Analysis Date: 2015-09-16 20:42:52
MD5: 581afe167dbdbc03c8921879c4c1efcb
SHA1: 912cf2a9eb029484f7f2a5f00b5fefe7b92b4ad9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 1c7f4b85b4e857be5ee9b2e3e4b181ba sha1: c5c6216ea0245eed51e7ce528ee2e87f304dc394 size: 25600
Section: .rdata md5: ed17eec5c39ffb718fcea612b2d13519 sha1: e4a17a421e9b9970f8112dd6fce8ba8ba06119cf size: 74240
Section: .data md5: ca7b626bdfb6fe55065afef8f607fb60 sha1: 73233c202b458c5fa12671cfd82fa814c418f7c3 size: 3584
Timestamp: 2014-05-16 06:42:22
Packer: Microsoft Visual C++ ?.?
PEhash: 00b7624d1a364f41664faf7b09042397f6c61e63
IMPhash: a8a20d7db2ee7cd1a85074534adab9f4
AV Rising: no_virus
AV Mcafee: RDN/Generic BackDoor
AV Avira (antivir): TR/Injector.104448.13
AV Twister: Trojan.DOMG.gqlp
AV Ad-Aware: Gen:Win32.ExplorerHijack.gmW@a0HaUkf
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Korplug.DB
AV Grisoft (avg): Agent5.ADOC
AV Symantec: no_virus
AV Fortinet: W32/Hra.BX!tr
AV BitDefender: Gen:Win32.ExplorerHijack.gmW@a0HaUkf
AV K7: Trojan ( 004b03c71 )
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.H
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.gmW@a0HaUkf
AV MalwareBytes: no_virus
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Ransom.Win32.PornoAsset
AV Emsisoft: Gen:Win32.ExplorerHijack.gmW@a0HaUkf
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Gulpix.aoo
AV Trend Micro: BKDR_PLUGX.EO
AV CAT (quickheal): TrojanAPT.PlugX.E4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Win32.ExplorerHijack.gmW@a0HaUkf
AV Arcabit (arcavir): Gen:Win32.ExplorerHijack.gmW@a0HaUkf
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Win32.ExplorerHijack.gmW@a0HaUkf
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Process: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Mutex: Global\ujulwjpjx

Process
↳ C:\Documents and Settings\All Users\DRM\XXX\.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\qcmtwcnjuwzinxyff
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\ujulwjpjx
Creates Mutex: Global\crkfavsfawggh
Creates Mutex: Global\wvisq
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\mschu
Creates Mutex: Global\iqlgrgyod
Creates Mutex: Global\aabhnqurdbfoh
Creates Mutex: Global\yonehkppypnacelbb
Creates Mutex: Global\stuxkwabijxwwaxrh
Creates Mutex: Global\wubqw
Creates Mutex: Global\uebxg
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\mxunbqgir
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\aelgflwcvvytstumy
Creates Mutex: Global\egbhmpyceumde

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: MMMM
Winsock DNS: 127.0.0.1

Network Details:
