Analysis Date: 2015-08-01 20:28:25
MD5: 0cfbe2b0e025ebf860fb36db07408c0e
SHA1: f02538931694606162125bd934de3fbe3844d4c4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b25fad76c6bd12d3f4a824ec8abd2eae  sha1: 44424d110ba670682d9a85fa9d164e4f96a993ef  size: 176640
Section .idata  md5: f11b9e2c42c091784e463b5ec396944b  sha1: 9641acc67f55b0946881a53408b7eccb3f9b7613  size: 2048
Section .data  md5: f991de7a3be5eb8d61813aca31049db6  sha1: cd181c92a6e46a89f6ed5cb7eb41396e813e1dc8  size: 68608
Section .rsrc  md5: b807ed7ba34001c35dfa2700e1f46e9a  sha1: 3c2a173dbe057b036beddbbadbd0cbd63687cf7f  size: 7680
Timestamp: 2005-07-26 00:36:20
Packer: Borland Delphi 3.0 (???)
PEhash: 713f6944f87e8c5c91b1c4f2a4bd2d20aa37a7e5
IMPhash: 1493028e43b68981b07d022ccba98ca1
AV MalwareBytes: no_virus
AV Eset (nod32): Win32/Kryptik.JIL
AV VirusBlokAda (vba32): Trojan.Purple
AV Zillya!: Trojan.FakeAV.Win32.39007
AV Grisoft (avg): FakeAlert.WI
AV Ikarus: Packer.Win32.Krap
AV Symantec: Trojan.FakeAV!gen39
AV Dr. Web: Trojan.Fakealert.19914
AV Ad-Aware: Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV McAfee: Generic FakeAlert.amb
AV F-Secure: Gen:Heur.Cridex.2
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV K7: Backdoor ( 04c50a241 )
AV Authentium: W32/FakeAlert.JW.gen!Eldorado
AV CAT (quickheal): FraudTool.Security
AV Trend Micro: TROJ_FAKEAV.SMID
AV Avira (antivir): TR/Crypt.XPACK.Gen3
AV BitDefender: Gen:Heur.Cridex.2
AV BullGuard: Gen:Heur.Cridex.2
AV Twister: Trojan.D6CA59075D4B2812
AV Rising: Trojan.Win32.Generic.12746222
AV Fortinet: W32/FakeAV.PACK!tr
AV Kaspersky: Trojan.Win32.Generic
AV Alwil (avast): MalOb-EY [Cryp]
AV Frisk (f-prot): W32/FakeAlert.JW.gen!Eldorado
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV Emsisoft: Gen:Heur.Cridex.2
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV Padvish: no_virus
AV ClamAV: Win.Trojan.Fakeav-28976

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\mbwnsanxqd.exe
Creates Process: cmd.exe /c taskkill /f /pid 1228 & ping -n 3 127.1 & del /f /q C:\malware.exe & start C:\Documents and Settings\Administrator\Local Settings\Application Data\MBWNSA~1.EXE -f
Creates Mutex: i'm here

Process
↳ cmd.exe /c taskkill /f /pid 1228 & ping -n 3 127.1 & del /f /q C:\malware.exe & start C:\Documents and Settings\Administrator\Local Settings\Application Data\MBWNSA~1.EXE -f

Creates Process: taskkill /f /pid 1228
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\MBWNSA~1.EXE -f
Creates Process: ping -n 3 127.1

Process
↳ taskkill /f /pid 1228

Creates File: PIPE\lsarpc

Process
↳ ping -n 3 127.1

Winsock DNS: 127.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\MBWNSA~1.EXE -f

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Security Shield.lnk
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: i'm here
Winsock DNS: 94.63.246.14

Network Details:

HTTP GET: http://94.63.246.14/cb_soft.php?q=251de6c0e122be1ed43ab8ada9efbb39&bq=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
HTTP GET: http://94.63.246.14/cb_soft.php?q=251de6c0e122be1ed43ab8ada9efbb39&tb=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 94.63.246.14:80
Flows TCP: 192.168.1.1:1031 ➝ 94.63.246.14:80
Flows TCP: 192.168.1.1:1032 ➝ 94.63.246.14:80

Raw Pcap
Strings