Analysis Date: 2013-08-24 06:41:09
MD5: 7ca0a066a2b44a5bfba71bba1a5f6441
SHA1: f8fa4b7c8ffbca6a02d71e1249a543427428a0b0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 9d64b6ac6eb1aa41e38f6cc8798b652e sha1: f4a3d9f95186a438562e94d405bfef3355c6cb1f size: 23552
Section.rdata md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section.data md5: af685ae5a632e08acd6c90a62cdfc3bb sha1: efc7ece496385ad53dda894ae310ffa90b2fc571 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (zero-length section: these are the MD5 and SHA1 of empty input and carry no information; consistent with an NSIS stub, whose .ndata section is uninitialized data with no raw bytes on disk)
Section.rsrc md5: 72bd29e202fc7e63acfccafa83458a1e sha1: 2a931a15fd761c9ae1663f4c9eb493fa9749cdb6 size: 6656
Timestamp: 2009-12-05 22:50:35 (PE-header compile time; attacker-controllable, so not a reliable build date)
Packer: Nullsoft PiMP Stub -> SFX (NSIS installer; the nsXX.tmp directory and System.dll extracted under %TEMP% in the runtime section are normal NSIS runtime artifacts, while the .dll that is later registered with regsvr32 is the dropped payload)
PEhash: 17fc4d8d2cfb40726ec98ee8ba006fda080aaa9a
AV: AVG — Win32/Heri (a generic/heuristic detection name, not a family attribution)

Runtime Details:


Process
↳ C:\malware.exe (the submitted sample, presumably renamed by the sandbox; the original filename is not preserved in this report)

Registry: HKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝ revenuestreaming browser enhancer\\x00 (registers a COM class; together with the Browser Helper Objects entry below this installs an Internet Explorer BHO — the CLSID is a usable host-based indicator)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL (Internet Settings write; likely a side effect of WinINet initialization for the HTTP beacon below rather than a deliberate proxy change — confirm before treating it as an indicator)
Registry: HKEY_CURRENT_USER\Software\AppDataLow\Software\{94C1BCC8-4F4A-D0BE-97F3-B67B231B005E}\aff_id ➝ revenuestreaming_5 (affiliate identifier, echoed verbatim as the aff_id parameter of the install beacon below; AppDataLow is a location a low-integrity IE process can read, presumably so the BHO can retrieve it at runtime)
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\xqlyeqdxyq\DisplayName ➝ Advanced Performance Platform Revenuestreaming.\\x00 (Add/Remove Programs entry; the key name matches the dropped C:\WINDOWS\system32\xqlyeqdxyq.exe, presumably its uninstaller)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝ C:\WINDOWS\System32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\nsq4.tmp.dll" (persistence: silently re-registers the dropped DLL at every logon; this first value points at the %TEMP% copy and is rewritten by the second process to point at the system32 copy)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 (Internet Settings write; probably a WinINet side effect of the outbound request rather than a deliberate change — verify)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝ 1 (registers the CLSID as an Internet Explorer Browser Helper Object; NoExplorer=1 means the DLL is loaded by iexplore.exe only, not by Windows Explorer)
Creates File: C:\WINDOWS\system32\xqlyeqdxyq.exe (random-looking name matching the Uninstall key above; likely the uninstaller — collect and hash it separately)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nss3.tmp\System.dll (NSIS System plug-in extracted by the installer stub; deleted again before the installer exits)
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp (Winsock AFD device handle opened for the outbound TCP connection — a socket artifact, not a file on disk)
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc (LSA RPC named pipe; typically opened by standard Windows APIs that look up security identifiers — not in itself suspicious)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsq2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsq4.tmp.dll (dropped payload DLL: this is the file registered with regsvr32 and set in the Run key above, and the primary artifact to collect from the sandbox)
Creates File: \Device\Afd\Endpoint (Winsock AFD socket endpoint handle — socket creation, not a file on disk)
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsg1.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nss3.tmp\System.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nss3.tmp
Creates Process: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll" (silent DllRegisterServer call; the report lists no file-creation event for this system32 DLL, so presumably nsq4.tmp.dll is copied or renamed into system32 before registration — verify with a full file-system trace)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(the three cache-path mutexes and WininetConnectionMutex are standard WinINet artifacts of issuing an HTTP request — not sample-specific indicators)
Winsock DNS: revenuestreaming.net

Process
↳ "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"

RegistryHKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝
revenuestreaming browser enhancer\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝ C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll" (the same Run value, now pointing at the system32 copy of the DLL; this is the final persistent state to expect on an infected host)
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝
1
Creates FilePIPE\lsarpc
Creates Mutex: Global\afxOpenEvent1337 (session-global named mutex with a distinctive name — a usable host indicator; its purpose, e.g. a single-instance guard, is not established by this report)

Network Details:

DNS: revenuestreaming.net
Type: A
64.74.223.44 (resolution as observed on 2013-08-24; the address may change, so pivot on the domain rather than the IP)
HTTP GET: http://revenuestreaming.net/bc/nsi_install.php?inst_result=success&aff_id=revenuestreaming_5&id=7d2c1ab9d1cfe00d7254c93d819c053475c383b2 (install-success beacon: aff_id matches the registry value written above; the 40-hex id is SHA-1-length and presumably identifies the install or machine; the path /bc/nsi_install.php with these parameter names is a good network signature)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) (generic IE6/XP string — not a discriminating indicator)
Flows TCP: 192.168.1.1:1032 ➝ 64.74.223.44:80

Raw Pcap
0x00000000 (00000)   47455420 2f62632f 6e73695f 696e7374   GET /bc/nsi_inst
0x00000010 (00016)   616c6c2e 7068703f 696e7374 5f726573   all.php?inst_res
0x00000020 (00032)   756c743d 73756363 65737326 6166665f   ult=success&aff_
0x00000030 (00048)   69643d72 6576656e 75657374 7265616d   id=revenuestream
0x00000040 (00064)   696e675f 35266964 3d376432 63316162   ing_5&id=7d2c1ab
0x00000050 (00080)   39643163 66653030 64373235 34633933   9d1cfe00d7254c93
0x00000060 (00096)   64383139 63303533 34373563 33383362   d819c053475c383b
0x00000070 (00112)   32204854 54502f31 2e310d0a 41636365   2 HTTP/1.1..Acce
0x00000080 (00128)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000090 (00144)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x000000a0 (00160)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x000000b0 (00176)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x000000c0 (00192)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x000000d0 (00208)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x000000e0 (00224)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000f0 (00240)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x00000100 (00256)   0d0a486f 73743a20 72657665 6e756573   ..Host: revenues
0x00000110 (00272)   74726561 6d696e67 2e6e6574 0d0a436f   treaming.net..Co
0x00000120 (00288)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000130 (00304)   6c697665 0d0a0d0a                     live....


Strings