Analysis Date: 2014-12-12 01:14:19
MD5: 01b23a1d1103980f146d91d571c33eeb
SHA1: 2384fb86ca59645a1be6ca0016ed24340e031cf8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1fb7e143df718e7d0198a0820a3cce48 sha1: 97f26434c7bc288e6c4f8820cf0a94f6baf32b83 size: 22528
Section .rdata md5: 1c2ae3e2696dc217620c541c6cd75ec7 sha1: af15785bb8bde4e35e8e43886d0d0eea2912a4a1 size: 3584
Section .data md5: e2b33211e1d48f2e76d93568b4771ec4 sha1: 320148b181acc17d9dd11d5dbed48fba579ce06d size: 1024
Section .vmp0 md5: 02a192692c1f260b41e0c1a153ecc317 sha1: 635df023d941c52c29ee5d6ad3876d50d11cd32d size: 97792
Section .tls md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .vmp1 md5: 5ddbc11400603004ebf3bafa1c279084 sha1: 398f710bfaf7bb732cd1c807551afe61b216c877 size: 35840
Section .aspack md5: 6697f1f33cb0d080f3e06522a2512e09 sha1: 2b8a96a1989a62876c6350182ea5df4a76eb0e8b size: 4608
Section .adata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2012-11-30 15:39:40
Packer: ASPack v2.1
PEhash: 18936601efa9c5c0a70c7d64849539afc37c9103
IMPhash: f68bf75f0645a4f4452cf4374b01138a
AV 360 Safe: Gen:Variant.Zusy.34474
AV Ad-Aware: Gen:Variant.Zusy.34474
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): Gen:Variant.Zusy.34474
AV Authentium: W32/Trojan.MYGF-7800
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Variant.Zusy.34474
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Spy.16250
AV Emsisoft: Gen:Variant.Zusy.34474
AV Eset (nod32): Win32/TrojanDownloader.Agent.RQP
AV Fortinet: W32/Agent.ROW!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.34474
AV Grisoft (avg): Downloader.Generic13.RTR
AV Ikarus: Trojan-Downloader.Win32.Navattle
AV K7: Riskware ( 0015e4f11 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.GamesThief
AV Mcafee: Generic Malware.fi
AV Microsoft Security Essentials: TrojanDownloader:Win32/Navattle.A
AV MicroWorld (escan): Gen:Variant.Zusy.34474
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_SPNR.35AA13
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: hi.baidu.com
Winsock DNS: www.naver.com
Winsock DNS: sourceforge.net

Network Details:

DNS: a1694.b.akamai.net Type: A 23.74.9.174
DNS: a1694.b.akamai.net Type: A 23.74.9.223
DNS: sourceforge.net Type: A 216.34.181.60
DNS: hi.n.shifen.com Type: A 180.76.2.41
DNS: www.naver.com Type: A
DNS: hi.baidu.com Type: A
HTTP GET: http://sourceforge.net/users/live456
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
HTTP GET: http://hi.baidu.com/justest/item/46897fe6ff90db015b7cfbd6
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 23.74.9.174:80
Flows TCP: 192.168.1.1:1032 ➝ 216.34.181.60:80
Flows TCP: 192.168.1.1:1033 ➝ 180.76.2.41:80

Raw Pcap
0x00000000 (00000)   47455420 2f6a7573 74657374 2f697465   GET /justest/ite
0x00000010 (00016)   6d2f3436 38393766 65366666 39306462   m/46897fe6ff90db
0x00000020 (00032)   30313562 37636662 64362048 5454502f   015b7cfbd6 HTTP/
0x00000030 (00048)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000050 (00080)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000060 (00096)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000070 (00112)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000080 (00128)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x00000090 (00144)   743a2068 692e6261 6964752e 636f6d0d   t: hi.baidu.com.
0x000000a0 (00160)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000b0 (00176)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f757365 72732f6c 69766534   GET /users/live4
0x00000010 (00016)   35362048 5454502f 312e310d 0a557365   56 HTTP/1.1..Use
0x00000020 (00032)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000030 (00048)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000040 (00064)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000050 (00080)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000060 (00096)   202e4e45 5420434c 5220312e 312e3433    .NET CLR 1.1.43
0x00000070 (00112)   3232290d 0a486f73 743a2073 6f757263   22)..Host: sourc
0x00000080 (00128)   65666f72 67652e6e 65740d0a 43616368   eforge.net..Cach
0x00000090 (00144)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000a0 (00160)   6368650d 0a0d0a                       che....


Strings:
.adata
advapi32.dll
.aspack
ExitProcess
GetModuleHandleA
GetProcAddress
kernel32.dll
LOADER ERROR
LoadLibraryA
MessageBoxA
.rdata
RegQueryValueExA
SHDeleteKeyA
shell32.dll
ShellExecuteA
shlwapi.dll
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
!This program cannot be run in DOS mode.
user32.dll
VirtualAlloc
VirtualFree
VirtualProtect
wsprintfA