Analysis Date: 2015-02-03 04:04:27
MD5: 42f7c28bffb27baff85a8fa828295da8
SHA1: f1717463c979f9ee52c3ea8d1e00b11543e3dd24

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 41cc7503f8566078aa9c7678d536d971 sha1: da6ab0f9f3622d5db2abf3a892b25f22c1e2f4fa size: 6656
Section .rdata md5: 6d7c656df2ac355a0ab38f145b3c1423 sha1: 09147ce5884b9cfddeaf6798fd5ae04dcd045756 size: 3584
Section .data md5: 7d51d2b2caa7765f12ec03d5bdaebb80 sha1: 7c9e96c2f33d86b24480f2fb5eb863b80c683a7b size: 2560
Section .rsrc md5: e559015acee84084879e74404d379b13 sha1: 8eec18b9dcb174c30ee235f333ceaa1dea33da2c size: 20480
Section .reloc md5: 9b41b42a952d61418e9fd50f31ee649a sha1: f83df168be772b43c0ddf4a345bb502847cd08a3 size: 4096
Timestamp: 2005-07-28 02:04:36
PEhash: 8c29d5f1944b0b73ccf086da62e57685146d4c5a
IMPhash: 88124532dfe93f74ae03513a6b4a6748
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKDZ.26798
AV Alwil (avast): Downloader-VQV [Trj]
AV Arcabit (arcavir): Trojan.GenericKDZ.26798
AV Authentium: W32/Trojan.GYOA-6162
AV Avira (antivir): TR/Elenoocka.plakj
AV BullGuard: Trojan.GenericKDZ.26798
AV CA (E-Trust Ino): Win32/Tnega.JAHJBLB
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKDZ.26798
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): W32/Trojan3.NFK
AV F-Secure: Trojan.GenericKDZ.26798
AV Grisoft (avg): Crypt3.BTOB
AV Ikarus: Evilware.Outbreak
AV K7: Trojan-Downloader ( 00499db21 )
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cbxq
AV MalwareBytes: Trojan.Email.FakeDoc
AV Mcafee: Downloader-FAMV!42F7C28BFFB2
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.C
AV MicroWorld (escan): Trojan.GenericKDZ.26798
AV Rising: no_virus
AV Sophos: Troj/Agent-AIRO
AV Symantec: Downloader.Ponik
AV Trend Micro: TROJ_CRYPCTB.SME
AV VirusBlokAda (vba32): Trojan.FakeAV.01657

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_77265.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\f1717463c979f9ee52c3ea8d1e00b11543e3dd24.rtf
Creates Mutex: 93031785
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.221
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.192.91
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.221:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....


Strings
ADVAPI32.dll
CACloseCA
CACloseCertType
CADeleteCA
CAEnumFirstCA
CAEnumNextCA
certcli.dll
CloseHandle
ControlService
CountryRunOnce
CreateDirectoryA
CreateNamedPipeA
CreateProcessAsUserA
CreateServiceA
CreateWindowExA
@.data
DeviceIoControl
DialogBoxParamA
DllInitialize
DrawIcon
drvCommConfigDialogA
drvGetDefaultCommConfigA
drvSetDefaultCommConfigA
FindResourceA
FormatMessageA
GetAtomNameA
GetCaretPos
GetComputerNameA
GetCurrentDirectoryA
GetCurrentProcess
GetFullPathNameA
GetMessageA
GetModuleHandleA
GetPrivateProfileIntA
GetPrivateProfileStructW
GetProcAddress
GetProcessId
GetPropA
GetStringTypeA
GetSystemTimeAsFileTime
GetWindowTextA
GradientFill
HeapValidate
InitializeSid
IsCharLowerW
IsDialogMessageA
IsTextUnicode
IsValidAcl
IsWindow
IsZoomed
kernel32.DLL
KERNEL32.dll
lokitar.pdb
modemui.dll
msimg32.dll
PathCombineA
`.rdata
ReadConsoleA
ReadFile
RegCreateKeyA
RegEnumKeyA
RegEnumValueA
RegFlushKey
RegOpenKeyExA
RegQueryValueA
RegSaveKeyA
@.reloc
SetCursorPos
SetFilePointer
SHLWAPI.dll
!This program cannot be run in DOS mode.
TransparentBlt
UpdateResourceA
UrlCanonicalizeA
UrlCombineA
UrlCompareA
UrlEscapeA
UrlGetLocationA
UrlGetPartA
UrlHashA
UrlIsA
UrlIsOpaqueA
user32.dll
VirtualAllocEx
vSetDdrawflag
WaitForSingleObject
wsprintfA
WTSAPI32.dll
WTSEnumerateProcessesA
WTSEnumerateSessionsW
WTSFreeMemory
WTSLogoffSession
WTSOpenServerW
WTSRegisterSessionNotification
WTSSendMessageA
WTSSetSessionInformationW
WTSSetUserConfigW
WTSUnRegisterSessionNotification
WTSVirtualChannelOpen
WTSVirtualChannelQuery
WTSVirtualChannelRead
WTSWaitSystemEvent