Analysis Date: 2015-06-28 17:51:13
MD5: 4266dc03f0b135ef3d8c1e7d95b1d7a1
SHA1: 038e2c7d2215af65d83b9c1e6fc86874e49956cd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 9d228ba0d68cfd4d18d7280b5631e1d7  sha1: 3baad94854be2eadec544106fdf3ce91f8c55bea  size: 479232
Section .rdata  md5: 531ba0c5e01981717ea479ce06e6d629  sha1: 1021c68210a84cdee8a1e0a7bbbfafb1d45a3d30  size: 913408
Section .data   md5: 0d18243e0e54ea56431c2a39550b355f  sha1: 20d9565675ec2e64f1be783fad432a740849d036  size: 65536
Section .rsrc   md5: 704e16c7aa05ddb5aad0ebe5082275bd  sha1: e0f33e76456fec50b6c8b8f21ddf5dde53444ef4  size: 24576
Timestamp: 2014-07-21 05:17:35
Version info:
  LegalCopyright: 作者版权所有 请尊重并使用正版 (English: "Copyright held by the author; please respect it and use the genuine version")
  FileVersion: 1.0.0.0
  Comments: 本程序使用易语言编写(http://www.eyuyan.com) (English: "This program was written in 易语言 (Easy Language), http://www.eyuyan.com")
  ProductName: 易语言程序 (English: "Easy Language program")
  ProductVersion: 1.0.0.0
  FileDescription: 易语言程序 (English: "Easy Language program")
Packer: Microsoft Visual C++ v6.0 (a compiler signature, not a packer; no packer was identified)
PEhash: 49619072d2995feca9c3ce409cf557c4dab21367
IMPhash: 7464854ffa63fc127de437a08ea78177

Note (analyst reading of the fields above, not sandbox output): the version-info strings are the standard ones written by the 易语言 compiler (Easy Language, also known as EPL or FlyStudio), so they identify the toolchain rather than the author, and the VC++ 6.0 signature is consistent with the EPL runtime being built with that compiler. The "FlyStudio" names in the AV results below refer to this same toolchain.
AV results (19 of 31 engines flag the sample):
  CA (E-Trust Ino): no_virus
  F-Secure: Trojan:W32/DelfInject.R
  Dr. Web: Trojan.MulDrop5.53224
  ClamAV: Win.Trojan.Agent-204211
  Arcabit (arcavir): Gen:Variant.Graftor.155495
  BullGuard: Gen:Variant.Graftor.155495
  Padvish: no_virus
  VirusBlokAda (vba32): no_virus
  CAT (quickheal): Win32.VirTool.DelfInject.gen!X.4.a
  Trend Micro: no_virus
  Kaspersky: HackTool.Win32.FlyStudio.wjy
  Zillya!: no_virus
  Emsisoft: Gen:Variant.Graftor.155495
  Ikarus: Win32.SuspectCrc
  Frisk (f-prot): W32/Agent.EW.gen!Eldorado
  Authentium: W32/Agent.EW.gen!Eldorado
  MalwareBytes: Spyware.OnlineGames
  MicroWorld (escan): Gen:Variant.Graftor.155495
  Microsoft Security Essentials: no_virus
  K7: no_virus
  BitDefender: Gen:Variant.Graftor.155495
  Fortinet: Riskware/FlyStudio
  Symantec: no_virus
  Grisoft (avg): no_virus
  Eset (nod32): no_virus
  Alwil (avast): Malware-gen:Win32:Malware-gen
  Ad-Aware: Gen:Variant.Graftor.155495
  Twister: Trojan.558BEC6AFF68@1254.mg
  Avira (antivir): TR/Graftor.1486848.23
  Mcafee: no_virus
  Rising: no_virus

Most of the positive names are generic or heuristic (Graftor, Agent.EW, DelfInject, Malware-gen, SuspectCrc); Kaspersky and Fortinet name the FlyStudio/EPL toolchain rather than a family, and MalwareBytes (Spyware.OnlineGames) is the only family-specific verdict.

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\vga.drv 1024x768x24(BGR 0) ➝ 31,31,31,31\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015062820150629\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\SkinH_EL.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015062820150629!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com

Note (analyst reading, not sandbox output): the DrawDib key, the Internet Settings reads, the Temporary Internet Files / History / Cookies index.dat files, the deletion of the two stale 2013 MSHist01 history folders and the "!history.ie5!" / WininetConnectionMutex mutexes are side effects of the WinINet cache, i.e. the sample fetched www.2345.com through WinINet or an embedded browser control; logo[1].gif and 2345[1].htm are the cached responses to the two HTTP GETs listed under Network Details. The \Device\Afd objects are the sockets behind those connections. The one artifact that is the sample's own is C:\SkinH_EL.dll, a UI-skinning library commonly bundled with 易语言 programs, written to the root of the system drive; that path is worth a file-system hunt. No persistence mechanism (Run key, service, scheduled task) is recorded in this run.

Network Details:

DNS: www.2345.com
  Type: A
  42.62.30.180
HTTP GET: http://www.2345.com/?k2535422933
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1033 ➝ 42.62.30.180:80

Note (analyst reading, not sandbox output): both requests carry the same IE6 / Windows XP User-Agent (the sandbox OS, judging by the Documents and Settings paths), and the second names the first as Referer, the pattern of a page load followed by its embedded image. www.2345.com is a widely used Chinese web portal, so the domain and the resolved IP 42.62.30.180 are weak indicators on their own; the fixed query string ?k2535422933 is what distinguishes this traffic and is the element to key a network detection on.

Raw Pcap
0x00000000 (00000)   47455420 2f3f6b32 35333534 32323933   GET /?k253542293
0x00000010 (00016)   33204854 54502f31 2e310d0a 41636365   3 HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000030 (00048)   4c616e67 75616765 3a20656e 2d75730d   Language: en-us.
0x00000040 (00064)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000050 (00080)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000080 (00128)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000090 (00144)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x000000a0 (00160)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000b0 (00176)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000c0 (00192)   7777772e 32333435 2e636f6d 0d0a436f   www.2345.com..Co
0x000000d0 (00208)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000e0 (00224)   6c697665 0d0a0d0a                     live....

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e323334 352e636f   tp://www.2345.co
0x00000040 (00064)   6d2f3f6b 32353335 34323239 33330d0a   m/?k2535422933..
0x00000050 (00080)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000060 (00096)   20656e2d 75730d0a 41636365 70742d45    en-us..Accept-E
0x00000070 (00112)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000080 (00128)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000090 (00144)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000a0 (00160)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000b0 (00176)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000c0 (00192)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x000000d0 (00208)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000e0 (00224)   0a486f73 743a2077 77772e32 3334352e   .Host: www.2345.
0x000000f0 (00240)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000100 (00256)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....
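The two requests in the hex dumps above can be reassembled and turned into indicators mechanically instead of being read off the ASCII column. The script below is an added example, not part of the sandbox report or its tooling: it parses dump lines in the layout used above (hex offset, decimal offset in parentheses, up to four 4-byte groups, then the ASCII column), cross-checks the decimal offset column against the bytes decoded so far so that a truncated or mis-split line is reported rather than silently corrupting the stream, rebuilds each request, rejects a capture that does not end in the header-terminating blank line, and extracts host, URL, User-Agent and Referer. The embedded RAW_PCAP string is copied from the Raw Pcap section above; the function names and the choice of indicator fields are the example's own.

```python
"""Reassemble HTTP requests from a sandbox "Raw Pcap" hex dump and extract IOCs.

Added example; not part of the sandbox report or its tooling. RAW_PCAP holds the
dump lines copied from the report above; everything else is this script's own.
"""
import re
from typing import Any, Dict, List

# Dump line layout: 0x<offset hex> (<offset dec>)   <hex groups>   <ascii column>
_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\((\d+)\)\s+(.*)$")
# A hex group is 1-4 bytes, so 2-8 hex digits of even length.
_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f3f6b32 35333534 32323933   GET /?k253542293
0x00000010 (00016)   33204854 54502f31 2e310d0a 41636365   3 HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000030 (00048)   4c616e67 75616765 3a20656e 2d75730d   Language: en-us.
0x00000040 (00064)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000050 (00080)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000080 (00128)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0;
0x00000090 (00144)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1;
0x000000a0 (00160)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000b0 (00176)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host:
0x000000c0 (00192)   7777772e 32333435 2e636f6d 0d0a436f   www.2345.com..Co
0x000000d0 (00208)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000e0 (00224)   6c697665 0d0a0d0a                     live....

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept:
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e323334 352e636f   tp://www.2345.co
0x00000040 (00064)   6d2f3f6b 32353335 34323239 33330d0a   m/?k2535422933..
0x00000050 (00080)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000060 (00096)   20656e2d 75730d0a 41636365 70742d45    en-us..Accept-E
0x00000070 (00112)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000080 (00128)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000090 (00144)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0
0x000000a0 (00160)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000b0 (00176)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000c0 (00192)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x000000d0 (00208)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000e0 (00224)   0a486f73 743a2077 77772e32 3334352e   .Host: www.2345.
0x000000f0 (00240)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000100 (00256)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....
"""


def parse_hexdump(text: str) -> List[bytes]:
    """Return one bytes object per dump; dumps are separated by blank lines.

    The decimal offset column must equal the number of bytes decoded so far,
    so a dropped, duplicated or truncated line raises ValueError.
    """
    dumps: List[bytes] = []
    buf = bytearray()
    for line in text.splitlines():
        if not line.strip():
            if buf:
                dumps.append(bytes(buf))
                buf = bytearray()
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a dump line: {line!r}")
        if int(m.group(2)) != len(buf):
            raise ValueError(f"offset {m.group(2)} but {len(buf)} bytes decoded so far")
        groups: List[str] = []
        for tok in m.group(3).split():
            # At most four groups per line; the first non-hex token starts the ASCII column.
            if len(groups) == 4 or not _GROUP.match(tok):
                break
            groups.append(tok)
        if not groups:
            raise ValueError(f"no hex groups on line: {line!r}")
        buf.extend(bytes.fromhex("".join(groups)))
    if buf:
        dumps.append(bytes(buf))
    return dumps


def parse_http_request(raw: bytes) -> Dict[str, Any]:
    """Split a raw HTTP/1.x request into request line and headers.

    Refuses a capture that does not end with the CRLFCRLF that terminates the
    header block, so a truncated request is reported instead of half-parsed.
    """
    if not raw.endswith(b"\r\n\r\n"):
        raise ValueError("request header block is incomplete (no CRLFCRLF)")
    head = raw[:-4].decode("latin-1")  # latin-1: every byte maps to one code point
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for hl in header_lines:
        name, _, value = hl.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {"method": method, "target": target, "version": version, "headers": headers}


def indicators(req: Dict[str, Any]) -> Dict[str, str]:
    """Reduce a parsed request to the fields an analyst would pivot on."""
    headers: Dict[str, str] = req["headers"]
    host = headers.get("host", "")
    ioc = {
        "method": req["method"],
        "host": host,
        "url": f"http://{host}{req['target']}",  # port 80 per the Flows lines, hence http://
        "user_agent": headers.get("user-agent", ""),
    }
    if "referer" in headers:
        ioc["referer"] = headers["referer"]
    return ioc


def extract_indicators(dump_text: str) -> List[Dict[str, str]]:
    """Hex dump text in, one indicator record per captured request out."""
    return [indicators(parse_http_request(raw)) for raw in parse_hexdump(dump_text)]


if __name__ == "__main__":
    for rec in extract_indicators(RAW_PCAP):
        print(rec)
```

Run as a script it prints one record per request; the first has no Referer, the second's Referer is the first request's URL, which is the page-then-image relationship noted above. The offset cross-check is the part worth keeping when reusing this on other reports: hex dumps copied out of web pages routinely lose or duplicate a line, and without it the reassembled request looks plausible while the bytes are wrong.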


Strings