Analysis Date: 2015-08-18 04:45:07
MD5: 4fc0e27c8dcd713fae6d771ea5172c7e
SHA1: 93c78ab247888a348dc9cf36e080cb6a4a23c9cc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 388a5adbee137e462cbbab07de08361d sha1: bdabef0b9447e0848c24e2d5c951c4b59d1e2f8f size: 638464
Section .itext  md5: bd9a6a167767cfb50454df6470438cd6 sha1: 78b938815430924c7836cda2bed190e07272a70d size: 3072
Section .data   md5: 7ee274780e36ee364ece1e8689abcf1a sha1: 400f33a4548b73a9c59a9cf18950e449adf5f69f size: 558080
Section .bss    md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata  md5: ead356ac6c93850bb893301b2b8ebf56 sha1: 8b0b1336fba9fae653aeab2043688a0a05d349ed size: 12288
Section .tls    md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata  md5: b98490e793b8f3b220fb9d3a17b0dfc1 sha1: fca1352570aae0adff5390ca9e5e97a99c81e713 size: 512
Section .reloc  md5: 02aabc16bdbe9f7a41d0a5ec7f6b46d0 sha1: 625424c6b5e3606ccd07596df6dad104590ff577 size: 44032
Section .rsrc   md5: 544fcdb5747e7edb30754c4ba26908e2 sha1: 237ab3549d693d0d74fb16f050510277143cf4c1 size: 53248

The section digests are taken over each section's raw file data. .bss and .tls have a raw size of 0, so their md5 and sha1 are simply the digests of empty input (d41d8cd98f00b204e9800998ecf8427e / da39a3ee5e6b4b0d3255bfef95601890afd80709) and carry no information for section-hash pivoting; the .text, .data and .rsrc hashes are the ones worth searching on.
Timestamp: 2011-11-09 07:39:30 (the COFF header TimeDateStamp; it is written by the linker and trivially forgeable, so treat it as a hint, not as evidence of build date)
Packer: BobSoft Mini Delphi -> BoB / BobSoft (PEiD signature match; together with the .text/.itext/.data/.bss/.idata/.tls/.rdata/.reloc/.rsrc layout above this is the standard Delphi linker output, so it indicates a Delphi build rather than a packer)
PEhash: 513663ac2001dec50b338b08624190d915beb9ce
IMPhash: 85a7c00d4da04141220f00c2443f8f0b
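As an added example (not code from the report or from the analysis service behind it), the following Python walks a PE section table and produces the same kind of per-section md5/sha1/size rows and COFF timestamp as the Static Details above. The in-memory PE it builds is a constructed stand-in that reuses the sample's section names (.text, .bss, .tls), not the sample itself; its section contents, the absent optional header and the 512-byte file alignment are assumptions made for the example.

```python
"""Per-section hashing and compile timestamp, as listed under "Static Details".

Added example, not code from the report or the analysis service: it builds a
minimal PE image in memory (a hypothetical sample whose section names mirror
the real one) and walks the section table the way the report's section
md5/sha1/size fields imply: each digest covers SizeOfRawData bytes starting
at PointerToRawData.
"""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HDR = struct.Struct("<HHIIIHH")

EMPTY_MD5 = hashlib.md5(b"").hexdigest()    # d41d8cd98f00b204e9800998ecf8427e
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()  # da39a3ee5e6b4b0d3255bfef95601890afd80709


def _coff_offset(pe: bytes) -> int:
    """Locate the COFF header via e_lfanew, validating the MZ and PE signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad signature")
    return e_lfanew + 4


def section_hashes(pe: bytes):
    """Return [(name, raw_size, md5, sha1)] for every section, report-style."""
    coff = _coff_offset(pe)
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, coff)
    table = coff + COFF_HDR.size + opt_size
    rows = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = f[3], f[4]
        if raw_ptr + raw_size > len(pe):
            raise ValueError(f"section {name} points past end of file")
        data = pe[raw_ptr:raw_ptr + raw_size]   # empty for .bss/.tls-style sections
        rows.append((name, raw_size,
                     hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()))
    return rows


def compile_timestamp(pe: bytes) -> str:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (linker-set, attacker-forgeable)."""
    ts = COFF_HDR.unpack_from(pe, _coff_offset(pe))[2]
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_pe(text=b"\x55\x8b\xec" + b"\x90" * 29, timestamp=1320824370) -> bytes:
    """Construct a hypothetical 3-section PE (.text with code, .bss and .tls with
    no raw data), file-aligned to 512 bytes, stamped with the report's build time.
    The optional header is omitted (SizeOfOptionalHeader = 0): an assumption that
    is enough for the section walk above but not for loading the image."""
    sections = [(b".text", text), (b".bss", b""), (b".tls", b"")]
    e_lfanew = 0x40
    opt_size = 0
    headers_end = e_lfanew + 4 + COFF_HDR.size + opt_size + SECTION_HDR.size * len(sections)
    first_raw = (headers_end + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = COFF_HDR.pack(0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        padded = data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
        ptr = first_raw + len(body) if padded else 0   # zero-size sections have no raw pointer
        table += SECTION_HDR.pack(name, len(data), va, len(padded), ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        va += 0x1000
    return (dos + b"PE\0\0" + coff + table).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    sample = build_sample_pe()
    print("Timestamp", compile_timestamp(sample))
    for name, size, md5, sha1 in section_hashes(sample):
        flag = "  (empty: digest of zero bytes)" if size == 0 else ""
        print(f"Section {name:<6} md5: {md5} sha1: {sha1} size: {size}{flag}")
```

Run against a real file (`section_hashes(open(path, "rb").read())`) the rows can be compared directly with the report's; any section whose md5 equals EMPTY_MD5 should be dropped from a hash-pivot query.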
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Generic.14486249
AV Dr. Web: BackDoor.Bifrost.15005
AV ClamAV: Win.Trojan.Bifrose-2285
AV Arcabit (arcavir): Trojan.Generic.14486249
AV BullGuard: Trojan.Generic.14486249
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Redosdru
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: Trojan.Redosdru.Win32.3810
AV Emsisoft: Trojan.Generic.14486249
AV Ikarus: Trojan.Fraud
AV Frisk (f-prot): no_virus
AV Authentium: W32/A-3475dff0!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Trojan.Generic.14486249
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 0048351c1 )
AV BitDefender: Trojan.Generic.14486249
AV Fortinet: W32/GenericR.DCS!tr
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): Win32/Packed.DRMSoft.C suspicious
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Generic.14486249
AV Twister: no_virus
AV Avira (antivir): TR/Fraud.Gen7
AV Mcafee: GenericR-DCS!4FC0E27C8DCD

The seven identical Trojan.Generic.14486249 verdicts come from products that license the BitDefender engine and should be counted as one detection. The only family names given are Dr. Web's BackDoor.Bifrost and ClamAV's Win.Trojan.Bifrose; the rest are generic or heuristic labels, and the major engines (Kaspersky, Symantec, Trend Micro, Microsoft) report nothing at analysis time.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.qiaqing.net

The Internet Settings registry access, the three index.dat cache files and the c:!...! and WininetConnectionMutex mutexes are the standard side effects of the WinINet library the sample uses for its HTTP request, and the \Device\Afd\* objects are Winsock socket creation; none of them is persistence or a family-specific indicator. Nothing in this run writes a Run key, drops a file outside the IE cache or spawns a second process. The sample-specific artefacts are the lookup of www.qiaqing.net and the request that follows under Network Details.

Network Details:

DNS: qiaqing.net, Type: A ➝ 184.168.221.21
DNS: www.qiaqing.net, Type: A ➝ (no address recorded)
HTTP GET: http://www.qiaqing.net/lb/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.21:80

The User-Agent is the stock Internet Explorer 6 string of the Windows XP SP2 sandbox (SV1 marks the SP2 build) as supplied by WinINet, so it matches plenty of benign traffic; key any detection on the Host header and the /lb/ path, not on the UA. Note also that the answer for www.qiaqing.net is not recorded, while the flow goes to the address returned for the bare domain.

Raw Pcap
0x00000000 (00000)   47455420 2f6c622f 20485454 502f312e   GET /lb/ HTTP/1.
0x00000010 (00016)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000020 (00032)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000030 (00048)   20656e2d 75730d0a 41636365 70742d45    en-us..Accept-E
0x00000040 (00064)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000050 (00080)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000060 (00096)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000070 (00112)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000080 (00128)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000090 (00144)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x000000a0 (00160)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000b0 (00176)   0a486f73 743a2077 77772e71 69617169   .Host: www.qiaqi
0x000000c0 (00192)   6e672e6e 65740d0a 436f6e6e 65637469   ng.net..Connecti
0x000000d0 (00208)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000e0 (00224)   0d0a                                  ..
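To turn the captured request above into something a detection engineer can use, here is an added Python example that is not part of the report. HEXDUMP is the Raw Pcap block copied verbatim; the parser, the indicator list (Host and URI taken from the report, with the User-Agent deliberately left out because it is the stock IE6/XP SP2 string) and the Suricata rule text are this example's own, and the rule's sid and msg values are placeholders. The decoder checks each line's offset against the bytes recovered so far, which catches a hex group that was dropped or swallowed by the ASCII column when a dump is copied by hand.

```python
"""Decode the report's raw request dump into indicators and a detection rule.

Added example, not part of the original report: HEXDUMP is the report's
"Raw Pcap" block copied verbatim; the parser, the IOC list and the Suricata
rule (sid 1000001 and the msg text are placeholders) are this example's own.
"""
import re

HEXDUMP = """\
0x00000000 (00000)   47455420 2f6c622f 20485454 502f312e   GET /lb/ HTTP/1.
0x00000010 (00016)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000020 (00032)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000030 (00048)   20656e2d 75730d0a 41636365 70742d45    en-us..Accept-E
0x00000040 (00064)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000050 (00080)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000060 (00096)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0
0x00000070 (00112)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000080 (00128)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000090 (00144)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x000000a0 (00160)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000b0 (00176)   0a486f73 743a2077 77772e71 69617169   .Host: www.qiaqi
0x000000c0 (00192)   6e672e6e 65740d0a 436f6e6e 65637469   ng.net..Connecti
0x000000d0 (00208)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000e0 (00224)   0d0a                                  ..
"""

_DUMP_LINE = re.compile(r"^0x([0-9a-f]+)\s+\(\d+\)\s+(.*)$")
_HEX_GROUP = re.compile(r"^(?:[0-9a-f]{2}){1,4}$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from an offset/hex/ASCII dump. Each line's offset must
    equal the number of bytes decoded so far, so a lost or swallowed group is
    reported instead of silently shifting the rest of the payload."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but {len(out)} bytes decoded")
        for tok in m.group(2).split():
            if not _HEX_GROUP.match(tok):
                break               # first non-hex token starts the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line plus lower-cased headers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


# Indicators taken from the report. The User-Agent is deliberately absent:
# it is the stock IE6 / XP SP2 string and matches benign traffic.
IOC_HOSTS = {"www.qiaqing.net", "qiaqing.net"}
IOC_PATHS = {"/lb/"}


def match_iocs(req: dict) -> list:
    """Return the indicators this request hits, e.g. ['host:www.qiaqing.net', 'uri:/lb/']."""
    hits = []
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host in IOC_HOSTS:
        hits.append(f"host:{host}")
    if req["target"] in IOC_PATHS:
        hits.append(f"uri:{req['target']}")
    return hits


def _suricata_content(value: str) -> str:
    """Escape the characters Suricata's content keyword treats specially."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def suricata_rule(req: dict, sid: int = 1000001) -> str:
    """Emit a Suricata rule keyed on method, URI and Host (not the generic UA)."""
    host = req["headers"]["host"]
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"Sandbox beacon {req["method"]} {req["target"]} to {host}"; '
        "flow:established,to_server; "
        f'http.method; content:"{_suricata_content(req["method"])}"; '
        f'http.uri; content:"{_suricata_content(req["target"])}"; '
        f'http.host; content:"{_suricata_content(host)}"; '
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    request = parse_request(dump_to_bytes(HEXDUMP))
    print("matched:", match_iocs(request))
    print(suricata_rule(request))
```

The rule uses Suricata's http.method/http.uri/http.host sticky buffers, so it needs Suricata 5 or later; on older versions the equivalent keywords are http_method, http_uri and http_host.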


Strings