Analysis Date: 2014-07-29 13:39:32
MD5: 3ce08f804c5986856a85e16a4e211334
SHA1: 377e67693759a42371fee5bb5631a6f1e6167118

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section code: md5: 1058d5005133a6ff9f21be9e6ee83874 sha1: 13d7337c4b6f307aaf518263caa35d42c46ce192 size: 7680
Section data: md5: f51a0427387458195c05906bae8ef96c sha1: 9fe74e232e62b289f06eece31401f28f710e3095 size: 13824
Section .idata: md5: 798744f175bcc62970423d43e37d6062 sha1: a0d2d94d08bc7913db947bcebff349009fd4e0f7 size: 3072
Timestamp: 2014-02-27 15:20:25
PEhash: 9907d106baa2999cfeb2057e7b2eb0044526a7c2
IMPhash: 3e960be8eda70801665d22b1c143e813
AV: Microsoft Security Essentials 32bit => No Virus
AV: Rising Command-Line Scanner => No Virus
AV: McAfee Command-Line Scanner => No Virus
AV: eScan Anti-Virus => Gen:Trojan.Heur.bmX@XI16QXj
AV: MalwareBytes Anti-Malware => No Virus
AV: Avira Antivirus => No Virus
AV: Emsisoft Command Line Scanner => No Virus
AV: Norman AntiVirus => No Virus
AV: Ikarus Command-Line Scanner => No Virus
AV: F-PROT Antivirus for Windows => No Virus
AV: Command Anti-Malware => No Virus
AV: YARA Command-Line Scanner => No Virus
AV: Zillya! Antivirus => No Virus
AV: Ad-Aware Command-Line => Gen:Trojan.Heur.bmX@XI16QXj
AV: Trend Micro System Cleaner (SysClean) => No Virus
AV: 360 Safe => Gen:Trojan.Heur.bmX@XI16QXj
AV: Avast! Professional Anti-Virus 8.0 => No Virus
AV: ESET NOD32 Antivirus => No Virus
AV: VirusBlokAda (Console scanner) => No Virus
AV: Quick Heal AntiVirus => No Virus
AV: AVG AntiVirus => Win32/Heur
AV: Symantec Command-Line Scanner => Backdoor.Trojan
AV: ArcaVir Antivirus => No Virus
AV: ClamWin Antivirus => No Virus
AV: Fortinet Command-Line Scanner => No Virus
AV: K7 Anti-Virus => No Virus
AV: Dr. Web Anti-virus => No Virus
AV: F-Secure Anti-Virus => Gen:Trojan.Heur.bmX@XI16QXj
AV: Kaspersky Anti-Virus => Trojan.Win32.Generic
AV: CA (Total Defense) Internet Security Suite => No Virus

Runtime Details:

Process
↳ C:\malware.exe

Network Details:

Strings