Analysis Date: 2014-10-31 17:41:29
MD5: 0faf02e4a0889a4ff3dc28aa02b5ef5b
SHA1: acdaa3ff023894b4e649c5c1f2f95e0160eebdd9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: 230b8127c61aa631508aa9ebf977824b  sha1: 644f4f834236d9bd0a9be53e2c85dd35b7723c00  size: 279552
Section .itext   md5: 28dea27186512b12eef04f1d6ac1843b  sha1: 8a53ffb562fd8f9f3d0ebe88e8ca1b182bb604a9  size: 2048
Section .data    md5: 90b5d254c2e9bb30cc0e6921e194e67a  sha1: 8341bb763c52897578f2e1fd1b691411049d0d63  size: 7168
Section .bss     md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .idata   md5: f212c4783e0ccae1bfe2661e52c41fb9  sha1: ce52c70684406be82983327cbe6366459f870cf6  size: 4096
Section .tls     md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .rdata   md5: 0cf7ec66994cd2de84b485f77cd5daec  sha1: fa9b5495025aac48aed64fef2ff5c229d548ef18  size: 512
Section .reloc   md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .rsrc    md5: e47992395b83233660ed1f751b4547d6  sha1: 907db62dbfea6a604f501478a9d2d959568a6fe8  size: 18944
Section .aspack  md5: f60ccfb00d1f362c677b3e515a5bf864  sha1: a8a59f766b58921563561e5e733a9616b33329eb  size: 10240
Section .adata   md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
(The zero-size sections .bss, .tls, .reloc and .adata carry the empty-input md5/sha1 digests.)
Timestamp: 2008-11-28 03:36:27
Version info:
LegalCopyright: 追心工作室QQ:520139
InternalName: FTP迷你服务器
FileVersion: 1.2.0.0
CompanyName: 追心工作室
LegalTrademarks:
Comments: FTP迷你服务器 BY 追心工作室!QQ:520139
ProductName: FTP迷你服务器
ProductVersion: 1.0.0.0
FileDescription: FTP迷你服务器
OriginalFilename: FTP迷你服务器
Packer: ASPack v2.1
PEhash: db52f0d0c6345fa2ae0b88c408712faf86b8def8
IMPhash: d7866498b25a388d428131f0b68866c7 (for a packed sample the visible import table is the packer stub's, so this value clusters by packer rather than by the original program)
AV 360 Safe: Trojan.Generic.2872749
AV Ad-Aware: Trojan.Generic.2872749
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): BDS/Delf.ryr
AV BullGuard: Trojan.Generic.2872749
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Delf.ryr
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.2872749
AV Eset (nod32): no_virus
AV Fortinet: W32/Malware_fam.NB
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.2872749
AV Grisoft (avg): BackDoor.Generic12.ZFL
AV Ikarus: Trojan-Dropper.Delf
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Delf.ryr
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Trufip!rts
AV MicroWorld (escan): Trojan.Generic.2872749
AV Norman: Trojan.Generic.2872749
AV Rising: Trojan.Win32.Generic.12CA4B41
AV Sophos: no_virus
AV Symantec: Backdoor.Delf
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Network Details:



Strings (extracted from the packed file as-is: most entries are high-entropy fragments, consistent with the ASPack v2.1 packing noted above; the readable entries are DLL/API names and version-info resource strings)
do
U.".
.
ym.
.
%
M.
..
......
O
%
.
.
.n
?
D.
...
c.f.<d
.
..
3
..
..
..[
..=l.
.

080403A8
1.0.0.0
1.2.0.0
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
 BY 
CDROM
CLOSEDFOLDER
Comments
CompanyName
CURRENTFOLDER
DLGTEMPLATE
DVCLAL
EXECUTABLE
FileDescription
FileVersion
FLOPPY
HARD	KNOWNFILE
InternalName
LegalCopyright
LegalTrademarks
MAINICON
NETWORK
OPENFOLDER
OriginalFilename
PACKAGEINFO
PREVIEWGLYPH
ProductName
ProductVersion
!QQ:520139
QQ:520139
SPINDOWN
SPINUP
StringFileInfo
TEXTFILEDLG	CHARTABLE
TFORM1
Translation
UNKNOWNFILE
VarFileInfo
VS_VERSION_INFO
|.._)`
"@`)?_
07kU(	
 (08@P`p
0BkqMd/
$;0B{v
0hDB"D
&!0	hJ
0%,$m4489
}0mYM?
 $#1?+
}&,%1>
10MffE
1bLWG4^
1<co#7+
1&e`hU
^; 1J8
1]?U|6}
1wZ~?c
:1X&Ii)
'1Y=u%
233 MR
2-8T-"z
2a\^#"
2c	S2a
2C"#VH
2efOFG_
2frWj:K
>&2%Kr&=
(2s59?
