Analysis Date: 2016-04-22 09:11:56
MD5: 0528232b6ed9b376eeff5ec7dc40fda3
SHA1: 427269c5b6b7d827a120206968098f714dfb073a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 009cf957e62aa08e087fa3e5a6e5dde1 sha1: a3dfdc3f42960535eddcc74f4ea29c981958f72c size: 421888 bytes
Section .rdata md5: 4adaa63acafd37002bad9e3b7a9ea220 sha1: 333c7721082bb47638ef14cc46a8b3f57471fb96 size: 4734976 bytes
Section .data md5: 9045d8789b55c5c2cddb59bf8c857041 sha1: e748fae27ef5e89cb5ac29017355cb11e5776245 size: 61440 bytes
Section .rsrc md5: a329525cdefcfa7a2a47b3af0b419770 sha1: 8c36a6f9c2ae287e4a4b0e0779fdd9c0fab68bfe size: 24576 bytes
Timestamp: 2016-04-17 05:20:31
Version LegalCopyright: 作者版权所有 请尊重并使用正版 [translation: "Copyright held by the author; please respect it and use a genuine copy"]
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com) [translation: "This program was written in Easy Programming Language (易语言)"]
ProductName: 易语言程序 [translation: "Easy Programming Language program"]
ProductVersion: 1.0.0.0
FileDescription: 易语言程序 [translation: "Easy Programming Language program"]
Packer: Microsoft Visual C++ v6.0 (a PEiD-style compiler/linker signature, not evidence of packing; the version info above says the binary was built with 易语言, whose output commonly matches the VC6 signature)
PEhash: 19a205fd956eebecda08c77d4758b6684b8e82e0
IMPhash: b2560abea75009e1fdd82740029130a6
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Strictor.104579
AV F-Secure: Gen:Variant.Strictor.104579
AV Dr. Web: Trojan.MulDrop6.17661
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Strictor.104579
AV BullGuard: Gen:Variant.Strictor.104579
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Agentb.idug
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Strictor.104579
AV Ikarus: Trojan.Win32.Agentb
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: Spyware.OnlineGames
AV MicroWorld (escan): Gen:Variant.Graftor.73899
AV Microsoft Security Essentials: No Virus
AV K7: No Virus
AV BitDefender: Gen:Variant.Strictor.104579
AV Fortinet: W32/Generic!tr
AV Symantec: No Virus
AV Grisoft (avg): Win32/DH{YTUJ?}
AV Eset (nod32): No Virus
AV Alwil (avast): Win32:Malware-gen
AV Alwil (avast): Malware-gen
AV Alwil (avast): Downloader-WEX [Trj]
AV Ad-Aware: Gen:Variant.Strictor.104579
AV Twister: W32.AddUser.V.aqcy.mg
AV Avira (antivir): TR/Downloader.Gen
AV Mcafee: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fox1.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\\taskmgr.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\\fox1.exe

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\WINDOWS\system32\ping.exe 127.0.0.1 -n 2

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\\fox1.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\\taskmgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.inf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\_lm_delself_.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.sys
Creates File: C:\WINDOWS\Setupsti.log
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\hllog.txt
Creates File: C:\WINDOWS\_ntdll.bak
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.inf
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.sys
Creates Mutex: lmins_1_0_1

Process
↳ C:\WINDOWS\system32\ping.exe 127.0.0.1 -n 2

Winsock DNS: 127.0.0.1

Network Details:

HTTP GET: http://183.60.200.160:8081/cpa1.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://183.60.200.160:8081/cpa2.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://183.60.200.160:8081/cpa3.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://183.60.200.160:8081/cpa4.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1031 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1032 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1033 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1034 ➝ 183.60.200.160:8081
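
The usual next step with a report like this is to turn the observed behaviour into hunting content. The Python below is an added example (not part of the report and not code from the sample's authors): it parses the report's own "Creates File", "Creates Mutex" and "HTTP GET" lines into indicators, drops the WinINet cache artefacts (the index.dat files, WininetConnectionMutex and the c:!...! mutexes, which any process using WinINet produces and which therefore identify nothing about this sample), normalises the sandbox's XP-era Administrator paths so they also match Vista+ profile layouts, and matches constructed log events. The Windows 7 file path, the /update.txt URL and the www.example.com request are constructed test inputs, not observations from the report.

```python
"""Turn the sandbox report's runtime and network indicators into a small
hunting rule set, then run it over constructed log events.

Added example, not part of the original report or of the analysed sample.
"""
import re
from urllib.parse import urlparse

# Indicator lines as they appear in the Runtime/Network Details above
# (generic WinINet cache artefacts included on purpose, to show filtering).
REPORT_LINES = r"""
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fox1.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\_lm_delself_.bat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\WINDOWS\hllog.txt
Creates File: C:\WINDOWS\_ntdll.bak
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: lmins_1_0_1
HTTP GET: http://183.60.200.160:8081/cpa1.txt
HTTP GET: http://183.60.200.160:8081/cpa2.txt
HTTP GET: http://183.60.200.160:8081/cpa3.txt
HTTP GET: http://183.60.200.160:8081/cpa4.txt
""".strip().splitlines()

LINE_RE = re.compile(r"^(Creates File|Creates Mutex|HTTP GET):\s*(.+)$")

# XP-era and Vista+ profile roots and per-user temp directories.
PROFILE_RE = re.compile(r"^c:\\(?:documents and settings|users)\\[^\\]+", re.I)
TEMP_RE = re.compile(r"\\(?:local settings\\temp|appdata\\local\\temp)\\", re.I)


def normalize_path(path: str) -> str:
    """Map a Windows path to a user- and OS-version-independent form."""
    path = path.replace("\\\\", "\\")      # the sandbox prints Temp\\taskmgr.exe
    path = PROFILE_RE.sub("<profile>", path)
    path = TEMP_RE.sub(r"\\<temp>\\", path)
    return path.lower()


def is_noise(kind: str, value: str) -> bool:
    """WinINet creates these in any process that touches its cache;
    they show WinINet use, not this particular sample."""
    v = value.lower()
    if kind == "Creates Mutex":
        return v == "wininetconnectionmutex" or v.startswith("c:!")
    if kind == "Creates File":
        return v.endswith("\\index.dat")
    return False


def parse_report(lines):
    """Collect normalised file, mutex, URL and host:port indicators."""
    iocs = {"file": set(), "mutex": set(), "url": set(), "host": set()}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or is_noise(*m.groups()):
            continue
        kind, value = m.groups()
        if kind == "Creates File":
            iocs["file"].add(normalize_path(value))
        elif kind == "Creates Mutex":
            iocs["mutex"].add(value.lower())
        else:  # HTTP GET: keep the exact URL and, separately, the host:port
            u = urlparse(value)
            iocs["url"].add(value.lower())
            iocs["host"].add(f"{u.hostname}:{u.port or 80}")
    return iocs


def match_events(iocs, events):
    """Return (event index, indicator type, matched value) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "proxy":
            u = urlparse(ev["url"])
            host = f"{u.hostname}:{u.port or 80}"
            if ev["url"].lower() in iocs["url"]:
                hits.append((i, "url", ev["url"].lower()))
            elif host in iocs["host"]:      # unseen path on a known C2 host:port
                hits.append((i, "host", host))
        elif ev["type"] == "file_create":
            norm = normalize_path(ev["path"])
            if norm in iocs["file"]:
                hits.append((i, "file", norm))
        elif ev["type"] == "mutex":
            if ev["name"].lower() in iocs["mutex"]:
                hits.append((i, "mutex", ev["name"].lower()))
    return hits


# Constructed events (not from the report): a Windows 7 host keeps Temp under
# \Users\...\AppData, and a proxy will log any path on the C2 host.
SAMPLE_EVENTS = [
    {"type": "proxy", "url": "http://183.60.200.160:8081/cpa3.txt"},
    {"type": "proxy", "url": "http://183.60.200.160:8081/update.txt"},
    {"type": "file_create", "path": r"C:\Users\jdoe\AppData\Local\Temp\fox1.exe"},
    {"type": "mutex", "name": "WininetConnectionMutex"},
    {"type": "mutex", "name": "lmins_1_0_1"},
    {"type": "proxy", "url": "http://www.example.com/index.html"},
]

if __name__ == "__main__":
    for hit in match_events(parse_report(REPORT_LINES), SAMPLE_EVENTS):
        print(hit)
```

Two caveats when using this against real telemetry. The User-Agent above is a stock IE6 string, so it is only worth matching in combination with the 183.60.200.160:8081 destination, never on its own; and the host:port match is there because payload paths such as /cpa1.txt are cheap for an operator to change while the listener tends to stay. The `_lm_delself_.bat` name together with the `cmd.exe` → `ping.exe 127.0.0.1 -n 2` chain is the familiar batch-file self-deletion pattern (ping against loopback used as a short sleep before the dropper's own file is removed); that reading is an interpretation of the process tree, not something the report states.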

Strings