Analysis Date: 2015-06-13 20:29:03
MD5: 41e7b94afce536da2b15471ec5598a8d
SHA1: 38752b5a97f71e0e55b046a95f3f9a8e9f1f995a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text  md5: 704661009f4884b4f225959c2b5a627f  sha1: 09c835ac12a7cfec3cad61827730977784d3ef90  size: 53248
Section: .data  md5: 620f0b67a91f7f74151bc5be745b7110  sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d  size: 4096
Section: .rsrc  md5: 5adc3292894011c68a85e256c4d0ac7a  sha1: ca76e92f36e16d1d1f245b1ae62e4415e55add10  size: 53248
Timestamp: 2009-01-28 14:34:40
Packer: Microsoft Visual Basic v5.0
PEhash: ae641cd17b1a5887f79133e8708958eb8f47caca
IMPhash: 5755b75844cfa52d57ba6716498d2924
AV Rising: Trojan.Win32.Generic.12DE7004
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.18070
AV Dr. Web: Trojan.Siggen.63395
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.18070
AV BullGuard: Gen:Variant.Symmi.18070
AV Padvish: no_virus
AV VirusBlokAda (vba32): Malware-Cryptor.VB.gen.1
AV CAT (quickheal): Trojan.Agent2.iyf
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Yoddos.vkd
AV Zillya!: Trojan.Agent2.Win32.3139
AV Emsisoft: Gen:Variant.Symmi.18070
AV Ikarus: VirTool.Win32.VBInject
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.18070
AV Microsoft Security Essentials: VirTool:Win32/VBInject.gen!S
AV K7: Backdoor ( 04c5369d1 )
AV BitDefender: Gen:Variant.Symmi.18070
AV Fortinet: W32/Vb.AQ!tr
AV Symantec: W32.Spybot.Worm
AV Grisoft (avg): Agent2.GFU
AV Eset (nod32): Win32/Injector.AFXI
AV Alwil (avast): no_virus
AV Ad-Aware: Gen:Variant.Symmi.18070
AV Twister: Trojan.B6B2E95F94DAE5A6
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: Generic BackDoor.k

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\malware.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\malware.exe
Creates Process: C:\\malware.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\awtqnkhe.bat "C:\Documents and Settings\Administrator\Local Settings\Temp\malware.exe"

Process
↳ C:\\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2c0c_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 540 -e 152 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120} ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\awtqnkhe.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\WINDOWS\system32\awtqnkhe.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\administrator@wmvmedialease[1].txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\awtqnkhe.bat "C:\Documents and Settings\Administrator\Local Settings\Temp\malware.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 540 -e 152 -g

Process
↳ \??\C:\WINDOWS\system32\winlogon.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqnkhe\Asynchronous ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ➝ NULL
Creates Mutex: e2f5bee9

Network Details:

DNS: childhe.com
Type: A
141.8.225.80
HTTP GET: http://childhe.com/pas/apstpldr.dll.html?affid=152078&uid=&guid=4C48C17156884952ACE1F6E49B75390B
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f706173 2f617073 74706c64   GET /pas/apstpld
0x00000010 (00016)   722e646c 6c2e6874 6d6c3f61 66666964   r.dll.html?affid
0x00000020 (00032)   3d313532 30373826 7569643d 26677569   =152078&uid=&gui
0x00000030 (00048)   643d3443 34384331 37313536 38383439   d=4C48C171568849
0x00000040 (00064)   35324143 45314636 45343942 37353339   52ACE1F6E49B7539
0x00000050 (00080)   30422048 5454502f 312e310d 0a416363   0B HTTP/1.1..Acc
0x00000060 (00096)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000070 (00112)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000080 (00128)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000090 (00144)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000a0 (00160)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000b0 (00176)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000c0 (00192)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000d0 (00208)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000e0 (00224)   290d0a48 6f73743a 20636869 6c646865   )..Host: childhe
0x000000f0 (00240)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x00000100 (00256)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x00000110 (00272)                                         


Strings