Analysis Date: 2013-08-29 22:19:51
MD5: a9ff81e9dd5b24aa5758a330dba6a3d1
SHA1: 042c9beba9f645a53ba0342e17a38921252aa7b4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: f6983618f90c53dc558c154ed76fb3a6 sha1: 6717561a4740bd9738c211e47bb85fda5aed89d6 size: 655872
Section .data  md5: 946ec01b075b61b75c949ed934625182 sha1: 7eb09dc4a50206f8acd6c12ae064b8d3851570b8 size: 52736
Section .tls   md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rdata md5: e80cbf6f0de86c93493e497260ce3302 sha1: 808517d8157ab1f3fd75ed0ba8c1e87d42bdb175 size: 512
Section .idata md5: 58d2b8fc1f66342967af61073dd016df sha1: d80bd9cc10cfe71a0682728d52715d9df9157dc9 size: 11264
Section .edata md5: 89527c62fc30d3ef653a7dfe7d07b528 sha1: 82db516d68821e0de8eeb28ae625e4d4c65aee7e size: 512
Section .rsrc  md5: b4eddf076333bd48bb01819f0d6a8ae3 sha1: 40cf08651e72bdcc78bdaeb7e7d7510736225827 size: 35840
Section .reloc md5: d5147e043536e7a50bb12e873df7bcf4 sha1: a2cbe16ca5a0fa6164b5d0eed1d3aec28c8a5892 size: 41472
Timestamp: 2011-10-25 07:48:08 (PE link timestamp as stored in the COFF header; set by the linker and easily forged)
Version:
  LegalCopyright:
  InternalName:
  FileVersion: 3.4.2.0
  CompanyName:
  LegalTrademarks:
  Comments:
  ProductName:
  ProductVersion: 3.4
  FileDescription: Client (original: 客户端)
  OriginalFilename:
Packer: Borland C++ DLL
PEhash: 08a23bbb1d345a04fc0e62e899d1b13836a1e7f8
AV: avg  Win32/DH{Lg8gEyE}
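The "Static Details" block above is the output of walking the PE header: the COFF header yields the link timestamp and the DLL flag, and the section table yields the name, raw size and on-disk bytes that the per-section MD5/SHA1 values are computed over. The following is an added example, not part of the report or of the sandbox that produced it, that reproduces that computation from scratch with only the standard library. `build_test_pe` constructs a tiny synthetic PE32 image so the script runs offline; the section contents and the `constructed` marker are made up, only the link timestamp (1319528888, i.e. 2011-10-25 07:48:08 UTC) is taken from the report. The `truncated` flag handles the common case of a sample whose tail is missing, where a section's `PointerToRawData + SizeOfRawData` runs past end of file.

```python
"""Hash PE sections and decode the link timestamp the way a sandbox's
"Static Details" block reports them (added example, not the report's own tool)."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit set on DLLs
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return machine, link timestamp, DLL flag and per-section hashes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, size_opt, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + size_opt  # signature + COFF header + optional header
    sections = []
    for i in range(nsec):
        (name, _vsize, _va, raw_size, raw_ptr,
         _, _, _, _, sec_chars) = struct.unpack_from(SECTION_HEADER, data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]  # on-disk bytes only; short if file is truncated
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "truncated": len(raw) < raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "characteristics": sec_chars,
        })
    return {
        "machine": machine,
        # TimeDateStamp is written by the linker and trivially forged: a hint, not evidence
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
    }


def section_report(data: bytes) -> list:
    """Render one 'Section' line per section in the report's own layout."""
    return [f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}"
            for s in parse_pe(data)["sections"]]


def build_test_pe(sections, stamp: int, file_align: int = 0x200) -> bytes:
    """Constructed minimal PE32 image (test input only, not a real sample)."""
    e_lfanew = 0x40
    size_opt = 0xE0  # PE32 optional header size
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")  # 0x10B = PE32 magic
    raw_off = -(-(e_lfanew + 24 + size_opt + 40 * len(sections)) // file_align) * file_align
    headers, raws, va = [], b"", 0x1000
    for name, body in sections:
        raw = body.ljust(-(-len(body) // file_align) * file_align, b"\0")
        headers.append(struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"),
                                   len(body), va, len(raw), raw_off + len(raws),
                                   0, 0, 0, 0, 0x60000020))
        raws += raw
        va += 0x1000
    image = (dos + b"PE\0\0" + coff + opt + b"".join(headers)).ljust(raw_off, b"\0")
    return image + raws


if __name__ == "__main__":
    sample = build_test_pe([(".text", b"\x55\x8b\xec\x90\xc3"), (".data", b"constructed\0")],
                           stamp=1319528888)  # 2011-10-25 07:48:08 UTC, the report's value
    info = parse_pe(sample)
    print("Timestamp:", info["timestamp"], "DLL:", info["is_dll"])
    for line in section_report(sample):
        print(line)
```

Section hashes are useful for clustering builds of the same family even when the file-level MD5/SHA1 differ, because a repacked or re-signed sample often leaves `.text` untouched. Compare hashes only on the raw on-disk bytes (`SizeOfRawData`), as above; hashing the virtual size would include the zero-filled tail and break comparisons between tools.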

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetPoliceClient ➝ C:\malware.exe\x00 (trailing NUL byte as captured)
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Network Details:
