Analysis Date: 2013-08-11 20:15:07
MD5: 8fc38cb10c52751c8284f5effb3437c1
SHA1: a6b4e55fb1f9182a1ef6cd0625e71fd8b4a412ba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 cea67d825da0f3a90fbe2b8d048e4d1a, sha1 ca990f52d13c8177b6cf9088eaaec642e5e18b4d, size 491520
Section .rdata: md5 c056ba6c79cfdbba5b76eb197ff3f950, sha1 e47ce19a69a698312ea84f27f5d654518d9cbc38, size 98304
Section .data: md5 ccc74f559bfcabd5a26a2b45d69b352f, sha1 09446966e8b0d60c9cb926341b416eb5ab62de98, size 61440
Section .rsrc: md5 ebca2812333aa79675c817c561ed477d, sha1 79ee60c7fa22235124524509323f368a9ff02452, size 24576
Timestamp: 2011-09-07 14:50:37
Version info:
  LegalCopyright: Copyright reserved by the author; please respect it and use a genuine copy (original string: 作者版权所有 请尊重并使用正版)
  FileVersion: 1.0.0.0
  Comments: This program was written in Easy Language (易语言, http://www.eyuyan.com)
  ProductName: Easy Language program (original string: 易语言程序)
  ProductVersion: 1.0.0.0
  FileDescription: Easy Language program (original string: 易语言程序)
Packer: Microsoft Visual C++ v6.0 (a compiler signature, not a packer)
PEhash: 3e6ab93273dd2355c7134f56de045268f808b226
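The section md5/sha1 values above are what let a sample on hand be matched to this report even when its file-level MD5/SHA1 differ (an appended overlay or a re-signed copy changes the file hash but not the section hashes). The following is an added example, not part of the sandbox report or its tooling: it walks the PE section table with the standard library only, recomputes the per-section hashes and the COFF TimeDateStamp, and compares the result with the values reported above. The REPORTED table is copied from this report; build_test_pe() produces a constructed, non-loadable stub image used only to exercise the parser; hashing the raw on-disk bytes of each section and reading the timestamp as UTC are assumptions, since the report states neither.

```python
"""Recompute per-section hashes and the compile timestamp of a PE file.

Added example for the Static Details section above; not part of the sandbox
report or its tooling. Standard library only (no pefile).
"""
import hashlib
import struct
from datetime import datetime, timezone

# Section md5 values copied from the report above.
REPORTED = {
    ".text": "cea67d825da0f3a90fbe2b8d048e4d1a",
    ".rdata": "c056ba6c79cfdbba5b76eb197ff3f950",
    ".data": "ccc74f559bfcabd5a26a2b45d69b352f",
    ".rsrc": "ebca2812333aa79675c817c561ed477d",
}


def _coff_header_offset(data: bytes) -> int:
    """Locate the COFF file header through e_lfanew; reject anything that is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def pe_timestamp(data: bytes) -> str:
    """COFF TimeDateStamp rendered like the report's Timestamp field (assumed UTC)."""
    ts = struct.unpack_from("<I", data, _coff_header_offset(data) + 4)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def pe_section_hashes(data: bytes) -> list:
    """Hash each section's raw on-disk bytes (assumed to be what the report hashed).

    'present' is how many of SizeOfRawData bytes really exist in the file, so a
    truncated sample shows up as present < size instead of a silent mismatch.
    """
    coff = _coff_header_offset(data)
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "size": raw_size, "present": len(raw),
                         "md5": hashlib.md5(raw).hexdigest(),
                         "sha1": hashlib.sha1(raw).hexdigest()})
    return sections


def compare_with_report(sections: list, reported: dict) -> dict:
    """Map each reported section name to True/False for an md5 match (absent -> False)."""
    found = {s["name"]: s["md5"] for s in sections}
    return {name: found.get(name) == md5 for name, md5 in reported.items()}


def build_test_pe() -> bytes:
    """Constructed minimal PE stub (not loadable): two sections, used to exercise the code."""
    sections = [(b".text", b"abc"), (b".data", b"")]
    e_lfanew, raw_base = 0x40, 0x200
    img = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0"
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp (the report's
    # 2011-09-07 14:50:37 taken as UTC), symbol table fields, SizeOfOptionalHeader
    # (0 in this stub), Characteristics.
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 1315407037, 0, 0, 0, 0x0102)
    ptr = raw_base
    for name, raw in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number fields (unused here), Characteristics.
        img += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        ptr += len(raw)
    img += b"\0" * (raw_base - len(img))
    for _, raw in sections:
        img += raw
    return bytes(img)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    print("timestamp:", pe_timestamp(blob))
    for s in pe_section_hashes(blob):
        print(f"{s['name']:8} size={s['size']:<7} present={s['present']:<7} md5={s['md5']}")
    print("matches report:", compare_with_report(pe_section_hashes(blob), REPORTED))
```

Run it against a real sample with `python3 sections.py sample.bin`; a sample that matches this report should come back True for all four section names. Without an argument it runs over the constructed stub, whose hashes of course do not match the report.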

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\xiongba321[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dnfduanku[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\3214[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\6625[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.5266.me
Winsock DNS: www.xiaoman520.com
Winsock DNS: www.dnfduanku.com
Winsock DNS: www.3214.cn
Winsock DNS: www.ewasai.com
Winsock DNS: www.lelev8.net
Winsock DNS: www.kguigushi.com
Winsock DNS: www.zijun520.com
Winsock DNS: www.buhuiwg.com
Winsock DNS: www.6625.me
Winsock DNS: www.xiongba321.com
Winsock DNS: 822210.9lwan.com

Network Details:

DNS: www.6625.me (A) ➝ 69.43.161.178
DNS: www.dnfduanku.com (A) ➝ 209.222.14.3
DNS: www.xiongba321.com (A) ➝ 208.73.210.210
DNS: cs.ename.net (A) ➝ 208.98.43.158
DNS: 822210.9lwan.com (A) ➝ no answer logged
DNS: www.ewasai.com (A) ➝ no answer logged
DNS: www.zijun520.com (A) ➝ no answer logged
DNS: www.lelev8.net (A) ➝ no answer logged
DNS: www.3214.cn (A) ➝ no answer logged
DNS: www.5266.me (A) ➝ no answer logged
DNS: www.buhuiwg.com (A) ➝ no answer logged
DNS: www.kguigushi.com (A) ➝ no answer logged
DNS: www.xiaoman520.com (A) ➝ no answer logged
HTTP GET: http://www.6625.me/soft/Dn_YCM/1118-DnYCM.htm
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dnfduanku.com/beifen.htm
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.6625.me/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.xiongba321.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dnfduanku.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.3214.cn/?langman
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.6625.me/soft/Dn_YCM/1118-DnYCM.htm
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dnfduanku.com/beifen.htm
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flow TCP: 192.168.1.1:1032 ➝ 69.43.161.178:80
Flow TCP: 192.168.1.1:1034 ➝ 209.222.14.3:80
Flow TCP: 192.168.1.1:1035 ➝ 69.43.161.178:80
Flow TCP: 192.168.1.1:1036 ➝ 208.73.210.210:80
Flow TCP: 192.168.1.1:1037 ➝ 209.222.14.3:80
Flow TCP: 192.168.1.1:1039 ➝ 208.98.43.158:80
Flow TCP: 192.168.1.1:1040 ➝ 69.43.161.178:80
Flow TCP: 192.168.1.1:1041 ➝ 209.222.14.3:80

Raw Pcap
0x00000000 (00000)   47455420 2f736f66 742f446e 5f59434d   GET /soft/Dn_YCM
0x00000010 (00016)   2f313131 382d446e 59434d2e 68746d20   /1118-DnYCM.htm 
0x00000020 (00032)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000030 (00048)   3a202a2f 2a0d0a41 63636570 742d4c61   : */*..Accept-La
0x00000040 (00064)   6e677561 67653a20 656e2d75 730d0a41   nguage: en-us..A
0x00000050 (00080)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000060 (00096)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000070 (00112)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000080 (00128)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000090 (00144)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x000000a0 (00160)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x000000b0 (00176)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000c0 (00192)   35303732 37290d0a 486f7374 3a207777   50727)..Host: ww
0x000000d0 (00208)   772e3636 32352e6d 650d0a43 6f6e6e65   w.6625.me..Conne
0x000000e0 (00224)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000f0 (00240)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f626569 66656e2e 68746d20   GET /beifen.htm 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d4c61   : */*..Accept-La
0x00000030 (00048)   6e677561 67653a20 656e2d75 730d0a41   nguage: en-us..A
0x00000040 (00064)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000050 (00080)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x000000a0 (00160)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000b0 (00176)   35303732 37290d0a 486f7374 3a207777   50727)..Host: ww
0x000000c0 (00192)   772e646e 66647561 6e6b752e 636f6d0d   w.dnfduanku.com.
0x000000d0 (00208)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000e0 (00224)   702d416c 6976650d 0a0d0a              p-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 7777772e 78696f6e 67626133   st: www.xiongba3
0x000000c0 (00192)   32312e63 6f6d0d0a 436f6e6e 65637469   21.com..Connecti
0x000000d0 (00208)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000e0 (00224)   0d0a                                  ..

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 7777772e 36363235 2e6d650d   st: www.6625.me.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a0d0a43 6f6e6e65   p-Alive....Conne
0x000000e0 (00224)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000f0 (00240)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 7777772e 646e6664 75616e6b   st: www.dnfduank
0x000000c0 (00192)   752e636f 6d0d0a43 6f6e6e65 6374696f   u.com..Connectio
0x000000d0 (00208)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x000000e0 (00224)   0a                                    .

0x00000000 (00000)   47455420 2f3f6c61 6e676d61 6e204854   GET /?langman HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a416363 6570742d 4c616e67   */*..Accept-Lang
0x00000030 (00048)   75616765 3a20656e 2d75730d 0a416363   uage: en-us..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000c0 (00192)   33323134 2e636e0d 0a436f6e 6e656374   3214.cn..Connect
0x000000d0 (00208)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000e0 (00224)   0a0d0a37 37612036 39373032 63323020   ...77a 69702c20 
0x000000f0 (00240)   36343635 36363663 20202064 696e673a   6465666c   ding:
0x00000100 (00256)   20677a69 702c2064 65666c0a             gzip, defl.

0x00000000 (00000)   47455420 2f736f66 742f446e 5f59434d   GET /soft/Dn_YCM
0x00000010 (00016)   2f313131 382d446e 59434d2e 68746d20   /1118-DnYCM.htm 
0x00000020 (00032)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000030 (00048)   3a20696d 6167652f 6769662c 20696d61   : image/gif, ima
0x00000040 (00064)   67652f78 2d786269 746d6170 2c20696d   ge/x-xbitmap, im
0x00000050 (00080)   6167652f 6a706567 2c20696d 6167652f   age/jpeg, image/
0x00000060 (00096)   706a7065 672c2061 70706c69 63617469   pjpeg, applicati
0x00000070 (00112)   6f6e2f78 2d73686f 636b7761 76652d66   on/x-shockwave-f
0x00000080 (00128)   6c617368 2c202a2f 2a0d0a41 63636570   lash, */*..Accep
0x00000090 (00144)   742d4c61 6e677561 67653a20 656e2d75   t-Language: en-u
0x000000a0 (00160)   730d0a41 63636570 742d456e 636f6469   s..Accept-Encodi
0x000000b0 (00176)   6e673a20 677a6970 2c206465 666c6174   ng: gzip, deflat
0x000000c0 (00192)   650d0a55 7365722d 4167656e 743a204d   e..User-Agent: M
0x000000d0 (00208)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x000000e0 (00224)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000f0 (00240)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x00000100 (00256)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x00000110 (00272)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x00000120 (00288)   3a207777 772e3636 32352e6d 650d0a43   : www.6625.me..C
0x00000130 (00304)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x00000140 (00320)   416c6976 650d0a0d 0a326434 31363720   Alive....2d4167 
0x00000150 (00336)   36353665 37343361 20202061 74652e2e   656e743a   ate..
0x00000160 (00352)   55736572 2d416765 6e743a0a            User-Agent:.

0x00000000 (00000)   47455420 2f626569 66656e2e 68746d20   GET /beifen.htm 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a20696d 6167652f 6769662c 20696d61   : image/gif, ima
0x00000030 (00048)   67652f78 2d786269 746d6170 2c20696d   ge/x-xbitmap, im
0x00000040 (00064)   6167652f 6a706567 2c20696d 6167652f   age/jpeg, image/
0x00000050 (00080)   706a7065 672c2061 70706c69 63617469   pjpeg, applicati
0x00000060 (00096)   6f6e2f78 2d73686f 636b7761 76652d66   on/x-shockwave-f
0x00000070 (00112)   6c617368 2c202a2f 2a0d0a41 63636570   lash, */*..Accep
0x00000080 (00128)   742d4c61 6e677561 67653a20 656e2d75   t-Language: en-u
0x00000090 (00144)   730d0a41 63636570 742d456e 636f6469   s..Accept-Encodi
0x000000a0 (00160)   6e673a20 677a6970 2c206465 666c6174   ng: gzip, deflat
0x000000b0 (00176)   650d0a55 7365722d 4167656e 743a204d   e..User-Agent: M
0x000000c0 (00192)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x000000d0 (00208)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000e0 (00224)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000f0 (00240)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x00000100 (00256)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x00000110 (00272)   3a207777 772e646e 66647561 6e6b752e   : www.dnfduanku.
0x00000120 (00288)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000130 (00304)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....
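The hex dumps above are the only complete record of what went on the wire: the HTTP GET list does not show that the last two requests differ from the first two in their Accept header, nor that the www.3214.cn dump and the second www.6625.me dump carry stale buffer bytes after the end-of-headers marker. The following is an added example, not part of the report or the sandbox's tooling: it decodes a dump back into bytes, parses the request, lifts host and URL indicators from it, and runs those indicators over proxy-log lines. LANGMAN_DUMP is the www.3214.cn dump copied from above; the SAMPLE_PROXY_LOG lines and their field layout are constructed for the example and are not from the report.

```python
"""Decode the report's raw-pcap hex dumps into HTTP requests and network IOCs.

Added example for the Network Details / Raw Pcap sections above; not part of
the sandbox report or its tooling. Standard library only.
"""
import re
from urllib.parse import urlsplit

# The www.3214.cn request, copied verbatim from the Raw Pcap section above: the
# dump whose buffer carries stale bytes after the end-of-headers marker.
LANGMAN_DUMP = """\
0x00000000 (00000)   47455420 2f3f6c61 6e676d61 6e204854   GET /?langman HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a416363 6570742d 4c616e67   */*..Accept-Lang
0x00000030 (00048)   75616765 3a20656e 2d75730d 0a416363   uage: en-us..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000c0 (00192)   33323134 2e636e0d 0a436f6e 6e656374   3214.cn..Connect
0x000000d0 (00208)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000e0 (00224)   0a0d0a37 37612036 39373032 63323020   ...77a 69702c20 
0x000000f0 (00240)   36343635 36363663 20202064 696e673a   6465666c   ding:
0x00000100 (00256)   20677a69 702c2064 65666c0a             gzip, defl.
"""


def decode_hexdump(dump: str) -> bytes:
    """Rebuild bytes from 'offset (decimal)   hex words   ascii' rows.

    Only the hex column is used: the ASCII column is a rendering, and in the
    damaged dumps above it even contains stale hex-looking text.
    """
    out = bytearray()
    for row in dump.splitlines():
        fields = re.split(r"\s{3,}", row.strip())   # columns are 3+ spaces apart
        if len(fields) < 2 or not fields[0].startswith("0x"):
            continue                                 # blank line or non-dump row
        out += bytes.fromhex(fields[1])              # fromhex skips the word gaps
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split request line and headers; keep bytes after CRLFCRLF as 'trailing'.

    A GET carries no body, so non-empty 'trailing' means the dump was taken from
    a reused buffer rather than being genuine request data.
    """
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker: the dump is truncated")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "trailing": trailing}


def request_iocs(req: dict) -> dict:
    """Host, full URL and User-Agent lifted from one parsed request."""
    host = req["headers"].get("host", "")
    return {"host": host, "url": f"http://{host}{req['target']}",
            "user_agent": req["headers"].get("user-agent", "")}


# Constructed proxy-log lines (not from the report): ts client method url status "ua".
SAMPLE_PROXY_LOG = [
    '2013-08-11T20:15:10Z 10.0.0.7 GET http://www.3214.cn/?langman 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
    '2013-08-11T20:15:11Z 10.0.0.9 GET http://www.example.net/index.html 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '2013-08-11T20:15:12Z 10.0.0.7 GET http://www.3214.cn/favicon.ico 404 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
]


def find_hits(log_lines: list, iocs: dict) -> list:
    """(client, url, reason) for each line whose URL or host matches the IOCs.

    The User-Agent is deliberately not matched: it is the stock IE 6 string and
    would flag every legitimate IE 6 client on the network.
    """
    hits = []
    for line in log_lines:
        _ts, client, _method, url, _status, _ua = line.split(" ", 5)
        if url == iocs["url"]:
            hits.append((client, url, "exact url"))
        elif urlsplit(url).hostname == iocs["host"]:
            hits.append((client, url, "host"))
    return hits


if __name__ == "__main__":
    req = parse_http_request(decode_hexdump(LANGMAN_DUMP))
    print(req["method"], req["target"], "Host:", req["headers"]["host"])
    print("stale bytes after headers:", req["trailing"])
    for hit in find_hits(SAMPLE_PROXY_LOG, request_iocs(req)):
        print("hit:", hit)
```

The User-Agent is left out of the indicators on purpose. It is the default Internet Explorer 6 / Windows XP string, and the Content.IE5 cache entries and WininetConnectionMutex in the runtime details show the sample fetched its pages through the WinINet/IE stack, so the string belongs to the sandbox's browser configuration rather than to this sample. The host names and the exact URLs (notably /soft/Dn_YCM/1118-DnYCM.htm, /beifen.htm and /?langman) are the indicators worth keeping, together with the four resolved IPs.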


Strings