Analysis Date: 2015-07-29 11:09:35
MD5: 7f1311306b76854c0249e6ba7b48149a
SHA1: 33934a8de5c41cf6008ecd8acb7aca11a606772a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 70962e223186210c46c42eb44f8306de sha1: c54ad71884b06d50ba3c3c7f49ef1dc9cdc0afd8 size: 250880
Section .rdata md5: aee0f92bc951de44e3ad82e81c533bb0 sha1: 147a901a70cee654abc952dfa4c9d72002aeb211 size: 65024
Section .data md5: 6ee1e77a351a949bf112d113eada4e1b sha1: ab753df04c85b7d208af19e535a01f1f99caf19d size: 90112
Section .rsrc md5: 5b4e5798fc1d8bfab3758a2310acde94 sha1: d914889a565a09132b9e71fa3c09d46b6b2aacb5 size: 378880
Section .reloc md5: 3884f0dc6a9b745516f7e0854e7d82d4 sha1: 9566ee663fdec4bd0600be0ed66588ff8f0bd016 size: 39424
Timestamp: 2015-07-26 13:17:30
Pdb path: C:\唐盛武\work\DownUi2.0\Release\demo1.pdb
Version:
LegalCopyright: TODO: (C) <公司名>。保留所有权利。
InternalName: demo1.exe
FileVersion: 1.0.0.1
CompanyName: TODO: <公司名>
ProductName: TODO: <产品名>
ProductVersion: 1.0.0.1
FileDescription: TODO: <文件说明>
OriginalFilename: demo1.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 00647605f54ce156d74b7b52a68dee5596d8a759
IMPhash: 5dc76303e3a11b6cbe0de9d9caad7cff
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.GenericKD.2597249
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2597249
AV BullGuard: Trojan.GenericKD.2597249
AV Padvish: no_virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Ngrbot
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Trojan.GenericKD.2597249
AV Ikarus: no_virus
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): no_virus
AV Microsoft Security Essentials: no_virus
AV K7: no_virus
AV BitDefender: Trojan.GenericKD.2597249
AV Fortinet: Riskware/Chindo
AV Symantec: Downloader.Upatre
AV Grisoft (avg): Win32/DH{gRKBE0EgIiU2PQ}
AV Eset (nod32): Win32/RiskWare.Chindo.M
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.GenericKD.2597249
AV Twister: Trojan.DOMG.wmdw
AV Avira (antivir): no_virus
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1b25_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 420
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1196 -e 380 -g
Creates Mutex: 143623123y75241237437315232835431520000000014533
Creates Mutex: DBWinMutex

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 420

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1196 -e 380 -g

Network Details:

DNS: int.dpool.sina.com.cn
Type: A
180.149.136.219
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php
User-Agent: WinInetGet/0.1
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.219:80

Raw Pcap
0x00000000 (00000)   47455420 2f69706c 6f6f6b75 702f6970   GET /iplookup/ip
0x00000010 (00016)   6c6f6f6b 75702e70 68702048 5454502f   lookup.php HTTP/
0x00000020 (00032)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000030 (00048)   2057696e 496e6574 4765742f 302e310d    WinInetGet/0.1.
0x00000040 (00064)   0a486f73 743a2069 6e742e64 706f6f6c   .Host: int.dpool
0x00000050 (00080)   2e73696e 612e636f 6d2e636e 0d0a436f   .sina.com.cn..Co
0x00000060 (00096)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000070 (00112)   6c697665 0d0a4361 6368652d 436f6e74   live..Cache-Cont
0x00000080 (00128)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000090 (00144)   0a                                    .


Strings