Analysis Date: 2014-10-11 23:29:20
MD5: 04aecce79a1a346d7132662fc66e81f5
SHA1: 6453ada76906019974ab7074df271633e45a55bf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: ba7088196459217b82597fbd50ee88e5 sha1: 0c8c25e63fe8d7ce884dff05833a6845d0787f38 size: 217088
Section UPX2 md5: 7dbddb691690bc4ff494d5b5ddbc1aa4 sha1: 9cf920030f5bed3fb1eb513fba1440d57ca799af size: 1024
Timestamp: 2014-09-27 15:23:07
Packer: UPX -> www.upx.sourceforge.net
PEhash: 50fbf3e919e037a8c5e812701d2a590af6221805
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c
AV 360 Safe: Gen:Variant.Symmi.42740
AV Ad-Aware: Gen:Variant.Symmi.42740
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.IDDZ-0372
AV Avira (antivir): TR/Hijack.219136
AV BullGuard: Gen:Variant.Symmi.42740
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.42740
AV Eset (nod32): Win32/Agent.WCF
AV Fortinet: W32/Agent.WCF!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.42740
AV Grisoft (avg): Agent5.KJ
AV Ikarus: Trojan.Win32.Agent
AV K7: Trojan ( 0049c9161 )
AV Kaspersky: Trojan-Downloader.Win32.Generic:Trojan.Win32.Hosts2.gen
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!df3
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.42740
AV Norman: win32:win32/SB/Malware
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝
http://www.2345.com/?k98792151\\x00
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝
NULL
Creates File: C:\Program Files\Common Files\appers_7_1958.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Program Files\Common Files\asdqw_3104-48740.JPG
Creates File: C:\WINDOWS\system32\unrar.dll
Winsock URL: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
Winsock URL: http://down.9vh.net/appers_7_1958.exe
Winsock URL: http://down.tianyunxj.com/tqrl_97_1957.exe

Network Details:

DNS: webmirror.pcbeta.com
Type: A
113.107.42.25
DNS: down.9vh.net
Type: A
222.186.60.3
DNS: c06.i06.arnic.hadns.net
Type: A
183.57.148.246
DNS: c06.i06.arnic.hadns.net
Type: A
116.11.254.249
DNS: cdn.pcbeta.attachment.inimc.com
Type: A
DNS: down.tianyunxj.com
Type: A
HTTP GET: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
User-Agent:
HTTP GET: http://down.9vh.net/appers_7_1958.exe
User-Agent:
HTTP GET: http://down.tianyunxj.com/tqrl_97_1957.exe
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP: 192.168.1.1:1032 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1033 ➝ 183.57.148.246:80

Raw Pcap

Strings
.
.
G
.
000
..Z8
.v..
$
|..J..CS
7
X...;+
..
..}kI.
fF
A
O.
..
.C.
.
..
.
.
G
.
000
..Z8
.v..
$
|..J..CS
7
X...;+
..
..}kI.
fF
A
O.
..
.C.
.
..
>	>">.
?"?&?*
0 0&0,02
010:0G0S0g0m0
&%070n
/0`7l]
07qsd.k
 (08@P`p
}09/12
0A@@JR
0/b/	u
0?~CT;[
(0/?k98k
(0.(P7;
=\0t2q
 0;tHNiE
0%t	O#l(2
0T)WA@x
;1;?;{;
1 1$1(1,@
1%1B1U1^1
@1`1d>
17:u |
1930,H
1c8g8k8o8s8w8{8
<*>1>j>q
1#QNAN
1RP-t,
<;`1s`fs
;219.235
2275622D8D
2@3L3X:x3
252;2O2
?.?2?6?:
2;7XpKXrT
2DBu.hP3
2Hqy6q
.2i,9j
@2NDJND
<,2NSi
2\taskmgr.exe
2v"W@O
3&0J(Wjx
3$3(3H
35138b9a-5d9fbd-8
(>->3>8>Y>w>
40.JPG
'>40SX'
4463<t
456789abcdef
457W$n
465p5X7
4804w6i&
4,84<4\4`4d
48'OFNc
4$,C4Q4a4p4
4\<`<d<h
*4f0*7
4\I;B5ZL
"4O^ 3s
4.,$s/z \
4X<ibs
517xky.w
538f494a2afdb0c
54~H5h5t5
<58=4f
5E&!"1
5PVHUP
5&RGzt
5tqrl1
	5Yn8(XfF-.nns
<6!+&/
60[awbw
62VTof
6@@+3;
64144ccf1dfBl
647X7`
6!6(6/6N6U6\6c6
6,686<
673EF7
6"7-7Q
684l2c4511da95:864(
6CzFr]
`'6?g 
6GH&	,
6Q617]
6TJ)pl
6$u(2,$F
\\(6@"Un/i
<6Z2ea7be1
_7_1958=e
731o0`
73937Zav9yvcycn3aku
77>7E7L
7/7Sr"818;9X9
7)8j<A=X=u=
>7aD8=
7BW;<"
7DWORD4
7/Format
7hl-sms=:
%7J-{.
