Analysis Date: 2014-10-14 05:24:28
MD5: fd638b547ea26fe0edfe0d5534c9b35a
SHA1: 3f37e9b10893aaaf98f562fc6707d827e4d2bbcc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 — md5: c1edcb287c1bc13cb4d9ad3b7aa70a74 sha1: f4353157c1ddd7a045f2162dba43074bbfc471e8 size: 217088
Section UPX2 — md5: 7dbddb691690bc4ff494d5b5ddbc1aa4 sha1: 9cf920030f5bed3fb1eb513fba1440d57ca799af size: 1024
Timestamp: 2014-09-27 11:30:41
Packer: UPX -> www.upx.sourceforge.net
PEhash: 50fbf3e919e037a8c5e812701d2a590af6221805
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c
AV 360 Safe: Gen:Variant.Symmi.42740
AV Ad-Aware: Gen:Variant.Symmi.42740
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.UBAJ-3890
AV Avira (antivir): TR/Hijack.219136.1
AV BullGuard: Gen:Variant.Symmi.42740
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.42740
AV Eset (nod32): Win32/Agent.WCF
AV Fortinet: W32/Agent.WCF!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.42740
AV Grisoft (avg): Agent5.TK
AV Ikarus: Trojan.Win32.Agent
AV K7: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Generic:Trojan.Win32.Hosts2.gen
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dfz
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.42740
AV Norman: winpe/Troj_Generic.WDWZC
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝
http://www.2345.com/?k98792151\\x00
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝
NULL
Creates File: C:\Program Files\Common Files\appers_7_1958.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Program Files\Common Files\asdqw_3104-48740.JPG
Creates File: C:\WINDOWS\system32\unrar.dll
Winsock URL: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
Winsock URL: http://down.9vh.net/appers_7_1958.exe
Winsock URL: http://down.tianyunxj.com/tqrl_97_1957.exe

Network Details:

DNS: webmirror.pcbeta.com
Type: A
113.107.42.25
DNS: down.9vh.net
Type: A
222.186.60.3
DNS: c06.i06.arnic.hadns.net
Type: A
183.57.148.246
DNS: c06.i06.arnic.hadns.net
Type: A
116.11.254.249
DNS: cdn.pcbeta.attachment.inimc.com
Type: A
DNS: down.tianyunxj.com
Type: A
HTTP GET: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
User-Agent:
HTTP GET: http://down.9vh.net/appers_7_1958.exe
User-Agent:
HTTP GET: http://down.tianyunxj.com/tqrl_97_1957.exe
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP: 192.168.1.1:1032 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1033 ➝ 183.57.148.246:80

Raw Pcap
Note: in the second and third dumps, the bytes following each request's terminating CRLF CRLF (from offset 0x50 in the second, 0x55 in the third) repeat the tail of the first request (`cbeta.attachment.inimc.com` / `Cache-Control: no-cache`); these appear to be stale capture-buffer contents rather than part of those two requests, so only the bytes up to the blank line should be read as the request sent.
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg 
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f617070 6572735f 375f3139   GET /appers_7_19
0x00000010 (00016)   35382e65 78652048 5454502f 312e310d   58.exe HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2064 6f776e2e 3976682e   .Host: down.9vh.
0x00000030 (00048)   6e65740d 0a436163 68652d43 6f6e7472   net..Cache-Contr
0x00000040 (00064)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f747172 6c5f3937 5f313935   GET /tqrl_97_195
0x00000010 (00016)   372e6578 65204854 54502f31 2e310d0a   7.exe HTTP/1.1..
0x00000020 (00032)   486f7374 3a20646f 776e2e74 69616e79   Host: down.tiany
0x00000030 (00048)   756e786a 2e636f6d 0d0a4361 6368652d   unxj.com..Cache-
0x00000040 (00064)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000050 (00080)   650d0a0d 0a636265 74612e61 74746163   e....cbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....


Strings
...vw
.
00
..U.8
.
...Q
$
_JC...
D.;.
g.:.}......m.
.A
.0 c
.
04..
.v
.K
..
...vw
.
00
..U.8
.
...Q
$
_JC...
D.;.
g.:.}......m.
.A
.0 c
.
04..
.v
.K
..

>	>">.
 !"#$%&'()*+,-./
?//%(-$
/+`'\+
0 0&0,02
010:0G0S0g0m0
<048<\
\,048\.
