Analysis Date: 2015-10-04 19:57:59
MD5: 2be13ae78c95b827377e7799eeed7ec8
SHA1: 22d11a3f044b8d6ab8599fea4371425f3777610f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 20f3df2082a20420737033adf51f2a1e sha1: a6fd59b84ca9aa2042e24a9b04b70b80bd2fedf7 size: 479232
Section .rdata: md5: 2f531010b663e427a4f004a33c4b4d1c sha1: 8a8c75dd4b0c86d5aac6c23e7661bb737b193cdc size: 925696
Section .data: md5: 7b99865a69490577533ea7fda43ea285 sha1: bbd4fe13847465e8e7552f32c0a0df4af63a2048 size: 65536
Section .rsrc: md5: dc8bcf83f4f15ddaf99d6f486cb7fd16 sha1: 6f3df8c9010a069c8b1f81b339500533e7c520f7 size: 114688
Section .rmnet: md5: 96a9ee61dc3e9ec836b9c34edd254ffb sha1: afd5ddccec6650d87840e0e0cfc131c21facef3b size: 61440
Timestamp: 2013-09-02 01:36:30
Version:
  LegalCopyright: 夏 * 个人所有
  QQ714307168
  FileVersion: 1.0.0.0
  CompanyName: 夏 *
  Comments: 表白网页一键生成
  ProductName: 表白网页一键生成
  ProductVersion: 1.0.0.0
  FileDescription: 表白网页一键生成
Packer: Microsoft Visual C++ v6.0
PEhash: 84ea93e16d7043c5337c9763a687a38831de76fd
IMPhash: 73df489ddffdce77ad5d79df1955447d
AV: CA (E-Trust Ino) ➝ no_virus
AV: F-Secure ➝ no_virus
AV: Dr. Web ➝ no_virus
AV: ClamAV ➝ Win.Trojan.Agent-204211
AV: Arcabit (arcavir) ➝ no_virus
AV: BullGuard ➝ no_virus
AV: Padvish ➝ no_virus
AV: VirusBlokAda (vba32) ➝ no_virus
AV: CAT (quickheal) ➝ Porn-Tool.Agent.07947
AV: Trend Micro ➝ no_virus
AV: Kaspersky ➝ Trojan.Win32.Generic
AV: Zillya! ➝ no_virus
AV: Emsisoft ➝ no_virus
AV: Ikarus ➝ no_virus
AV: Frisk (f-prot) ➝ W32/Agent.EW.gen!Eldorado
AV: Authentium ➝ W32/Agent.EW.gen!Eldorado
AV: MalwareBytes ➝ no_virus
AV: MicroWorld (escan) ➝ no_virus
AV: Microsoft Security Essentials ➝ no_virus
AV: K7 ➝ no_virus
AV: BitDefender ➝ no_virus
AV: Fortinet ➝ W32/Generic!tr
AV: Symantec ➝ no_virus
AV: Grisoft (avg) ➝ Win32/Ramnit.A
AV: Eset (nod32) ➝ no_virus
AV: Alwil (avast) ➝ Ramnit-CZ:Win32:Ramnit-CZ
AV: Ad-Aware ➝ no_virus
AV: Twister ➝ Trojan.558BEC6AFF68@1254.mg
AV: Avira (antivir) ➝ no_virus
AV: Mcafee ➝ no_virus
AV: Rising ➝ no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\vga.drv 1024x768x24(BGR 0) ➝ 31,31,31,31\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\SkinH_EL.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015100420151005\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015100420151005!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Network Details:

DNS: www.2345.com (Type: A) ➝ 42.62.30.180
HTTP GET: http://www.2345.com/?k714307168
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1033 ➝ 42.62.30.180:80
