Analysis Date: 2014-12-09 11:10:09
MD5: d4b05cb0750267c2ea39592c2c99d07e
SHA1: 40404c1d9f1b8098811c8331a28ac277c92b8ee4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (zero bytes on disk — these are the MD5/SHA1 of empty input and carry no information about the sample)
Section UPX1 md5: 780e6c904e4670b8fa845360d2d0ca4a sha1: 570b8a3f294d60fe2f23623d9f1d408f769c49be size: 217088
Section UPX2 md5: 7dbddb691690bc4ff494d5b5ddbc1aa4 sha1: 9cf920030f5bed3fb1eb513fba1440d57ca799af size: 1024
Timestamp: 2014-10-16 01:08:22 (PE header compile timestamp; attacker-controlled, do not treat as authoritative)
Packer: UPX -> www.upx.sourceforge.net
PEhash: 50fbf3e919e037a8c5e812701d2a590af6221805
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c (the sample is UPX-packed, so this imphash most likely reflects the packer stub's import table — the Strings section below shows only LoadLibraryA/GetProcAddress/VirtualAlloc/VirtualFree/VirtualProtect/ExitProcess — rather than the payload's; recompute on the unpacked binary before using it for clustering)
AV 360 Safe: Gen:Variant.Symmi.42740
AV Ad-Aware: Gen:Variant.Symmi.42740
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.EERZ-0114
AV Avira (antivir): TR/Symmi.42740.67
AV BullGuard: Gen:Variant.Symmi.42740
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.42740
AV Eset (nod32): Win32/Agent.WCF
AV Fortinet: W32/Agent.WCF!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.42740
AV Grisoft (avg): Agent5.AMB
AV Ikarus: Trojan.Win32.Agent
AV K7: Trojan ( 0049c9161 )
AV Kaspersky: Trojan-Downloader.Win32.Generic:Trojan.Win32.Hosts2.gen
AV MalwareBytes: no_virus
AV McAfee: RDN/Generic.dx!dgk
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.42740
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
Detection tally: 17 of 29 engines flag the sample, mostly under generic names (Symmi, Agent, Generic); Kaspersky's Trojan-Downloader / Hosts2.gen naming is the most specific and agrees with the downloader and hosts-file behaviour recorded under Runtime Details. Results reflect signatures as of the analysis date only.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝
http://www.2345.com/?kkkkkkkk2345\\x00 (IE home-page hijack; the trailing \x00 is the captured NUL terminator, not part of the URL — the `?kkkkkkkk2345` query string looks like an affiliate/tracking tag, unverified)
Registry HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝
NULL (a policy key commonly used to stop the user from changing the home page back; the written value was not captured by the sandbox)
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝
NULL (HKLM write — the sample evidently ran with administrative rights in this sandbox; this key governs Explorer's "Show hidden files" option and is commonly altered to keep dropped files out of sight; value not captured)
Creates File C:\Program Files\Common Files\appers_7_1958.exe (same file name as the download from down.9vh.net below)
Creates File C:\WINDOWS\system32\drivers\etc\hosts (hosts-file rewrite, consistent with Kaspersky's Hosts2.gen name; diff the file against a clean baseline to recover any redirected domains — the contents were not captured here)
Creates File C:\Program Files\Common Files\asdqw_3104-48740.JPG (a .JPG written under Common Files; the only .jpg fetched below has a different name, so check whether this is a renamed payload rather than an image)
Creates File C:\WINDOWS\system32\unrar.dll (DLL dropped into system32; together with the HKLM write above this confirms the run had admin privileges, so behaviour on a non-admin host may differ)
Winsock URL http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg (forum attachment fetched over plain HTTP)
Winsock URL http://guangqu924.oss-cn-hangzhou.aliyuncs.com/gqbb24_mt1.exe (second-stage executable; no file of this name appears among the created files above — it may have been written under another name or the download may have failed, unverified)
Winsock URL http://down.9vh.net/appers_7_1958.exe (matches the dropped file name above)
All three retrievals are unauthenticated HTTP with no integrity check, so the payloads observed in this run may differ from what the same URLs serve at another time.

