Analysis Date: 2013-12-08 09:18:44
MD5: ba1e6d17fcd499c7449ca4e556cb60c4
SHA1: f4af411603a3de9193557934950fb80a9a9f796a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 3334dbab60ad171bff78fa5e1a23cc6f sha1: 93b8e888e3cad0da9dbc6bfe24d3c09ae6945abb size: 1024
Section .rdata md5: aa67564fb2e43ff7a095fb6df1faaf6b sha1: ee2baacbc5d9925be5577fbaef212fb686e01cc1 size: 512
Section .data md5: 96a48bd7c1d7899d6e63402c89ae76e3 sha1: ccc0f92735a288e5760a0a822cbe1f8382d368f6 size: 512
Section .rsrc md5: ec7a4634dd99425f6fc234ff090559a2 sha1: ac2dba5278a0725e0d105a086ae0376948daa399 size: 35328
Timestamp: 2008-10-07 18:12:21
Version:
LegalCopyright: Copyright (C) 1998
InternalName: cbrowse
FileVersion: 1, 0, 0, 1
CompanyName:
LegalTrademarks:
ProductName: cbrowse Application
ProductVersion: 1, 0, 0, 1
FileDescription: cbrowse MFC Application
OriginalFilename: cbrowse.EXE
Packer: PE Diminisher v0.1
PEhash: cb398c021da7b9a08a0c0265607cc25d85b95e74
AV avg: BackDoor.Generic17.COFR
AV msse: TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dilgeginywip ➝
C:\Documents and Settings\Administrator\dilgeginywip.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\dilgeginywip.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: dilgeginywip
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: area72aa.org
Winsock DNS: niray.com.cn
Winsock DNS: e-shuukyaku.com
Winsock DNS: rovoneli.com
Winsock DNS: boundbydesign.com
Winsock DNS: perc.ca
Winsock DNS: safetyconnection.ca
Winsock DNS: vitalur.by
Winsock DNS: bigtopmultimedia.com
Winsock DNS: hartmultimedia.com
Winsock DNS: nanfangcw.com
Winsock DNS: bethisraelcenter.org
Winsock DNS: servico-ind.com
Winsock DNS: ginalimo.com
Winsock DNS: xuanxiao.com
Winsock DNS: justconnect.co.za
Winsock DNS: arquiteturadigital.com
Winsock DNS: churchsupplies.net
Winsock DNS: kafrit.com
Winsock DNS: taykon.com

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.162.200
DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.162.200:25
Flows TCP: 192.168.1.1:1032 ➝ 188.125.69.59:25

Strings:
040904B0
1, 0, 0, 1
&About...
&Back
cbrowse
cbrowse Application
cbrowse.EXE
cbrowse MFC Application
CompanyName
&Copy
Copyright (C) 1998
Cu&t
&Debug
&Edit
Edit Mode
E&xit
&File
FileDescription
FileVersion
&Forward
&Go To
&Help
&Home Page
InternalName
LegalCopyright
LegalTrademarks
Open Links in New Windows
OriginalFilename
Page Setup...
&Paste
Post Data Test
&Print Page
ProductName
ProductVersion
&Refresh
Sa&ve As...
Select &All
Sour&ce
&Stop
StringFileInfo
TEXTINCLUDE
Translation
VarFileInfo
&View
&Visible
VS_VERSION_INFO
!0~,Hm
.1JR	a
{/1?W6$^
3A{BV c
3~i6%~&L
3jff5n
3[N/RD
4>|6*`F
4>VO%Z
"6SRTC
7	"F/{^
7F6$6,5*
7P^@qXa
84O<L<
8P}/nf
'90R5%%
AreFileApisANSI
BOGX\bM
:+B#+zm-y
C~:?8H
<cbm%X"
@.data
dD?ykF
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
^E*<G"
Ehl$^:3
#endif
En]?kw
(Eo~7B
&ET\H q
Fk\P+4
gdi32.dll
GetCurrentProcessId
GetModuleHandleA
GetObjectA
GetTempPathA
<Gk\CN?
	)'HjQ
i"5}w*
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
#include "afxres.h"
#include "afxres.rc"         // Standard components
#include "res\cbrowse.rc2"  // non-Microsoft Visual C++ edited resources
JJ${/A
JT\]U7
$.JT$Wwy
<J/XD0
,@kdpt
kernel32.dll
%kzsW*
\L8^`q
LANGUAGE 9, 1
LoadImageA
LoadLibraryExA
lp$vMaW
M-F@@@Z
Nop%^O
'	OCXp
P8&gCH
pba]__
.P#	JtI
plU#2`
#pragma code_page(1252)
qc)"AV
Q\mOW_
*R0[o}
 [[RAYkG
`.rdata
resource.h
{!Rich
SezXC<:
s/[YqB
T37x]M
/_?t^FT
!This program cannot be run in DOS mode.
@|Tw6ly
user32.dll
v&@]kG
 w_!{~=8
wXyGMnB#,q
w;'z}wn1
XqCZh1
Z-x-c-v!@#$%^