Analysis Date: 2014-04-07 06:34:52
MD5: 667990858cbcf834d40e5706de7001d1
SHA1: 24f6b932075ac80bfba662a3b69df4fe5bcbba51

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the hashes of empty input: UPX0 has no raw data on disk and is only filled in memory once the stub unpacks the payload, so the section hashes carry no information)
Section UPX1 — md5: c64b18bff82095f2c7eb20e4046a0039 sha1: 68def4c01f5b7516581efb7afbda187ce373f1f2 size: 8192 (typically holds the compressed payload together with the UPX loader stub)
Section .rsrc — md5: f52c792b184bac84ecb60f41aa7175ab sha1: c9ceb40dbe1e5ec78bb0285d138b5947fd054226 size: 6144
Timestamp: 2010-11-25 01:54:01 (PE header compile time; attacker-controlled, so treat it as a weak indicator only)
Packer: UPX -> www.upx.sourceforge.net
PEhash: caf5fe05b6888cf43057fa83a6bd110dc422477a
IMPhash: e155af7c68a690b349384d180f63a61f (computed over the packed image's import table, i.e. the UPX stub's imports such as LoadLibraryA/GetProcAddress/VirtualAlloc seen in the strings below — unpack the sample before using imphash for clustering)
AV (avg): Adware Generic4.AWVF
AV (avira): TR/Dldr.Age.EB.207

Runtime Details:

Screenshot

Process
↳ C:\malware.exe (the sample as launched by the sandbox; no child processes were recorded)

Registry: HKEY_LOCAL_MACHINE\Software\ASD\STM ➝ 1396870980
The value is a decimal Unix epoch time (1396870980 ≈ 2014-04-07 11:43 UTC, the same day as the analysis), so it most likely records the sample's first-run time; the "ware\ASD" fragment in the strings below shows the key path is embedded in the binary. The key is a usable host-based indicator. Writing under HKLM requires administrative rights, which the sandbox evidently granted.

Network Details:

DNS: yahoo.com.cn Type: A → 68.180.206.184
DNS: yahoo.com.cn Type: A → 98.139.102.145
(two lookups of a high-availability domain with no follow-up connection — likely a connectivity check rather than C2; the resolved addresses are not indicators)
DNS: 8475.770304123.cn Type: A → no answer recorded
HTTP POST: http://60.217.234.138/pl1.txt
User-Agent: (none — the raw request below carries no User-Agent header at all, and Content-Length: 0, i.e. an empty POST body)
Flow: TCP 192.168.1.1:1031 ➝ 60.217.234.138:80
A zero-length POST with no User-Agent straight to an IPv4 literal for a .txt resource is a strong network-signature candidate (POST + Host header that is a bare IP + Content-Length: 0 + missing User-Agent). The fragments "http://60." and "234.138/" in the strings section appear even in the packed image, confirming the address is a literal in the binary and not derived from the .cn domain.

Raw Pcap (first TCP payload of the flow above: the complete 129-byte POST request, headers only, no body)
0x00000000 (00000)   504f5354 202f706c 312e7478 74204854   POST /pl1.txt HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a486f73 743a2036 302e3231   */*..Host: 60.21
0x00000030 (00048)   372e3233 342e3133 380d0a43 6f6e7465   7.234.138..Conte
0x00000040 (00064)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000060 (00096)   6c697665 0d0a4361 6368652d 436f6e74   live..Cache-Cont
0x00000070 (00112)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000080 (00128)   0a                                    .