Network Details:

DNS webmirror.pcbeta.com
Type: A
113.107.42.25
DNS down.9vh.net
Type: A
222.186.60.3
DNS guangqu924.oss-cn-hangzhou.aliyuncs.com
Type: A
112.124.219.90 (shared Alibaba Cloud OSS endpoint — block on the bucket name / full URL rather than on this IP or the aliyuncs.com domain)
DNS cdn.pcbeta.attachment.inimc.com
Type: A — no answer recorded; the HTTP request for this host was sent to 113.107.42.25, the address returned for webmirror.pcbeta.com, so the two names presumably resolve to the same host (likely a CNAME; unverified)
HTTP GET http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
User-Agent: (none — the request carries only Host and Cache-Control headers; see Raw Pcap)
HTTP GET http://down.9vh.net/appers_7_1958.exe
User-Agent: (none)
HTTP GET http://guangqu924.oss-cn-hangzhou.aliyuncs.com/gqbb24_mt1.exe
User-Agent: (none)
Detection note: HTTP/1.1 GETs for .exe resources with no User-Agent header and `Cache-Control: no-cache` are a usable proxy/IDS signature for this downloader stage, independent of the (rotatable) hostnames.
Flows TCP 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP 192.168.1.1:1032 ➝ 222.186.60.3:80
Flows TCP 192.168.1.1:1033 ➝ 112.124.219.90:80
(192.168.1.1 is the sandbox guest's own address and the ports are sequential ephemeral ports — neither is an indicator; the three destination IP:80 pairs are.)

Raw Pcap (request headers only; no responses shown. In the second and third dumps, the bytes following each request's terminating 0d0a0d0a repeat the tail of the first request — "cdn.pcbeta.attachment.inimc.com / Cache-Control: no-cache" — and appear to be stale buffer content from the capture tool rather than data sent on the wire; do not derive indicators from those trailing bytes.)
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg 
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f617070 6572735f 375f3139   GET /appers_7_19
0x00000010 (00016)   35382e65 78652048 5454502f 312e310d   58.exe HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2064 6f776e2e 3976682e   .Host: down.9vh.
0x00000030 (00048)   6e65740d 0a436163 68652d43 6f6e7472   net..Cache-Contr
0x00000040 (00064)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f677162 6232345f 6d74312e   GET /gqbb24_mt1.
0x00000010 (00016)   65786520 48545450 2f312e31 0d0a486f   exe HTTP/1.1..Ho
0x00000020 (00032)   73743a20 6775616e 67717539 32342e6f   st: guangqu924.o
0x00000030 (00048)   73732d63 6e2d6861 6e677a68 6f752e61   ss-cn-hangzhou.a
0x00000040 (00064)   6c697975 6e63732e 636f6d0d 0a436163   liyuncs.com..Cac
0x00000050 (00080)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000060 (00096)   61636865 0d0a0d0a 696d632e 636f6d0d   ache....imc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....


Strings (extracted from the UPX-packed image, so almost everything below is compression residue; the few readable fragments — e.g. `32\taskmgr.exe`, `\Expljr\Adv`, `rs\etc\ho(s.`, `E\SOFTWAR`, the stub imports LoadLibraryA/GetProcAddress/VirtualAlloc/VirtualFree/VirtualProtect — are consistent with the registry and hosts-file activity above but should be re-checked on the unpacked binary before being used as signatures)
c..D8.Y
.
0
.
.PP
.b..
..X
/
J..
.
...`;..
#
+
..
..
.
o+..c.ba
,.
;
..u
c..D8.Y
.
0
.
.PP
.b..
..X
/
J..
.
...`;..
#
+
..
..
.
o+..c.ba
,.
;
..u
>	>">.
