winsock DNS: ctr4process.org
Winsock DNS: www.traderush.com
Winsock DNS: schiedel.it
Winsock DNS: heliomare.nl
Winsock DNS: easygen.com
Winsock DNS: bigtopmultimedia.com
Winsock DNS: bredainternet.nl
Winsock DNS: ikfic.com
Winsock DNS: hoyuu.com
Winsock DNS: structives.org
Winsock DNS: impex.com.pl
Winsock DNS: e-storming.com
Winsock DNS: beechwoodmetalworks.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.172.254
DNS: smtp.live.com (Type: A)
DNS: bredainternet.nl (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.172.254:25
