Analysis Date: 2015-07-28 22:50:28
MD5: 01a8a87d8d54b0571b45fcd418d3606f
SHA1: 0acdd9df73a108a77d439db34ea5dee077204ee8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 991be8aeff0bd8234e0ff6ba49cea6be sha1: fad0dd49d4a49d412f37bf929bad8533cc6131db size: 466944
Section .rdata: md5: 4a13e5f46076c522f0e99fc822287497 sha1: 410ecaa2d6c7bd4b51d56a0dd1808078685b8910 size: 86016
Section .data: md5: b70cfa764ebad97afb25edfe1f60f8a7 sha1: 3b93b6b3902403a02866a367f1a2530a47305f56 size: 65536
Section .rsrc: md5: 60be63d3c4de132ae28209a9f2e833e6 sha1: b87f239e44b8499369b8c0d2aed751e1255ba06e size: 114688
Timestamp: 2015-06-04 03:40:46
Version info:
  LegalCopyright: 本源码来自黑桃网赚 (Chinese, roughly: "this source code comes from Heitao Wangzhuan")
  FileVersion: 1.0.0.0
  CompanyName: 本源码来自黑桃网赚
  Comments: 本源码来自黑桃网赚
  ProductName: 万能种子搜索神器 (Chinese, roughly: "universal torrent search tool")
  ProductVersion: 1.0.0.0
  FileDescription: 本源码来自黑桃网赚
Packer: Microsoft Visual C++ v6.0
PEhash: 9217d439444bee6af246ff172cbf847793541c1e
IMPhash: 44b6f87474feb2ec4246866e3d1281b3
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan:W32/DelfInject.R
AV Dr. Web: Trojan.DownLoader15.967
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Strictor.32272
AV BullGuard: Gen:Variant.Strictor.32272
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.FlyStudio.Win32.15247
AV Emsisoft: Gen:Variant.Strictor.32272
AV Ikarus: no_virus
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: Trojan.Disabler
AV MicroWorld (escan): Gen:Variant.Strictor.32272
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 0049c4f31 )
AV BitDefender: Gen:Variant.Strictor.32272
AV Fortinet: W32/LockScreen.BHZ!tr
AV Symantec: no_virus
AV Grisoft (avg): Downloader.Generic_s.LG
AV Eset (nod32): Win32/FlyStudio.OKF
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Strictor.32272
AV Twister: no_virus
AV Avira (antivir): TR/Agent.737280.688
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr ➝ 1
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr ➝ 1
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: yuelover.com

Network Details:

DNS: yuelover.com, Type: A ➝ 107.191.99.114
DNS: yuelover.com, Type: A ➝ 142.4.203.239
DNS: yuelover.com, Type: A ➝ 107.161.23.204
HTTP GET: http://yuelover.com/1/?id=a-8274
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 107.191.99.114:80

Raw Pcap
Strings