 !"#$%&'()*+,-./
0 0&0,025
009J.@10
-00JDV
00s[|0
010:0G0S0g0m0
@01Fd2h7xfui
	{'04$0u
&%070K0_R
 (08@P`p
0974[C1
0@Bw!Nl
0e	{R3
0_of_r
0.(P7;;
0R[*'S
0s32fta
.-0$v)}1
0"vAk,
0W:D\X
0'xDs%o
0xpWmF
=0xQT{W`8
;1;?;{;
1 1$1(1,
1%1B1U1^1
1.76/AS
1c8g8k8o8s8w8{8
\1C M.
1"+Dg8
1g@=+#.
<*>1>j>q
1^"n&?
<1PrI<<4
1q2	2C2
1#QNAN
1r1v1z1~1
1RP-t,~)<B&
1v`KAt
2(252;2O2
2275622D8D
2 3-4a
24_mt1=Y
25sn	b
?"?&?*?.?2?6?:
"2AUd0
2dlg4"
!@2 mV
"2@Tj>
2u9.7P1
3! |-,|
~31o0a2
32@3L3X:dP
32\taskmgr.exe
:(>->3>8>Y>w>
3c5W7J
~3CG*7G
3g,%WE
3!TEIAg
3x<J{g	
3#Y%&!
3yd[T|u
42718)Y
} 4&/4?
4463<t
44h88U
456789abcdef
465p5X
4,84<4\4`
4ccf1dfBl
4\<`<d<h
4~f9.u
4s\Blu,
4TL\vJb\0
4X<ibs
517xky.we(dw
538f494a2afdb
5(54~H5h
"57-1546-46Pt%t-a5
<58=4~f[xf
59@9y9
5PVHUP
5+_ryZi
/5t"bu,
];5v7m
<5;|Y_
	5YfF-.n
5@;ZNk
60[awbw
6(6/6N6U6\6c6
6,686<
673E|7
6"7-7Q6"
6Ir5_vl..1
6k>o>s
6Q617]7
6rH,$,&8
6Rmo_H
|6TJ)pl
7$:(:,
73937ZavE
75f06e
77>7E7L
7/7Sr"
7)8j<A=X=u=
7C`;rh
7DWORD4
+7Fl|<
7/Format
7*gic_
7K8\8j8
7OwI}h
7sA3> 
# 7,sv
7"t^9(uZ
7V;,0,
@7vL{og
8*@:':
818;9X9
840,($y
=8\\(6@"
8"8(8.848:
 88og.P
8`@8Vf
]8.9|9
8au'ru!!u
8b9a-5d9fbd-8
<8C8J8Q8X8_8f8
@8ge;J^
&8$Hw$
8|jms*F
8MZ0H<
8Sh2tnC(
8 UnH 
#8UP*$JB
8X)|ca
&,8y/9J
`8Z8d8
900FB`'
91yG<G
92.e:$:
930,H?E
.942q71f
^}%950Nb~
98:T:\:
="=9=J=
@9QQPC1
9 vBAG
9X8-fe$
9y`8;qdt
9yvcycn3aku
a|$6AX
a9# <n
AAHO0#
a* )Augus
)Ab7HK
/:;<=>?@ABCDE
Ab-V+	-x
accbYpi
acheI:[4]
@ACL@T\
!ActuZ
ADVAPI
ADVAPI32.dll
ad	wV{
AfxOldhProc423k
ag&CK_
aJ\?6N
and ObjectO
AndSh%%'
AN&sI>
Array<ch
ATL.DLL
Auto=1
AXP!% 
+axz.d
B127.0
>B>_2.
b_8zvBSG1Cq(so
::bad_
~b?_AFX_j_ST
BaseG"
B-?.B]
bb<@Xa6
**BCCxh1
%`@bCryptK/
BfJcG!
