Analysis Date: 2015-11-28 08:05:31
MD5: ed740cf2d3eae1fe80a016721d7d0984
SHA1: 088aed5264373b2a87d604e4926e02d49d20ae7c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e4983de0e9bb6268f01f5b33beb05174 sha1: 3cbc847d5ab052b2b9cd4c3289d5db99d48d3694 size: 204800
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: e14ca25f4c7e5d1a1b671dd5f00623e8 sha1: 9cf2e2bbe343915742d89bcd843911cbd885ee38 size: 32768
Section umwzqtw: md5: 38bffe380e20557e0d253d4459d205b1 sha1: 91ec7f2fc2fd1b5fc5a5c72289b2466cc8926970 size: 61440
Section mowxlwk: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 1996-08-02 03:49:59
Version:
  LegalCopyright: sdgfhytrsdfbnvc
  InternalName: zfxdvvxzcv
  FileVersion: 541.23.0152
  CompanyName: sdghfseyrtxdvb
  LegalTrademarks: sadfhdsfhg
  Comments: dfghjvcbn
  ProductName: fdgnbcxvbr
  ProductVersion: 541.23.0152
  FileDescription: dsfhcnbvm
  OriginalFilename: zfxdvvxzcv.exe
Packer: Microsoft Visual Basic v5.0
PEhash: a23f46cbb470585cf8e97899788d8fafd9419074
IMPhash: ac27d9cfe8b6c341dc579b64eb3cf363
AV Rising: no_virus
AV Mcafee: BackDoor-FCQK!ED740CF2D3EA
AV Avira (antivir): TR/Dropper.Gen
AV Twister: no_virus
AV Ad-Aware: Gen:Heur.ManBat.1
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Eset (nod32): Win32/Blohi.A
AV Grisoft (avg): Luhe.Gen.B
AV Symantec: no_virus
AV Fortinet: W32/KillMBR.NAG!tr
AV BitDefender: Gen:Heur.ManBat.1
AV K7: Trojan ( 004986d91 )
AV Microsoft Security Essentials: Backdoor:Win32/Blohi!rfn
AV MicroWorld (escan): Gen:Heur.ManBat.1
AV MalwareBytes: no_virus
AV Authentium: W32/VBInject.J.gen!Eldorado
AV Frisk (f-prot): W32/VBInject.J.gen!Eldorado
AV Ikarus: Backdoor.Win32.Blohi
AV Emsisoft: Gen:Heur.ManBat.1
AV Zillya!: Trojan.Writos.Win32.739
AV Kaspersky: Trojan.Win32.Writos.vhu
AV Trend Micro: BKDR_BLOHI.SM
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): Trojan.Writos
AV Padvish: no_virus
AV BullGuard: Gen:Heur.ManBat.1
AV Arcabit (arcavir): Gen:Heur.ManBat.1
AV ClamAV: Win.Trojan.Agent-954690
AV Dr. Web: Trojan.DownLoader12.61857
AV F-Secure: Gen:Heur.ManBat.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: pds27.egloos.com
Winsock URL: http://pds27.egloos.com/pds/201501/19/49/DS021dffa.jpg

Network Details:

DNS: pds27.egloos.com
  Type: A
  Answer: 125.141.132.107
HTTP GET: http://pds27.egloos.com/pds/201501/19/49/DS021dffa.jpg
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 125.141.132.107:80
