Analysis Date: 2015-05-09 10:59:19
MD5: 9780a38fd54617cd12e93c65255b31c7
SHA1: faaefcf7d1c2dfd8dfc33dcb9302ad7ba08f7704

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 628e4ee200b71033ba2275bf42750bca sha1: c9047a18fab2edfc2744d23d9aa1470dba20f217 size: 10752
Section .rdata: md5: ca63502247da7bc9464a08c745ef1836 sha1: a9b37376035c9413cfb0d303b0f0cb1350d4d027 size: 3072
Section .data: md5: a3f627f672ed3973ddf2c72f87e6896b sha1: ae88edd56d5ed04fa7ed38bfb7e0e8c3022812da size: 21504
Section .reloc: md5: 9cbfbfe1c30601e2a3d6302330df1dab sha1: 9150aceacbddda57d8f5ecff9af5866fd5892955 size: 15872
Timestamp: 2001-06-04 00:45:10
PEhash: 792c7f25c875bfcf8bf978709e973fb9b91ac246
IMPhash: 9cc58992837ed0ed0260c0727355a558

AV detections:

Ad-Aware: Trojan.Inject.IA
Alwil (avast): ShellCode-AU [Trj]
Arcabit (arcavir): Error Scanning File
Authentium: Patched
Avira (antivir): TR/Spy.Gen
BitDefender: Trojan.Inject.IA
BullGuard: Trojan.Inject.IA
CA (E-Trust Ino): no_virus
CAT (quickheal): TrojanDownloader.Cutwail.BS4
ClamAV: WIN.Trojan.Pushdo-16
Dr. Web: Trojan.DownLoader6.62576
Emsisoft: Trojan.Inject.IA
Eset (nod32): Win32/Wigon.PB
Fortinet: W32/Pushdo.B!tr.bdr
Frisk (f-prot): New or modified Patched
F-Secure: Trojan.Inject.IA
Grisoft (avg): BackDoor.Generic16.IFV
Ikarus: Gen.Trojan
K7: Backdoor ( 003e613b1 )
Kaspersky: Backdoor.Win32.Pushdo.b
MalwareBytes: Spyware.Password
Mcafee: Downloader-FHG!9780A38FD546
Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
MicroWorld (escan): Trojan.Inject.IA
Padvish: no_virus
Rising: no_virus
Sophos: Mal/Emogen-Y
Symantec: Trojan.Gen
Trend Micro: Mal_DLDER
Twister: Backdoor.CCCCCCCC@240E10.mg
VirusBlokAda (vba32): Backdoor.Pushdo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\tokonritobec ➝ C:\Documents and Settings\Administrator\tokonritobec.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\tokonritobec.exe
Creates Mutex: tokonritobec

Network Details:

DNS 7atable.be (A) ➝ 213.186.33.5
DNS 4esports.eu (A) ➝ 212.172.221.9
DNS 4everything.pl (A) ➝ 188.128.169.68
DNS 4everdreams.nl (A) ➝ 141.255.181.15
DNS 4estates.eu (A) ➝ 94.229.34.2
DNS 4dbabamozi.hu (A) ➝ 88.151.103.98
DNS 4events.at (A) ➝ 83.169.32.159
DNS 4evermusic.pl (A) ➝ 86.111.240.157
DNS 9t6grafikdesign.de (A) ➝ 127.0.0.1
DNS 4everyone.nl (A) ➝ 80.69.74.151
DNS accountingtechs.biz (A) ➝ (no answer recorded)

