Analysis Date: 2015-12-21 21:52:04
MD5: 8e525be6da4b163007c0f1ae5f9befbf
SHA1: 273240302499e441c0a464efb667af67bd4c7c8e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 6cabf4c36ff186bccd477c8532d3e9ff sha1: 5f3abf1be856e39ace7e852c5ec7b140a18c57b5 size: 103936
Section .rdata md5: fa3d149682e35840016512b71e8b29b5 sha1: ec9fc627a34a35328276e216727bd9b7c834caae size: 36864
Section .data  md5: 67af39e2608914a5cb2cac5366f096cb sha1: 79dcdb845b14012924557e60297e00bfaf326dc2 size: 68096
Section .rsrc  md5: 48bb1e69db164df55fe0bea8e36900a4 sha1: e410e642dbecaf3018ba3f0a5c307605ec6abebc size: 36864
Timestamp: 2015-10-23 07:06:17
Packer: Microsoft Visual C++ ?.?
PEhash: 9f3eaa1830dd999b3c80196d6efef7d223ffa85a
IMPhash: 3ff5b20dde26bd4a83af94fc87933d99
AV Ad-Aware: Trojan.GenericKD.2820459
AV Grisoft (avg): Inject3.LPX
AV CAT (quickheal): Trojan.Lethic.r4
AV Ikarus: Trojan.Win32.Crypt
AV Avira (antivir): TR/Crypt.ZPACK.196057
AV K7: Riskware ( 0040eff71 )
AV ClamAV: no_virus
AV Kaspersky: Trojan.Win32.Yakes.mygq
AV Arcabit (arcavir): Trojan.GenericKD.2820459
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.Dridex.234
AV Mcafee: RDN/Sdbot.worm
AV BitDefender: Trojan.GenericKD.2820459
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV Emsisoft: Trojan.GenericKD.2820459
AV MicroWorld (escan): Trojan.GenericKD.2820459
AV Alwil (avast): Androp [Drp]
AV Eset (nod32): Win32/Injector.BNHS
AV Rising: no_virus
AV BullGuard: Trojan.GenericKD.2820459
AV Fortinet: W32/BNHS!tr
AV Symantec: Trojan.Gen
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV Twister: no_virus
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): Trojan.Yakes
AV F-Secure: Trojan.GenericKD.2820459
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KdjSaS011arha ➝
C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaa.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\KdjSaS011arha ➝
C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaa.exe\\x00

Process
↳ C:\WINDOWS\Explorer.EXE

Creates File: \Device\Afd\Endpoint

Network Details:

Flows TCP: 192.168.1.1:1031 ➝ 93.174.95.60:6600
Flows TCP: 192.168.1.1:1031 ➝ 93.174.95.60:6600
