Analysis Date: 2015-06-10 08:03:35
MD5: 4802539350908fd447a5c3ae3e966be0
SHA1: 9514cdeec8d962f087f23fb377323ae385cff027

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b46f9051427c353b0ba8d31de5c839b0 sha1: 47e3ae604fa1beded8c27483c95f3b255b37f254 size: 15360
Section .rdata: md5: 7952322781bfa3efd6caaaf49592b733 sha1: 1e7e8f0efd6c7b7a38090572e247780b092d015a size: 512
Timestamp: 2014-05-21 17:03:47
Packer: Borland Delphi 4.0
PEhash: 8527906f0fbd9bd1f3e7e9231abf205d6cec7d11
IMPhash: bcdf1cfdb5ffa79572225bbdaf344e7c
AV Twister: Trojan.Cap1453020.anqb
AV Dr. Web: Trojan.RDPBrute.13
AV Trend Micro: TROJ_ZP.8BB03604
AV K7: Trojan ( 004998631 )
AV BitDefender: Gen:Trojan.Heur.biW@IPuAyjn
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: no_virus
AV F-Secure: Gen:Trojan.Heur.biW@IPuAyjn
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV CAT (quickheal): Trojan.Dyname.r2
AV Symantec: Trojan.Asprox.B
AV MalwareBytes: Trojan.Downloader
AV Microsoft Security Essentials: Trojan:Win32/Tibrun.A
AV Fortinet: W32/BrutPOS.A!tr
AV VirusBlokAda (vba32): Hoax.Blocker
AV Eset (nod32): Win32/Kryptik.CANM
AV Authentium: W32/Trojan.VMPO-8996
AV Arcabit (arcavir): Gen:Trojan.Heur.biW@IPuAyjn
AV Ad-Aware: Gen:Trojan.Heur.biW@IPuAyjn
AV MicroWorld (escan): Gen:Trojan.Heur.biW@IPuAyjn
AV Emsisoft: Gen:Trojan.Heur.biW@IPuAyjn
AV Padvish: Malware.SubId.48797431
AV Mcafee: RDN/Generic.tfr!eh
AV CA (E-Trust Ino): Win32/Tnega.XARW!suspicious
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV BullGuard: Gen:Trojan.Heur.biW@IPuAyjn
AV Grisoft (avg): Crypt3.RXM
AV Ikarus: Trojan.Crypt3
AV Frisk (f-prot): no_virus
AV Rising: no_virus
AV Zillya!: Trojan.Blocker.Win32.18274

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\Documents and Settings\Administrator\Application Data\llasc.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\llasc.exe

Creates File: \Device\Afd\Endpoint
Winsock DNS: 62.109.16.195

Network Details:

HTTP POST: http://62.109.16.195/brut.loc/www/cmd.php
User-Agent: Browser
HTTP POST: http://62.109.16.195/brut.loc/www/cmd.php
User-Agent: Browser
HTTP POST: http://62.109.16.195/brut.loc/www/cmd.php
User-Agent: Browser
HTTP POST: http://62.109.16.195/brut.loc/www/cmd.php
User-Agent: Browser
HTTP POST: http://62.109.16.195/brut.loc/www/cmd.php
User-Agent: Browser
Flows TCP: 192.168.1.1:1031 ➝ 62.109.16.195:80
Flows TCP: 192.168.1.1:1031 ➝ 62.109.16.195:80
Flows TCP: 192.168.1.1:1032 ➝ 62.109.16.195:80
Flows TCP: 192.168.1.1:1033 ➝ 62.109.16.195:80
Flows TCP: 192.168.1.1:1034 ➝ 62.109.16.195:80
Flows TCP: 192.168.1.1:1035 ➝ 62.109.16.195:80

Strings