bfndmm
BHGuE0
b/ibbq
BitBlt
bLC}	;
B?M!IOZ
:B>n9<f
b{%nk&K
*Bosd+8d0B
.BoWND
b'$%pD
BQCo@8
BrQMd44
bR@<@u
Buff#&
@B.vTE(
B'vt"hv
^bv<v)3P
BWideCd
]BxA}<-
B!	~Ya
Bz-:F(a
%<BZ$=YvW
C:3FSX
,C4Q4a4p4
C8OF{=
CDt<yw!
ceLu?v/
c-=gsP
ClosePrinter
~\CLSID
ClwlN^
CmdTar*t
COMCTL32.dll
CONOUT$
@Cp080
CPbAMj>
<CPDHL
CPgR/S
crackP
cripth.
cTC7B@
ctXLHXvT
curityP
cW@)?hO
cWkb*,
Cwld*f
cX(Q(]
D0J0P0V0\
[:d0Y8
d1.0">
.D2LR-0qs
D2<oOl
D2=.(R
D48`}<j
D<4,TP
d+4:Zda
D7m7yW
=d (b,
<=D\ @B8V
dBc*m>r[s
DBu.hP3
dc71cb684l2c4511da
de%aAn!
d\Fold
$D\$	g)
*dGpa-
dh'p}o
di2b.c: L
d(i*BEb{J&
D~j2HT
DKV^iabS
D\Kw;\9
dnvp[,X
dqw_3b4-48740.JPG_X
DragFinish
dR[	mr
DSig.XB
Dv]<<C
dz.371
e5!YM3
E{{\acb
))EE	F
@eeG,(
_e?Fld
(Efv7Mk
eGa"c3
*,E}|H
~,;`eh %h
=|EHVP
@Ejnop
^ejta" 
Elehmd
~em$qqri1Free3pY
En_KD*
!eN:p]
e#nrO-uID
EnumDisplay/
`/En-V
E>Onx|
;er 8^D
eSh,_BY
E\SOFTWAR`
euoGetM i
e>X86"
ExitProcess
\Expljr\Adv
Eyy7R5^;
f&0-m9
F0Rb8jn
f1r3|3v3
F4TZ\-
`f7fJ 
f7j7w7
f9]8	f
f9vh.p
@ F@AO
{FAV#y
FazpiWB
^F B=N
&'`Fdj
FF$qW&!
FgjYYa
?'fg?t
F?J?N?R?V?Z?^?b?f?j?n?r?v?z?~?
FKl\3H
fmo_hy=T
fMt.B2
Fnw(U`v
]F}p*L0@
}F,tv(
>FVuC[.=
FW5NNnk
`=Fx\?
f*x.85
F<XuX:
=f;*Y0j
fYu!$V
fzhWfv
g(~b_SQ
GB`\tJ
GDI32.dll
GetProcAddress
gH i$j
GKUK4vs|
__GLOBAL_HEAP_SELECT
G"m:8R"D
G'm;{mo
guo5gq
GwilgI*Cva`Ts1'r
gYQC !
?<GZ|w
h4aRxy-
h595b6414
h6l Dlg
H9NvZz9f9l9r9z9
hC!j. 
%H-D4%
HD@<84y
H#D$@zr,
H]E!R'
]^ HFD?
;HFZip
/h%H:%M
H(I[WTtN
HKEY_LOC
	H!;l5
,Hl\6a	i
"(>H>L>l>p>
Hm9PIX
HN.00y
@h	nG?
