Analysis Date: 2015-07-29 03:51:48
MD5: 91b1ff758d6a563e092306df2571a014
SHA1: 7b43a9140b473e13ade6a1684b84236bb710864c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5fc98034ea189b7af1f9023fd8323dea sha1: 51f3d5ed83405ce59473d328be0b1d8b4f3b74f3 size: 458752
Section .rdata: md5: e65849885f4eebe5720d7ce9ca6b2180 sha1: 0b73dc1f4d0a932c70b7a5fd36f4b06fd53892ec size: 675840
Section .data: md5: 9abca6ba62727402d74eb95b347565e8 sha1: d52378776738bb6a073da7eec15fb79a685e7386 size: 65536
Section .rsrc: md5: 00e838c0becfb10061a84489f4dd39e3 sha1: 0aee106c016dce970f9c51991043a23a07b3cd90 size: 24576
Timestamp: 2013-06-26 05:37:40
Packer: Microsoft Visual C++ v6.0
PEhash: a7c36731d00bf0f72f786e855be1501fd9d7762d
IMPhash: b591a8f87be5b6dd8c614e70d5ef9169
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Graftor.182498
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.182498
AV BullGuard: Gen:Variant.Graftor.182498
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Win32.VirTool.DelfInject.gen!X.4.a
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Graftor.182498
AV Ikarus: no_virus
AV Frisk (f-prot): no_virus
AV Authentium: W32/A-b0178058!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Graftor.182498
AV Microsoft Security Essentials: no_virus
AV K7: no_virus
AV BitDefender: Gen:Variant.Graftor.182498
AV Fortinet: Riskware/FlyStudio
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): no_virus
AV Alwil (avast): no_virus
AV Ad-Aware: Gen:Variant.Graftor.182498
AV Twister: no_virus
AV Avira (antivir): TR/Graftor.1228800.18
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tz.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\tz.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\tz.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\34fe_appcompat.txt
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1720 -e 300 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 344

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 344

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1720 -e 300 -g

Network Details:

DNS: www.2345.com
Type: A
42.62.30.180
HTTP GET: http://www.2345.com/?k36500594
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80

Raw Pcap
Strings