Analysis Date: 2015-09-20 03:00:01
MD5: 393bfe9fa0d56f24b909aa1df697a1b1
SHA1: 4fce00dec4568e885e8c556a5dbfe9b9a322bb4c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f8506d51f74bea2f98f3da3686ac060f sha1: a2832e974c2ca5584e8e1b5857b086fb5297aa80 size: 409600
Section .rdata: md5: ee8395c9f1d60225f762881ca7ffe0e4 sha1: a45210137096714250cbf31d1fc2569194e8c8a7 size: 65536
Section .data: md5: d267d4d7cc539067e92b47ab222d1277 sha1: d69d12191e86dabcfd6fbc3f037f2cfdf02f2361 size: 61440
Section .rsrc: md5: a0498386c76cd16a265f7c241ea6f54a sha1: fcbdd1d29e384f5da80d5e2ae86068a0050aacc8 size: 24576
Section .rmnet: md5: beb6f5450341d65b905c520af4394e30 sha1: b60d51463f27252232c42cc05a91b20f147e1dfb size: 61440
Timestamp: 2014-06-16 18:01:50
Version:
  LegalCopyright: 作者版权所有 请尊重并使用正版
  FileVersion: 1.0.0.0
  Comments: 本程序使用易语言编写(http://www.eyuyan.com)
  ProductName: 易语言程序
  ProductVersion: 1.0.0.0
  FileDescription: 易语言程序
Packer: Microsoft Visual C++ v6.0
PEhash: 2cd1cecad355d769ece2e6a0618b9de67a66a0a5
IMPhash: 6447027bbf837fb693d001fb7f68ce0c
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Graftor.179151
AV Dr. Web: no_virus
AV ClamAV: Win.Trojan.Agent-918523
AV Arcabit (arcavir): Gen:Variant.Graftor.179151
AV BullGuard: Gen:Variant.Graftor.179151
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.FlyStudio.Win32.14635
AV Emsisoft: Gen:Variant.Graftor.179151
AV Ikarus: no_virus
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: Spyware.OnlineGames
AV MicroWorld (escan): Gen:Variant.Graftor.179151
AV Microsoft Security Essentials: Trojan:Win32/Skeeyah.A!rfn
AV K7: Trojan ( 004b18c71 )
AV BitDefender: Gen:Variant.Graftor.179151
AV Fortinet: W32/Generic.OMD!tr
AV Symantec: no_virus
AV Grisoft (avg): Downloader.Generic13.CLKE
AV Eset (nod32): Win32/FlyStudio.OMD
AV Alwil (avast): Ramnit-CZ:Win32:Ramnit-CZ
AV Ad-Aware: Gen:Variant.Graftor.179151
AV Rising: no_virus
AV Twister: W32.Flystud.OMD.kott
AV Avira (antivir): TR/Zusy.626688.4
AV Mcafee: Pasta

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2.txt

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015092020150921\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015092020150921!
Creates Mutex: Shell.CMruPidlList
Winsock DNS: www.2345.com

Network Details:

DNS: www.2345.com (Type: A) ➝ 42.62.30.180
HTTP GET: http://www.2345.com/?kq1249967666
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1034 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1035 ➝ 42.62.30.180:80
