Analysis Date: 2013-09-02 01:17:05
MD5: 3c699322844a354920723dfa66bd5863
SHA1: 30e092ca5e92373988f9eb5fe0e61fb6ab07b307

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 66a906b3e1015b27bc2ec59c3b659b30 sha1: 986d818e1cd98a40079de6db6b2be4e4ba00de39 size: 50176
Section .rdata: md5: e07c37229660543ac0a245471b78e3db sha1: 28df81123cfd2cb7e390771e9fadd5a63e8d6d11 size: 2560
Section .data: md5: 6be4de46af8511bdfffeefe42dd0989b sha1: f116f008902ff4291ae5d6ef1e31c84db2b177ba size: 6144
Section .idata: md5: 1f0f9505b1e7493310df50d40bf33041 sha1: 28fbfd528ac211b9a8622cf5f60ead3067b25bf9 size: 2048
Section .reloc: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .aspack: md5: 94644e16d5349416b8b2b7802203701e sha1: 50e9cd287e09de25f8a7ffb577ce44ac090685da size: 4608
Section .adata: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2009-07-19 15:00:40
Packer: ASPack v2.1
PEhash: 08b9b0fab3579739d792e86754a28522dc9e6503
AV (avg): Exploit.MS04-011
AV (msse): Backdoor:Win32/IRCbot.gen!Z

Runtime Details:

Process:
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\dcmhlp.exe
Creates Process: C:\WINDOWS\system32\dcmhlp.exe
Creates Mutex: null3szxx

Process:
↳ C:\WINDOWS\system32\dcmhlp.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Dcom Helper ➝ dcmhlp.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Dcom Helper ➝ dcmhlp.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Dcom Helper ➝ dcmhlp.exe\\x00\\x00
Creates File: \Device\Afd\Endpoint
Creates File: new.txt
Creates Mutex: null3szxx

Network Details:

DNS: scn.mytijn.org (Type: A)