Analysis Date: 2015-01-17 15:31:59
MD5: b2a697d29413668785745a7370915f1e
SHA1: fcfc142c8a352dc7163d7f117586f6bc2637c7f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c69726ed422d3dcfdec9731986daa752 sha1: 4546608e3b1a2ab1d69a34018d2ddfa7fa411885 size: 23040
Section .rdata md5: a2c7710fa66fcbb43c7ef0ab9eea5e9a sha1: 60485025c47935e745e57b6efc7042f2261b7d53 size: 4608
Section .data md5: e59cdcb732e4bfbc84cc61dd68354f78 sha1: ffc24489dd56b406f9078ba1cb9c71e9b430dbee size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 1e0ca0ca695627e4e43e26b621994928 sha1: 4c3a560d673b8e270c7f3c10fdf8c6ee498b5260 size: 22528
Timestamp: 2009-06-06 21:41:48
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 0f11c9d332183c02755bd47ba256590638d27d28
IMPhash: 7fa974366048f9c551ef45714595665e
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.M
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Trojan-Downloader ( 004b258b1 )
AV Kaspersky: Downloader.NSIS.Chindo.m
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\Base64.dll
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Program Files\062547\Uninstall.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\nsProcess.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\1.rar
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\NSISdl.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\Inetc.dll
Creates File: PIPE\lsarpc
Creates File: 1.ico
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\062547\uninst.lnk
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\Base64.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\1.rar
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\NSISdl.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\Inetc.dll
Deletes File: 1.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsl1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp\System.dll
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 5201314

Process
↳ Pid 0

Network Details:

HTTP GET: http://222.186.60.2/1.ico
User-Agent: NSISDL/1.2 (Mozilla)
Flows TCP: 192.168.1.1:1031 ➝ 222.186.60.2:80
Flows TCP: 192.168.1.1:1031 ➝ 222.186.60.2:80

Raw Pcap
0x00000000 (00000)   47455420 2f312e69 636f2048 5454502f   GET /1.ico HTTP/
0x00000010 (00016)   312e300d 0a486f73 743a2032 32322e31   1.0..Host: 222.1
0x00000020 (00032)   38362e36 302e320d 0a557365 722d4167   86.60.2..User-Ag
0x00000030 (00048)   656e743a 204e5349 53444c2f 312e3220   ent: NSISDL/1.2 
0x00000040 (00064)   284d6f7a 696c6c61 290d0a41 63636570   (Mozilla)..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 0d0a                t: */*....


Strings
 " "
E

msctls_progress32
Please wait while Setup is loading...
SysListView32
*?|<>/":
0a&H#3"
0Qan"4
10f.5$
1D9:=.
;]1;q)V
1r3>ij
2mA13y
2xs~6;LNL,
3kHAFWB
=~<~3m
-3PQ&j
3/Pu+v
= 	4cO
56')sf@
6(O0mzpHK
7*Eq{F
8`6g#5
8NCRCu
9t,5&?
A3W%T{
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
!a>?iF
}[[aK@
AppendMenuA
BeginPaint
BLnhA=x
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
... %d%%
D$0+D$(P
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
dk};"n
~&D:nvi
D$$Ph,
dPO~Ws
DrawTextA
D$(SPS
;eIR%]=
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
E.p!s+
er<bJ_
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
[e$v&ia
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
E?YVjRHC
fG.o.U
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FreeLibrary
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
GgZ7a	M2%
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
gW%Ybr`
;h6_T,I 
h!`cA@
http://nsis.sf.net/NSIS_Error
i0Bf/M
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
KERNEL32
KERNEL32.dll
*~kHy54
k{VhWy7([4
lemON@d
%{lLs2
"Lm33l
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
l!W:]#
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
More information at:
MoveFileA
MoveFileExA
{M?+pZ
MulDiv
MultiByteToWideChar
.ndata
?n(&($I
NSIS Error
~nsu.tmp
NullsoftInst
NulluN	E
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
PeekMessageA
\*p!)lM
PostQuitMessage
PPPPPP
P!qoW{
)PRC=8!
p+]s?%C;Y
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
RichEd20
RichEd32
RichEdit
RichEdit20A
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
softuW
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
SystemParametersInfoA
> _?=t
!This program cannot be run in DOS mode.
_^[t	P
TrackPopupMenu
~`u4,}1
u~P|h/}5
USER32.dll
%u.%u%s%s
verifying installer: %d%%
VerQueryValueA
VERSION.dll
v@t;Jp
v]UROQ
v#Vh;+@
vz&^^p
:w>4w[t4
WaitForSingleObject
WBzbP/
WriteFile
WritePrivateProfileStringA
wsprintfA
x@,^@?
[X_>e.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
yX	A}W(,Y^
Z~f+'1
Zjy"Aj
@zKC<iO
^}Z{Oc
:(z}WY