Analysis Date: 2014-11-27 13:12:09
MD5: f33f40105fa0884339bfc2f777815a4e
SHA1: f60ba178c57dc35029de22e3f5eedf9bdd06a0f6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 96f19965715a9b4a77290326ac9e545c sha1: 5c40f458dea04920bd36bd718a4eed9e52b9ff43 size: 4608
Section .data  md5: 5e210c11b9fe92358c4fa917043afda7 sha1: 0facd928697b3deed173c2149df0e2bc3e3a78a0 size: 7168
Section .idata md5: bdd6e11a11fffb3445806e7648a94008 sha1: 8d8b343a67cd2d91ec8e124914714cdc3cd4cc70 size: 1024
Section .rsrc  md5: 2d206b8f393c1844fd6fb61d74d40184 sha1: fd6b747a1d974c755bb891bfc7d7eff66104bf98 size: 5632
Timestamp (PE header compile time; attacker-controlled, so not necessarily genuine): 2005-05-22 14:12:56
PEhash: fd09002112a4313b1d5bcfb338f14d27db93121b
IMPhash: c5effa462f51432aeac8904668baca02
AV 360 Safe: Gen:Variant.Kazy.311358
AV Ad-Aware: Gen:Variant.Kazy.311358
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Bublik.boim
AV Authentium: W32/Trojan.SCZK-3312
AV Avira (antivir): TR/Dldr.JQGV
AV BullGuard: Gen:Variant.Kazy.311358
AV CA (E-Trust Ino): Win32/Zbot.HSD
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Gen:Variant.Kazy.311358
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Kryptik.CF!tr
AV Frisk (f-prot): W32/Trojan3.GVH
AV F-Secure: Gen:Variant.Kazy.311358
AV Grisoft (avg): Crypt2.CDKF
AV Ikarus: Trojan-Spy.Zbot
AV K7: Trojan ( 00491c461 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakePDF
AV Mcafee: PWSZbot-FOH!F33F40105FA0
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Gen:Variant.Kazy.311358
AV Norman: Gen:Variant.Kazy.311358
AV Rising: no_virus
AV Sophos: Troj/Agent-AFGR
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_BUBLIK.AAA
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"
Creates Mutex: VideoRenderer

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: VideoRenderer
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: pvwebsolution.com
Winsock DNS: bestdatingsitesreview4u.com

Network Details:

DNS: bestdatingsitesreview4u.com
Type: A
54.231.160.67
DNS: pvwebsolution.com
Type: A
107.150.48.43
Flows TCP: 192.168.1.1:1031 ➝ 54.231.160.67:443
Flows TCP: 192.168.1.1:1032 ➝ 54.231.160.67:443
Flows TCP: 192.168.1.1:1033 ➝ 54.231.160.67:443
Flows TCP: 192.168.1.1:1034 ➝ 54.231.160.67:443
Flows TCP: 192.168.1.1:1035 ➝ 107.150.48.43:443
Flows TCP: 192.168.1.1:1036 ➝ 107.150.48.43:443

Raw Pcap (only the leading bytes of each captured payload are shown; the 80 xx 01 prefixes are consistent with SSLv2-format ClientHello record headers, which matches the port-443 flows above, so the application-layer content was not captured in the clear)
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
;
"011
011)
[.11
"1G"
:222)
!222
%222
2222
;225
2B221
>322
3222
4221
4221b
4222)%
422(O
45w:
6222
7225
7H22
b222
B222
b<2222F22
C:\6rK9ahXj.exe
C:\9Mv2h3yq.exe
C:\_aAe2Ubm.exe
C:\ah2pUxjt.exe
C:\CXdmAIOY.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.860\payment-history-n434543-434328745231.exe
C:\joqzqDkD.exe
C:\KTlJdrQu.exe
C:\OR5IuFXG.exe
C:\PcsRxiHN.exe
C:\qPQ7RHAZ.exe
C:\tj2bmaoC.exe
C:\wN_EOgPn.exe
c:\work\1309739\bc646542672516a08e7fc3824432b1f6.exe
C:\YFxKtMnq.exe
F222
F222%
G'a225
G;f225
H222
j/11
J222
J322
N222
O222
q.11
r>5w:
t>5w>
tB5w:
vV:`
vV>2
vV;2
vV@2
vV5v
vV7`
vV8e
vV9d
vV9s
vVE2
vV?t
W1A5w.3F8
W222
w.2222
w"2222
w*2222
w&2222
w.3222
w*3222
w&4322
Z222
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
%%____
0000000
00000000000000
1"t7.r
26)EEEEEEEEEEEEEEEEEEEEEEEEE
+2I_DEEEJ
2kEEEE
4e *<+
?5?5?5
5?55555
55@WEh
65F62F5?5??5?5h>
6EEEEEEEEEEEEEEEEEEEEEE
8EEEEEEEEEEEEEEEEEEEEEE
)-a6$wA
acmFilterChooseA
acmStreamOpen
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
ckkkk8kkEEEEEEEE
CloseHandle
CreateEventW
CreateWindowExA
DefWindowProcA
DeleteCriticalSection
-E8EEEEEEEEEEEEEE
EEE8/5[g
EEEEEE
EEEEEEE
EEEEEEE86e,<RkEEEEEEEE8S!
EEEEEEEEE
EEEEEEEEEEE
+*<EEEEEEEEEEEEE
=EEEEEEEEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
EEEEEEEEEEi.HEEE<(
EEEEEEi5@?oEEEEEEEEEEEEEEEEEEEEE
EEEkEEEEEEEi
EES	+ Ek<QYsYQY
EkEEEEEEEEcss8EE<
ExitProcess
FFhFFhFhhhhFh
FreeLibrary
fZ5555?5
GetLastError
GetMessageA
GetModuleHandleA
GetModuleHandleW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetProcAddress
GetTickCount
GetVolumeInformationW
GlobalLock
GlobalUnlock
HeapAlloc
HeapCreate
i<1@*5*5
.idata
InitializeCriticalSection
j,?*W$$f
k "\BkkkkkkkEEEEEEEEE
kernel32.dll
 kkEEEEEEEEEEEEEE
kkEEEkEEEkE)
kkk8k8k8kk9E
kkkE-`KBkkkk
kkkkkEEkEEEEHaa
kkkkkkk
kkkkkkkkkEk
kkkkkkkkkEkkk^TBEEEEEEEEEEEEEEEE
kkkkkkkkkkEER(T(REEEEEEEEEEEEEEE
kt"--nEkkkkkk
L		L(L	](]	]	]	]	]	]	]	]	]	(L#2
LoadCursorA
LoadIconA
LoadLibraryExA
lstrcpyW
mciSendStringA
+Mk.j)	8.B
Msacm32.dll
oPeN Bad.mp3 typE mPeGvideo aLIas myF
PostQuitMessage
QanEEEEEEEEEEEEEE
QdLEEk$
RegisterClassA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
Rkkkkk
    </security>
    <security>
SEEEEEEEEEEEEEEEEEEEEEEE
SetEvent
.s,*@ff?<EEEE
T} G# 
!This program cannot be run in DOS mode.
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TryEnterCriticalSection
user32.dll
VI(Z`(
WaitForMultipleObjects
*WE$8!$8.
@WE8<Z
Winmm.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
*y(o;+n
YYYYYY
+YYYYYYs+7I_IEEEEJ
,+Z*P\$