Analysis Date: 2014-10-13 21:08:24
MD5: c213eef9f73395f7c689f2ca9a004810
SHA1: f16edf4d2917e54bab43059e6ca9eefff8da42c1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: f0d2f9ef7fc2833a150959a0a94f5053 sha1: 56baa577c54473b68707fd0c096717c17c395d64 size: 3072
Section: .rdata md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024
Section: .data md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536
Section: .rsrc md5: 0b82000fe9c590c5808f7f491e543887 sha1: 8f83fb951bfab13161dc5a6be0d8d61ce8058964 size: 40960
Timestamp: 2014-06-12 06:27:26
Version: LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: aa08b345557f392f5cf9a25e767913eb6eda649a
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV 360 Safe: Trojan.Dropper.Agent.VNI
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Alwil (avast): Kryptik-NXT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Trojan.Dropper.Agent.VNI
AV CA (E-Trust Ino): Win32/Cutwail.QEILdMB
AV CAT (quickheal): Trojan.Generic.r4
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Dropper.Agent.VNI
AV Eset (nod32): Win32/Kryptik.CEET
AV Fortinet: W32/Kryptik.CEET!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Grisoft (avg): Crypt3.YHL
AV Ikarus: Trojan.Dropper.Agent
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: Troj/Loader-N
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\kutodgeaceho ➝ C:\Documents and Settings\Administrator\kutodgeaceho.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\kutodgeaceho.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\winstedapts[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\winstedapts[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: kutodgeaceho
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bethesdalutheran.org
Winsock DNS: ellislawpc.com
Winsock DNS: winstedapts.com
Winsock DNS: hamptonproton.org
Winsock DNS: hendersonranchprop.com
Winsock DNS: roytechind.com
Winsock DNS: kotohogi.net
Winsock DNS: doerrsiding.com
Winsock DNS: sunandgolfhomes.com
Winsock DNS: zon-business.com
Winsock DNS: eurofilms.com
Winsock DNS: allamericanprintinginc.com
Winsock DNS: higienika.pl
Winsock DNS: mpccontainment.com
Winsock DNS: samcons.com
Winsock DNS: plastivan.pl
Winsock DNS: womeningold.com
Winsock DNS: imaginationcelebration.org
Winsock DNS: fruzel.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25

Strings
.
.

041904b0
]\4"
6,3,4,31
7,2,4,19
absence express different daughter
&accompanied Miriam
&adjuration--words dramatic
&agreeable
&always certain
amendment worrying
angelic
&answer continued
appears hours
&asked; experience
attempt Peter
&audibly spirit
&ballet--a
better Harsh
&caution
conscious
considered
conviction
Copyright (C) 2008
cried particular
Dallow silence
&damned richly
&dangerous
&declared necessity--without
degree simply
&differently
&diversion
drawing Grace believe intimate
effect nothing
&elapsed
electronically demands
&enough behind--Im
entered
entirely
&evidently moustache
&exhibitions
&existence reason
expressed
&expressed
fellow
field crabbed
FileDescription
FileVersion
&general
Harsh
her--if
&herself accused
herself perform
&himself
humbugging
hundred actress mother chin--a
&ill-timed prefers
imperturbably
importunity
&inquiries nature
inquiry
intended
interesting
&interesting encouragement
interests ridiculous
&interfere living
InternalName
interval should
&itself
kindly
large
&leaned
LegalCopyright
like--doing
meeting naturally
&mingled
Miriam
&Miriam
&misunderstood
&mouth
MS Shell Dlg
oddest
OriginalFilename
&outsider
&passion
Peter
picture
piece
&please Sometimes
portents
possible erect
prize simplified something
ProductName
ProductVersion
&propositions vehicle
public
rehearsal imperious penalty
&remember
&repeated--go
returned
&returned
RichEdit20A
&risked
&river to-morrow
should
sickly
sickly Application
sickly.exe
&sometimes crumble
sought truth;
&sounds
speech Project chance doubts
spending
steps
StringFileInfo
&stupid entertainer
suggestion
&surprised
SysListView32
Tahoma
&telling
&terribly should
&theatre
&things;
&thinks tendency
&thorough beautiful
&thrown
&together success
Translation
turned
understand
urgent beautifully beribboned
&uttered
VarFileInfo
VS_VERSION_INFO
&wanted
&way--so
&Wheatsheaf Rooth
&whether
which
window chance
&winter scene
wishing consciousness
&without
&woefully youth
wouldnt
0b5VGm#HFG$D
0[fBSS
0^#yP]
2ex6jw
.>2POvm
4wv{:57
8@6/~0f
8~L`4a
AGigoo
CreateWindowExA
DefWindowProcA
DispatchMessageA
DL=)G3W
Ed`InG
EKEmQp
ExitProcess
FindResourceA
GetCurrentProcessId
GetMessageA
GetModuleHandleA
GetProcessHeap
+~Gn;Y
H3{:E$
HeapAlloc
je,C2hJ
"Js`xS
kernel32.dll
KillTimer
K=pW:o,M
?L{?< 
LoadCursorA
LoadIconA
LoadResource
LPEtw.c
m}nXCG
Moix+f
M'	s2"HV
nB9kdgfrwerbbbmddd
n?+e29
nM@	r^
NM(S|%7u
No)[&$X
O?hGhI
or]c=y
PostQuitMessage
PPginb
PYWrv+%
r7GT|`#5
.rdata
RegisterClassExA
RH518j
RZ63Tm
SetTimer
Sg0Q{)#Z
ShowWindow
TeDZal9
#tew9?
!This program cannot be run in DOS mode.
TranslateMessage
tZx3EM
( ,u\[
[Un~ig
UpdateWindow
user32.dll
@u(zvj
V#9i!GH
VH#;0>-1
? VkPk
wchzB3.
:WJKh|)
*	~$xP(
\!%~:Y
y<.9;u
yn@[ZV
zj!o,3P