Analysis Date: 2015-07-26 07:03:31
MD5: 081b2dc53073c3c2dd2861eccdc12b90
SHA1: 86f5f19f9df63daadd0581a4a640eeb243e7a3bc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a8692f5ba740240ef0f9a827376f76f9 sha1: 41f3c4b70ff31dfc1b3352173567cb857c3f7cb3 size: 74752
Section .rdata: md5: d4f36accffde0bf520f52486679ccf0d sha1: 891cbdf18a460a41df342f7f806a2dca0a68bea1 size: 7680
Section .data: md5: b6c7edb5b7fec47a37a622cc5d71f3f4 sha1: 6e76e64e9fec63232a0ae118666c0588b4543be1 size: 512
Section .CRT: md5: 439411041ee0b8261668525c5c132cd9 sha1: 817c1d9c0c3df118ce4391ba48b5f5285b01916c size: 512
Section .rsrc: md5: e038efcb7bd8930787f4e321791d381f sha1: 3044ac80e5c2ec9d9c135eeabbf3c083a84963b4 size: 14336
Timestamp: 2012-06-09 13:19:49
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 1993df15aa1f1c71a045acbc5c6088049a9bfd95
IMPhash: 3c98c11017e670673be70ad841ea9c37
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): no_virus
AV Twister: Trojan.432F02A8FA7D7401
AV Ad-Aware: Gen:Variant.Graftor.163150:Gen:Variant.Symmi.25245:Gen:Trojan.Heur.cm0@snFepKmbh
AV Alwil (avast): Banker-LTV [Trj]:GenMalicious-BLD [Trj]:Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/Spy.Banker.ABFF:Win32/Farfli.OY
AV Grisoft (avg): PSW.Banker6.BQGI
AV Symantec: no_virus
AV Fortinet: W32/Banker.ABFF!tr.spy
AV BitDefender: Gen:Variant.Graftor.163150:Gen:Variant.Symmi.25245:Gen:Trojan.Heur.cm0@snFepKmbh
AV K7: Trojan ( 0001140e1 )
AV Microsoft Security Essentials: Backdoor:Win32/Zegost.AD
AV MicroWorld (escan): Gen:Variant.Graftor.163150[ZP]
AV MalwareBytes: Backdoor.PcClient
AV Authentium: W32/Onlinegames.OJMH-4535
AV Frisk (f-prot): W32/Onlinegames.BHW
AV Ikarus: Trojan.Win32.Spy:Backdoor.Win32.Zegost
AV Emsisoft: Gen:Variant.Graftor.163150:Gen:Variant.Symmi.25245:Gen:Trojan.Heur.cm0@snFepKmbh
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic:Backdoor.Win32.Zegost.ufc
AV Trend Micro: BKDR_ELAN.X
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Graftor.163150:Gen:Variant.Symmi.25245:Gen:Trojan.Heur.cm0@snFepKmbh
AV Arcabit (arcavir): Gen:Variant.Graftor.163150_Gen:Variant.Symmi.25245_Gen:Trojan.Heur.cm0@snFepKmbh:Gen:Variant.Graftor.163150_Gen:Variant.Symmi.25245:Gen:Variant.Graftor.163150:Gen:Variant.Symmi.25245:Gen:Trojan.Heur.cm0@snFepKmbh
AV ClamAV: Trojan.OnlineGames-1393
AV Dr. Web: Trojan.Click2.39056
AV F-Secure: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: YZ激活TCP.exe
Creates File: 支付.exe
Creates File: __tmp_rar_sfx_access_check_74859
Deletes File: __tmp_rar_sfx_access_check_74859
Creates Process: C:\WINDOWS\system32\支付.exe
Creates Process: C:\WINDOWS\system32\YZ激活TCP.exe

Process
↳ C:\WINDOWS\system32\YZ激活TCP.exe

Process
↳ C:\WINDOWS\system32\支付.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD748.tmp
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com
Winsock DNS: www.dd373.com

Network Details:

DNS: www.2345.com (Type: A) ➝ 42.62.30.180
DNS: www.dd373.com (Type: A) ➝ 120.55.104.141
HTTP GET: http://www.2345.com/?k33673308
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dd373.com/Member/Signout
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dd373.com/Charge
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1033 ➝ 120.55.104.141:80
Flows TCP: 192.168.1.1:1034 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1035 ➝ 120.55.104.141:80

Raw Pcap

Strings