Analysis Date: 2015-10-23 09:59:07
MD5: 3fbd42f72c537013477a7652e0b8644b
SHA1: 7d493ec91f4f4b76a09bcc938cc8afa28c859a90

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8fbe4da8c0c907cdf9eb00d68179d3df sha1: f442216d0defb4828b4feafebaec1aca6da20b6f size: 334848
Section .rdata md5: fb63bf653dba2c8131fff876af25df8e sha1: a1ddc0fec39edd3c78c21d5664b98db3abe5907a size: 153088
Section .data md5: a0cc10c54ff58bb908a439ff0cf26780 sha1: 245deb65a0163b9de6b352765bdf154e848058bc size: 26624
Section .rsrc md5: 4eb8dcc18c802afc5816d70006834e79 sha1: 931d23e5769b9fb92d2150fef366a038e06fb85b size: 2239488
Timestamp: 1970-01-01 05:15:02
Pdb path: C:\Bin\setup.pdb
Version LegalCopyright: Copyright ? 2013
FileVersion: 3, 15, 9, 1711
CompanyName: MICROSOFT
ProductName: sunshine
ProductVersion: 1, 0, 0, 2
OriginalFilename: tomgo
Packer: Microsoft Visual C++ ?.?
PEhash: 77a6086c237c4a1d70035b8423d7a57e3ce1edfb
IMPhash: 4ca0a24dbc751324aa7e7f0cb8c2109f
AV Rising: Trojan.Win32.Zzinfor.d:Trojan.Win32.Zzinfor.f
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Zusy.118140
AV Dr. Web: Trojan.Rootkit.15977
AV ClamAV: Win.Trojan.Ascii.115_238_251_56-1
AV Arcabit (arcavir): Gen:Variant.Zusy.118140:Gen:Variant.Mikey.25218:DeepScan:Generic.Malware.P!Pk!.B27A4187:Trojan.Generic.14936877:Trojan.Generic.11782610:Gen:Trojan.Heur.LP.du4@aaYL6Cpi:Trojan.Generic.14934268
AV BullGuard: Gen:Variant.Zusy.118140
AV Padvish: no_virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.NSAnti.Gen.1
AV CAT (quickheal): Backdoor.Dusenr.08124
AV Trend Micro: BKDR_IXESHE.SML
AV Kaspersky: Trojan.Win32.Generic:Trojan-Dropper.Win32.Daws.dtdj
AV Zillya!: Trojan.Zzinfor.Win32.133
AV Emsisoft: Gen:Variant.Zusy.118140
AV Ikarus: PUA.Zzinfor
AV Frisk (f-prot): W32/SYStroj.N.gen!Eldorado
AV Authentium: W32/Trojan.XRIC-1106
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.118140
AV Microsoft Security Essentials: Trojan:Win32/Skeeyah.A!rfn
AV K7: Adware ( 004b8eb11 )
AV BitDefender: Gen:Variant.Zusy.118140
AV Fortinet: W32/Daws.DTDJ!tr
AV Symantec: no_virus
AV Grisoft (avg): Hider.ADZR.dropper
AV Eset (nod32): no_virus
AV Alwil (avast): Malware-gen:GenMaliciousA-NAP [Trj]:Trojan-gen:Rofin-A [Trj]:Win32:Malware-gen:Win32:Trojan-gen
AV Ad-Aware: Gen:Variant.Zusy.118140
AV Twister: Trojan.Generic.qdwn
AV Avira (antivir): TR/Rogue.27840:TR/Spy.Agent.58880.2:TR/Downloader.Gen7
AV Mcafee: GenericR-ESN!3FBD42F72C53

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\123\AddShExe ➝ NULL
Registry: HKEY_CLASSES_ROOT\Microsoft.IE\ ➝ C:\blow.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝ NULL
Creates File: C:\DProEx.sys
Creates File: C:\configWord.cf
Creates File: C:\reTcp.sys
Creates File: DProEx
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\config.ini
Creates File: C:\Windows\System32\clk.ini
Creates File: C:\WINDOWS\he1p
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\blow.exe
Creates File: FixTool
Creates File: C:\Windows\System32\cBLK.dll
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: DProEx.sys - C:\DProEx.sys
Creates Service: reTcp.sys - C:\reTcp.sys
Starts Service: DProEx
Starts Service: FixTool
Winsock URL: http://ad.zzinfor.cn/static/hotkey.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf
Creates File: C:\WINDOWS\Prefetch\7D493EC91F4F4B76A09BCC938CC8A-27E2E1B0.pf

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL

Process
↳ Pid 1860

Process
↳ Pid 1096

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

DNS: 1st.ecoma.ourwebpic.com
Type: A
8.37.239.17
DNS: ad.zzinfor.cn
Type: A
HTTP GET: http://ad.zzinfor.cn/static/hotkey.txt
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 8.37.239.17:80