7K8\8j8
>)\ 7p
7p8KDb
7V;,0,27
8273I3
@<840,<
@<840,|
8"8(8.848:ZF
-8au'ru!!u
8"C4Eh
<8C8J8Q8X8_8f8
8EZfd`*
@8ge;td*y!
8mdtZv
8OUPyqc0b
,8qjU@
8!TH3F
$8w-#(V@%
`8Z8d8
')+$9@
91yGLG0
92.e:$
959@9y9
96>NH9NvZ}
^98LIH
98:T:\:d:u:
999XI@7
9`:i:r:~:
="=9=J=
9J:n:t:z:
(9qRxj
	9wfSi
_9~X~Bv
9zXI8)
aa*:4x
<=>?@ABCDE4IJK
about o
@ACL@TM
ADVAPI32.dll
?ADVAPIa&
?_AFX_
AIS_I5Qt0
)Aiv1~
a`[Lc!
and Object
 apack
apoO7n
&APpj:
ap<pN5
Aq&,2v
	=aQA/
Array<charHV
asctorgk
ATL.DLL
Auto=1
AVM_	M`
!A'WClose
a;=x}W
;_$aYbQ	{Du
,B$$))
B3NMx!
b4`/PreviewPages
b"57-1546-4
 @B8TXLH
:bad_a2v
<bbsWj
*BCCxh1
	bCryptKeyCacheI
!BD/5,
be%cAn!B0
}}Bf2$Z
?B?F?J?N?R?V?Z?^?b?f
BGCBAb
bh%H:%M
BitBlt
bJ}n\\
B/LYIu
Bm|J&;,
:B>n9<
bo?-mEpg8l5`
br: m.v1"h
:Bt|C/
Buff#Uppw
BWideC
\?	]=bX6
B(XOLk
%<BZU 
c	2xr[
CB:?D&@F
CDt<yw!Ms
c$[I`A
clB127
%C[ldGW
ClosePrinter
 (/clr)
\CLSI.
COMCTL32.dll
CONOUc
CPPZbugHookr*y
(CR:@#
cripth.
C|SJQGx
[`C~T$*L$
curityP
CValue
+$.CwB
CWinAp
 <$ d0@,b
D0J0P0V
d1.0">m
.D2LR-0qs
d4D)<g-
D7m7y7
dc71cb
d	D<4.
@DefaultI0nB
^&d%er
~d\Fold
dPxGA~
dqw_3104-4b
DragFinish
D sg&s
(dzaA<
E4SCQD
E'CZTar*t
))EE	F
;`eh %V
?EINSZy
#e%Jb+
+EJj~y
~ejta%
~em$qqr
E!n^^j
EnumDisplay/L
#E\.os
er 8^D
Es<p4!
Et0pJM
eT>KtL
E{.txtq
E<*>U*4(
e>X86"N
\,EXE#n
ExitProcess
f1r3|3v3
f5A'OR
F[6A+N
f>?77=d
f7j7w7
f9]8	fr
@FBC(|
Fc4 f	fi
?'fg?t
FKl\3f
fL2g[C
f,l\ h
fMt.B2
FN}>0!
'f%npA{
fOQ2Nm
fph @)#
fP!h/P
	F"&r.
Frre3V
fstVkH
}F,tv(V
|%Ft&xRn
%<FvRAx	y}
fVsM.i(
fxOldhProc423' 
=f;*Y.
fzhWfv
Fzvz[q&J
G0J>t-
G8`/Pp
,G949X
G95\sO
,!`("gAH
GDI32.dll
GetProcAddress
gH i$j
g:HTTP
;GIx@Oq
__GLOBAL_HEAP
_gM`PhT
G:@p&%
g/posi
"gtDM5.
g]tVZrl(
g-u+2!