2\T-_(%a
]2w3pv
$>(3]-~
31R#eo
3|Id/}R
3NUZ{;
3t-HMm%
40X4@{
`4*{9g
	4f-O'
4h5j$'
+4\P~V
4'"v 3
4xUalO
5?0C"?
52a(m0
5[BPv?
;$5Dwlp%-#
[_#5,%]r<N
5uXteG
66-u{BZ#6
69,BOwy
{6bogA8
>*6GeN
[6h8]f
6o1TTL2t
|-! 6Y
|}(7%%
 #(">7
73.a}G
:7;8rD
7c4^w<3V
7FcRe(
7|f:&H
7IvGz 
~7~O\CX
7oV1yB
7pIxF9
=7t9"m+U
7^:WVfW
`8*6fZ@
8#a&n;
8e=MjT
8Ud\[=
8UI!Cz
8wn5sy
 >8YvQ4
8Z|0Jr
 ,9	,*"
90i:(!Ch
90ik	5
90iq	8
91\7_B
	+9`cW
9%dO!	~l
9e'Lb)
9h J,H
9kIK$;U}Z
9l/|U3
>^A0[L
<a2QJ&
#A41^e
a8BIKd
a%+ab?
A~A/j4
"#AB+Er}
.adata
advapi32.dll
aeT<PW
A*!h4u
ah.|l'
Ah( v=
<aIgIB
AjAjaHB
AlphaBlend
/AnmBO
ao5h|JTI
_a	 :r
AR N%o
.aspack
A~,wjG
aY^+:V
aza22}
'b8pOR6
BBy O*l
bCN]>D
b,f2P\
BFb>lo3
BfLwC9.
b%i=:D
bn4	9g
	B)(Nf
=#bO>t
BR,4=KX
BSf-cT_
-(bxY?
BYX6lAr
bYX6u@
>BZ>TY
[cA}!m
	c~<b=c/
Cb=nkCg
Ce-YsSe
cf|51H
CFq9E;
c^G.i|
cLGqVj
!"*Cn,
comctl32.dll
CreateWindowExW
	%C$-T
C>tc].NJLY
Cu^$gi
c*v.CV
CZ(c+5F$
D)>{)@
?D1u9dU
D,!2H_1
`D)3%[
d%!+A]
DcsL#_
d)+_dV
d-i6#h
D]	'jLW
Dnr. e}
do%DKM
dq?6~&U
d%Q]{b
Dq	JD4
*DtDOV,x^a
'.dtv$
dueYM|
d`uH)<
 Dv6SJ
"	DVDXD
\d%|Wq+
dwV^z4
dWzZ[4
DX%Fs1P}
DYopqe
;E:0C?&
E4R>zM
%E4we}
e6_	,-
+\E(8a
E(CisU
Ed5F(0
|@E.dE
e'du&H
ej9z.q
+eK)a2
eo6{@$uV	n
E#O#]u]
 E&t	y
e`*w3G
ExitProcess
E;z3li
(Ez,D+
E~zU&H5
(F_1*l
F78Q0V
f.bG.`
fc~wFZ
F!\Ef=
}fEryB
Fe Y8~
@(+fFdSb,
+FFT*u
fFvFfP
fJPxJYQ
:fk{Ci
FLIZ[qQ
}fl	V]
fP|-s$
FQp*=83
F>RMFm
Fr*wwN
Fs>CpT>
G%^+&_
G2Y3}C
\g>"5\
g6:~UW
g7t@3-9
G8Guv?
$	~g8_X
gA18Z`
GAG@9G
gbl%Pz
Gdb0rP
gdi32.dll
gd~LG/
(GDuE;a
GetKeyboardType
GetModuleHandleA
GetProcAddress
g%hHpj
.g]hNiN
G.i\3EIT
Gn'2Y(v
`GQ+}9S
	gS'	J2#
G~t,IQ
guDYxM
GuH!9v
,GUZV7~
G V\Na G
Gz9^7:P
GZ/9fr
Gzq\Of
g)zyMBN
h8Y|\9
HBKgHFn
HdN.c[
)h-F3i
 $H/f|B
HFn\6)
hgOR."I
Hg<Y<]1DL
hH@.Ee
*hKATB!
~h,kS\
Hl"B@YCS5
,HPp\F3
hR$3}Q
HR-d7n-
hWE|XE
h"Ya<b
!$	|{)I
^I5jAo
I:5Ne]
iC,%AYAa
(i\CRl
.idata
i/Gk	R7H
</-	iH
i(LZi|
#|< i`N~
InitializeFlatSB
ipP5pM
IPPPI_
=iQV"W
i|(]R\
iS2H6J
iT-%AM
.itext
Iw>w!'
iY@U`=Y
i_zM:5
@j{[4:/r
+j`7h)
_j-b@=
J>+#C&j9
jD.GQn
`jd:~m
%jdsF_
JF=m2F
jf]rJ.
jG?u+K
jI`nkN
J`JaJbJcJdJe
jj	'LK
JqoR	*
%	JVJXJ
JVqb^l]2R
j~WeA}*
jxKI:0
_jYg%+
K&2@I	P
`\k3Oq
*k6n9'
k7#r-7
k8bp6J
.k$Bct
K/Cu*>D/
KD}YP*
kernel32.dll
;k|F.	