<hp6#]
,:H %s
h|t-i*R/
h(,V|"T:M
hw,Qz	
H:@xFW
h;=x}W
HxZKU>/
>\HZ,$%P=1
HZQ"Jq
["&i2//
i6DefaultI0nj
I7XH(7upu1
I8F.>-
I8~/rg
I8Xt>@|^/
?Iau==
ibL4f4
IDuZBjj
iewPages
"iG9,~8
IGh5M p
IJKLMNO
i+l8}W
ileNameW
InternetOpenA
\i!PCM
i:r:~:
\IR;l,
@ise,rp
"I#uDz6
|J7g, 
J[89GW
jaPg.K
japoO7not
jbPF0\C
jbwi}sjxun)
|JCUa)
jE$5P"
jf,;;&
_jg04Ou\F483lZatm
JH4wQ^
;j`h8N
j<IR1.
j	JNVT
J#L0N<PHR
J:Pu\D
jtiPP(
@j.Vvf
>@k]8R
kcWMG="
KERNEL32.DLL
k}h#%i~
Kk)+Y)
;k=o=s=w
kP#qRy
KQ3	zp
Kq=*H[1
&?kv)(
$Kw8.XLOwq
kWwktZ%L|
k:Zk,C
|l(||"|
=L4;O 
+l5&<8
L6d6h6
l7hl-sms=
!#L8W$
la/4.0 (M4,
{lBar%'MDIFr
L $$)d
L*.DLL
/LfarV
lGL@:S
=(`;l&I
^li)YL2xk
LJt|lE4
;#<l<-<=<J<z<
LKuk	@
,LL*	+2
.lnkwu@
LoadLibraryA
Lo$upValueg
loXA#d
{#~lPPM
\L S1u
L,:Tf?
lUaxzGW
lus)HSl
Luvwxyz
LV>xlTNP
,<L<X<x<
l.yi85
_>|l^Z|[ga
LzVhDJP
M0s041
=m,4p[a?
m95:8642fc
+<$MA(+i
MEfd{g
?-mEpg8`
m@FBC(|
=[MH/\
#.mijr
MiscSt8!
MiUzfaa
;!ml#J
mm)n X
m{;nFC
	!MO'^
M~O4n4v4
Mp6ER)i!
MsSb8e
&+MTo*P
,<m!:v
_M^VyS@
[m/W<F
(MzG(\
n1'wp'
;n3SZ/
n(`3\ut
N,4{,R
\nb;"i
NDh&%X
new_9d"MAE
Nf8+ ZZh
NG_NO&
NH-6>Y
NIn9MZ
{nl&%1
n.mpGpM
N{o"HY
no"IlXPh
No such.
NotSupp
n(p.mn>K
nPrx1~
Nr!16?
N$R8Nd?
 n'R.p
<$-N&s
|ntEVU
nt>j,BU
 NT LVS
.(~nv2
n _vec
nV@PHL
nWLELO
N]{wsf
}/o,*4
O6^\tA
O94952
#OD4Y9
=oFvl#PL-(;=
[oiV{$ vt
ojor6~
o'L|)A
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPROE
OleRun
omPoizo'#
oO&m|rl_DZgL
o/posi
opyright 19
OqNC!y
Otx>Oy
o;t_[y
ource D
/Ovi$,S
P/27h/
**P{6!'
*p987y
p)APPk@
PathMatchSpecA
PBL"PT
$p{D@Q 
PE+T5p
>~p,go.
p=]gPt
p@{@GPtU
Ph@atY
)'PH*.L
p,ikw=+
PjBx(Z
-pLVPo
P)l	YY
Pnm`w	=&
p<(n"XPD
p _Pg 
ppsGiQI	
}pSg,]Y
pTab)Q8
p@`	.v
PV~00^
pWYHYs
]:q=4,
@Q4\/l
Q_7_1958
{(<Q@B$
+Q+C&y
qdb':O
qD=RY*/
QD.@>we@G:a
qFbAl{
q.I@c@,
"Qj}t<
\@QlR 
qn?_~d
qoAML-)]
> q\]Ro	
,Qsl<a6r
+{q*T8
@QT9p`t
  qui*
q[#v*?
<Q#>_VS
<Q w	=
Q#,x`u
r$\0t	P
#R6028
RA1Ffg1w1
r@DHLPr
[RdX[8
RegFlushKey
rf2w!*
(<Rfr~y
RF!>_v
rju!QcV
>RLLb7
 r: m.v1"
"r(pIpVP
rri444@*
rs\etc\ho(s.
