Analysis Date: 2015-09-06 23:00:01
MD5: 0a77b7cd082e1f5677e8550df61d9660
SHA1: 020ecfb2c350dcfcfb2b39f3c63b70fbb9fc270b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 38b6f96bd50466f5db5c2b9ca8e2faed sha1: 27deaa870fd6e4833d570479b9b577507b63995f size: 153088
Section .rdata md5: 72047d1dc28c9cd64371635047e5bdbc sha1: 80d00a87e3d6aa3870658d0da18649d3529e92b1 size: 29696
Section .data  md5: df6ffa9ce51ad61e38983f6ed44134af sha1: 4453aae588db49f7dcc25ebdebc543329353ffa8 size: 6144
Section .rsrc  md5: da7fa1a8282de5790a74156ba4512a09 sha1: 19dbf6befe825ae97b832b16b4a6eac6731f35f0 size: 73728
Timestamp: 2015-08-02 05:28:36
Version info:
  LegalCopyright: Copyright 2011 Clarus,Inc.
  InternalName: Portable SecretZone.exe
  FileVersion: 1.0.81.0
  CompanyName: Clarus, Inc.
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Samsung Portable SecretZone
  SpecialBuild:
  ProductVersion: 1.0.0.1
  FileDescription: Samsung Portable SecretZone
  OriginalFilename: Portable SecretZone.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 14c06a5f64f6e7505db5db76073e5e9b4154cb8d
IMPhash: 67742fb2c6f1341c571642f2c66f0c66
AV Dr. Web: no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Arcabit (arcavir): Trojan.GenericKD.2613201
AV Emsisoft: Trojan.GenericKD.2613201
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AR
AV Symantec: Trojan.Gen.2
AV Eset (nod32): Win32/Dorkbot.J worm
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Kryptik.DSDB!tr
AV Avira (antivir): TR/Crypt.ZPACK.51723
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV ClamAV: no_virus
AV F-Secure: Trojan.GenericKD.2613201
AV Mcafee: RDN/Generic.dx
AV Twister: W32.Dorkbot.J.kwds
AV Grisoft (avg): Win32/Cryptor
AV BitDefender: Trojan.GenericKD.2613201
AV Rising: no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Ad-Aware: Trojan.GenericKD.2613201
AV CAT (quickheal): Backdoor.Androm.r4
AV K7: Riskware ( 0040eff71 )
AV VirusBlokAda (vba32): no_virus
AV MicroWorld (escan): Trojan.GenericKD.2613201
AV Kaspersky: Backdoor.Win32.Androm.htnr
AV BullGuard: Trojan.GenericKD.2613201
AV MalwareBytes: Trojan.Kovter
AV Zillya!: Backdoor.Androm.Win32.23909
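The version resource above claims a Samsung/Clarus product, but version strings are free-form text and say nothing about origin; the fields worth recomputing on your own copy of the sample are the file hashes, the per-section hashes and sizes, and the COFF compile timestamp. The script below is an added example, not part of this report: it parses the PE headers with struct and hashlib only (no pefile dependency) and prints the same Static Details layout. It also flags a section whose raw data runs past the end of the file, a common state for truncated or deliberately malformed samples. The `build_sample_pe` helper constructs a minimal PE32 image so the script runs offline; IMPhash needs the import directory and is deliberately left out.

```python
"""Recompute the 'Static Details' fields (file hashes, per-section MD5/SHA-1
and size, COFF compile timestamp) from a PE file.  Added example, not part of
the original report; uses only struct and hashlib.  IMPhash is not computed."""
import hashlib
import struct
import sys
from datetime import datetime, timezone


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]      # 0x10B PE32, 0x20B PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]             # shorter than rawsize if the file is cut
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": rawsize,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "truncated": len(raw) < rawsize,
        })
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "sections": sections,
    }


def format_report(info: dict) -> list:
    """Render in the same layout as the report's Static Details block."""
    lines = [f"MD5: {info['md5']}", f"SHA1: {info['sha1']}"]
    for s in info["sections"]:
        flag = "  (TRUNCATED: file shorter than section raw size)" if s["truncated"] else ""
        lines.append(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}{flag}")
    lines.append("Timestamp: " + info["timestamp"].strftime("%Y-%m-%d %H:%M:%S"))
    return lines


def build_sample_pe(sections, timestamp=1438493316):
    """Constructed minimal PE32 image for offline testing (not a real sample).
    Default timestamp is the report's 2015-08-02 05:28:36 UTC."""
    opt_size, align = 224, 0x200                        # PE32 optional header size, file alignment
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-hdr_len // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body, rawptr = b"", b"", first_raw
    for name, payload in sections:
        rawsize = -(-len(payload) // align) * align
        table += struct.pack("<8sIIII", name, len(payload), 0x1000, rawsize, rawptr)
        table += b"\0" * 16                             # reloc/linenum fields, characteristics
        body += payload.ljust(rawsize, b"\0")
        rawptr += rawsize
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0")
    return header + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(
        [(b".text", b"\x55\x8b\xec" * 100), (b".rdata", b"hello\0")])
    print("\n".join(format_report(parse_pe(blob))))
```

Run it as `python pe_static.py sample.exe` against a real file, or with no argument to see the constructed image. Section raw sizes are multiples of the file alignment (the report's 153088 is 0x25600), so a section hash only matches another tool's when both hash the padded raw bytes, not the virtual size.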

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\35d7_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 476 -e 152 -g

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 476 -e 152 -g

Process
↳ C:\WINDOWS\system32\msiexec.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (A): 195.154.253.69, 91.207.136.50, 217.114.59.3, 212.83.128.217
DNS north-america.pool.ntp.org (A): 204.9.136.253, 204.2.134.162, 66.228.35.252, 38.229.71.1
DNS south-america.pool.ntp.org (A): 200.160.0.8, 186.71.75.78, 200.189.40.8, 200.186.125.195
DNS asia.pool.ntp.org (A): 157.7.203.102, 157.7.154.134, 218.189.210.4, 202.178.122.195
DNS oceania.pool.ntp.org (A): 103.242.68.69, 27.54.95.12, 202.6.116.123, 121.0.0.42
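Three things in the runtime and network sections above are worth turning into triage rules: the sample launches two copies of itself, one child crashes (dwwin.exe and drwtsn32 are the XP-era error-reporting and Dr. Watson handlers, and the `*_appcompat.txt` file in Temp is their artifact), and a second child starts `msiexec.exe` with no arguments, after which that msiexec.exe opens an AFD endpoint and resolves six regional pool.ntp.org zones. The report does not say why; whatever the purpose, an installer binary with a bare command line doing NTP-pool lookups is not normal, and w32time (inside svchost.exe) is the only process that should. The script below is an added example, not part of this report or of any sandbox: the event list is constructed from the Runtime Details in an assumed `(pid, ppid, image, cmdline)` and `(pid, name)` shape with invented pids, the `.exe` suffix on drwtsn32 is assumed, and the rule that treats "system32 binary spawned bare by a non-system process, then doing network" as a likely injection host is a heuristic, not something the page states.

```python
"""Triage rules over sandbox process-tree and DNS events.
Added example, not from the report.  The event shape and pids are assumed;
the process tree and DNS names are the report's."""
import re

# Constructed from the report's Runtime Details: (pid, ppid, image, cmdline).
PROCS = [
    (100, 1,   r"C:\malware.exe", r"C:\malware.exe"),
    (101, 100, r"C:\malware.exe", r"C:\malware.exe"),
    (102, 100, r"C:\malware.exe", r"C:\malware.exe"),
    (103, 101, r"C:\WINDOWS\system32\dwwin.exe", r"C:\WINDOWS\system32\dwwin.exe -x -s 196"),
    (104, 101, r"C:\WINDOWS\system32\drwtsn32.exe", r"C:\WINDOWS\system32\drwtsn32 -p 476 -e 152 -g"),
    (105, 102, r"C:\WINDOWS\system32\msiexec.exe", r"C:\WINDOWS\system32\msiexec.exe"),
]
# (pid, queried name): the six names are the report's, attributed to the msiexec.exe pid.
DNS = [(105, z + ".pool.ntp.org") for z in
       ("north-america", "africa", "oceania", "asia", "south-america", "europe")]

CRASH_HANDLERS = {"dwwin.exe", "drwtsn32.exe"}   # XP error reporting / Dr. Watson
TIME_SERVICE_IMAGES = {"svchost.exe"}             # w32time host; assumption for the rule
NTP_POOL = re.compile(r"^([a-z-]+)\.pool\.ntp\.org$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_system_binary(image: str) -> bool:
    return "\\windows\\system32\\" in image.lower()


def triage(procs, dns, min_zones=3):
    """Return a sorted list of (rule, pid, detail) findings."""
    by_pid = {p[0]: p for p in procs}
    net_pids = {pid for pid, _ in dns}
    zones_by_pid = {}
    for pid, name in dns:
        m = NTP_POOL.match(name)
        if m:
            zones_by_pid.setdefault(pid, set()).add(m.group(1).lower())

    findings = set()
    for pid, ppid, image, cmd in procs:
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        # Rule 1: a process starts another copy of its own image.
        if basename(parent[2]) == basename(image):
            findings.add(("self_spawn", pid, image))
        # Rule 2: the crash handlers appearing as children mean the parent faulted.
        if basename(image) in CRASH_HANDLERS:
            findings.add(("child_crashed", ppid, parent[2]))
        # Rule 3 (heuristic): system32 binary, non-system parent, no arguments,
        # and it then talks to the network -- typical of an injection host.
        bare = cmd.strip().strip('"') == image
        if is_system_binary(image) and not is_system_binary(parent[2]) and bare and pid in net_pids:
            findings.add(("system_binary_spawned_bare_then_network", pid, image))
    # Rule 4: one process sweeping several regional NTP pool zones, not the time service.
    for pid, zones in zones_by_pid.items():
        image = by_pid[pid][2] if pid in by_pid else "?"
        if len(zones) >= min_zones and basename(image) not in TIME_SERVICE_IMAGES:
            findings.add(("ntp_pool_sweep", pid, tuple(sorted(zones))))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid, detail in triage(PROCS, DNS):
        print(f"{rule:40} pid={pid} {detail}")
```

Rules 1 and 2 are exact; rules 3 and 4 are tuned to this sample's shape and will need the `TIME_SERVICE_IMAGES` set and the bare-command-line test adjusted for other environments (on Vista and later the crash handler is `WerFault.exe`, not the two names listed here). Note also that the Network Details record A answers for only five of the six queried zones; africa.pool.ntp.org has no answer in the capture, which the DNS rule tolerates by counting queries, not answers.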