`(`;gv
H^0-:R0
~,h%4p
h595b`
h6l DlgP
H8?ei5
+h,"9$
h#$a8<
H@aAAi
haoi]x
;HaoZix
hC!j.H
<"H#D$
H;d0q!
(HE@a`
>#[H}f
HiB'8{o
h j8.P
HKEY_LOC
"(>H>L>l>p>
\.hlpt.
HL-SE %B&	
_?%HM/
H:mm:{
>H=Po'
HsH D H+
h~tf$u<
?(?H?T?X?h?
hu4mn~
hwp'0?
HZ,$%_
HZK/$p
i1Free3pv56f-
.;i7DFl
i#,&80$L
I@)[_)b
IC:.FH
IDuhI!
i+l8}W
ilgI`Ts1
in81L\
InternetOpenA
$|i'PHeaVw
_iR0kF
i#R6028
is0~~6
@ise,rp
i}sjxun9
ISPLAY&m|rl_
i>,YHx
@j4M[Si
]Ja5Z3R[nB0
*$JBl%
~J.hnkD
J|:/Kv`
^J@][N
?j?n?r?v?z?~?
:jp:e/
J:Pu\D
J		ti}
ju!QcZuz
~jvd7o
j.W)uQ
jxB;Zu$
=|	j	XO
-JyO$|
j?ZIo_)
j<z<RA
K3E000!*
K>3V4T
	k6F6H
@KERN8
KERNEL32.DLL
kfw>r'N
K&hT?+
-Ki:H$@Q
KjJ>lxM
kM}-/d
;k=o=s=w7
k Source
-~[$KvH
k+w'-n
L6d6h6
L8.mn>
L,:^9%uTf
la/4.0 (
LASSES_ROOTR10
LBnew_
L*.DLL
LEhPjBx$
lGL@:S
L	HN!U
lj0@Pv
LJt|f+
;#<l<-<=<J<u
lkaHCW
@,lMt/
l/mV p
.lnkwu@S
LoadLibraryA
	lod$~
	lovt+
LS4%d. 
Lsoftw
LT#|P8JW
lUaxzGW
&L\vJb\0
,<L<X<x<
l.yi85
_>|l^Z|[
M0s041<1
@ m	>!2
M?)\2$Z
m4y.ie
m6Ir5_vl..1
^;M.\8
M_9/76
ma$:+3
MACHjE\SOFTWAR0
<$MA(+i
mA	i w
{mbA91kd
'MDIFr
?Mg84tV&
mG_Tex
&m-H` 2k
Mh{df4
M<H.W1)
MiscSt
% MkWq
MO+`$,
!?=MODULE
Mo`o$~lPPM
*m>r[sK6l
Msug@w
m_u3] 
MU%WU*
[M;V{(
_M^VyS
M]Xpu1
n08Cqi3
n/3tb_M2
n5Vge&
	N6ER)i!
@N_|Ab4a
(n}Bob#0
NC:3pM8
NDh&%X
NEQG	P1/J0
:nE"yP
NG_NO&;
NI(X dyJ
Nkp7qO_
Nl%(_j
n|mo(X
n	nOtg
No such.
NPgR/S
nPv`~p,t
nrx1)~
N+t+D)
|NtEVU
n _vec
(`o0~&
O2AYf|y
/<.&O3
~O4n4v4
)o7`=t
oAb$RP
#OD4Y9
oe*<h$h
_of_rp@V{
oGetM i
o"IlX~C
OiQIYI\QiyiI
oKB0JH
okGU"R
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO
OleRun
omPoizo'Rg7b
<!(ONop
Oo!+Bt
oOzp~P
opyright 19
OPzr,9Y$Q
orm"9H
Ot$#AMx
otSupp
OW_of@
OXKtU?
