Analysis Date: 2014-11-23 05:24:47
MD5: 72600fb8106a0d1ce468c3c4e681e355
SHA1: 7b0763c3478576c7f7c6ee73425f248dafecbc34

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bcefd13d879b5aa1628d5731462b1935 sha1: 5e05fbf6b8bf012397b847cd5d10aee153dc895d size: 75264
Section .data md5: 0eb9af4768d13f3fe805922a21fcbf55 sha1: 9665ae9e81ee6c6c0d2193973be588eb90aa031c size: 2560
Section .idata md5: 7f9440e32acb299f3bda96288136b63a sha1: 1d51ab1fb34c6b541f544524a63c3d9d73f566f9 size: 4096
Section .rsrc md5: 268a04383dbc7e86a53e982e1da21c2c sha1: 5d008fc03fb658231e94722b64715e90f270a97c size: 12800
Timestamp: 2005-08-03 16:31:58
Packer: RAR SFX
PEhash: a5e26112ee6686c1c4b959887c4208af6d5889e5
IMPhash: a6d1f237a38b6e7d3a48b606fa0d7939
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.VP.hm0@aifFw6hb
AV Alwil (avast): VB-OYX [Trj]
AV Arcabit (arcavir): Downloader.Vb.aary
AV Authentium: W32/Risk.ASXA-6378
AV Avira (antivir): TR/Gender.130255
AV BullGuard: Gen:Trojan.Heur.VP.hm0@aifFw6hb
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad2.17889
AV Emsisoft: Gen:Trojan.Heur.VP.hm0@aifFw6hb
AV Eset (nod32): Win32/TrojanClicker.VB.NOS
AV Fortinet: W32/VB.AARY!tr.dldr
AV Frisk (f-prot): W32/MalwareF.OGEU
AV F-Secure: no_virus
AV Grisoft (avg): Downloader.Generic9.BWIN
AV Ikarus: Trojan.Win32.VB
AV K7: no_virus
AV Kaspersky: Trojan-Downloader.Win32.VB.aary
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!dtc
AV MicroWorld (escan): Gen:Trojan.Heur.VP.hm0@aifFw6hb[ZP]
AV Rising: Trojan.Clicker.Win32.FakeTx.a
AV Sophos: no_virus
AV Symantec: Spyware.ADH
AV Trend Micro: TROJ_GEN.R32E1BS
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: TXPlatform.exe
Creates Process: C:\WINDOWS\system32\TXPlatform.exe

Process
↳ cmd /c ipconfig/all > C:\WINDOWS\system32\macmac.txt

Creates File: C:\WINDOWS\system32\macmac.txt
Creates Process: ipconfig /all

Process
↳ C:\WINDOWS\system32\TXPlatform.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC72B.tmp
Creates File: C:\WINDOWS\system32\runtrue.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\WINDOWS\system32\runcount.txt
Creates File: C:\WINDOWS\system32\qqver.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: cmd /c ipconfig/all > C:\WINDOWS\system32\macmac.txt
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ ipconfig /all

Winsock DNS: 192.168.254.254

Network Details:

DNS: yd.ecoma.glb0.lxdns.com
Type: A
14.17.101.20
DNS: yd.ecoma.glb0.lxdns.com
Type: A
14.17.101.21
DNS: yd.ecoma.glb0.lxdns.com
Type: A
14.17.101.18
DNS: yd.ecoma.glb0.lxdns.com
Type: A
14.17.101.19
DNS: www.ip138.cn
Type: A
218.133.22.66
DNS: www.ip138.com
Type: A
HTTP GET: http://www.ip138.com/ips.asp
User-Agent: MyAgent
HTTP GET: http://www.ip138.cn/
User-Agent: MyAgent
Flows TCP: 192.168.1.1:1031 ➝ 14.17.101.20:80
Flows TCP: 192.168.1.1:1032 ➝ 218.133.22.66:80

Raw Pcap
0x00000000 (00000)   47455420 2f697073 2e617370 20485454   GET /ips.asp HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a204d 79416765 6e740d0a 486f7374   t: MyAgent..Host
0x00000030 (00048)   3a207777 772e6970 3133382e 636f6d0d   : www.ip138.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000020 (00032)   656e740d 0a486f73 743a2077 77772e69   ent..Host: www.i
0x00000030 (00048)   70313338 2e636e0d 0a436163 68652d43   p138.cn..Cache-C
0x00000040 (00064)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000050 (00080)   0d0a0d0a 61636865 0d0a0d0a            ....ache....