&%070K0_R
 (08@P`p
 $(09<
0@<h[	
0J0P0V0\
0'@}qK8
0s32fta
.-0$v)
;1;?;{;
:">(1"
1$1(1,
1%1B1U1^1
@1`1d>
1c8g8k8o8s
1C`{H{
<*>1>j>q
1@O1'_
1q2	2C2
1#QNAN
 :1|)r
1r1v1z1~1
1RP-t,
<1xmln
20XC00
2(252;2O2
2275622D8D
?"?&?*?.?2?6?:
 2 ~/D6i
2DBu.hP
2@E(_&
2ea7be1
{2G?UC
&2I3X^>Ht
<}2lsF
2p*s?f
\2 S2h
2X2h2x2
(3(:2,
32@3L3X:x3
32\taskmgr.exe
3$3(3H
35138b9a-5d9
:(>->3>8>Y>w>
3c5W7J
3kcyo\
3VhDJP
4{'']%
/4.0 (
4463<tC
456789abcdef
465p5X7
4804w6i0
4,84<4\4`4d
4AB>bwB
4$,C4Q4a4p4
4\<`<d<h
4<DLTg
,4<DWX
4(E])w
4~f9.u
4h]0^v
4>%h'I
{4lA7o
,+<4P,M
4S0000
538f494a2afdb0c
5(54~H5h5t5
"57-1546-4
<-<++58=4f//?
5:8642fc
5E+fTL
5,h]ntfY
5o.vD<
/5t"bu
-5$tJ&Y%
	5YfF-.n
5yw5N8
5Z`>H^0-:R0
60[awbw 6!(
61tn,r
647X7`
6!6(6/6N6U6\6!
6,686<
6 7-Z9
6D@g{F
6ER)i!
`'6?g 
6k>o>s
6L\vJb\0
6Q617]7
`6SLG0
7$:(:,
7^3&0G%
731o0a2
73937Zav9yvcycn3aku
73$G*7G
75f06e
77=Ano(
7-7Q6"
7/7Sr"818;9X9
7 8@.32{
7)8j<A=X=
7DWORD4nK
7J-%$J
<7{Nf8+ 
7s*<'Di
7T9p`t
7YQ 6vR
8273I3
<840( 4
840,($y
^,(8	7
8"8(8.848:ZF
]8.9|9
-8au'ru!
8bj)FL
<8C8J8Q8X8_
8&Fvl#PL-(
8G120)
@8ge;*y!St
%8L	"@
(8l@03
8NA,E!
8N };_g
 \(8q;
#8UP*$J
`@8VfB
8v-$Fs
8=y:7:>
[8ypbC
`8Z8d8
9@%1q$m
942q71f
959@9y9
96>NH9N
98:T:\:d:u:
9dw{mUu
9EMQ t
	9h<V-
9`:i:r:~:
9<I@YF
="=9=J=
9`!j0KP
9J:n:t:z:
>9k_;l 
9p	:rX0
\=9!~t
9 vBAG
_9~X~B
9XW/	<$
9y`8;qdt
-9Zwk_
A0/?k9879215
a1B;Zu
a7&gn&2A
a+8XM[
A9 NT 
/:;<=>?@ABCDE
@ACL@TMq
%_AD+~
ADVAPI32.dll
AFN^_F
?_AFX_
AfxOld
A+gU@/
AI5Qyt0
aIH,r)
}a+l&|
alwUgA(
and Object
Array<char>
a)ru|.
@A[SDf
ATL.DLL
AujX60
Auto=1
"Aw<Aj
!A'WCl
AXL0@B
;B 7,7i0
 @B8TX_z
bab{*<s
::bad_aia0Z2v
BaE	uF@
**BCCxh1
{Bc*m>r[sK6ly
@bCry^h
>BEFKK
BfJcG GH
?^?b?f?j?n?r?v?z?~?
?B?F?J?N?R?V?Z
bfndmm
B%[glt)
BitBlt
bNTahq
/Bo%}k
BPibly"
}b	'qXr
bR@<@u
'bscn<'
Buff#Uppw
bugHook
BWideC
bWjaPg.j
 &(C3 
c4 fv_la	f
cAn!EH
C D]AB
C^fE%e
ClosePrinter
 (/clr)
\CLSIDp1T
CmdTar*t
cn/bbsx,
COMCTL32.dll
CONOUT$U
COZ( A}u
c|pDNI
CPPZ*y
[`C~T$*L$
curityP
CWinApp
*d0N"@
:d0Y8X 
d1.0">
D48`}<j
D7m7y7
D@<840<
	{/d`B
]D;B9>
dB&dBdddB&ddddP
dc71cb684l2c4511da9
'"D!cI
D(CRKf
dd1*23
DefaultI0nB,%X
~d\Fold
DHBA@8GS
>>+DHr
d(i*B&
-dk+#u	
DnE"yP0
dqw_3104-4
DragFinish
Dt<yw!Ms
<<DWq/
]dxu2Z
e "^	\
> @ ,E
}E#?2l
E4SCQD
_e5pd.
