Analysis Date: 2015-05-09 10:19:40
MD5: 0328be7b7448d1bc6492f4c925462f0a
SHA1: f50c3cbff901f54d5731e85ec08970c3b6dd2a4d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 959b806f7d9f7cd9d4e894c91dbac5a5  sha1: 2cb12421bb57f545e782e548af134579921161cb  size: 1536
Section .rdata  md5: 0af8f709317d00fc6d4d864fbfc36e98  sha1: f7f14b50827b47b42c2cafaadca1e863ca6d30c3  size: 512
Section .data   md5: 1874a948577021618abba04a1a6f00c6  sha1: ed74ed8926ebdf371f36b480cba181d6cdfe962d  size: 512
Section .rsrc   md5: cf194718322be6e4cb33d6d25dadba50  sha1: ee9e9597baa468a48084b3fbf5475963d9c06287  size: 47104
Timestamp: 2005-08-10 11:16:34
Packer: PE Diminisher v0.1
PEhash: 56104f25be8f04d0fb3b190dc47dbef8881e648a
IMPhash: a56f115ee5ef2625bd949acaeec66b76
AV Ad-Aware: Gen:Variant.Zusy.61925
AV Alwil (avast): Cutwail-BP [Trj]
AV Arcabit (arcavir): Gen:Variant.Zusy.61925
AV Authentium: no_virus
AV Avira (antivir): TR/Zusy.61925
AV BitDefender: Gen:Variant.Zusy.61925
AV BullGuard: Gen:Variant.Zusy.61925
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail.r4
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1105
AV Emsisoft: Gen:Variant.Zusy.61925
AV Eset (nod32): Win32/Kryptik.BJIW
AV Fortinet: W32/Pushdo.AZJ!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.61925
AV Grisoft (avg): Downloader.Generic13.BKRA
AV Ikarus: Backdoor.Win32.Pushdo
AV K7: Trojan ( 00458c571 )
AV Kaspersky: Backdoor.Win32.Pushdo.azj
AV MalwareBytes: Trojan.Agent.BFG
AV Mcafee: GenericR-DOE!0328BE7B7448
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Zusy.61925
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Backdoor.Trojan
AV Trend Micro: TROJ_SPNR.14A014
AV Twister: Trojan.5A36F6B35FD628FA
AV VirusBlokAda (vba32): Backdoor.Pushdo
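
How the IMPhash value above is derived, as an added example that is not part of the sandbox output: the pefile import-hashing algorithm re-implemented over a plain import list. The module and API names in SAMPLE_IMPORTS are the ones visible in this report's Strings section (kernel32.dll, user32.dll, gdi32.dll, GetModuleHandleA, LoadLibraryExA, CreateThread, WaitForSingleObject, LoadImageW, GetObjectW), but their order and completeness are assumptions, so the digest computed here is not expected to equal a56f115ee5ef2625bd949acaeec66b76; imphash_of_file() is the call that reproduces the report's value from the real sample.

```python
"""Import hashing (imphash) as pefile computes it, re-implemented over a plain import list.

Added example, not part of the sandbox output. SAMPLE_IMPORTS is constructed from the
module and API names visible in the report's Strings section; their order and
completeness are assumptions, so imphash(SAMPLE_IMPORTS) is not expected to equal
the report's IMPhash. imphash_of_file() computes the real value from the sample.
"""
import hashlib
from typing import Iterable, Optional, Sequence, Tuple

REPORTED_IMPHASH = "a56f115ee5ef2625bd949acaeec66b76"  # IMPhash from the report above

# (module name as written in the import directory, API name or None, ordinal)
Import = Tuple[str, Optional[str], int]

# Constructed from the report's strings (kernel32.dll, user32.dll, gdi32.dll and
# the API names listed near them). Order is assumed.
SAMPLE_IMPORTS: Sequence[Import] = (
    ("kernel32.dll", "GetModuleHandleA", 0),
    ("kernel32.dll", "LoadLibraryExA", 0),
    ("kernel32.dll", "CreateThread", 0),
    ("kernel32.dll", "WaitForSingleObject", 0),
    ("user32.dll", "LoadImageW", 0),
    ("gdi32.dll", "GetObjectW", 0),
)


def normalize_module(dll: str) -> str:
    """Lower-case the module name and drop a trailing .dll/.ocx/.sys, as pefile does."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else name


def imphash_string(imports: Iterable[Import]) -> str:
    """The canonical 'module.api,module.api,...' text that gets hashed.

    Import order is preserved on purpose: reordering the import table changes
    the hash even when the set of APIs is identical.
    """
    parts = []
    for dll, api, ordinal in imports:
        if api is None:
            # Import by ordinal. pefile first maps well-known ordinals (ws2_32,
            # oleaut32) to names; only its 'ordN' fallback is modelled here.
            api = "ord%d" % ordinal
        parts.append("%s.%s" % (normalize_module(dll), api.lower()))
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the canonical import string: this is the imphash."""
    return hashlib.md5(imphash_string(imports).encode("utf-8")).hexdigest()


def matches_report(imports: Iterable[Import], reported: str = REPORTED_IMPHASH) -> bool:
    """True when a reconstructed import table reproduces the report's IMPhash."""
    return imphash(imports) == reported.lower()


def imphash_of_file(path: str) -> str:
    """Imphash of a real PE on disk via pefile (pip install pefile), for comparison
    with REPORTED_IMPHASH when the sample itself is available."""
    import pefile  # imported lazily so the rest of the module runs without it
    return pefile.PE(path).get_imphash()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS), "matches report:", matches_report(SAMPLE_IMPORTS))
```

Two caveats follow from the algorithm. Any change in import order or in the set of imported APIs changes the digest, so imphash is a build-level rather than family-level pivot. And because this file is packed (PE Diminisher v0.1), the import table that the hash sees is the packer stub's, so the IMPhash clusters files sharing that stub, not files carrying the same payload.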

Runtime Details:

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\sikirpirypvo ➝ C:\Documents and Settings\Administrator\sikirpirypvo.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\sikirpirypvo.exe
Creates Mutex: sikirpirypvo

Network Details:

DNS: smtp.glbdns2.microsoft.com (A) ➝ 65.55.163.152
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 63.250.193.228
DNS: smtp.live.com (A)
DNS: smtp.mail.yahoo.com (A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
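
The runtime and network details above describe three observable behaviours: a Run value under HKEY_CURRENT_USER that points at an executable dropped directly in the user-profile root, one random-looking name (sikirpirypvo) reused for the Run value, the dropped .exe and the mutex, and outbound TCP/25 connections to the SMTP hosts that were resolved moments earlier, which is how a spam bot delivers mail directly to providers' mail exchangers. The following is an added example, not part of the original sandbox output, of triage rules that encode those three observations and run them over the report's events re-entered by hand. The 192.168.1.1 source address is taken from the flows; the "smtp./mail./mx" hostname heuristic and the two-destination threshold are assumptions.

```python
"""Triage rules for the runtime and network behaviour listed in the report above.

Added example, not part of the original sandbox output. EVENTS is re-entered by
hand from the report's Runtime Details and Network Details. The MX-hostname
heuristic and the minimum-destination threshold are assumptions.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed from the report. Shapes:
#   ("registry", key_path, value_data)      ("file", path)      ("mutex", name)
#   ("dns", hostname, answer_ip)            ("flow", src_ip, src_port, dst_ip, dst_port)
EVENTS: Sequence[Tuple] = (
    ("registry",
     r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\sikirpirypvo",
     r"C:\Documents and Settings\Administrator\sikirpirypvo.exe"),
    ("registry",
     r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement", None),
    ("file", r"C:\Documents and Settings\Administrator\sikirpirypvo.exe"),
    ("mutex", "sikirpirypvo"),
    ("dns", "smtp.glbdns2.microsoft.com", "65.55.163.152"),
    ("dns", "smtp.mail.global.gm0.yahoodns.net", "98.138.105.21"),
    ("dns", "smtp.mail.global.gm0.yahoodns.net", "98.139.211.125"),
    ("dns", "smtp.mail.global.gm0.yahoodns.net", "63.250.193.228"),
    ("flow", "192.168.1.1", 1031, "65.55.163.152", 25),
    ("flow", "192.168.1.1", 1032, "98.138.105.21", 25),
)

# A value under ...\CurrentVersion\Run\<value name> (HKCU or HKLM).
RUN_VALUE_RE = re.compile(r"\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)
# An .exe sitting directly in a user-profile root, where installers do not put binaries.
PROFILE_ROOT_EXE_RE = re.compile(
    r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Hostnames that look like a mail provider's SMTP/MX front end (assumed heuristic).
MX_LIKE_RE = re.compile(r"^(smtp|mail|mx\d*)\.", re.IGNORECASE)


def run_key_persistence(events: Sequence[Tuple]) -> List[Dict[str, object]]:
    """Every Run value written, noting whether its target lives in a profile root."""
    findings = []
    for ev in events:
        if ev[0] != "registry" or ev[2] is None:
            continue
        m = RUN_VALUE_RE.search(ev[1])
        if m:
            findings.append({"value_name": m.group(1), "target": ev[2],
                             "profile_root_exe": bool(PROFILE_ROOT_EXE_RE.match(ev[2]))})
    return findings


def shared_artifact_name(events: Sequence[Tuple]) -> Optional[str]:
    """A token used at once as Run value name, dropped .exe base name and mutex name.

    One random-looking name reused across all three is a per-sample indicator and
    a convenient pivot for hunting the same build on other hosts.
    """
    run_names = {f["value_name"].lower() for f in run_key_persistence(events)}
    mutexes = {ev[1].lower() for ev in events if ev[0] == "mutex"}
    exe_bases = {ev[1].rsplit("\\", 1)[-1][:-4].lower()
                 for ev in events if ev[0] == "file" and ev[1].lower().endswith(".exe")}
    common = run_names & mutexes & exe_bases
    return min(common) if common else None


def direct_to_mx_smtp(events: Sequence[Tuple], min_destinations: int = 2) -> Dict[str, object]:
    """Flag outbound TCP/25 to addresses that were just resolved from MX-looking names.

    A workstation submits mail to one configured relay; connecting to several
    providers' SMTP hosts on port 25 right after resolving them is spam-bot behaviour.
    """
    resolved = {ev[2]: ev[1] for ev in events if ev[0] == "dns"}
    flows = []
    for ev in events:
        if ev[0] == "flow" and ev[4] == 25:
            host = resolved.get(ev[3])
            flows.append({"src": ev[1], "dst": ev[3], "resolved_from": host,
                          "mx_like": bool(host and MX_LIKE_RE.match(host))})
    mx_dsts = sorted({f["dst"] for f in flows if f["mx_like"]})
    return {"smtp_destinations": sorted({f["dst"] for f in flows}),
            "mx_like_destinations": mx_dsts,
            "suspicious": len(mx_dsts) >= min_destinations,
            "flows": flows}


def triage(events: Sequence[Tuple]) -> List[str]:
    """Human-readable findings; an empty list means none of the three rules fired."""
    notes = []
    for f in run_key_persistence(events):
        where = "user-profile root" if f["profile_root_exe"] else "non-profile path"
        notes.append("Run-key persistence '%s' -> %s (%s)" % (f["value_name"], f["target"], where))
    name = shared_artifact_name(events)
    if name:
        notes.append("Run value, dropped exe and mutex share the name '%s'" % name)
    smtp = direct_to_mx_smtp(events)
    if smtp["suspicious"]:
        notes.append("Direct-to-MX SMTP: TCP/25 to %s" % ", ".join(smtp["mx_like_destinations"]))
    return notes


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The SMTP rule correlates DNS answers with flows rather than matching on port 25 alone, so a host talking to its own configured relay on 25 without a preceding MX-style lookup does not fire; on a real network the same logic applies to DNS and flow logs from a resolver and a firewall, with the threshold raised for hosts that legitimately send mail.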

Strings
rMMm..
y
Y
10 hours
1 minute
21 days
7 days
Additional IP address
&Add new domain mapping
&Add new realm
&Add new server
Addressless
&Addressless
Address List
Admin
AES128_CTS-HMAC-SHA1_96
AES256_CTS-HMAC-SHA1_96
Approved for delegation	Anonymous1The Kerberos v5 profile file could not be written>The file %s could not be opened as a profile file for writing.bThe file %s could not be opened for writing.  The current changes will be saved to %s temporarily.
ATHENA.MIT.EDU
&Browse ...
Browse...
Can be &forwarded to other machines
Can be forwarded to other machines
Can't add new realm %s{The new realm name %s can't be added because there is already a realm with the same name listed.  Please type another name.$Can't add new server %s for realm %sQThere already is a server named %s for realm %s. The new server can not be added.(Can't add new domain map %s for realm %s
Changing Kerberos v5 Password
Configuration File
Configure Realms ...
Create file if missing
Credential cache
Credential Caches
Credential flags
Credential lifetime
Credential lifetime range
Credential renewable lifetime range
Current Password
Default credential flags
Default lifetime
Default realm
Default Realm
DES3-CBC-RAW
DES3-CBC-SHA
DES3-CBC-SHA1
DES-CBC-CRC
DES-CBC-MD4
DES-CBC-MD5
DES-CBC-RAW
DES-HMAC-SHA1
Domain
Domain mappings
Domains that map to %s
Domain to Realm mappings
File based Credential Caches
File-based Credential Caches
Forwardable
&Forwardable
Forwardable	Forwarded	Proxiable
From
Hardware authentication
Hostname
Import credentials
Include all API: credentials caches
Include all configured realms in New Credentials realm list
Include Windows LSA cache (MSLSA:)
Initial
Invalid	Renewable
Issued on
@jjj
Kerberos Realm Configuration
Kerberos Realms
Kerberos Servers
Kerberos Servers for %s
Kerberos v4
Kerberos v4 credentials
Kerberos v5
Kerberos v5 CCache
Kerberos v5 Change Password Options
Kerberos v5 Configuration
Kerberos v5 Credential Caches
Kerberos v5 Credential Options
Kerberos v5 credentials
Kerberos v5 Flags
Kerberos v5 Identity Provider
Kerberos v5&Kerberos v5 options for all identities
Kerberos v5%Kerberos v5 options for this identity Kerberos v5 Credentials Provider
Kerberos v5: %s
Kerberos v5 Servers
Kerberos v5 Warning
Key version number
Kvno
&Lifetime
Load into realm editor ...
LOCAL-DES3-HMAC-SHA1
LOCAL-RC4-MD4
Location
Master
Maximum lifetime
Max. Renewable lifetime
May postdate	Postdated
Microsoft Windows
Minimum lifetime
Min. Renewable lifetime
MS Shell Dlg
Name
<New domain mapping...>
New Password
New Password againZ<p><a id="SwitchPanel" param="Krb5Cred"><b>Krb5</b></a><tab>: Changing password for %s</p>,Never,Always,Only when the principal matches
<New realm...>
<New server...>
(Not available)
NULL
 Options
<p><a id="SwitchPanel" param="Krb5Cred"><b>Krb5</b></a><tab>: The password for the selected identity has expired.</p><p><tab>  Click <a id="Krb5Cred:!Passwd">here</a> to change the password</p>
<p><a id="SwitchPanel" param="Krb5Cred"><b>Krb5</b></a><tab>: The selected principal name has expired.</p><p><tab>  Please contact your system administrator.</p>
Pre-authenticated
Proxiable
Proxy
RC4-HMAC-NT
RC4-HMAC-NT-EXP	(Unknown)
Realm
Realms
&Remove domain mapping
&Remove realm
Remove Selected
&Remove server
Renewable
&Renewable
&Renewable for
Renewable for
Renewable for%Kerberos v5 Primary Credentials Cache
Renewable lifetime
Renewable till
Renewable Till	Renew for
Renew Till
%sD<p><a id="SwitchPanel" param="Krb5Cred"><b>Krb5</b></a><tag>: %s</p>
Server
Service Encryption Type	Addresses
Service EncType
Session EncType
Session Key Encryption Type
Specify &additional realms ...
SysIPAddress32
SysListView32
TEXTINCLUDE
The identity name is invalid.=An unknown error occurred while validating the identity name.
The identity name is too long.
_There already is a domain named %s mapping to realm %s.  The new domain map could not be added.
This may be due to not having privileges to modify the configuration file.  Please contact your system administrator to resolve the issue.
Ticket &lifetime
Ticket re&newable lifetime
Toggle a&dmin server
Toggle &master KDC
Transit policy checked
Unknown address type %dV<p><a id="SwitchPanel" param="Krb5Cred"><b>Krb5</b></a><tab>: Tickets for realm %s</p>
Username
Valid till
Warning:3The credentials cache you specified does not exist.,The path you specified not an absolute path. Select a credential cache to add
*>;.\2c
&3aUHj
5.vR2U
{7c/8%X
7,|^-fD
8CeB*dwR%
<8L'L]
8n$*{4'
A{i45|
BGi:Mh
b+L'YH
]C&*bB3
CreateThread
c|t(/Z
@.data
<Eoa|2
gdi32.dll
GetModuleHandleA
GetObjectW
GHa#	7
#g-nhz
hLGgN]
HYGm<h*
#include "afxres.h"
jdp$?sT2~
Js9<4&
kernel32.dll
k,-nZY
..\..\langres.h
LoadImageW
LoadLibraryExA
m=<88BB
@n4:2z5
)o,(qx
PKk7-i
>PntNN
PSQRVW
q\2[RW
$Q#%aI
Q_m_-c
Q<Msmd6~
`.rdata
SD62#9
S ^Xuyq
!This program cannot be run in DOS mode.
ts>:U{D
+TWj$^
ulu/zU
user32.dll
*UW0T_;
>W5uaWV
WaitForSingleObject
xnsewoNu
XSW0pU
xYsrN,