Analysis Date: 2016-04-22 08:35:02
MD5: 197aab751aaa9ff46adde36f066ce13f
SHA1: 9882a73d9dabb5b2ddf3f520b242b57fe6744a43

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ed55fcdc93ad7bc7b4aa6adbd8bd8f3b sha1: a8417c6ab78fa31ffa1597f3087ff74ea7a2d683 size: 425984
Section .rdata md5: cbc9e0b0e8005fc22100e4df00301e50 sha1: 12f45e737a767b4e1806bb8407d679f9214fddd6 size: 1581056
Section .data md5: e6f5a2652894c98b96f886d1363b0330 sha1: 619191820b94c1be06bfff51c41f9da571cf831d size: 61440
Section .rsrc md5: 0c5a578d67aadf2d017d65075196168b sha1: e3ba3310f2816e31251f4933cf2285f4d85f8f21 size: 24576
Timestamp: 2016-04-16 14:35:59
Version info:
LegalCopyright: 作者版权所有 请尊重并使用正版
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
ProductName: 易语言程序
ProductVersion: 1.0.0.0
FileDescription: 易语言程序
Packer: Microsoft Visual C++ v6.0
PEhash: 660903b57b5582e826264d9d96ca2c201b2b3249
IMPhash: 5a8edfd816aa4167bb47a66b00fa0986
AV Rising: No Virus
AV CA (E-Trust Ino): Trojan.GenericKD.3168070
AV F-Secure: Trojan.GenericKD.3168070
AV Dr. Web: Trojan.MulDrop6.17661
AV ClamAV: No Virus
AV Arcabit (arcavir): Trojan.GenericKD.3168070
AV BullGuard: Trojan.GenericKD.3168070
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Trojan.Generic.01823
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Agentb.idug
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Trojan.GenericKD.3168070
AV Ikarus: Trojan.Win32.Agentb
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: Spyware.OnlineGames
AV MicroWorld (escan): No Virus
AV Microsoft Security Essentials: No Virus
AV K7: No Virus
AV BitDefender: Trojan.GenericKD.3168070
AV Fortinet: Riskware/Qhost
AV Symantec: No Virus
AV Grisoft (avg): Win32/DH{YTUJ?}
AV Eset (nod32): No Virus
AV Alwil (avast): Win32:Malware-gen
AV Alwil (avast): Malware-gen
AV Alwil (avast): Downloader-WEX [Trj]
AV Ad-Aware: Trojan.GenericKD.3168070
AV Twister: Trojan.33C0C390@2FF0300@.mg
AV Avira (antivir): TR/Downloader.Gen
AV Mcafee: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\临时目录位置.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fox1.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\\fox1.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\\taskmgr.exe

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\WINDOWS\system32\ping.exe 127.0.0.1 -n 2

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\\fox1.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\\taskmgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.inf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\_lm_delself_.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.sys
Creates File: C:\WINDOWS\Setupsti.log
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\hllog.txt
Creates File: C:\WINDOWS\_ntdll.bak
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.inf
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~tmp_hl\mslmedia.sys
Creates Mutex: lmins_1_0_1

Process
↳ C:\WINDOWS\system32\ping.exe 127.0.0.1 -n 2

Winsock DNS: 127.0.0.1

Network Details:

HTTP GET: http://183.60.200.160:8081/cpa1.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://183.60.200.160:8081/cpa2.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://183.60.200.160:8081/cpa3.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://183.60.200.160:8081/cpa4.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1031 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1032 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1033 ➝ 183.60.200.160:8081
Flows TCP: 192.168.1.1:1034 ➝ 183.60.200.160:8081
