Analysis Date: 2014-11-22 06:55:45
MD5: bb832d34f70b160062b58ba30a5e9826
SHA1: 28ddaa321ed8a304f8e84809c9ccc7e8083aaf52

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0  md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section UPX1  md5: bc3abd6c4d545f32671aed0e716bbba3  sha1: 0d15940ac6202f238fe56727f21a219f9b20aea6  size: 217600
Section UPX2  md5: bf7aef12f9ab1a21aa165814ad5b2dfb  sha1: 1a7f55a28c06d9f01f4bd884ffbffeeef6d83fa7  size: 1024
Timestamp: 2014-10-13 15:53:22  (PE header compile time, about six weeks before the analysis; attacker-controlled, so a hint only)
Packer: UPX -> www.upx.sourceforge.net
PEhash: dff82cfb0296a611589f5b80c5979cb6bdecb77c
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c
    The UPX0 hashes are the MD5 and SHA-1 of zero bytes: UPX0 has no raw data on disk (it is only the virtual range the stub unpacks into), so those two values identify nothing. UPX1 (217600 bytes) holds the compressed program plus the decompression stub, UPX2 (1024 bytes) the stub's import table. Because the only imports visible before unpacking are the stub's (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect, ExitProcess; see Strings), the IMPhash describes the UPX loader rather than the malware and will match unrelated UPX-packed files. Unpack first (upx -d normally works while the UPX header is unmodified) and hash the result before using IMPhash for clustering.
AV results (16 of 29 engines detect; "no_virus" is the sandbox's value for no detection):
AV 360 Safe: Gen:Variant.Symmi.42740
AV Ad-Aware: Gen:Variant.Symmi.42740
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.TEWH-4760
AV Avira (antivir): TR/Dldr.Agent.219648.2
AV BullGuard: Gen:Variant.Symmi.42740
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.42740
AV Eset (nod32): Win32/Agent.WCF
AV Fortinet: W32/Agent.WCF!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.42740
AV Grisoft (avg): Agent5.BGV
AV Ikarus: Trojan.Agent5
AV K7: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Generic:Trojan.Win32.Hosts2.gen
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dgp
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.42740
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
    The names that are not generic agree with the runtime behaviour below: a downloader (Avira TR/Dldr.Agent, Kaspersky Trojan-Downloader) that rewrites the hosts file (Kaspersky's Hosts2.gen). The six identical Gen:Variant.Symmi.42740 results come from products that license the BitDefender engine and count as one opinion; Symmi and Malware-gen are heuristic names that carry no family information.

Runtime Details:

Screenshot: (not reproduced on this page)

Process
↳ C:\malware.exe  (the sample, as renamed by the sandbox)

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝ http://www.2345.com/?kkkkkkkk2345\x00
    Internet Explorer start page redirected to a 2345.com navigation-portal URL with what looks like a promotion tag in the query string. The trailing \x00 in the sandbox log means the NUL terminator was written as part of the REG_SZ data.
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝ NULL
    Data not captured (shown as NULL). When this policy value is set to 1 the home-page controls in Internet Options are disabled, so the user cannot undo the redirect.
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝ NULL
    Data not captured. Explorer reads this value to decide whether "Show hidden files and folders" takes effect; hijackers set it to 0 so that dropped files stay hidden even when the option is ticked.
Creates File: C:\Program Files\Common Files\appers_7_1958.exe  (same name as the file fetched from down.9vh.net below)
Creates File: C:\WINDOWS\system32\drivers\etc\hosts  (opened for writing; what was written is not captured, but Kaspersky's Hosts2.gen name points at a hosts-file hijack)
Creates File: C:\Program Files\Common Files\asdqw_3104-48740.JPG
Creates File: C:\WINDOWS\system32\unrar.dll  (an UnRAR library dropped into system32; what it is used for is not shown)
Winsock URL: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
Winsock URL: http://down.9vh.net/appers_7_1958.exe
Winsock URL: http://down.tianyunxj.com/tqrl_97_1957.exe
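A host-side check for the indicators in this section, written here as an added example; it is not part of the sandbox's output or of the sample's own code. It assumes the usual hijacker settings for the two values the sandbox shows as NULL (HomePage policy present, SHOWALL CheckedValue set to 0), and the hosts file it audits offline is constructed, because the report does not show what the sample wrote to the real one. On Windows it reads the live registry and hosts file instead.

```python
"""Audit a Windows host for the runtime indicators listed above: the IE
start-page hijack, the HomePage policy lock, the SHOWALL hidden-files switch,
hosts-file tampering and the dropped files.  Added example, not sandbox output."""
import ipaddress
import os
import platform
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Registry values from the Runtime Details section.
START_PAGE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page"
HOMEPAGE_POLICY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
DROPPED_FILES = [
    r"C:\Program Files\Common Files\appers_7_1958.exe",
    r"C:\Program Files\Common Files\asdqw_3104-48740.JPG",
    r"C:\WINDOWS\system32\unrar.dll",
]

# Offline stand-ins.  The start page is the value the sandbox logged (with its
# trailing NUL); the other two are the usual hijacker settings, an assumption.
SAMPLE_REGISTRY = {START_PAGE: "http://www.2345.com/?kkkkkkkk2345\x00",
                   HOMEPAGE_POLICY: 1, SHOWALL: 0}
# Constructed hosts file: two normal lines, one redirect, one sinkholed name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.7    update.example-antivirus.com
127.0.0.1       www.example-antivirus.com
"""


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """(ip, name, reason) for each entry a hijacker could have added: a name
    mapped to a remote address (redirect) or a non-localhost name mapped to
    loopback/0.0.0.0 (site blocked, typically AV or update servers)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback or addr.is_unspecified:
                if name.lower() not in ("localhost", "localhost.localdomain"):
                    findings.append((ip, name, "name sinkholed to loopback/0.0.0.0"))
            else:
                findings.append((ip, name, "name redirected to a remote address"))
    return findings


def audit_registry(values: Dict[str, Optional[object]],
                   allowed_start_hosts=("about:blank", "www.msn.com")) -> List[str]:
    """values maps the three paths above to their data (None = value absent)."""
    findings = []
    start = values.get(START_PAGE)
    if isinstance(start, str):
        if "\x00" in start:
            findings.append("Start Page data contains an embedded NUL (written with its terminator)")
        clean = start.rstrip("\x00")
        host = urlparse(clean).netloc.lower() or clean.lower()
        if host not in allowed_start_hosts:
            findings.append(f"IE Start Page is {clean} (host {host} not in the allowed list)")
    if values.get(HOMEPAGE_POLICY) is not None:
        findings.append("HomePage policy present: home-page setting locked against the user")
    if values.get(SHOWALL) not in (None, 1):
        findings.append("SHOWALL CheckedValue tampered: 'Show hidden files' will not take effect")
    return findings


def present_dropped_files(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    return [p for p in DROPPED_FILES if exists(p)]


def read_windows_values() -> Dict[str, Optional[object]]:
    """Read the three values from the live registry (Windows only)."""
    import winreg  # importable only on Windows
    roots = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    out: Dict[str, Optional[object]] = {}
    for path in (START_PAGE, HOMEPAGE_POLICY, SHOWALL):
        root, _, rest = path.partition("\\")
        key, _, name = rest.rpartition("\\")
        try:
            with winreg.OpenKey(roots[root], key) as k:
                out[path] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            out[path] = None
    return out


if __name__ == "__main__":
    if platform.system() == "Windows":
        reg = read_windows_values()
        with open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8", errors="replace") as fh:
            hosts = fh.read()
    else:                                   # offline run on the constructed data
        reg, hosts = SAMPLE_REGISTRY, SAMPLE_HOSTS
    for line in (audit_registry(reg)
                 + [f"hosts: {ip} {name}: {why}" for ip, name, why in audit_hosts(hosts)]
                 + [f"dropped file present: {p}" for p in present_dropped_files()]):
        print(line)
```

The registry audit deliberately reports the embedded NUL as a finding of its own: a start page written through RegSetValueEx with the terminator counted in the length is a tell of a hand-rolled hijacker, and it survives even after the URL itself has been changed back.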

Network Details:

DNS: webmirror.pcbeta.com  Type: A  ➝ 113.107.42.25
DNS: down.9vh.net  Type: A  ➝ 222.186.60.3
DNS: c06.i06.arnic.hadns.net  Type: A  ➝ 183.61.10.249
DNS: c06.i06.arnic.hadns.net  Type: A  ➝ 183.57.148.246
DNS: cdn.pcbeta.attachment.inimc.com  Type: A  (no address logged)
DNS: down.tianyunxj.com  Type: A  (no address logged)
    webmirror.pcbeta.com and c06.i06.arnic.hadns.net appear nowhere else in the report, so they are most likely the CNAME chain behind cdn.pcbeta.attachment.inimc.com (a pcbeta.com forum attachment served through a CDN) and the sandbox logged only the final A answers. No address and no flow is recorded for down.tianyunxj.com, and no tqrl_97_1957.exe appears among the created files, so the third request shown in the raw dump may never have reached a server.
HTTP GET: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
HTTP GET: http://down.9vh.net/appers_7_1958.exe
HTTP GET: http://down.tianyunxj.com/tqrl_97_1957.exe
    User-Agent: none sent. The raw requests below carry only Host and Cache-Control: no-cache, a bare WinINet/Winsock fetch rather than a browser; an .exe GET with no User-Agent is an easy proxy-log detection.
Flows TCP: 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP: 192.168.1.1:1032 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1033 ➝ 183.61.10.249:80

Raw Pcap (outbound request bytes as dumped by the sandbox; in the second and third dumps everything after the first CRLF CRLF repeats the tail of the first request and is stale capture-buffer content, not bytes sent on the wire)
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg 
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f617070 6572735f 375f3139   GET /appers_7_19
0x00000010 (00016)   35382e65 78652048 5454502f 312e310d   58.exe HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2064 6f776e2e 3976682e   .Host: down.9vh.
0x00000030 (00048)   6e65740d 0a436163 68652d43 6f6e7472   net..Cache-Contr
0x00000040 (00064)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f747172 6c5f3937 5f313935   GET /tqrl_97_195
0x00000010 (00016)   372e6578 65204854 54502f31 2e310d0a   7.exe HTTP/1.1..
0x00000020 (00032)   486f7374 3a20646f 776e2e74 69616e79   Host: down.tiany
0x00000030 (00048)   756e786a 2e636f6d 0d0a4361 6368652d   unxj.com..Cache-
0x00000040 (00064)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000050 (00080)   650d0a0d 0a636265 74612e61 74746163   e....cbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....
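The three requests above, recovered from the hex dumps and run through a few download-beacon checks. This is an added example, not the sandbox's own code: the dump text is copied from this section, while the heuristics (missing User-Agent and Accept headers, Cache-Control: no-cache, PE file extensions, an image fetched without browser headers) and the treatment of bytes after the first CRLF CRLF as capture residue are assumptions added here, not something the report states.

```python
"""Recover the HTTP requests from the hex dumps in the Raw Pcap section and
run a few downloader-beacon checks over them.  Added example; the dump text
is copied from this report, the checks are not the sandbox's."""
import re
from typing import Dict, List

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host:
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control:
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f617070 6572735f 375f3139   GET /appers_7_19
0x00000010 (00016)   35382e65 78652048 5454502f 312e310d   58.exe HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2064 6f776e2e 3976682e   .Host: down.9vh.
0x00000030 (00048)   6e65740d 0a436163 68652d43 6f6e7472   net..Cache-Contr
0x00000040 (00064)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control:
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f747172 6c5f3937 5f313935   GET /tqrl_97_195
0x00000010 (00016)   372e6578 65204854 54502f31 2e310d0a   7.exe HTTP/1.1..
0x00000020 (00032)   486f7374 3a20646f 776e2e74 69616e79   Host: down.tiany
0x00000030 (00048)   756e786a 2e636f6d 0d0a4361 6368652d   unxj.com..Cache-
0x00000040 (00064)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000050 (00080)   650d0a0d 0a636265 74612e61 74746163   e....cbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control:
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn one 'offset (decimal)   hex words   ascii' dump into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line.lower().startswith("0x"):
            continue
        fields = re.split(r"\s{2,}", line)      # [offset, hex words, ascii column]
        out += bytes.fromhex(fields[1].replace(" ", ""))
    return bytes(out)


def split_dumps(text: str) -> List[bytes]:
    """Dumps are separated by blank lines."""
    return [parse_hexdump(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def parse_http_request(data: bytes) -> Dict:
    """Parse a request head.  Everything after the first CRLF CRLF is kept
    apart as 'residue': in this report it is stale buffer content from the
    previous request and must not be read as part of this one."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("request head not terminated")
    request_line, *header_lines = data[:end].decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "residue": data[end + 4:]}


PE_SUFFIXES = (".exe", ".dll", ".scr", ".cpl")


def assess(req: Dict) -> List[str]:
    """Heuristics for a non-browser download beacon; each hit is one string."""
    h, findings = req["headers"], []
    if "user-agent" not in h:
        findings.append("no User-Agent header")
    if not any(k in h for k in ("accept", "accept-language", "accept-encoding")):
        findings.append("no Accept* headers (bare GET, not a browser)")
    if h.get("cache-control", "").lower() == "no-cache":
        findings.append("Cache-Control: no-cache forces a fresh fetch through any proxy cache")
    if req["target"].lower().endswith(PE_SUFFIXES):
        findings.append("downloads a PE by path: " + req["target"])
    if req["target"].lower().endswith((".jpg", ".jpeg", ".png", ".gif")) and "accept" not in h:
        findings.append("image URL fetched with no Accept header; verify the body is really an image")
    if req["residue"]:
        findings.append(f"{len(req['residue'])} bytes after the head ignored as capture residue")
    return findings


def analyse(text: str = RAW_PCAP) -> List[Dict]:
    rows = []
    for data in split_dumps(text):
        req = parse_http_request(data)
        rows.append({"host": req["headers"].get("host", "?"),
                     "target": req["target"], "findings": assess(req)})
    return rows


if __name__ == "__main__":
    for row in analyse():
        print(f"GET http://{row['host']}{row['target']}")
        for f in row["findings"]:
            print("   -", f)
```

Stopping at the first CRLF CRLF is what makes the second and third dumps parse cleanly: read naively, the 60 and 55 trailing bytes would look like a second Host header for cdn.pcbeta.attachment.inimc.com inside a request to down.9vh.net.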


Strings

Readable strings are sparse because the image is UPX-packed: apart from the loader stub's own imports, what a strings run recovers from UPX1 are fragments of literals split by the compressor's back-references, and the rest of the dump is compressed-data noise. The recognisable fragments, grouped:

UPX loader stub imports:
  KERNEL32.DLL  LoadLibraryA  GetProcAddress  VirtualAlloc  VirtualFree  VirtualProtect  ExitProcess

DLLs and APIs of the packed program (an MFC/ATL application built with Visual C++):
  ADVAPI32.dll  CADVAPI  COMCTL32.dll  GDI32.dll  ole32.dll  OLEAUT32.dll  oledlg.dll  SHELL32.dll  SHLWAPI.dll  USER32.dll  USER32  WININET.dll  WINSPOOL.DRV  ATL.DLL  L*.DLL
  InternetOpenA  RegFlushKey  PathMatchSpecA  BitBlt  ClosePrinter  DragFinish  EnumDisplay  OleRun  ileNameW
  CWinApp  AfxOldh  Array<char>  RichEdit Te  t8lBar%'MDIFr  PreviewPages  VisUC++ RAaw  VC20XC00  __GLOBAL_HEAP_SELECTED  _SIMULATE_TLS:  ::bad_a  1#QNAN  ,?THREAD@  CPPZbugHook  b:(HOOK  ODULE_?
  !This program cannot be run in DOS mode.  opyright 19  CONOUT$u  H:mm:ss  /&h%H:%M  0)Augus  6Marchebru  DWORD4  Format  NotSupp  No such.b  VERROR  was about o=  and Object  curityP  1xmlns="

Registry and file-system fragments matching the runtime behaviour:
  HKEY_LOC  <SSES_ROOT  E\SOFTWAR  \CLSID  xpljr\Adv  d\Fold  @DefaultI0nB
  rs\etc\ho(s  (drivers\etc\hosts)  }127.0  32\taskmgr.exe  .lnkwu@Sa*HlyKb\  iQIYI\Qiyi  \PTX\\.

Fragments of the download URLs, hosts and dropped file names:
  ttp://ba<  Y:HTTP+m  f9vh.p/J  ,unxj{U  Q_7_1958  E5tqrl1j$  73937Zav9yvcycn3akk  b4-48740.JPG_c]`E  dqw_31  lum;219.235

WININET.dll with InternetOpenA matches the bare HTTP fetches in the network capture, rs\etc\ho(s and }127.0 match the hosts-file write, and 32\taskmgr.exe is a Task Manager path that the sandbox did not see used. For a usable string set, unpack the sample and run strings on the result.