Analysis Date: 2014-08-28 22:40:32
MD5: 3bb969d1f658984e8655b3d64ea6a4e5
SHA1: eeb71f3e381b7dd5d4156006f68d8726abfee641

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b2f5f9c7c2b4ee72a2da122577eb5a8f sha1: 3eceb71930ef14d6800a22473c68278a7e0c6111 size: 37888
Section .data  md5: b76a02247ae8bf0bf7dbe1530cab33ec sha1: 55c9bccbe3faf79f48e75037fb57f0384451abd0 size: 512
Section .too1  md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .too5  md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .too2  md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .too7  md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .too3  md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .too4  md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .too6  md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc  md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .reloc md5: c12882bb02d2ace8ac81a79bc6e206e1 sha1: 27aac90cfff6a191216a26484a1acf7fc7507e71 size: 1024
Timestamp: 2011-08-10 20:20:58
Packer: Borland Delphi 3.0 (???)
PEhash: 7ad494c3ec418fffddfa9dc158742c74c783c8f7
IMPhash: 6de3ced721f7d91bf245e48c4d0aa226
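A check worth running on the section table above, added here as an example and not part of the sandbox report: the seven sections named .too1 to .too7 share one md5/sha1 pair at 4096 bytes, and .rsrc is only 512 bytes. Rather than asserting what those hashes are, the script recomputes the md5 and sha1 of a zero-filled block of each section's size and compares, so "these are blank padding sections" is a result the code produces; it also reports sections with identical content and names a linker does not normally emit. The section table is transcribed from the report; the list of standard section names is this example's own assumption.

```python
import hashlib

# Section table transcribed from the report above: (name, md5, sha1, raw size).
SECTIONS = [
    (".text",  "b2f5f9c7c2b4ee72a2da122577eb5a8f", "3eceb71930ef14d6800a22473c68278a7e0c6111", 37888),
    (".data",  "b76a02247ae8bf0bf7dbe1530cab33ec", "55c9bccbe3faf79f48e75037fb57f0384451abd0", 512),
    (".too1",  "620f0b67a91f7f74151bc5be745b7110", "1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d", 4096),
    (".too5",  "620f0b67a91f7f74151bc5be745b7110", "1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d", 4096),
    (".too2",  "620f0b67a91f7f74151bc5be745b7110", "1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d", 4096),
    (".too7",  "620f0b67a91f7f74151bc5be745b7110", "1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d", 4096),
    (".too3",  "620f0b67a91f7f74151bc5be745b7110", "1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d", 4096),
    (".too4",  "620f0b67a91f7f74151bc5be745b7110", "1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d", 4096),
    (".too6",  "620f0b67a91f7f74151bc5be745b7110", "1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d", 4096),
    (".rsrc",  "bf619eac0cdf3f68d496ea9344137e8b", "5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5", 512),
    (".reloc", "c12882bb02d2ace8ac81a79bc6e206e1", "27aac90cfff6a191216a26484a1acf7fc7507e71", 1024),
]

# Names a linker normally emits; anything else deserves a look.
# This set is the example's own assumption, not something the report states.
STANDARD_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                  ".edata", ".bss", ".tls", ".pdata", ".CRT"}


def zero_block_hashes(size):
    """md5 and sha1 of `size` zero bytes, i.e. what an unused padding section hashes to."""
    z = bytes(size)
    return hashlib.md5(z).hexdigest(), hashlib.sha1(z).hexdigest()


def analyse_sections(sections):
    """Map each section name to a list of findings (empty list = nothing notable)."""
    findings = {name: [] for name, _, _, _ in sections}
    same_content = {}
    for name, md5, sha1, size in sections:
        if (md5, sha1) == zero_block_hashes(size):
            findings[name].append("all %d bytes are zero" % size)
        if name not in STANDARD_NAMES:
            findings[name].append("non-standard section name")
        same_content.setdefault((md5, sha1), []).append(name)
    for names in same_content.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings[n].append("identical to " + others)
    return findings


def suspicious_sections(sections):
    """Names of sections with at least one finding, sorted."""
    return sorted(n for n, f in analyse_sections(sections).items() if f)


if __name__ == "__main__":
    for name, notes in analyse_sections(SECTIONS).items():
        print("%-7s %s" % (name, "; ".join(notes) or "-"))
```

Seven 4 KiB zero-filled sections named .too1 to .too7 is a far more specific static trait of this sample than the packer guess, which the report itself marks "(???)", and it is the kind of section-table fact a YARA rule or a PE triage script can key on without executing anything.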

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\plugs\mmc150.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\shed\thr1.chm
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\plugs\mmc65.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\Documents and Settings\Administrator\Application Data\Adobe\shed\thr1.chm
Winsock URL: http://olivarobain.gv.vg/showthread.php?t=482641
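A host sweep for the dropped files above, added as an example and not part of the report. The sandbox ran as Administrator on an XP-style profile, so the paths are normalised to the roaming AppData folder before matching and the same patterns then apply to a Windows 7 or later profile. Two assumptions are this example's own: the numeric suffixes (mmc150, mmc65, thr1) are generalised to any digits, and the listing it runs over is constructed. Note that thr1.chm was deleted during the run, so on a live host it will usually only be recoverable from the MFT, USN journal or carving rather than from a directory listing.

```python
import re

# Profile roots seen on XP (as in the report) and on Vista+ both mean the roaming AppData folder.
PROFILE_ROOTS = re.compile(
    r"^[A-Za-z]:\\(?:Documents and Settings\\[^\\]+\\Application Data"
    r"|Users\\[^\\]+\\AppData\\Roaming)\\", re.IGNORECASE)

# Dropped-file patterns from the report. The \d+ in place of 150/65/1 is an
# assumption made here; the report only shows those three names.
DROPPED = {
    "loader exe": re.compile(r"^%APPDATA%\\Adobe\\plugs\\mmc\d+\.exe$", re.IGNORECASE),
    "staged chm": re.compile(r"^%APPDATA%\\Adobe\\shed\\thr\d+\.chm$", re.IGNORECASE),
}


def normalise(path):
    """Rewrite a per-user profile prefix to %APPDATA%\\ so one pattern fits every user and OS version."""
    return PROFILE_ROOTS.sub(lambda m: "%APPDATA%\\", path)


def iocs_in(paths):
    """Return [(original path, label)] for every path matching a dropped-file pattern."""
    hits = []
    for p in paths:
        n = normalise(p)
        for label, rx in DROPPED.items():
            if rx.match(n):
                hits.append((p, label))
    return hits


# Constructed listing (e.g. from `dir /s /b` on a mounted image); not taken from the report.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\Administrator\Application Data\Adobe\plugs\mmc150.exe",
    r"C:\Users\alice\AppData\Roaming\Adobe\plugs\mmc65.exe",
    r"C:\Users\alice\AppData\Roaming\Adobe\shed\thr1.chm",
    r"C:\Users\alice\AppData\Roaming\Adobe\Acrobat\11.0\JavaScripts\glob.js",  # benign Adobe file
    r"C:\Windows\System32\mmc.exe",                                           # the real MMC
]

if __name__ == "__main__":
    for path, label in iocs_in(SAMPLE_LISTING):
        print("%-11s %s" % (label, path))
```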

Network Details:

DNS: adobe.com  Type: A  192.150.16.117
DNS: olivarobain.gv.vg  Type: A  208.73.211.171
DNS: olivarobain.gv.vg  Type: A  208.73.211.176
DNS: olivarobain.gv.vg  Type: A  208.73.211.196
DNS: olivarobain.gv.vg  Type: A  208.73.211.199
HTTP POST: http://adobe.com/geo/productid.php
User-Agent: Opera/10.60 Pesto/2.2.30
HTTP GET: http://olivarobain.gv.vg/showthread.php?t=482641
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
HTTP GET: http://olivarobain.gv.vg/showthread.php?t=482641
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
HTTP GET: http://olivarobain.gv.vg/showthread.php?t=482641
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://olivarobain.gv.vg/showthread.php?t=482641
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
HTTP GET: http://olivarobain.gv.vg/showthread.php?t=482641
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://olivarobain.gv.vg/showthread.php?t=482641
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Flows TCP: 192.168.1.1:1031 ➝ 192.150.16.117:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.171:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.171:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.171:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.171:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.171:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.171:80

Raw Pcap
0x00000000 (00000)   504f5354 202f6765 6f2f7072 6f647563   POST /geo/produc
0x00000010 (00016)   7469642e 70687020 48545450 2f312e31   tid.php HTTP/1.1
0x00000020 (00032)   0d0a486f 73743a20 61646f62 652e636f   ..Host: adobe.co
0x00000030 (00048)   6d0d0a55 7365722d 4167656e 743a204f   m..User-Agent: O
0x00000040 (00064)   70657261 2f31302e 36302050 6573746f   pera/10.60 Pesto
0x00000050 (00080)   2f322e32 2e33300d 0a436f6e 74656e74   /2.2.30..Content
0x00000060 (00096)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000070 (00112)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000080 (00128)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000090 (00144)   742d4c65 6e677468 3a203231 0d0a0d0a   t-Length: 21....
0x000000a0 (00160)   69643d5f 365f3234 345f2d31 30363738   id=_6_244_-10678
0x000000b0 (00176)   37323234 36                           72246

0x00000000 (00000)   47455420 2f73686f 77746872 6561642e   GET /showthread.
0x00000010 (00016)   7068703f 743d3438 32363431 20485454   php?t=482641 HTT
0x00000020 (00032)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000030 (00048)   743a2055 7365722d 4167656e 743a204f   t: User-Agent: O
0x00000040 (00064)   70657261 2f31302e 36302050 72657374   pera/10.60 Prest
0x00000050 (00080)   6f2f322e 322e3330 0d0a486f 73743a20   o/2.2.30..Host: 
0x00000060 (00096)   6f6c6976 61726f62 61696e2e 67762e76   olivarobain.gv.v
0x00000070 (00112)   670d0a43 61636865 2d436f6e 74726f6c   g..Cache-Control
0x00000080 (00128)   3a206e6f 2d636163 68650d0a 0d0a656e   : no-cache....en
0x00000090 (00144)   742d4c65 6e677468 3a203231 0d0a0d0a   t-Length: 21....
0x000000a0 (00160)   69643d5f 365f3234 345f2d31 30363738   id=_6_244_-10678
0x000000b0 (00176)   37323234 36                           72246

0x00000000 (00000)   47455420 2f73686f 77746872 6561642e   GET /showthread.
0x00000010 (00016)   7068703f 743d3438 32363431 20485454   php?t=482641 HTT
0x00000020 (00032)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000030 (00048)   743a2055 7365722d 4167656e 743a204f   t: User-Agent: O
0x00000040 (00064)   70657261 2f31302e 36302050 72657374   pera/10.60 Prest
0x00000050 (00080)   6f2f322e 322e3330 0d0a486f 73743a20   o/2.2.30..Host: 
0x00000060 (00096)   6f6c6976 61726f62 61696e2e 67762e76   olivarobain.gv.v
0x00000070 (00112)   670d0a43 61636865 2d436f6e 74726f6c   g..Cache-Control
0x00000080 (00128)   3a206e6f 2d636163 68650d0a 0d0a656e   : no-cache....en
0x00000090 (00144)   742d4c65 6e677468 3a203231 0d0a0d0a   t-Length: 21....
0x000000a0 (00160)   69643d5f 365f3234 345f2d31 30363738   id=_6_244_-10678
0x000000b0 (00176)   37323234 36                           72246

0x00000000 (00000)   47455420 2f73686f 77746872 6561642e   GET /showthread.
0x00000010 (00016)   7068703f 743d3438 32363431 20485454   php?t=482641 HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a206f 6c697661 726f6261 696e2e67   t: olivarobain.g
0x000000c0 (00192)   762e7667 0d0a436f 6e6e6563 74696f6e   v.vg..Connection
0x000000d0 (00208)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000e0 (00224)                                         

0x00000000 (00000)   47455420 2f73686f 77746872 6561642e   GET /showthread.
0x00000010 (00016)   7068703f 743d3438 32363431 20485454   php?t=482641 HTT
0x00000020 (00032)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000030 (00048)   743a2055 7365722d 4167656e 743a204f   t: User-Agent: O
0x00000040 (00064)   70657261 2f31302e 36302050 72657374   pera/10.60 Prest
0x00000050 (00080)   6f2f322e 322e3330 0d0a486f 73743a20   o/2.2.30..Host: 
0x00000060 (00096)   6f6c6976 61726f62 61696e2e 67762e76   olivarobain.gv.v
0x00000070 (00112)   670d0a43 61636865 2d436f6e 74726f6c   g..Cache-Control
0x00000080 (00128)   3a206e6f 2d636163 68650d0a 0d0a352e   : no-cache....5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a206f 6c697661 726f6261 696e2e67   t: olivarobain.g
0x000000c0 (00192)   762e7667 0d0a436f 6e6e6563 74696f6e   v.vg..Connection
0x000000d0 (00208)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000e0 (00224)                                         

0x00000000 (00000)   47455420 2f73686f 77746872 6561642e   GET /showthread.
0x00000010 (00016)   7068703f 743d3438 32363431 20485454   php?t=482641 HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a206f 6c697661 726f6261 696e2e67   t: olivarobain.g
0x000000c0 (00192)   762e7667 0d0a436f 6e6e6563 74696f6e   v.vg..Connection
0x000000d0 (00208)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000e0 (00224)                                         

0x00000000 (00000)   47455420 2f73686f 77746872 6561642e   GET /showthread.
0x00000010 (00016)   7068703f 743d3438 32363431 20485454   php?t=482641 HTT
0x00000020 (00032)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000030 (00048)   743a2055 7365722d 4167656e 743a204f   t: User-Agent: O
0x00000040 (00064)   70657261 2f31302e 36302050 72657374   pera/10.60 Prest
0x00000050 (00080)   6f2f322e 322e3330 0d0a486f 73743a20   o/2.2.30..Host: 
0x00000060 (00096)   6f6c6976 61726f62 61696e2e 67762e76   olivarobain.gv.v
0x00000070 (00112)   670d0a43 61636865 2d436f6e 74726f6c   g..Cache-Control
0x00000080 (00128)   3a206e6f 2d636163 68650d0a 0d0a352e   : no-cache....5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a206f 6c697661 726f6261 696e2e67   t: olivarobain.g
0x000000c0 (00192)   762e7667 0d0a436f 6e6e6563 74696f6e   v.vg..Connection
0x000000d0 (00208)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000e0 (00224)                                         
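The HTTP summary and the raw dumps above both show traits that are useful for detection and that a normal browser never produces: the Opera string in the POST says "Pesto" instead of "Presto", the GET requests carry the field name twice ("User-Agent: User-Agent: ..."), and the POST body is a fixed-shape identifier. Several GET dumps also contain "ent-Length: 21....id=..." after the blank line that ends the headers; a GET with no Content-Length has no body, so those bytes are not part of the request (they look like leftover capture buffer from the preceding POST). The following is an added example, not part of the report: it rebuilds the bytes from the dump layout used on this page, parses the request, and reports those anomalies. The two dumps are copied from the page; the body regex generalises the single body seen here and is this example's assumption.

```python
import re
from dataclasses import dataclass

# Two requests copied from the Raw Pcap dumps above: the POST to adobe.com and
# one of the GETs to olivarobain.gv.vg (the first one, with the stale trailing bytes).
POST_DUMP = """\
0x00000000 (00000)   504f5354 202f6765 6f2f7072 6f647563   POST /geo/produc
0x00000010 (00016)   7469642e 70687020 48545450 2f312e31   tid.php HTTP/1.1
0x00000020 (00032)   0d0a486f 73743a20 61646f62 652e636f   ..Host: adobe.co
0x00000030 (00048)   6d0d0a55 7365722d 4167656e 743a204f   m..User-Agent: O
0x00000040 (00064)   70657261 2f31302e 36302050 6573746f   pera/10.60 Pesto
0x00000050 (00080)   2f322e32 2e33300d 0a436f6e 74656e74   /2.2.30..Content
0x00000060 (00096)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000070 (00112)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000080 (00128)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000090 (00144)   742d4c65 6e677468 3a203231 0d0a0d0a   t-Length: 21....
0x000000a0 (00160)   69643d5f 365f3234 345f2d31 30363738   id=_6_244_-10678
0x000000b0 (00176)   37323234 36                           72246
"""
GET_DUMP = """\
0x00000000 (00000)   47455420 2f73686f 77746872 6561642e   GET /showthread.
0x00000010 (00016)   7068703f 743d3438 32363431 20485454   php?t=482641 HTT
0x00000020 (00032)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000030 (00048)   743a2055 7365722d 4167656e 743a204f   t: User-Agent: O
0x00000040 (00064)   70657261 2f31302e 36302050 72657374   pera/10.60 Prest
0x00000050 (00080)   6f2f322e 322e3330 0d0a486f 73743a20   o/2.2.30..Host: 
0x00000060 (00096)   6f6c6976 61726f62 61696e2e 67762e76   olivarobain.gv.v
0x00000070 (00112)   670d0a43 61636865 2d436f6e 74726f6c   g..Cache-Control
0x00000080 (00128)   3a206e6f 2d636163 68650d0a 0d0a656e   : no-cache....en
0x00000090 (00144)   742d4c65 6e677468 3a203231 0d0a0d0a   t-Length: 21....
0x000000a0 (00160)   69643d5f 365f3234 345f2d31 30363738   id=_6_244_-10678
0x000000b0 (00176)   37323234 36                           72246
"""


def parse_dump(text):
    """Rebuild raw bytes from the page's dump layout: offset, '(decimal)', hex groups, ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        cols = re.split(r"\s{3,}", line.rstrip())   # [offset, hex column, ascii column]
        if len(cols) < 2:                            # e.g. the empty '0x000000e0 (00224)' line
            continue
        groups = cols[1].split()
        if not all(re.fullmatch(r"[0-9a-f]{2,8}", g) for g in groups):
            raise ValueError("not a hex column: %r" % cols[1])
        out += bytes.fromhex("".join(groups))
    return bytes(out)


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict      # lower-cased field name -> value
    body: bytes
    trailing: bytes    # bytes after the message that HTTP framing does not account for


def parse_request(raw):
    """Minimal HTTP/1.x request parser; Content-Length only (no chunked encoding), enough for these dumps."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Without Content-Length (or Transfer-Encoding) a request has no body, so
    # anything after the blank line belongs to something else, not to this message.
    n = int(headers.get("content-length", 0))
    return Request(method, target, version, headers, rest[:n], rest[n:])


# Shape of the one POST body seen in the report, generalised to any digits (an assumption).
BEACON_BODY = re.compile(rb"id=_\d+_\d+_-?\d+")


def anomalies(req):
    """Traits of these requests that a real browser does not produce."""
    found = []
    ua = req.headers.get("user-agent", "")
    if ua.lower().startswith("user-agent:"):
        found.append("field name repeated inside User-Agent value")
    if "Pesto/" in ua:
        found.append("Opera engine token misspelled: Pesto instead of Presto")
    if req.method == "POST" and BEACON_BODY.fullmatch(req.body):
        found.append("beacon body id=_<n>_<n>_<n>")
    if req.trailing:
        found.append("%d bytes after the message not covered by HTTP framing" % len(req.trailing))
    return found


if __name__ == "__main__":
    for dump in (POST_DUMP, GET_DUMP):
        r = parse_request(parse_dump(dump))
        print(r.method, r.headers.get("host"), r.target, anomalies(r))
```

The duplicated field name and the "Pesto" typo are cheap content matches for an IDS rule on port 80 traffic; the body shape is weaker on its own because the host is adobe.com, but a POST to /geo/productid.php with that body and that User-Agent together is specific to this sample's check-in.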


Strings
.hVUwV.

0A0D0Ab
0x=l*r(r
4.!.
4l(D0s.r
Fqonaa
Ldbbp =DS Or:k
L(g,lNo
oOrzkhr
r-frr-Ictpr
sllq
SYr4n*F$l(I;f2
uca^
V,rKi9eTn3o
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
?*?0?5?D?X?a?i?x?
<0<8<F<
<1SV:W
.2;2.3=
2$2M2V2d2z2
.23..3=
3#3,343=3F3N3W3`3h3q3z3
`3ndaaa
4&4,4C4Q4W4g4u4
49h0?@
52476234
5nmapVie1OfFile
5W3f1h
8+8>8B8G8L8
9 9&9,92989>9D9J9P9V9\9b9h9n9t9z9
ABN<EFRHI
AbortDoc
ADVAPI32.dll
;!;*;A;G;_;h;q;
>B>H>O>X>
c:'&0;&%
CallNamedPipeA
CDJ8DD5
CDR}DD
CDU8DDI
CheckMenuRadioItem
CheckRadioButton
ChildWindowFromPoint
ChildWindowFromPointEx
ClientToScreen
ClipCursor
CloseClipboard
CloseDesktop
CloseWindow
CloseWindowStation
CompareStringA
CompareStringW
CopyAcceleratorTableA
CopyAcceleratorTableW
CopyIcon
CopyImage
CopyRect
CountClipboardFormats
CreateAcceleratorTableA
CreateAcceleratorTableW
CreateCaret
CreateCursor
CreateDCW
CreateDesktopA
CreateDesktopW
CreateDialogIndirectParamA
CreateFileW
D850h4
`.data
DeleteDC
DeleteFileW
DR>..d
drl'103.0 ]
EnableWindow
EndDoc
EnumFontsW
:;F180=';;<';;=';;
FindClose
FindFirstFileW
GDI32.dll
GetACP
GetCommandLineW
GetCurrentThreadId
GetDateFormatW
GetDlgCtrlID
GetLastError
GetLocaleInfoW
GetLocalTime
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetSystemTimeAsFileTime
GetTextExtentPoint32W
GetTextFaceW
GetTickCount
GetUserDefaultUILanguage
GetWindowLongW
GetWindowTextLengthW
GetWriteWatch
GlobalAddAtomA
GlobalAddAtomW
GlobalAlloc
GlobalCompact
GlobalDeleteAtom
GlobalFindAtomA
GlobalFindAtomW
GlobalFix
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalGetAtomNameW
GlobalHandle
GlobalLock
GlobalMemoryStatus
GlobalMemoryStatusEx
HeapAlloc
HeapFree
hirtualAlloc
ho;'x-
I<D@	D
IDD@	D
InterlockedCompareExchange
iRichZ<
iSDCi[<
iSDFi[<
iSDTi[<
kernel32.dll
KERNEL32.dll
LoadLibraryA
LocalLock
LocalUnlock
lstrlenW
memcpy
MessageBoxW
msvcrt.dll
@#nsrn
_NvD$	
ole32.dll
OleRegEnumVerbs
PcVVV[VV
PeekMessageW
QueryPerformanceCounter
RegCloseKey
RegOpenKeyA
@.reloc
r:'&jni
rtb'2.
Sb{TQM
SelectObject
SetEndOfFile
SetErrorMode
SetLastError
SetScrollPos
SetUnhandledExceptionFilter
TerminateProcess
TextOutW
!This program cannot be run in DOS mode.
USER32.dll
vD$!yD$
VirtualAlloc
WideCharToMultiByte
WinHelpW
=W=^=k=w=
WriteFile
*WS5r$@
Y<D@	D
yirtualProtect