Analysis Date: 2015-01-11 17:55:17
MD5: 0b7b0b7801a8179dc3b052ae8add5283
SHA1: 0028d838eb324d3c8b1c3b226f436d8533da0618

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 354345f3d06c69b1bb2c34eac6286df0 sha1: 4c1bfb707d86f04d3332bac3c9f595d6731c1179 size: 94208
Section HHH: md5: b9c872012206e074aa17d87f9a71b17b sha1: f60160977d44c2b17f8be276e7b2af94e14f4515 size: 4096
Section GGG: md5: 29f6e6a9a15bef30cb7491ee4894cece sha1: 3cfc5506f3f3071040420274f1f10247daa5dde3 size: 20480
Section .rdata: md5: 89523202f94550e0ebe727c2ed1c8c0f sha1: dff4b92478d563b7eceb46463d2fbf05bb53ae1b size: 20480
Section .data: md5: d8f9b78111aca780f823359093881b08 sha1: 51b4d04ef2a23d71ad7e121c098fa85aefcb9686 size: 12288
Section .rsrc: md5: 03b91bc299d29fdbebf45c035b110ea1 sha1: 757a3f9b1e0634ee609e4eb2ac488432233bb297 size: 4096
Timestamp: 2014-12-09 02:40:16
Packer: Microsoft Visual C++ ?.?
PEhash: 9176aeff4b74ec334996c1a052059f8df348a673
IMPhash: 6ba1ee6bb2bff4924698c17476db26a7
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Zusy.118039
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Zusy.118039
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.Xpack.124548
AV BullGuard: Gen:Variant.Zusy.118039
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Agen.r6
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Zusy.118039
AV Eset (nod32): Win32/ServStart.IV
AV Fortinet: W32/Zegost.AIZP!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.118039
AV Grisoft (avg): DoS.EPS
AV Ikarus: Backdoor.Win32.Zegost
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Zegost.aizp
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.118039
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Backdoor.Ghostnet!gen1
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint
Creates Mutex: 8fGrnZ6V8POr8OzqzQ==

Network Details:

