Analysis Date: 2016-02-06 13:00:58
MD5: 2f1d011c3997e7707255a46024810c4d
SHA1: 5f58981deae1c7191289b123ed4bbeab6609c56a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: ebf3eff606657dc74b9364f93cd8f595 sha1: d52374a58b56d25750aa51fc18301a7a0bd04d0b size: 99328
Section .rdata md5: fcac598e2a76088e512a684511b2d39d sha1: 10a075d63ae1178589530298d9e1b62297d79f70 size: 18944
Section .data  md5: 56015f5538e88d1b4edaa40ddef843ae sha1: 28cba375e89712864d629a0fbaea023053aa7d86 size: 5632
Timestamp: 2015-12-28 21:28:59
Packer: Microsoft Visual C++ ?.?
PEhash: 87fba2ca0793beef392130d0ae6c935767d07fc2
IMPhash: d2f902be0ae4ce34af5f46e41b1f875f
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: BackDoor-FCYI!2F1D011C3997
AV Avira (antivir): TR/Spy.A.20765
AV Twister: Virus.660000E989FEFFFF8B.mg
AV Ad-Aware: Gen:Variant.Graftor.159006
AV Alwil (avast): Alinaos-A [Trj]
AV Eset (nod32): Win32/Alinaos.B
AV Grisoft (avg): BackDoor.Generic19.AACX
AV Symantec: No Virus
AV Fortinet: W32/Dapato.B!tr
AV BitDefender: Gen:Variant.Graftor.159006
AV K7: No Virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Alinaos.G
AV MicroWorld (escan): Gen:Variant.Graftor.159006
AV MalwareBytes: Backdoor.Katrina
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Graftor.159006
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Alinaos
AV Zillya!: No Virus
AV Kaspersky: Trojan-Dropper.Win32.Dapato.nzvj
AV Trend Micro: BKDR_ALINA.SMB
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanPOS.Katrina.A3
AV BullGuard: Gen:Variant.Graftor.159006
AV Arcabit (arcavir): Gen:Variant.Graftor.159006
AV ClamAV: Win.Trojan.Alina-3
AV Dr. Web: BackDoor.Alina.7
AV F-Secure: Gen:Variant.Graftor.159006

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaa ➝ C:\Documents and Settings\Administrator\Application Data\usercache\javaa.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier ➝ QLHsbE
Creates File: C:\Documents and Settings\Administrator\Application Data\bootstrap
Creates File: C:\Documents and Settings\Administrator\Application Data\usercache\javaa.exe
Creates File: pipe\KatrinaQLHsbE
Creates Process: C:\Documents and Settings\Administrator\Application Data\usercache\javaa.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\usercache\javaa.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaa ➝ C:\Documents and Settings\Administrator\Application Data\usercache\javaa.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\bootstrap
Deletes File: C:\malware.exe

Network Details:

DNS: katynew.pw (Type: A) ➝ 192.169.82.86
HTTP POST: http://katynew.pw/vis/settings.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Flows: TCP 192.168.1.1:1031 ➝ 192.169.82.86:80