))EE	F
EeXP#&
eg/posi
;`eh %
\E|"*he
<?EINS
~em$qqri1Free3pvf-
EN!9ms
e#nrO-uI
EnumDi}
E])P'hF
;er 8^D
EsGh5M p
Es<p49
euoGetM
e>X86"6
ExitProcess
f0 n#e
F0R_Xjn}
f1r3|3v3
f7j7w7~
f9]8	fr
F&A"1VN~
$F`[b!
]fBgNl
@.f@C|
&'`Fdjh
Ff)k@{
fgW&^bP\n
Fh;=x}W
[(fig]
FIs@_ X
@fL2g[
fm0Uk)
F>mJ:T
fmo_hy=T
F&(NX\
?Format
fph @s
fRichEdit {
fRY8Z 
}F,tv(V
*&fU&	]
FVF~aW
`fw>r'N
F	XDoH
+FXVLfX
=f;*Y.
#g@=+}
-+*G|&
G0J>tQ
G#+0,X
G8pKtL%~D
G94952
[	gC(^
GDI32.dll
G\du9(
GetProcAddress
g:HTTP+
GKUK4vs|
__GLOBAL_HEAP_SELECTE.
gOW_of@
Gy}Sx4
gz-iT0<j
%<GZ|w
}~,h%4
h595b64144ccf1df
h6l Dlg
h+Ak31
;HaoZip
@hC!j.
HCu_1'(
    He 
>#[H}f
_Hftop
`&:$hJ
<h\J:*
HKEY_LOC
"(>H>L>l
.HLPdK:!
hm|%g2
h!nI3r
`?hO&!
HOLEPRO 
hProc423' 
:H$@Q 
h  SOa1
H$Sv08
?(?H?T?X?h?
Hx1q${
/}H!X7b
HXtB+<9
HZKR_H
hzx1*2
I4m#fwk=,
i>B2Md{
`IBck_/
ibL4s 
icG8%'`
?;"i&d
i!!'djW
IF(((#
Ih%H:%M
i<hSG8j
IJKLMNO S
=I#K)Fb
IKmpF5
,ikw=a
ileNameW
+iLUR1
InternetOpenA
Iq0KIH
iQIYI\Qi
Ir5_vl..1
IsBaCVh
@ise,rp
#iTLYO
).iU2A
i>VUSWY
,!`("j
*J='(|a+
-japoO7notzW
JBusy^
#=//jD
jG`Kqt
j\HZ,$%
&*jL|aj
^J@][N
jO57:NF
J:Pu\D
@JsB:;K
JS>]:V";3
j.W)uQ
-<=<J<z<
k$6@ZkM
K(7u[PV
k7V;,0,27 4
.k9,~8GHs
K*>{$B
>kE	ac
KERNEL32.DLL
kfpiix(
Kj>$+FC[
K	OrYRV
kP#qRy
KRFi 8R<
Kr,l+g
k Source D
K\w1SX
k/'X	v
^K	YPv(
L2tx|r
L3'7Yr
L6d6h6
Lad	wVy
LASSES
l c>6u
ld*f[K
L*.DLL
l>!ENG[IhK4
l *F09
<lhd`\
`(`;l&I
lj0@Pv
LkZ3EF7
l%]L}k~
LoadLibraryA
lOsug@wu
$_l%Ugd
lv<$'-A
,<L<X<x
l.yi85
_>|l^Z|s@7
M0s041<1
(m 1IQU
:m7zum
MACHjE\SOFTWAR
%MA(+i
[MCBAb
@"mD"u
#,MD[y
Mfg1w1
mFq0xp
MiscSt
MKoJ`wh
M~lPPM
!?=MODULE
!/!<MP
M'Qh=F
N0>'bD
n/3tb_
N6W<7W,@
@N_|A4a
==%N_'b(Q
NDh&%X
}new_9d"MA
n:g97:b
NG_NO&
NGSY\3
NH-6>Y
<.>N\l
 ]	N[n
no"IlXC
No such
NotSupp
Nr\ESt<O
}$-N&s
nt>j,U
!Nv[.D
~n _vec
nx98t^
nyboU,
o2b.c: L
~O4n4!
O517xky.we(dp3
o6>pVPt
o6rdon
oE91yG
-}?ofk
_of_r!
OI}O\0
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
O.mpGp
opyright 19
OYSTEM
oZ9y/8
P21O[pE
/p3_kY8
P[5A#d`
@p!7:t
PADVAPIx
!pA|m!j
Pat,aW
PathMatchSpecA
PBL"PT
<|pdXL
< _Pg|*
pg8l7hl-sms=
^P|g@>U
P$"'GU
|pH3r!