Flow TCP 192.168.1.1:1031 ➝ 213.186.33.5:443
Flow TCP 192.168.1.1:1032 ➝ 213.186.33.5:443
Flow TCP 192.168.1.1:1033 ➝ 212.172.221.9:443
Flow TCP 192.168.1.1:1034 ➝ 212.172.221.9:443
Flow TCP 192.168.1.1:1035 ➝ 188.128.169.68:443
Flow TCP 192.168.1.1:1036 ➝ 188.128.169.68:443
Flow TCP 192.168.1.1:1037 ➝ 141.255.181.15:443
Flow TCP 192.168.1.1:1038 ➝ 141.255.181.15:443
Flow TCP 192.168.1.1:1039 ➝ 94.229.34.2:443
Flow TCP 192.168.1.1:1040 ➝ 94.229.34.2:443
Flow TCP 192.168.1.1:1041 ➝ 141.255.181.15:443
Flow TCP 192.168.1.1:1042 ➝ 141.255.181.15:443
Flow TCP 192.168.1.1:1043 ➝ 88.151.103.98:443
Flow TCP 192.168.1.1:1044 ➝ 88.151.103.98:443
Flow TCP 192.168.1.1:1045 ➝ 83.169.32.159:443
Flow TCP 192.168.1.1:1046 ➝ 83.169.32.159:443
Flow TCP 192.168.1.1:1047 ➝ 83.169.32.159:443
Flow TCP 192.168.1.1:1048 ➝ 83.169.32.159:443
Flow TCP 192.168.1.1:1049 ➝ 86.111.240.157:443
Flow TCP 192.168.1.1:1050 ➝ 86.111.240.157:443
Flow TCP 192.168.1.1:1053 ➝ 80.69.74.151:443
Flow TCP 192.168.1.1:1054 ➝ 80.69.74.151:443
Flow TCP 192.168.1.1:1055 ➝ 213.186.33.5:443
Flow TCP 192.168.1.1:1056 ➝ 213.186.33.5:443
Flow TCP 192.168.1.1:1057 ➝ 83.169.32.159:443
Flow TCP 192.168.1.1:1058 ➝ 83.169.32.159:443

Raw Pcap

Strings

)gzip
text
4e-solutions.ch;4egolifestyle.de;4elementos.es;4elements.gr;4elements.us;8zaamarchitecten.nl;4enerchi.nl;4ernila.de;accounting.ee;0handicap.at;4dbenelux.be;4e-energiezentrale.de;4einstitute.jp;4elements.de;4-elements.se;8zaamarchitecten.nl;4enerchi.nl;0risiko.de;4darabians.nl;accords-bilateraux.ch;4effect.ca;4einstitute.jp;4-elements.ch;4elements.gr;4elements.us;8wellesley.ca;8zstabor.taborak.cz;4entertainmentgroup.tv;4e-solutions.ch;accountingtechs.biz;
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Accept: */*
Accept-Language: en-us
ADVAPI32.dll
AppManagement
{C1BDBEFC-9C3C-4bb9-9127-45B2F8F5127B}
CloseHandle
CoCreateInstance
CoInitialize
Content-Length: %d
Content-Type: application/octet-stream
CopyFileA
CoUninitialize
CreateFileA
CreateMutexA
CreateProcessA
CreateRemoteThread
CreateThread
CreateWellKnownSid
@.data
EqualSid
ExitProcess
GetAdaptersInfo
GetAllUsersProfileDirectoryA
GetCurrentProcess
GetEnvironmentVariableA
GetExitCodeProcess
GetLastError
GetModuleFileNameA
GetProcAddress
GetProcessHeap
GetSystemDirectoryA
GetTempFileNameA
GetThreadContext
GetTickCount
GetTokenInformation
GetVolumeInformationA
HeapAlloc
HeapFree
HttpAddRequestHeadersA
HttpOpenRequestA
http://%s
HttpSendRequestA
https://%s
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
IPHLPAPI.DLL
KERNEL32.dll
LoadLibraryExA
lstrcatA
lstrcmpiA
lstrcpyA
lstrlenA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
ole32.dll
OpenProcessToken
PGltZyBzcmM9ImRhdGE6aW1hZ2UvanBlZztiYXNlNjQs
QueryPerformanceCounter
`.rdata
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
ResumeThread
Rich=U
SetThreadContext
SetUnhandledExceptionFilter
SHLWAPI.dll
software\microsoft\windows\currentversion
Software\Microsoft\Windows\CurrentVersion
software\microsoft\windows\currentversion\run
%s\%s.exe
\system32\svchost.exe
SystemRoot
TerminateProcess
!This program cannot be run in DOS mode.
tokonritobec
USER32.dll
USERENV.dll
USERPROFILE
VirtualAlloc
VirtualAllocEx
VirtualFree
WaitForSingleObject
WININET.dll
wnsprintfA
WriteFile
WriteProcessMemory
WS2_32.dll
wsprintfA