P	^0@B 
]p-0$v)
p=0xGQ
P1xmlns="
/p3_kY8
p!4skQ
PathMatchSpecA
PBL"PT
PC%g2a
PDHLPb
@pDNI 
p(}<dS
@PeBaO
P(f0gD
,*p@guoV
P;hESA
pIu[/S
P)iyYY
@Pj@5`vH
#PL-(;=
!Pna{T
+PnK~N
pn`P,R
>PPADDrXX
\!	&Pr
P|#/]T
pTkiO0
'PuB	 
PuO$H./
)P#/_@!X}
p,ZN0Mt
PZ.WW>\
q0x%lR
qD[ozo
Q_e?FlB
qeL==P
`qj0KPv
QK5ucXTP
Qq}zUM5h
q*>VUSWY
Q{X;@w
r?9WLkF
$R[A(R'
rdi2b.c:
RegFlushKey
Rei;ra
rfazmQ
r	F=/lG	Q
RichEdit Tex
RM =l1
RmS/(2
"r(pIpVP
R`Pl08|
rs\etc\ho(s
RsVvfv
R$T:a*s>
rTX\`dr
r?xxO0[
RykP#q
{S_*>;
s32ftaNp
S3Y3d3p3
}S4%JJm
s8d8Lu
s8(`O4z
SAbyKb
:sch&0-m
S@Dt93X
_SELECTED
Sf?`1<-
sf8002*<>|"
Sfndmm
shadu0`
SHELL32.dll
shHNGm"
SHLWAPI.dll
si!9, %8
_SIMULATE_TLS: 
So6c7)
sO;>|C;
SoH0vK
)s;QDj5
s=R;>u
s_ZDWQ
sZ}WQj
,T[09Hk!%
t$0(AH`
-t,0tR
T2X2h2x
t44 ,;
T*4b}B.S_*
`t4=Ft
T5`5l~@6
t 6zVf
T6z}YX
t8lBar%
+*T8X{
"t^9(uZ
TabET|
T )Augu"
|<t`e#nr>
.te_oB
Tg %B&T"
!This program cannot be run in DOS mode.
_THREAD@
Th spa
t>j2S-
]tM.fXzU='
t\ND8*
tNJ@p	/PZ
</T[nK.
tO.PsG
>$T@py
TQp;N	B!,
tR99py
t'" rl
t*SWp7
ttp://2
TV'>]8
t&=,VgD
_Tv*LJ
tw\E|"
tXel/R
^tXuX:
t	z ,T:
t=ZV(]
U0s(VS
@u42:q
>u8SS(\
uA ( HH
uB_nC\x
U&Fvl[G}
U.hU5R
uhWQQv
u!kuB:R/
,u}n$v}
unxj{Uy
UPdR,lP+
UQPXY]!4
uRFGHt
uRSlbXT
?Us6Ex
USER32.dll
u[s"ND-U
uV{6^!rQB
UV~OfU
uvwxyzq
Uw=N9!
v1T9p`t
V/.2r{
,V6<,	
v](b=i
VC20XC00
VERROR
VF0:`?
VFYTikC
vfZF0"2
V*gic_
([V||h
V+	-H+
^(VHCVLvpu
*VH, U
viK/{h
VirtualAlloc
VirtualFree
VirtualProtect
 VisUC++ 
 V+Iy`
Vj(@B$
VJ.QF/F
Vkv_8 5
`vLXk4
\\v]Po
,&[vrH
V\`\s/o
$*v/$tmi
VV4gB+&K u
VXXK&T
#$%&'()*+,-.//:;W
@W0122r2*23
w0&9 #p
w50o0y0
w55^p#
(wbe*!
WB`%;U
W'c5jt
`wg(~bT
Wi74s+^,(8	7
WININET.dll
WINSPOOL.DRV
 --wj-la
#WNexE.
wPrPXH
wsgwdnI13
W',*VeT0;
w ZhoB
X2BN.6h/8xN.
X2Wt/@
>'XA!P;
XcS1Nm
%XCx.C3W
_xf"0o;
X @F6u
, X=/I>
xiGtt4e
xijklm&pq
>x>*J0
~x'JKZ |W
&xK;wF
x=lJ?+
X^,LwB
XO{'']
}xp\+ _cs%
XPTPSW
X<SIbW
XtB+<9
xt@H6&yh(7]
X tnj-
|xtply
x!@W3K
XYZ[\X`?
y2G@/a
`	=YDD
\*@Yf+
YFW+hm8 }
YGam8K
yhd`\X
yj"NY`
]y%M ^
YMD~j2HBE
y==%N_'
 yotW. I
(yp8OXAn
ypdXP^D
yPLD0(
Y[R^Y@
YSTEM 
yTJ:, 
yVL4U0
yXL@4(
y=yC/vV
`/< }z"
z9f9l9r9z9
.@z_E<`
Z<:E,>
Ze*K]o~
z;l@03
Z\N`(6
ZN	9h<d
zNh` B
ZRVBa|
zuKhX_
$ZV c%
zWAW@d
ZwKO`]F
zx1*2=}!
]ZYXbc