Strings
/
 
%
"
\
NYRCN
..._ 
\"
01A0__
\\
\
.
:
.
x

(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br><br> <lI>
b<style>body{font-family:"Arial,
(&C)
(&D)
DVCLAL(
(&E):
";font-size:12;}</style><ul><li>
GETPASSWORD1
hmsctls_progress32
jjjj
(&L)
</lI>
</li><br><br>)<li>
LICENSEDLG	RENAMEDLG
</lI></ul>
(&N)
(&R)
REPLACEFILEDLG
Rs$@
 %s 
"%s"
 %s CRC 
%s CRC 
Shell.Explorer
STARTDLG
(&W)...
 Windows 
WinRAR 
(&Y)
?*<>|"
 (08@P`p
0e7!0[h
0I2;U7
,{@2D7
33!D	3
`3#Jc 
3Rlxpnx
4cmr)d[
4pcsmT
4Y_cOW
4Y_cOW	
5A}PvUH
5zd[EB-
5	Ze~e
7[&]}:
?7F&Ns
a87ap%
AdjustTokenPrivileges
ADVAPI32.DLL
AQRPhD
ASKNEXTVOL
a`z,2T
@b	gck(W
-bQl;+>
Bwo zu
C,;C$s/
ceQ&^	gdk
CharToOemBuffA
CharUpperA
CloseHandle
CLSIDFromString
cnq6bt
CoCreateInstance
COMCTL32.DLL
COMDLG32.DLL
CommDlgExtendedError
CompareStringA
CopyRect
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateStreamOnHGlobal
CreateWindowExA
|$|;|$d
D$0+D$<
`.data
D$`;D$\}
D$,;D$0u	
&;D$Dr
D$`;D$T
D$`;D$T|
DefWindowProcA
Delete
DeleteFileA
DeleteFileW
DeleteObject
DestroyIcon
DestroyWindow
DialogBoxParamA
DispatchMessageA
&;D$Lw
~DnC1^
DosDateTimeToFileTime
DPZ4)L
D$T;D$\|
;D$Tt\
EnableWindow
EndDialog
e	Nvug
ExitProcess
ExpandEnvironmentStringsA
ExtSign
fbc:N:
FFF))EE	FFFF))))))
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FindWindowExA
f\J|i"!
FreeLibrary
F|v[?l
g33WwQ
GDI32.DLL
GetClassNameA
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetDlgItem
GetDlgItemTextA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetNumberFormatA
GetOpenFileNameA
GetParent
GETPASSWORD1
GetProcAddress
GetProcessHeap
GetStdHandle
GetSysColor
GetSystemMetrics
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
GlobalAlloc
gwS3	3
gwS37%w`	
gz\$|Y
<head><meta http-equiv="content-type" content="text/html; charset=
HeapAlloc
HeapFree
HeapReAlloc
</html>
<html>
ICON*b
.idata
,i\i\j
InitCommonControlsEx
Install
IsDBCSLeadByte
IsWindow
IsWindowVisible
IUDJrX
\ jp>4 z
|jXPz`
K5SR<j
KERNEL32.DLL
KGyzx|
);l$8u
License
LICENSEDLG
L$\)L$T
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
LocalFileTimeToFileTime
LookupPrivilegeValueA
lstrcmpiA
lstrlenA
MapWindowPoints
MessageBoxA
*messages***
MoveFileA
MoveFileExA
mPj!4I
'~Mq<R_
MultiByteToWideChar
M;Z4s+;Z,s
N4Y_cOW
&nbsp;
=nH]'SK
#nJU4;
N>,u?u
N_^[Y]
O7@qr+
OemToCharA
OemToCharBuffA
`O/f&Tnx
/oGj_}
OLE32.DLL
OleInitialize
OleUninitialize
OpenProcessToken
Overwrite
:p2#7i
P8r>+S
,$&_&p9
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
PeekMessageA
penc-N
PostMessageA
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
Presetup
ProgramFilesDir
QV}P<^
Qy4&	q
__rar_
RarHtmlClassName
RarSFX
RDxq(&
ReadFile
RegCloseKey
RegCreateKeyExA
RegisterClassExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
RichEdit
@.rsrc
rtmp%d
SavePath
%s.%d.tmp
SendDlgItemMessageA
SendMessageA
SeRestorePrivilege
SeSecurityPrivilege
SetCurrentDirectoryA
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetLastError
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
sfxname
SHAutoComplete
SHBrowseForFolderA
SHChangeNotify
SHELL32.DLL
ShellExecuteExA
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi.dll
Shortcut
ShowWindow
sIh$FA
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s%s%d
%s %s %s
STARTDLG
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
SystemTimeToFileTime
T$0+L$8
TempMode
tfkL$@)
This program must be run under Win32
}TIv3\,es
t Kt<Kt[
TranslateMessage
T$(;T$,
TXPlatform.exe
UpdateWindow
USER32.DLL
utf-8"></head>
>Vcl-d
v*eJwb
v]GtN^;
|~]V?/i_k
vMx`&?}
/v }S@
WaitForInputIdle
WaitForSingleObject
Wd|"4o
We#'jm
WideCharToMultiByte
]wrI\]/
WriteFile
wsprintfA
wvsprintfA
Wwgu"'P
WwR"'P
WwS7'u
x5Jv)6g
x 7_@k
,XrCQ`
xt-0|K
Y2'"@`V
$yKai\
YNANRC
{<:y&q?	
y<+}{S"
_^[YY]
$YZ_^[
YZ]_^[
zrMJ)aW
;Z$sa;Z
ZT~@CN/g
Zv^jon