Analysis Date: 2015-07-04 12:31:37
MD5: 4d6c880b7b58e9bd2a91f751b22bd497
SHA1: 1d9f1220d95d0a38bc453ceec9a48b25528fdcc2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7b231b17a1f5ec13aeea61787fe98842 sha1: b10f216e3d4affc2dcaaef50d29e1423d44ed334 size: 499712
Section .rdata: md5: 8d2e1c235f0c9369a7893c4aaf0337fd sha1: 01e4873ae376916814ed739462575c72298a1f6f size: 94208
Section .data: md5: 067071643d387840747e8fc66996a6a9 sha1: ef06f82e75f44f225fae12552e7a98f4664e9b1b size: 65536
Section .rsrc: md5: e88cdba8b7ca5e548fb3067c5e434cd8 sha1: 4d42424fa8b8d8a17634c67af4865b11ee7d180c size: 24576
Timestamp: 2015-05-02 07:19:15
Version: LegalCopyright: 作者版权所有 请尊重并使用正版
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
ProductName: 易语言程序
ProductVersion: 1.0.0.0
FileDescription: 易语言程序
Packer: Microsoft Visual C++ v6.0
PEhash: c7c57f95e20c8b2050ad6ae055b13abf294e7f6d
IMPhash: 2da325c32c94181ba6b12cb6864902db
AV CA (E-Trust Ino): Win32/ASuspect.HHDZV
AV F-Secure: Trojan:W32/DelfInject.R
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.54746
AV BullGuard: Gen:Variant.Graftor.54746
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Graftor.54746
AV Ikarus: no_virus
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: Spyware.OnlineGames
AV MicroWorld (escan): Gen:Variant.Graftor.54746
AV Microsoft Security Essentials: no_virus
AV K7: no_virus
AV BitDefender: Gen:Variant.Graftor.54746
AV Fortinet: Riskware/FlyStudio
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): no_virus
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Graftor.54746
AV Twister: no_virus
AV Avira (antivir): TR/Graftor.688128.45
AV Mcafee: Pasta
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015070420150705\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015070420150705!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com

Network Details:

DNS: www.2345.com Type: A ➝ 42.62.30.180
HTTP GET: http://www.2345.com/?kkk119
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1033 ➝ 42.62.30.180:80

Raw Pcap
0x00000000 (00000)   47455420 2f3f6b6b 6b313139 20485454   GET /?kkk119 HTT
0x00000010 (00016)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000020 (00032)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000030 (00048)   6167653a 20656e2d 75730d0a 41636365   age: en-us..Acce
0x00000040 (00064)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000050 (00080)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000060 (00096)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000070 (00112)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000080 (00128)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x00000090 (00144)   7773204e 5420352e 313b2053 56313b20   ws NT 5.1; SV1; 
0x000000a0 (00160)   2e4e4554 20434c52 20322e30 2e353037   .NET CLR 2.0.507
0x000000b0 (00176)   3237290d 0a486f73 743a2077 77772e32   27)..Host: www.2
0x000000c0 (00192)   3334352e 636f6d0d 0a436f6e 6e656374   345.com..Connect
0x000000d0 (00208)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000e0 (00224)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e323334 352e636f   tp://www.2345.co
0x00000040 (00064)   6d2f3f6b 6b6b3131 390d0a41 63636570   m/?kkk119..Accep
0x00000050 (00080)   742d4c61 6e677561 67653a20 656e2d75   t-Language: en-u
0x00000060 (00096)   730d0a41 63636570 742d456e 636f6469   s..Accept-Encodi
0x00000070 (00112)   6e673a20 677a6970 2c206465 666c6174   ng: gzip, deflat
0x00000080 (00128)   650d0a55 7365722d 4167656e 743a204d   e..User-Agent: M
0x00000090 (00144)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x000000a0 (00160)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000b0 (00176)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000c0 (00192)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x000000d0 (00208)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x000000e0 (00224)   3a207777 772e3233 34352e63 6f6d0d0a   : www.2345.com..
0x000000f0 (00240)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000100 (00256)   2d416c69 76650d0a 0d0a                -Alive....


Strings