Strings (extracted from the packed image — most entries are UPX-compressed noise; the meaningful ones are the loader-stub imports (KERNEL32.DLL, WININET.dll, WS2_32.dll, ADVAPI32.dll, MFC42.DLL), the .rsrc version info posing as "msupdate 1.0 (C) 2005", the "ware\ASD" registry-path fragment and the "http://60." / "234.138/" URL fragments)
...".
.
....
 (C) 2005
msupdate
 msupdate
msupdate 1.0 
 msupdate(&A)...
TODO: 
~";@_\
:0,SrL'
`#0wr{
0X'4~vI%B
17.'http://60.=><'>>9
1@]fQd
1<TH3`
2a4]uN{< ?
2ZCnX<
3$glw6
402222,($ 2222
,4|7mx
4CSUVWM3w_
4p'I?l
?5cfC 
5QJ)dL/<
5ribT>
5y!h9z
64l5/%
6^F%cr
6/lAHf
[6V/N'
(6Y!.>
#?\788
8s}75q&j
8sMkW2B
92Ft)#'
9&|$_7u|!QF
:9=8;:'jg
:#9bHP3^N
9*MbNM
A4`S2X
ADVAPI32.dll
;bJOA	
BtxtC234.138/
CAPBDXZ@4DBZ
CgnLQOc
CLvh8@^
crooft2lock
cttribupz$ho
C;uEjT
c^WCz-e|38
D2VRQU
d6H;XwkI6y
DaclUEx{
D,axTdc>
DDDDDD
DIoVs^k
djbvS%s
dKaJ z
`DlNdJ
dSt tupInfo
dVvl7|^dU
D.!YQN
eARM=P
efg,F?
EUrs^7|
ExitProcess
eZ;/_~OLr
F1T	oA.*
Far^#L
FdAAELB+
F&{F@U
f@ssse#
Ft~NZ0
G7L?]'
~gEfrQ
GetProcAddress
}g#fB`E
G@q0\B
GR,.<O
g]>]XF
H LI*)
hlpOwfd
HN/8VV
HrCg@b	g 
+}H+T[!
i+B.XL$(
.;?)iGIF
InternetOpenA
ionBy7-Xw;O
ize#cu
%JA}1>'T
j[e]oS
:JF_bB*]E
?JL<6.
jr`~DC
jVj2`H
j|Y;jc	?n
}`{~K,
k}0C 0
KERNEL32.DLL
KG=2NL
KH UDO
$Kh}Y&U
kUO+(i
{kyn1M/
	L3L1T
lA"5%:
LastEr
lb%E'Of>,
LC>/{&d
lD,FaxO9':
;leTidi
LoadLibraryA
m8`*2%J
main]G
MEMz:/H
MFC42.DLL
^mN.;G*
MSVCP60.dll
MSVCRT.dll
N)}~??
NC~.8YV+P
^\nClosE
NefkheU<>8HM==1$8
Ne#SwG
n">(QV%,"&b
/Ny2'@TW
o0)f~8n
O?0$m<$HLJ8$M<LH;+
O?+|=6<
Object
*O<Brm
oTaryTyp$ModuHHanf
.?Otq-
P:1nh.3
pD"C'o
{"p>e;'
:>%pG1
:Pg	hL
;?phaff
P?>Ko"
ProcessA
	PTl^B,HO
PT[pS {
/px*"Zxi
&Pz@%{%=
QBd/7A
)qF	i1
Q,,o,B
qTy\GiHO&
qU,)G*
qY)&"z
.q{@zc
r3!CxxF
r7q^Y!tAi
r888Gr
RBfpDmdlng
`.rdoa
RegCloseKey
R-/*K$
rO)-w/
r*$-Va
!)<%RX
S#&BB-1
SetFilePointerWai
SZ	\}VE
`$^t0^a]
T/,<4SI3@D
tB' VPXL
Tc]XH;
T .f1]
t_fdiv-
!This program cannot be run in DOS mode.
{TLi-L
TOB'E?o
TP/1.0msnd
|tPxP|P
 trXMd
tuwddk
 Txwh~6
u0B7@n
Ud+R,:
>uE&8(XBn
/?&uidD
u(Q75q
uT~Kt,
uWN_-\l
UWNPC|vf
U(wQOZm
VirtualAlloc
VirtualFree
VirtualProtect
VolumIAS
ware\ASD]*
whSI.0J
WININET.dll
$wI>se
wm%	lB
WS2_32.dll
wwwwww
+X)%6H
XPTPSW
?_Xran@std@@YAXXZ
xUeu3d 
<x<!y$#@
y93baP
$Y'aI!8
Ya?]N0:
yF!jhy	
_]ynON
yU9(I&h
[Y;up 
yx{dPh
| yz}0
%Zat'R
z@C/zg
Z]oq{F
!z)"R1
]zSLb8aB
;ZV(&MHb
#zz%&V