Analysis Date: 2015-11-15 14:01:51
MD5: 81cbc5337ad57888d9d2895106daedc9
SHA1: 93c373831b1b3bd06c0d6701e8ab989ac1d46ca2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code2  md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .code   md5: 5c32a0704e60b6b08862bd07437600bd  sha1: 66ba1103dfadb62e8b0aedbea4293a69f280e22e  size: 512
Section .text   md5: 331f02b22c23ec365d6e95a29e571ebe  sha1: 2ed05abcfd6479368853d87fe2d901afb2c1213e  size: 1536
Section .data   md5: 424cb991de8d0001e7e4cefaee00f616  sha1: 036d1ab25655272df1c2a19c9158279917622a16  size: 6656
Section .idata  md5: 2c3e2235782b039c5cb29de287146390  sha1: d4fa32e71a3e90a05bfca55f96cd8567a9d178d8  size: 2560
Section .rsrc   md5: 7e3dc6fa127a9818dbf6389c2c83ebfb  sha1: bac64e8d85b83fbe8e965136fc41c65a43a506a0  size: 12288
Timestamp: 2013-10-16 14:34:57
Version:
  LegalCopyright: Copyright (C) 2002
  InternalName: app.exe
  FileVersion: 1.0.0.1
  CompanyName: IntelCorp
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: App
  SpecialBuild:
  ProductVersion: 1.0.0.1
  FileDescription: app.exe
  OriginalFilename: app.exe
Packer: Safeguard 1.03 -> Simonzh
PEhash: 10ccdc4f073e13bb104f8b5db3e02b8ef459e537
IMPhash: a9b9938478f081edcf93145a100a5caa
AV F-Secure: Trojan.GenericKD.1345564
AV Authentium: W32/Trojan.ANIH-8016
AV MalwareBytes: Trojan.Zbot
AV Dr. Web: Trojan.DownLoad3.28161
AV Grisoft (avg): Crypt_s.EEG
AV Eset (nod32): Win32/TrojanDownloader.Small.AAB
AV MicroWorld (escan): Trojan.GenericKD.1345564
AV Trend Micro: TROJ_UPATRE.SM37
AV ClamAV: Win.Trojan.Agent-948018
AV Twister: Trojan.05C1F469D8CC0902
AV BitDefender: Trojan.GenericKD.1345564
AV Avira (antivir): TR/Dldr.Small.aab.2
AV Alwil (avast): Kryptik-OEY [Trj]
AV Fortinet: W32/Agent.AMI!tr
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Kaspersky: Trojan-Downloader.Win32.Agent.hdqf
AV VirusBlokAda (vba32): TrojanDownloader.Agent
AV Arcabit (arcavir): Trojan.GenericKD.1345564
AV Mcafee: Downloader-FUL!81CBC5337AD5
AV Ad-Aware: Trojan.GenericKD.1345564
AV Symantec: Trojan.Zbot
AV K7: Trojan ( 0040f6941 )
AV Rising: no_virus
AV Frisk (f-prot): W32/Trojan3.GFR
AV Emsisoft: Trojan.GenericKD.1345564
AV Zillya!: Downloader.Agent.Win32.181223
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.1345564
AV CA (E-Trust Ino): Win32/Tnega.ATDI

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: miamelectric.com

Network Details:

DNS: miamelectric.com (Type: A) ➝ 64.74.223.44
Flows TCP: 192.168.1.1:1031 ➝ 64.74.223.44:443
Flows TCP: 192.168.1.1:1032 ➝ 64.74.223.44:443
Flows TCP: 192.168.1.1:1033 ➝ 64.74.223.44:443
Flows TCP: 192.168.1.1:1034 ➝ 64.74.223.44:443
