Analysis Date: 2015-08-18 06:47:47
MD5: 02643cdc2b02a040ea4ba73b003c001d
SHA1: 6c8739cf548fb95ef5d2f0b07c7d5ff733ca7290

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: f9594a0902b2a8360c2448d7b0275819  sha1: a2fb435e18d619bc80832a68410f2ffab45ce5a5  size: 238592
Section .rdata  md5: 2d619db48ad40d65ace93766d3397ef4  sha1: e3b199da04d4652a8de783e751fa4f98c5ef84ae  size: 13312
Section .data   md5: 7eaaa3efcf641f3705c4252ae46ba50d  sha1: b0c2a675da4a2da2a58d1a7df6296f7b1c459280  size: 6144
Section .rsrc   md5: 9b58581f9c8da9b41cff7dd9680adf40  sha1: 81064d333834b7d52662c4723420e001a47385db  size: 27648
Timestamp: 2015-08-08 17:24:45
Version:
  LegalCopyright: Copyright(c) 2008 Adobe, Inc.; 7-ZIP DLL Copyright(c) 2008 Igor Pavlov
  Comment: Created by PowerArchiver. Copyright(c) 2008 ConeXware, Inc. 7-ZIP Copyright (c) 2008 Igor Pavlov.
  InternalName:
  FileVersion: 1.0.1.2
  CompanyName: Adobe Systems Incorporated
  LegalTrademarks:
  ProductName: Adobe Extractor
  ProductVersion: 1.01
  FileDescription: Adobe Extractor
  Comment2:
  OriginalFilename:
Packer: Microsoft Visual C++ ?.?
PEhash: 9a5d4240486e7a3f8665a46c87641248fe254226
IMPhash: 0f9d8eb470fc5da1436a80cc5c96bbb3
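The four Section lines and the Timestamp field above can be recomputed from the file with nothing but the standard library. The script below is an added example, not the sandbox's own code: it walks the PE section table, hashes each section's raw bytes, and decodes the COFF TimeDateStamp. The PE it runs on is constructed inline (the `build_sample_pe` helper, the section names and their contents are this example's own, not the analysed sample); only the timestamp value is taken from the report so the decoding can be checked against the line above.

```python
"""Recompute the per-section md5/sha1/size fields and the PE timestamp.

Added example, not the sandbox's own code. Standard library only; the PE it
hashes is constructed inline (it is NOT the analysed sample).
"""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def _coff_offset(pe: bytes) -> int:
    """Locate IMAGE_FILE_HEADER via e_lfanew, validating the MZ and PE magics."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + 4


def compile_timestamp(pe: bytes) -> str:
    """COFF TimeDateStamp rendered in UTC, i.e. the report's 'Timestamp' field."""
    ts = struct.unpack_from(COFF_FMT, pe, _coff_offset(pe))[2]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def section_hashes(pe: bytes):
    """[(name, md5, sha1, size)] per section, in section-table order.

    Hashes cover SizeOfRawData bytes at PointerToRawData, so the file-alignment
    slack is included; hashing VirtualSize bytes instead gives other digests.
    """
    off = _coff_offset(pe)
    hdr = struct.unpack_from(COFF_FMT, pe, off)
    n_sections, opt_size = hdr[1], hdr[5]
    table = off + struct.calcsize(COFF_FMT) + opt_size
    out = []
    for i in range(n_sections):
        s = struct.unpack_from(SECTION_FMT, pe, table + i * struct.calcsize(SECTION_FMT))
        name = s[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = s[3], s[4]
        data = pe[raw_ptr:raw_ptr + raw_size]
        if len(data) != raw_size:
            raise ValueError(f"section {name} points past end of file (truncated/malformed)")
        out.append((name, hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(), raw_size))
    return out


def report_lines(pe: bytes):
    """Same 'Section .text md5: ... sha1: ... size: ...' layout as the static details."""
    return [f"Section {n} md5: {m} sha1: {s} size: {z}" for n, m, s, z in section_hashes(pe)]


def build_sample_pe(sections, timestamp, file_align=0x200) -> bytes:
    """Assemble a minimal PE32 from (name, bytes) pairs. Constructed test input only."""
    opt_size = 0xE0                                     # standard PE32 optional header size
    hdr_len = 0x40 + 4 + struct.calcsize(COFF_FMT) + opt_size + len(sections) * struct.calcsize(SECTION_FMT)
    first_raw = -(-hdr_len // file_align) * file_align  # headers padded up to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    table, body, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % file_align)
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(data), va,
                             len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        va += -(-len(padded) // 0x1000) * 0x1000
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (first_raw - len(head)) + body


# Constructed sample: the timestamp value is the one the report shows; the section
# names and contents are arbitrary test bytes, not the analysed file's.
SAMPLE_TIMESTAMP = 0x55C63B5D                           # 2015-08-08 17:24:45 UTC
SAMPLE_SECTIONS = [(".text", b"abc"), (".rdata", b"constructed read-only data")]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS, SAMPLE_TIMESTAMP)

if __name__ == "__main__":
    print("Timestamp:", compile_timestamp(SAMPLE_PE))
    print("\n".join(report_lines(SAMPLE_PE)))
```

Two things worth checking when comparing your own output against a report like this one: the section sizes above are all multiples of 0x200, which is what SizeOfRawData gives for a file-aligned binary, so a tool that hashes VirtualSize bytes will disagree on every section; and a section header whose raw pointer plus size runs past the end of the file is a malformed or truncated sample, which the function refuses to hash rather than silently hashing a short slice. The IMPhash field is not reproduced here because it needs a walk of the import directory, not the section table.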
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Mikey.21897
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Mikey.21897
AV BullGuard: Gen:Variant.Mikey.21897
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan-Dropper.Win32.Dycler.wjt
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Mikey.21897
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.155133
AV Microsoft Security Essentials: Trojan:Win32/Lethic.K
AV K7: Trojan ( 004cca441 )
AV BitDefender: Gen:Variant.Mikey.21897
AV Fortinet: W32/Dycler.DTAP!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Crypt4.BTXL
AV Eset (nod32): Win32/Kryptik.DTDR
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Mikey.21897
AV Twister: Trojan.Girtk.DTDR.dbyw
AV Avira (antivir): TR/Crypt.ZPACK.123724
AV McAfee: RDN/Gamarue-FCA
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KdjSaS011arhaaa ➝
  C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\KdjSaS011arhaaa ➝
  C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe\x00

Process
↳ C:\WINDOWS\Explorer.EXE

Creates File: \Device\Afd\Endpoint (a Winsock socket object, opened from the Explorer.EXE process)

Network Details:

Flows TCP: 192.168.1.1:1031 ➝ 178.19.109.197:6600
Flows TCP: 192.168.1.1:1031 ➝ 178.19.109.197:6600
Flows TCP: 192.168.1.1:1032 ➝ 178.19.109.197:6600
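The two runtime observations worth turning into repeatable checks are the Run/RunOnce writes that point into a SID-named folder under C:\RECYCLER, and the repeated TCP connections to 178.19.109.197:6600 made while Explorer.EXE holds the socket. The script below is an added example, not the sandbox's own logic: it parses lines in the report's own "Registry <key> ➝ <value>" and "Flows TCP <src> ➝ <dst>" layout (the registry value may sit on the following line, as printed above) and flags autostart entries, executables inside a SID-named recycle-bin folder, an embedded NUL in the value, and repeated outbound connections to non-standard ports. `COMMON_PORTS` and `MIN_REPEATS` are assumptions chosen for this example, not thresholds from the report; the sample text embeds the report's own registry and flow records plus two benign lines constructed for contrast.

```python
"""Turn the registry and network observations above into repeatable checks.

Added example, not the sandbox's own logic. Reads lines in the report's
'Registry <key> ➝ <value>' and 'Flows TCP <src> ➝ <dst>' layout. COMMON_PORTS
and MIN_REPEATS are assumptions made for this example.
"""
import re
from collections import Counter

AUTOSTART_KEY = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKCU|HKLM)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Recycle-bin tree (RECYCLER on XP/2003, $Recycle.Bin on Vista+) with a SID-named subfolder.
RECYCLE_SID_DIR = re.compile(r"\\(RECYCLER|\$Recycle\.Bin)\\S-1-5-21-[0-9-]+\\", re.IGNORECASE)
REGISTRY = re.compile(r"^Registry:?\s*(.+?)\s*➝\s*(.+)$")
FLOW = re.compile(r"^Flows?\s+TCP:?\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s*➝\s*(\d+\.\d+\.\d+\.\d+):(\d+)$")
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 995}   # assumption for this example
MIN_REPEATS = 2                                                     # assumption for this example


def _records(text):
    """Yield one logical record per line, joining 'key ➝' with a value on the next line."""
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            line, pending = pending + " " + line, None
        if line.endswith("➝"):
            pending = line
            continue
        yield line


def registry_indicators(text):
    """Registry writes that look like persistence, with the reasons they were flagged."""
    findings = []
    for rec in _records(text):
        m = REGISTRY.match(rec)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        reasons, path = [], value
        if AUTOSTART_KEY.match(key):
            reasons.append("autostart value under Run/RunOnce")
        if RECYCLE_SID_DIR.search(value):
            reasons.append("executable in a SID-named folder under the recycle bin")
        if value.endswith("\\x00") or "\x00" in value:
            reasons.append("trailing NUL in the value (naive tooling truncates the path there)")
            path = value.replace("\\x00", "").replace("\x00", "")
        if reasons:
            findings.append({"key": key, "path": path, "reasons": reasons})
    return findings


def flow_indicators(text):
    """Destinations contacted on unusual ports or repeatedly, counted per endpoint."""
    per_dst = Counter()
    for rec in _records(text):
        m = FLOW.match(rec)
        if m:
            per_dst[(m.group(3), int(m.group(4)))] += 1
    findings = []
    for (ip, port), n in sorted(per_dst.items()):
        reasons = []
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard destination port {port}")
        if n >= MIN_REPEATS:
            reasons.append(f"{n} connections to the same endpoint (possible beaconing or retry)")
        if reasons:
            findings.append({"dst": f"{ip}:{port}", "count": n, "reasons": reasons})
    return findings


def triage(text):
    return {"registry": registry_indicators(text), "flows": flow_indicators(text)}


# The report's own registry and flow records, plus two benign lines constructed for contrast
# (an unrelated HKCU value and a single connection to 192.0.2.10:443, a documentation address).
SAMPLE_REPORT = r"""
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KdjSaS011arhaaa ➝
C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe\x00
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\KdjSaS011arhaaa ➝
C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe\x00
Registry HKEY_CURRENT_USER\Software\Example\LastRun ➝ 2015-08-18
Flows TCP192.168.1.1:1031 ➝ 178.19.109.197:6600
Flows TCP192.168.1.1:1031 ➝ 178.19.109.197:6600
Flows TCP192.168.1.1:1032 ➝ 178.19.109.197:6600
Flows TCP192.168.1.1:1033 ➝ 192.0.2.10:443
"""

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REPORT).items():
        for hit in hits:
            print(section, hit)
```

The path is returned with the trailing `\x00` stripped so it can be fed to a file lookup, but the NUL itself is kept as a reason: a value that ends in an embedded NUL is read differently by C-string and counted-string consumers, and that difference is something to look for in the dropper rather than discard. A non-standard port and a repeat count are indicators, not a verdict; they give you the endpoint to pivot on in the pcap, nothing more.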