RSWCV-l
R$T:a*s>z%
_	r!Vj
rwiqab
rXtR99
S3Y3d3p3
Saf1Dh
SB`>H^0-
sctorgk
sf8002*<>|"1
shadu007qsd.k
SHELL32.dll
SHLWAPI.dll
si!9, %8
_SIMULATE_TLS: 
;Sl\C$
sO;>|C;2I
S @( q(L
sug@wu
$SUVB<3
SyKldp
s_ZDWQ
SzH:mm
 ,&T^0@B<
-t,0tRCK
T	<0ws&Pr
T2X2h2x2
	t34$Y
T5`5ltA
*t8W<D
t9UW_I
T\,B$$
Tbx.hd
tCQc}7ku.
.te_HN
TERz~W
]/T{F>
!This program cannot be run in DOS mode.
t+/h=l
THREAD@
Th spa
Th$s'We
#Tj _@5
t Kt<I
TM4s+^,(8	
tn:g97
t<|$nH
tO.PsGw
tp://0
TPLD0(p
TP;Xc |
t*SWp7=
TV`\WU
t?W>L|]@,
\.TX\`.
?T?X?h?
u,;`*	
u(\)@`[
+u1s,J
-u+2!J
U4zi/j
*>u8SS
`@U`9D[
ubzNhB
ucHUTE
U:f,l` h
uGLrZS
#u&gnF%
u!kuB:R/
`u*LIw
;ulV^h
um;219.235
$uogHfiy
up;98?
UQPXY]W
U	rEbRG
uRFGHt
USER32
USER32.dll
uTn>ES8HS
UV~OfU
uxijklm&pq
?u%YSTEM
,!`("V{
V0tIC,]C
`V2a,\
\v/	a"
=#/vaw
VC20XC00
<;`?vc521s`fs/
<{Vcj,({
&V!C%q
@ |.VD
$veIq0w@JZ
VERRORr
Vge&Z7!
([V||h
VirtualAlloc
VirtualFree
VirtualProtect
 VisUC++ R
,&[vrH
v[Sh$`
:VSP0E
VSPLAY
>VUSWY
vw6"HA
)v"W@Oy
V%X_kl
|V;\YYyX
was about o=
WB`%;U
WClose
WEp:z[1
w"F$WRk
wG8`/k
WININET.dll
WINSPOOL.DRV
--wj-lazh-
wLVSPh
{.<w~N
+w'OEM
Wo`j\R
WP(U;P
`wS7a<
wsgwdnI13
@Wtcf/
)WTKl[
WW7@qH
w+&'WZ
wY)bhd_h
\! X\!
X`?{|}~
X4K*g[
X6/\6.
X6U`2L
_!x8V	
'XA!P;
x&^bP\n
x	e 0!W
xIdxit
xiGttv
xj99|\
x Ju/'_yO$|(
X&./?k
 <Xm1[
xmlns="
X?=MODULE_j
xoa*iP
XP^D@<
XPTPSW
XpUMb[
X (s(J
  X`t4=
XtB+<9
Xt+DPI5
,&Xu7&h
x, wlY
XwX\'q
(x! :z
{Xz?,@
y09?EI
y0H3Ix
Y-0Z}c
$'y6t444
Y7@j2G
yb/bbs3W
\*@Yf+a
yI}ciI/m
YI\Qiyi
yl)u%y
_yn1Zf\
<YP;Fr/C
yPibly
yplhd`
{<:y&q?	
Y'Sr,OFXHH
:ywf>?7
yW_of@
/< }z"
Z)+$.@
Z2ea7be1
z64lbt4xk
zBjP AR
ZbugHook
?Z (/clr)Cv4
z^(EcW
{;Zm-5
Zp~d2t
ZRichEdit Tex
Z?u-h0
zWdxu2Z