Analysis Date | 2015-01-17 17:40:04 |
---|---|
MD5 | 8e418896982b799befee43a85824200f |
SHA1 | f12f5e081ae1f6ca509a94d67c354c81225046c9 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: e37def91a1a570a864b6372fc2b1d790 sha1: b0a66c84415bc4672de9c9eef7bf9f887a276457 size: 13824 | |
Section | .rdata md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024 | |
Section | .data md5: 90a767364c861679a1045fa8a9a64faf sha1: 7cd065b6cc579e7cb9ea4517593946e109d325a7 size: 113152 | |
Section | .rsrc md5: f2814ec3ef9326940fb4f02244e83beb sha1: a70dd0b58b182446eaaf9480a8556714add41e6c size: 5120 | |
Timestamp | 2010-01-20 09:40:00 | |
Version | LegalCopyright: Copyright © 2010 z PC Tools. E All rights reserved. A InternalName: Rvertum0 FileVersion: 7.0.0.61 CompanyName: PC Tools LegalTrademarks: Comments: ProductName: y ProductVersion: 7.0.0.61 FileDescription: Spyware Doctor ComponentT OriginalFilename: Rvertum0 | |
PEhash | be59610fb5a67f3f3bf9daff3cd7490d0836992f | |
IMPhash | 54ad6e7c960129ea2e4510a951bdb22a | |
AV | 360 Safe | no_virus |
AV | Ad-Aware | Gen:Heur.IPZ.7 |
AV | Alwil (avast) | Renosator [Cryp] |
AV | Arcabit (arcavir) | Gen:Heur.IPZ.7 |
AV | Authentium | no_virus |
AV | Avira (antivir) | TR/Crypt.XPACK.Gen2 |
AV | BullGuard | Gen:Heur.IPZ.7 |
AV | CA (E-Trust Ino) | Win32/Renos.D!generic |
AV | CAT (quickheal) | Trojan.Renos.LN |
AV | ClamAV | W32.Trojan.Skor-7 |
AV | Dr. Web | Trojan.DownLoader2.39064 |
AV | Emsisoft | Gen:Heur.IPZ.7 |
AV | Eset (nod32) | Win32/Kryptik.AEUK |
AV | Fortinet | W32/Diple.IZ!tr |
AV | Frisk (f-prot) | no_virus |
AV | F-Secure | Gen:Heur.IPZ.7 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Ikarus | Trojan.Win32.Jorik |
AV | K7 | Trojan ( 002456451 ) |
AV | Kaspersky | Trojan.Win32.Generic |
AV | MalwareBytes | Trojan.Downloader |
AV | Mcafee | Downloader-CEW.ap |
AV | Microsoft Security Essentials | TrojanDownloader:Win32/Renos.LX |
AV | MicroWorld (escan) | Gen:Heur.IPZ.7 |
AV | Rising | Trojan.Win32.Generic.128B8EC1 |
AV | Sophos | Mal/FakeAV-IZ |
AV | Symantec | Downloader |
AV | Trend Micro | TROJ_RENOS.SMRK |
AV | VirusBlokAda (vba32) | Malware-Cryptor.Limpopo |
Runtime Details:
Process
↳ C:\malware.exe
Creates Process | C:\malware.exe |
---|---|
Creates Mutex | Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1} |
Creates Mutex | {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82} |
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe |
---|---|
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1} |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Creates Mutex | {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82} |
Winsock DNS | lacvictoria.com |
Winsock DNS | qqplot.com |
Network Details:
DNS | wsj.com Type: A 205.203.132.1 |
---|---|
DNS | wsj.com Type: A 205.203.132.65 |
DNS | wsj.com Type: A 205.203.140.1 |
DNS | wsj.com Type: A 205.203.140.65 |
DNS | fastclick.com Type: A 64.156.167.84 |
DNS | nifty.com Type: A 210.131.4.217 |
DNS | qqplot.com Type: A 209.99.40.219 |
DNS | lacvictoria.com Type: A |
DNS | paulo-fg.com Type: A |
DNS | bonreligion.com Type: A |
HTTP POST | http://qqplot.com/borders.php User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
Flows TCP | 192.168.1.1:1031 ➝ 209.99.40.219:80 |
Raw Pcap
Strings