'PHeaV
	P+iv"pK
piW0gSs
P)i)YY
P@.<JO
>PPADD
p*p@guo5
PreviewPages
%pt6SI
ptKeyCacheI:[4]
pu(2,C
Pvi8x"C
pW</LfarV
pZp~d2t
Q(4@}|
Q9"Tmh.
Q	+ac.
\QB=^{
'Q (d]
qeL==P
$`:QF|
Q faqs
	!QFWd
/QJ(um
qj;	Xc
>qLe@e
qOaccbY'vpi
qPJw%S8
qptfV?X
  qui*
QUUQPXY]+Bh8a
q[#v*?
Qwe@X:
Q --wj
QWSuAjn
q(Wt#6
 }+!R=
R1wJXl
r2VTofM
r\Advb
*Rais#z
$rBtn:9w
.>%RC=
RegFlushKey
r	F=0^
rf2w!*
r<%GPi
ripth.
r: m.v1"
rQ|cqeX
rrj{ASH
rs\etc\ho(s#
rSWXpu1
RU+3C*
RU  8Qw
%;R$Vm
rwiqa^
s<2ctuZ
S3Y3do
S4GHFD
s8j\%K
Saf1Dhk
SB127.0
:sch&0-A
sctorgk'
]sDdssJ
s	 E]W
s"F+@-
sf8002*<>|"
s_g;	"
Sgd:xr'
S_g	SP@
+Sh  <
%Sh8|%W
shadu007qsd.k
?Shd5.P
SHELL32.dll
SHLWAPI.dll
s{H:mm:{
si!9, %8
SiAi/Y
_SIMULATE_TLS: 
skQ_7_1958
;Sl\C$
=Sn{Da
So|Bdh!txV
sO;>|C;
`sov~E{
splay/L
SPLAY&m|rl_DZg
spmV p
SrinW^
S$U(j6
SV1)Wkb
sWMG=#
]sY%G$
.,$s/z \
-t,0tRC
t44 ,;
`t4=Ft
T5`5l~@6
t 6zog
t8lBar%'MDIFr
"t^9(uZ
T:a*s>z
T )Augus
TB&1*5
tBaSpn
T^&d%er
.te_o"9
tfk('T
tg+\hc
TgTQ %B
!This program cannot be run in DOS mode.
THREAD@
Th spa
Th$s'Wed
#Tj _T1
%t	l(s 
~t$N.#
`TPLD0ib
|tqrl1M_9
t*SWp7
ttp://
t&=,VgD
TV`\W8uU
Ty5 =!TY%
T#y/76
t=ZVP?P
U$0VD5h
uA ( HH
uB_nxoh
UE>CNjJ
U.hU5R
u!<I(,
UI.D,!
um;219.235
unxj{U8
?Upbe%
$	 UPdR,l#Vx
$upValue
uRFGHt
?Us6Ex
USER32
USER32.dll
uT8HSS
uvwxyzS
uwu@Sy28L
V0}CDl0
V50vi(8PX
vAPpgcV
V+`B-jU
vc521s`	v
vd6gJO!
VERROR
vFKl\3Hf$
v'Frre3Vw
(}Vhgg
VI@EH'
VirtualAlloc
VirtualFree
VirtualProtect
 VisUC++ RA
vIV.INI/
Vl/S)G
vmSK_mLXZ
v`~p,go
,&[vrH
$*v/$tmi
;;V=Vi
VV&K r
)VX`?{|}~
v-xa%p*
VzK,D*8M!<
vZz9f9l9r9z9
|W 4$8
w50o0y0
w(85j4
*)WA <
was about o=
(wbPben
WB&X_%`%;U
wdqbhd_&
WININET.dll
WINSPOOL.DRV
%w.J#;^
.Wm; q
W-$N%J
WO`s	C
wsgwdnI13M
)WTK0sSa
WWEt$0tQ
w< }z"
*=*,	x
X$\0tx
x0Uw=N9
'XA!P;
xf"0oS
xijklm&pqi
xL\Ki;\9p
?x.M<[
X{mbAUH
xOl1eM
XP^D@<
XPTPSW
Xt+DPI
xt@H6&
	XvO	u
~x |Wa<QZ
*x$x	e
y2G@/a
y2>JZf
yb.fdf4
> %yD'
\*@Yf+
[yHrd,
Ym;=80
_yn1Zf\
 yotWp
{<:y&q?	
 *yQJC,
Y;UP6g
)ywf>?t
Yy4+L0@
Y;\YYu
z17:u 
Z5!Vm3
zBjP AR
zc:9o[@
,ZEFB'
z)jFz3Q
+ZJyO$|'
Z!kjA3
[ZKYY)
<z>:Nml>
z	S>H3
%zu(8so
/Z$=Yv
Zz /,T