Analysis Date: 2014-06-09 08:46:27
MD5: 3f2a454c8544a5acef7921e5a825e512
SHA1: f262438bf831fd43b18cb892e8e8bd43d60f16f2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0658d21d2bc211b2c658d6fa4820318b sha1: 4ec7f2f9b9a54c76946935eb31e20bba283ed2c8 size: 512
Section .rdata: md5: 1983bc242e754c86cb211f8ae342db4a sha1: 470686b2f6e51465f8e9091168e8ae0d44759b6f size: 1536
Section .data: md5: a04d083834ef5090af8998f3de3b9a72 sha1: 8028124bcadea9c872885f7f7608f5b637ab3c91 size: 512
Section adata: md5: d83abe3c0e818ba334b92ea56584cc48 sha1: 16bf35609e9574717355fb52178178bbfbb05609 size: 4608
Section .rsrc: md5: d9e62f1d35f5200dd95507b664f18301 sha1: 7a98cb71fb9a8bdad878e533b51fa58c8fc2d298 size: 57856
Timestamp: 2014-05-19 13:14:00
Version info:
LegalCopyright: Copyright (C) 2006
InternalName: seasoning
FileVersion: 5,1,2,13
ProductName: seasoning Application
ProductVersion: 4,4,2,41
FileDescription: seasoning Application
OriginalFilename: seasoning.exe
PEhash: b2fb786918ed5ff5ae86aa6fa721e34edb00b701
IMPhash: 062793db9f0fe01deb2e3ff7ffc36bac
AV 360 Safe: Gen:Variant.Kazy.381506
AV Ad-Aware: Gen:Variant.Kazy.381506
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/ATRAPS.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Cutwail.r5
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader11.10672
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CCGN
AV Fortinet: W32/Kryptik.CCGN!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.381506
AV Grisoft (avg): SHeur4.BVSX
AV Ikarus: Win32.SuspectCrc
AV Kaspersky: Trojan.Win32.Cutwail.cwt
AV MalwareBytes: no_virus
AV Mcafee: RDN/Downloader.a!qy
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): Gen:Variant.Kazy.381506
AV Norman: winpe/Troj_Generic.UACMG
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\coboqjeaqoxg ➝ C:\Documents and Settings\Administrator\coboqjeaqoxg.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\coboqjeaqoxg.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: coboqjeaqoxg

Network Details:

DNS: smtp.glbdns2.microsoft.com (A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 98.139.211.125
DNS: kamaruka.vic.edu.au (A) ➝ 112.140.176.61
DNS: wsipowerontheweb.com (A) ➝ 176.58.125.225
DNS: szostka.com (A) ➝ 127.0.0.1
DNS: robertmcintyre.com.au (A) ➝ 199.73.58.66
DNS: atr-technologies.com (A) ➝ 141.101.116.118
DNS: atr-technologies.com (A) ➝ 141.101.117.118
DNS: screaminpeach.com (A) ➝ 162.159.240.165
DNS: screaminpeach.com (A) ➝ 198.41.249.164
DNS: shipeliteexpress.com (A) ➝ 108.162.198.142
DNS: shipeliteexpress.com (A) ➝ 108.162.199.142
DNS: choice-select.com (A) ➝ 50.56.218.189
DNS: floridadoubled.com (A) ➝ 64.59.81.104
DNS: theautospas.com (A) ➝ 162.159.248.242
DNS: theautospas.com (A) ➝ 162.159.249.242
DNS: paulrenna.com (A) ➝ 198.154.229.165
DNS: austriansurfing.at (A) ➝ 85.13.151.94
DNS: impex.com.pl (A) ➝ 188.252.27.130
DNS: adultlivechat.us (A) ➝ 127.0.0.1
DNS: aciuba.com.br (A) ➝ 186.249.220.203
DNS: osouji-school.com (A) ➝ 211.13.204.89
DNS: brookfarm.com.au (A) ➝ 116.251.204.207
DNS: sztartufi.com (A) ➝ 95.110.192.171
DNS: smtp.live.com (A)
DNS: smtp.mail.yahoo.com (A)
DNS: norakuroya.com (A)
DNS: enzoyrodrigo.com.br (A)
HTTP POST: http://kamaruka.vic.edu.au/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://wsipowerontheweb.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://robertmcintyre.com.au/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://atr-technologies.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://screaminpeach.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://shipeliteexpress.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://choice-select.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://floridadoubled.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://theautospas.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://paulrenna.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://austriansurfing.at/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://impex.com.pl/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://aciuba.com.br/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://osouji-school.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://brookfarm.com.au/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sztartufi.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
Flows TCP: 192.168.1.1:1052 ➝ 112.140.176.61:80
Flows TCP: 192.168.1.1:1053 ➝ 176.58.125.225:80
Flows TCP: 192.168.1.1:1055 ➝ 199.73.58.66:80
Flows TCP: 192.168.1.1:1056 ➝ 141.101.116.118:80
Flows TCP: 192.168.1.1:1057 ➝ 162.159.240.165:80
Flows TCP: 192.168.1.1:1058 ➝ 108.162.198.142:80
Flows TCP: 192.168.1.1:1059 ➝ 50.56.218.189:80
Flows TCP: 192.168.1.1:1060 ➝ 64.59.81.104:80
Flows TCP: 192.168.1.1:1061 ➝ 162.159.248.242:80
Flows TCP: 192.168.1.1:1062 ➝ 198.154.229.165:80
Flows TCP: 192.168.1.1:1063 ➝ 85.13.151.94:80
Flows TCP: 192.168.1.1:1064 ➝ 188.252.27.130:80
Flows TCP: 192.168.1.1:1066 ➝ 186.249.220.203:80
Flows TCP: 192.168.1.1:1067 ➝ 211.13.204.89:80
Flows TCP: 192.168.1.1:1068 ➝ 116.251.204.207:80
Flows TCP: 192.168.1.1:1069 ➝ 95.110.192.171:80

Strings