DNS: dd.018cf.com
Type: A

Strings
krn32.dKRNL32.dCatPocAKRNL32.dCatPocAShe32.d
SheExecuteA
open
CloseEventLog
DVPI32.dll
OpenEventLog
DVPI32.dll
ClearEventLog
DVPI32.dll
GSsmDicoAKRNL32.dOpenMutexA
KERNEL32.d
ReeaseMutex
KERNEL32.d
BackGround
SetFieAttributesA
KERNEL32.d
ExitProcess
KERNEL32.d
RgOpnKyDVPI32.d
ProductNameCreateMutexA
KRNL32.dll
GetLastrror
KRNL32.dll
KRNL32.dll
xitProcess
OpenventA
KRNL32.dll
CopyFileA
KRNL32.dll
KRNL32.dll
DeleteFileA
MoveFileA
KRNL32.dll
OpenventA
KRNL32.dll
GThraDskopUSER32.OIuDsko
USER32.d
WIIET.dll
IntrntOpnA
Mozilla/4.0 (compatibl)
IntrntOpnUrlA
IntrntRadFil
IntrntClosHandl
BlacCanceIoKRNL32.d
AIoct_3.d
ProductName
WIIET.d
IrCosHad
IntrntOpnA
IntrntOpnUrlA
IntrntRadFil
WIIET.dll
IntrntClosHandl
IntrntOpnA
IntrntOpnUrlA
WIIET.d
IrCosHad
IntrntOpnA
IntrntOpnUrlA
GeTickCounKRNL32.d
.GeNeworkParams
KERNEL32.d
GobaAoc
KERNEL32.d
GbaFree
KERNEL32.d
1#QNAN
1#SNAN
8fGrnZ6V8POr8OzqzQ==
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Additional:%d
address Number = %d
Address:  %s
ADVAPI32.dll
An application has made an attempt to load the C runtime library incorrectly.
Answers:%d
Application
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVCBuffer@@
.?AVCClientSocket@@
.?AVCKernelManager@@
.?AVCManager@@
.?AVexception@std@@
.?AVtype_info@@
BackGround switch 1.0
?bad Allocate
bad allocation
bad buffer
bad exception
 Base Class Array'
 Base Class Descriptor at (
__based(
buffer error
Cache-Control: no-cache
__cdecl
C:\Documents and Settings\All Use
C:\Documents and Settings\All Users\
C:\Documents and Settings\All Users\S
 Class Hierarchy Descriptor'
CloseDesktop
CloseHandle
__clrcall
 Complete Object Locator'
Connection: Keep-Alive
CONOUT$
`copy constructor closure'
CorExitProcess
C:\progra~1\Common Files\svcchost.exe
CreateEventA
CreateFileA
CreateThread
- CRT not initialized
C:\Users\Administrator\AppData\Roaming\Micros
@.data
data error
%d.%d.%d.%d
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
 delete
 delete[]
Delete
DeleteCriticalSection
DeleteFileA
DeleteService
DOMAIN error
dows NT\CurrentVersion
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
empty distance tree with lengths
EncodePointer
EnterCriticalSection
ExitProcess
ExitThread
__fastcall
February
file error
- floating point not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
ForceRemove
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
Friday
GAIsProcessorFeaturePresent
GetACP
GetActiveWindow
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GET %s HTTP/1.1
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
GlobalMemoryStatus
HARDWARE\DESCRIPTION\Sy
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
Host: %s
_hypot
incompatible version
incomplete distance tree
incomplete dynamic bit lengths tree
incomplete literal/length tree
incorrect data check
incorrect header check
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
insufficient memory
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
invalid bit length repeat
invalid block type
invalid distance code
invalid literal/length code
invalid stored block lengths
invalid window size
IsDebuggerPresent
JanFebMarAprMayJunJulAugSepOctNovDec
January
KERNEL32
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
lstrcatA
lstrcpyA
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
mscoree.dll
MultiByteToWideChar
need dictionary
NetSubKey
 new[]
New Update
_nextafter
NoRemove
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
/*Now ptr points to Answers*/
(null)
October
oft\Windows\Start Menu\Programs\Startup\server.exe
`omni callsig'
OpenDesktopA
OpenSCManagerA
OpenServiceA
operator
oversubscribed distance tree
oversubscribed dynamic bit lengths tree
oversubscribed literal/length tree
__pascal
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
POST %s HTTP/1.1
Pragma: no-cache
Program: 
<program name unknown>
__ptr64
- pure virtual function call
QueryPerformanceCounter
Querys:%d
RaiseException
`.rdata
recv error
Referer: http://%s/
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ResetEvent
__restrict
RtlUnwind
runtime error 
Runtime Error!
Saturday
`scalar deleting destructor'
Security
September
\server.exe
SetErrorMode
SetEvent
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetThreadDesktop
SetUnhandledExceptionFilter
SING error
%s   internet address = %s
%s       nameserver = %s
SOFTWARE\Microsoft\Win
%s%s%s
__stdcall
stem\CentralProcessor\0
stream end
stream error
`string'
Sunday
SunMonTueWedThuFriSat
\syslog.dat
System
tart Menu\Programs\Startup\server.exe
TerminateProcess
TerminateThread
This application has requested the Runtime to terminate it in an unusual way.
__thiscall
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
too many length or distance symbols
Tuesday
 Type Descriptor'
`typeof'
`udt returning'
- unable to initialize heap
- unable to open console device
__unaligned
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
unknown compression method
Unknown exception
USER32.dll
USER32.DLL
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.2)
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
VirtualAlloc
`virtual displacement map'
VirtualFree
WaitForSingleObject
Wednesday
WideCharToMultiByte
Windows 2000
Windows 2003
Windows 2008
Windows 7
Windows NT
Windows Vista
Windows XP
WinSta0\Default
WriteConsoleA
WriteConsoleW
WriteFile
WS2_32.dll
WSASocketA
wsprintfA