Analysis Date: 2015-03-24 17:30:21
MD5: 7b42b35832855ab4ff37ae9b8fa9e571
SHA1: 374943af10ae4c47ba27b4534cc4b468bfaa9eff

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b442cc1ec79958ed5c8881fd7984feff sha1: e2f0adcf99e24685baa6ce6732e40f351d88ed80 size: 27136
Section .rdata: md5: 7215c37c4097c125847115e68d5c05c2 sha1: 26595b22f83a0155e2ef5d4bd40dd8d0d2f19926 size: 3072
Section .data: md5: 2e25dcbdb4c10fcf5072c47ffc0cee8b sha1: adae22a7157429904bfd89524c99accb0e35e562 size: 3072
Timestamp: 2009-08-03 08:29:29 (PE header compile time; linker-written and trivially forged, so not a trusted date)
Packer: Installer VISE Custom
PEhash: d09f233f13a9efd4259ede490fbec2db25e01407
IMPhash: a1a42f57ff30983efda08b68fedd3cfc
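The file type, compile timestamp and per-section hashes above are all read straight from the PE headers. The following script, added here as an example and not part of the sandbox or of the sample, recomputes those fields with the standard library only. It parses a minimal PE32 image that it constructs itself (build_sample_pe, with a .text section holding the bytes "abc" and an empty .data section); REPORT_SECTION_MD5 carries the .text/.rdata/.data MD5 values listed above so that compare_sections() shows how to check whether a file in hand is the one that was analysed.

```python
"""Recompute the 'Static Details' a sandbox derives from a PE header: machine type,
compile timestamp and per-section MD5/SHA1, using only the standard library.
The PE image parsed here is a minimal one constructed in build_sample_pe(),
not the sample from the report; REPORT_SECTION_MD5 holds the report's values."""
import hashlib
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "Intel 80386 32-bit", 0x8664: "x86-64"}
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, SymTab ptr/count, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics

# Per-section MD5 values listed in the report, used by compare_sections().
REPORT_SECTION_MD5 = {
    ".text": "b442cc1ec79958ed5c8881fd7984feff",
    ".rdata": "7215c37c4097c125847115e68d5c05c2",
    ".data": "2e25dcbdb4c10fcf5072c47ffc0cee8b",
}


def build_sample_pe():
    """Construct a minimal PE32 in memory: DOS header, PE signature, COFF header,
    no optional header, two section headers (.text holding b'abc', .data empty)."""
    sections = ((b".text", b"abc"), (b".data", b""))
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine i386, TimeDateStamp 1000000000 (2001-09-09 01:46:40 UTC), executable + 32-bit flags
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 1000000000, 0, 0, 0, 0x0102)
    raw_off = e_lfanew + 4 + struct.calcsize(COFF_FMT) + struct.calcsize(SECTION_FMT) * len(sections)
    headers, payload = b"", b""
    for name, raw in sections:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), len(raw), 0x1000,
                               len(raw), raw_off + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += raw
    return dos_header + b"PE\x00\x00" + coff + headers + payload


def parse_pe(blob):
    """Walk the headers and hash each section's raw bytes (what the report lists)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, blob, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, blob, sec_off + 40 * i)[:5]
        raw = blob[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError("section %r is truncated" % name)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "size": raw_size,
                         "md5": hashlib.md5(raw).hexdigest(),
                         "sha1": hashlib.sha1(raw).hexdigest()})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            # TimeDateStamp is written by the linker and trivially forgeable: report it, do not trust it
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest(),
            "sections": sections}


def compare_sections(info, expected_md5):
    """Names of sections whose MD5 differs from (or is missing in) the expected map."""
    return [s["name"] for s in info["sections"] if expected_md5.get(s["name"]) != s["md5"]]


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print("Section %-6s md5: %s sha1: %s size: %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
    print("Timestamp:", info["timestamp"], "Machine:", info["machine"])
    print("Sections differing from report:", compare_sections(info, REPORT_SECTION_MD5))
```

Section hashes are a better re-identification key than the whole-file MD5/SHA1 when a sample is repacked or has an overlay appended: the code sections survive while the file hash changes. Note that the hashes cover SizeOfRawData bytes from PointerToRawData, so a section that is expanded or zero-filled on disk will hash differently from its in-memory image.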
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.4596108
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Generic.4596108
AV Authentium: W32/Trojan.FJYA-5091
AV Avira (antivir): TR/Cossta.grt.10
AV BullGuard: Trojan.Generic.4596108
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Cossta.grt
AV ClamAV: WIN.Trojan.Cossta-4
AV Dr. Web: Trojan.Siggen4.25865
AV Emsisoft: Trojan.Generic.4596108
AV Eset (nod32): Win32/Agent.WQS
AV Fortinet: W32/Cossta.WQS!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.4596108
AV Grisoft (avg): Agent2.BCYK
AV Ikarus: Trojan.Win32.Cossta
AV K7: Trojan ( 000030f81 )
AV Kaspersky 2015: Backdoor.Win32.Small.liy
AV MalwareBytes: no_virus
AV Mcafee: Generic BackDoor.adt
AV Microsoft Security Essentials: Backdoor:Win32/Neunut.A
AV MicroWorld (escan): Trojan.Generic.4596108
AV Rising: Trojan.Win32.Generic.12C8EA9F
AV Sophos: Mal/Dloadr-BK
AV Symantec: Trojan.Gen
AV Trend Micro: TSPY_COSSTA.DH
AV VirusBlokAda (vba32): Trojan.Cossta
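Most of the labels above are generic buckets (Trojan.Generic, Malware-gen, Agent, Small, Dloadr) rather than family names, and the vendors that do name a family do not all agree (Cossta, Neunut). The script below, added as an example and not part of the sandbox, turns the table into a detection ratio and per-family vote count in the style of AV-label normalisation tools. AV_RESULTS is the table above copied verbatim; the stop-word list and the minimum token length are this example's own heuristics and will need tuning for other vendor sets.

```python
"""Turn the per-vendor labels from the report's AV table into family votes and a
detection ratio. AV_RESULTS is copied from this report; the token heuristics
(stop-word list, minimum token length) are this example's own assumptions."""
import re
from collections import Counter

AV_RESULTS = [
    ("360 Safe", "no_virus"), ("Ad-Aware", "Trojan.Generic.4596108"),
    ("Alwil (avast)", "Malware-gen:Win32:Malware-gen"), ("Arcabit (arcavir)", "Trojan.Generic.4596108"),
    ("Authentium", "W32/Trojan.FJYA-5091"), ("Avira (antivir)", "TR/Cossta.grt.10"),
    ("BullGuard", "Trojan.Generic.4596108"), ("CA (E-Trust Ino)", "no_virus"),
    ("CAT (quickheal)", "Trojan.Cossta.grt"), ("ClamAV", "WIN.Trojan.Cossta-4"),
    ("Dr. Web", "Trojan.Siggen4.25865"), ("Emsisoft", "Trojan.Generic.4596108"),
    ("Eset (nod32)", "Win32/Agent.WQS"), ("Fortinet", "W32/Cossta.WQS!tr"),
    ("Frisk (f-prot)", "no_virus"), ("F-Secure", "Trojan.Generic.4596108"),
    ("Grisoft (avg)", "Agent2.BCYK"), ("Ikarus", "Trojan.Win32.Cossta"),
    ("K7", "Trojan ( 000030f81 )"), ("Kaspersky 2015", "Backdoor.Win32.Small.liy"),
    ("MalwareBytes", "no_virus"), ("Mcafee", "Generic BackDoor.adt"),
    ("Microsoft Security Essentials", "Backdoor:Win32/Neunut.A"),
    ("MicroWorld (escan)", "Trojan.Generic.4596108"), ("Rising", "Trojan.Win32.Generic.12C8EA9F"),
    ("Sophos", "Mal/Dloadr-BK"), ("Symantec", "Trojan.Gen"),
    ("Trend Micro", "TSPY_COSSTA.DH"), ("VirusBlokAda (vba32)", "Trojan.Cossta"),
]

CLEAN = {"no_virus"}
# Tokens that name a class or a vendor's generic/heuristic bucket, not a family (assumption of this example).
GENERIC = {"trojan", "generic", "gen", "win32", "w32", "win", "backdoor", "malware", "mal",
           "tr", "tspy", "agent", "small", "dloadr"}
MIN_FAMILY_LEN = 5   # shorter all-letter tokens are usually variant codes (e.g. "bcyk", "grt", "liy")


def family_tokens(label):
    """Candidate family names in one label: alphabetic, long enough, not a generic token."""
    toks = re.split(r"[^A-Za-z0-9]+", label.lower())
    return {t for t in toks if t.isalpha() and len(t) >= MIN_FAMILY_LEN and t not in GENERIC}


def family_votes(results):
    """One vote per vendor per family name; clean verdicts do not vote."""
    votes = Counter()
    for _vendor, label in results:
        if label in CLEAN:
            continue
        votes.update(family_tokens(label))
    return votes


def detection_summary(results):
    detected = sum(1 for _vendor, label in results if label not in CLEAN)
    votes = family_votes(results)
    top = votes.most_common(1)
    return {"total": len(results), "detected": detected,
            "top_family": top[0][0] if top else None,
            "top_votes": top[0][1] if top else 0,
            "votes": dict(votes)}


if __name__ == "__main__":
    s = detection_summary(AV_RESULTS)
    print("%d/%d vendors detect; family votes: %s" % (s["detected"], s["total"], s["votes"]))
```

On this table the summary is 25 of 29 vendors detecting, with seven of them naming Cossta and one naming Neunut; everything else is a generic label. Treat the family name as a pivot for further research rather than as an identity: vendors maintain independent naming schemes, and a generic verdict says nothing about which family a vendor thinks it is.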

Runtime Details:

Screenshot: (image not reproduced in this export)

Process
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
(Both are device objects of Winsock's Ancillary Function Driver, i.e. a socket being created and an asynchronous connect being issued, not files dropped on disk.)
Winsock DNS: ks.aoldaily.com

Network Details:

DNS: ks.aoldaily.com
Type: A
69.195.129.72
Flows: TCP 192.168.1.1:1031 ➝ 69.195.129.72:443

Raw Pcap
0x00000000 (00000)   160301                                ...
(Only the first three bytes of the 443 flow were captured. 16 03 01 is a TLS record header: content type 0x16 = handshake, record-layer version 3.1. That is the start of a ClientHello, consistent with the WinHTTP and "https://" strings below. The record-layer version is the legacy value clients put in the first record; it does not show which TLS version was negotiated.)
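To make the captured bytes concrete, the script below (added here as an example; not the sandbox's code) decodes the TLS record header from the three-byte fragment above and, when a full record is present, extracts the SNI host name from a ClientHello. Since the report has only the fragment, build_client_hello() constructs a complete ClientHello in memory, using the report's domain as its SNI; that message is constructed, not captured traffic, and its fixed random and single cipher suite are placeholders.

```python
"""Decode the TLS record-layer header printed under 'Raw Pcap' and, when a whole
record is available, pull the SNI out of a ClientHello. PCAP_FRAGMENT is the
three bytes shown in the report; build_client_hello() constructs a complete
ClientHello (not captured traffic) so the full decode path can be exercised."""
import struct

PCAP_FRAGMENT = bytes.fromhex("160301")   # the bytes printed in the report

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_record_header(data):
    """Record header = content_type(1) version(2) length(2). Tolerates truncation:
    a 3-byte capture still yields type and version, with complete=False."""
    if len(data) < 3:
        raise ValueError("need at least 3 bytes of the record")
    info = {"content_type": CONTENT_TYPES.get(data[0], "unknown(%d)" % data[0]),
            "record_version": VERSIONS.get((data[1], data[2]), "unknown"),
            "length": None, "complete": False}
    if len(data) >= 5:
        info["length"] = struct.unpack_from(">H", data, 3)[0]
        info["complete"] = len(data) >= 5 + info["length"]
    return info


def build_client_hello(sni, client_version=(3, 3)):
    """Constructed ClientHello: one cipher suite, null compression, one SNI extension.
    The record-layer version is 3.1 regardless of client_version, as real clients send it."""
    host = sni.encode("ascii")
    name_list = struct.pack(">HBH", len(host) + 3, 0, len(host)) + host   # name_type 0 = host_name
    sni_ext = struct.pack(">HH", 0, len(name_list)) + name_list          # extension type 0 = server_name
    body = (bytes(client_version) + b"\x11" * 32      # client_version, random (fixed placeholder)
            + b"\x00"                                # session_id length 0
            + struct.pack(">H", 2) + b"\xc0\x2f"     # cipher_suites: one entry
            + b"\x01\x00"                            # compression_methods: null only
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(data):
    """Return the SNI host_name from a complete ClientHello record, else None."""
    hdr = parse_record_header(data)
    if hdr["content_type"] != "handshake" or not hdr["complete"]:
        return None
    hs = data[5:5 + hdr["length"]]
    if len(hs) < 4 or hs[0] != 1:      # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                        # skip client_version and random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack_from(">H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos + 2 > len(body):
            return None                                     # no extensions block at all
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            if etype == 0 and elen >= 5:
                name_len = struct.unpack_from(">H", body, pos + 3)[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None                                         # malformed or short body
    return None


if __name__ == "__main__":
    print("report fragment:", parse_record_header(PCAP_FRAGMENT))
    hello = build_client_hello("ks.aoldaily.com")
    print("constructed hello:", parse_record_header(hello), "SNI =", extract_sni(hello))
```

In a fuller capture, the SNI (or its absence) is the field to pivot on: WinHTTP sends the host name passed to WinHttpConnect, so a ClientHello to 69.195.129.72 carrying ks.aoldaily.com would tie the flow to the DNS lookup above without decrypting anything. The negotiated TLS version lives in the ServerHello, not in the record header decoded here.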


Strings
==
00-+ 
.
\
. 
-
         (((((                  H
jjjj
jjjjjj
(null)
WinHTTP 1.0
AAAAAAAAAAAAAAAA
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
abnormal program termination
btHHt.
CloseHandle
\cmd.exe
connect ok
connect %s
CreateFileA
CreatePipe
CreateProcessA
@.data
DOMAIN error
D$,SPQh,
DSUVWh
Error %d has occurred.
ExitProcess
- floating point not loaded
FlushFileBuffers
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetActiveWindow
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetVersion
GlobalFree
`h````
</head>
<head>
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HHtpHHtl
https://
KERNEL32.dll
ks.aoldaily.com
LCMapStringA
LCMapStringW
L$hQSSSUSS
LoadLibraryA
MessageBoxA
Microsoft Visual C++ Runtime Library
MultiByteToWideChar
new.new
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
(null)
PeekNamedPipe
ppxxxx
Program: 
<program name unknown>
- pure virtual function call
`.rdata
ReadFile
Ready!
RtlUnwind
runtime error 
Runtime Error!
SetEndOfFile
SetFilePointer
SetHandleCount
SetStdHandle
SHELL32.dll
SING error
SS@SSPVSS
TerminateProcess
!This program cannot be run in DOS mode.
t-Ht!Ht
TLOSS error
t#SSUP
t.;t$$t(
t$$VSS
T$XVRSS
UFUVh0
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
user32.dll
VC20XC00U
VirtualAlloc
VirtualFree
WideCharToMultiByte
WinHttpCloseHandle
WinHttpConnect
WINHTTP.dll
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpOpen
WinHttpOpenRequest
WinHttpQueryOption
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSetOption
WinHttpWriteData
WriteFile
"WWShx
_^][YY
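Several strings above cluster into recognisable capabilities: the WinHttp* imports with "https://" and the hostname match the 443 flow seen at runtime, the WinHttpGetIEProxyConfigForCurrentUser/WinHttpGetProxyForUrl pair means the client can honour a system proxy, and CreatePipe, CreateProcessA, PeekNamedPipe, ReadFile and "\cmd.exe" together are the usual pattern for attaching a command interpreter to a pipe. The script below, added here as an example (its rule names and rule set are this example's own, not the sandbox's), runs such co-occurrence rules over a subset of the strings above. A hit is an indicator that the code path exists, not proof that it is reachable.

```python
"""Capability triage over a strings dump: each rule needs every indicator in 'all'
and at least one in 'any' (substring match, so '\\cmd.exe' satisfies 'cmd.exe').
REPORT_STRINGS is a subset copied from this report's Strings section; the rules
and their names are this example's own, and a hit is an indicator, not proof."""

REPORT_STRINGS = [
    "WinHTTP 1.0", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "\\cmd.exe", "connect ok", "connect %s", "CreatePipe", "CreateProcessA",
    "Error %d has occurred.", "GetComputerNameA", "GetSystemDirectoryA", "https://",
    "ks.aoldaily.com", "PeekNamedPipe", "ReadFile", "Ready!", "WriteFile",
    "WINHTTP.dll", "WinHttpConnect", "WinHttpGetIEProxyConfigForCurrentUser",
    "WinHttpGetProxyForUrl", "WinHttpOpen", "WinHttpOpenRequest", "WinHttpSendRequest",
    "WinHttpReceiveResponse", "WinHttpReadData", "WinHttpWriteData",
]

# Rule set is this example's own; indicator names are Win32 API names and literals from the dump.
RULES = {
    "winhttp_client": {"all": ["WINHTTP.dll", "WinHttpOpen", "WinHttpSendRequest"],
                       "any": ["https://", "WinHttpConnect"]},
    "proxy_aware": {"all": [],
                    "any": ["WinHttpGetIEProxyConfigForCurrentUser", "WinHttpGetProxyForUrl"]},
    "piped_command_shell": {"all": ["cmd.exe", "CreatePipe", "CreateProcessA"],
                            "any": ["PeekNamedPipe", "ReadFile", "WriteFile"]},
    "base64_alphabet": {"all": ["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"],
                        "any": []},
    "host_fingerprint": {"all": ["GetComputerNameA"], "any": []},
}


def find(indicator, strings):
    """Strings containing the indicator (case-sensitive substring match)."""
    return [s for s in strings if indicator in s]


def match_capabilities(strings, rules=RULES):
    """Map rule name -> sorted list of matching strings, for every rule whose conditions hold."""
    hits = {}
    for name, rule in rules.items():
        all_hits = [find(ind, strings) for ind in rule["all"]]
        if not all(all_hits):              # some mandatory indicator is absent
            continue
        any_hits = [s for ind in rule["any"] for s in find(ind, strings)]
        if rule["any"] and not any_hits:   # none of the optional indicators present
            continue
        hits[name] = sorted({s for group in all_hits for s in group} | set(any_hits))
    return hits


if __name__ == "__main__":
    for name, evidence in match_capabilities(REPORT_STRINGS).items():
        print("%-22s %s" % (name, ", ".join(evidence)))
```

Substring matching is deliberate: import names appear bare in the strings dump while paths such as "\cmd.exe" carry a prefix, and it also lets "WinHttpOpen" cover WinHttpOpenRequest. The cost is false positives on short indicators, so keep each rule anchored on at least one long, specific string, as the rules above do.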