KG16Vn
k~H\K{g
(KhL<;'-
Kj%B%C$
K?J{c2
k^?jQ6
.>@kkudB
KvEFvm[
Kw7?io
kx/"6/f
K<$;ZA
~l6[xH
LF6\y>>
?lfmh-
l#h$SRK
L]I'd=
Lk$pc`
L[@-kZ
l(lHlhl
L]LRXd
LOADER ERROR
LoadLibraryA
-l<{ux5
"_#lw8
;l.+YO
^:lySq
!L)Y"V
M+2C=g
m2%=jv
~m#3tI
M87kL;l
m9L]y#
M=aDyGSj
MbeA\0$
mE/nU\
MessageBoxA
mgrjE#l
mO`Umm/
^mq-G5@
mRmOe3t
msimg32.dll
mSR2{Y~>
MT.^"%(
[mt%mc@
,MuYc{4=	{
&|Mwq 
n}{>")?	
{N`0+d
N\dm"z
Nj8FXl
/{nKs%
'{+noY
n<&qs]"^
nw&?gH
n:= Y&
!`o0{0-	x
o41KjY
!O	a!L
O!C\MHh
ole32.dll
oleaut32.dll
OleUninitialize
 OlLS&
oN+,Hsu
;oo[i6
O;q9He`R
@oqVCF
OS k+'
_o)?Sp
;)OS*yi
p!{1@z
]	p+8MaYB
p93=$&v}
"p(anba
PaoXP?
P b\	A
PcPdPgH%
(P(DEy
PEI|1R
pfR	HZ
p+,g9F
`PKwcS
PMQJsb
|)PoS<D
_P=PE	
PQVeRcf*@(
[p:RDi
P""VDIZ!5+
 pW7r|>
pW|wI3r
|.p%Y"
py-y<B
(/@Q""
Q1Tj8X
Q1Vp|.P
q4Ll8zt
}Q&a$'e5H
qc4X7>
qjhgW.R^
q%Khn~
QlRwz#
qMG!U=
`q!mw	c
Q)`O>?
'Qt*h4^
QWD.Q}[e9@
qXg>[{
q?xJf:
]qYO%F1q
Qzsx$U
qz<zeg
R3<{\'sO
R]+4c]
r7t}OL
.rdata
rDLB;&u
RegQueryValueExW
.reloc
r|Lr{'",s
;RRmJ.
,RSr#^
!Rszh9
RVW'g(!]}R
RWu<)hS
\[^s>0zL
S#4.B%
}s8xt"&
S[adtK;
SafeArrayPtrOfIndex
\s|be_l"[
sdA[y=
SetSecurityDescriptorDacl
shell32.dll
Shell_NotifyIconW
SHGetSpecialFolderLocation
_sjAy?/
SoW/5p[F
Sql;bU
sSi`H	
ST^UW7
:#Sx_R
):()|s@y
SysFreeString
s*Yz	K	
	?t< #
/^t3< 
t)8l`Z@l
Tag%I/,MA
TbRg%J
TE@/Gz
tEWFE'Jk1@9
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
This program must be run under Win32
)TL1i6KJf
TNs4.0
tU50M"
&TX!Q@
u2d[y	
%uCGgDUF
uc)Vy:
u"d5Cm
uDK9;-
UfKWi_
UnrealizeObject
!U"O&+
uSa)3(
user32.dll
?u]sHb
US["w,
+u%VwU
Uz86.T
'uZGbL
]v66Xg
	>@+&vE
ve!At;@Y
verG-}
VerQueryValueW
version.dll
vgO_{*
v#i?K:
VirtualAlloc
VirtualFree
Vk}}2&_}s
VMM"zf
=V#~mx-N
vN30nS
VS^(>~
@V"#:W
vw~lI]
;Vws05
V.>W\y
w0}q-@[
-*w)17
w}^61`1E_
W79Qb	v
wa.^]Y
W:bcu?
WCCK%dV4
wD C<DsS
)WfFfZ
W`]F-Gn
WfT`F"VA2*
W.iT+bj
WjeF$Cc
WKHHK0xX
!w^kxy
wq=Y>5Aw
w+ `-r
/wrIhdY
W(rqXK
!`^wSB
wsprintfA
wVcB,P
^-=WVo
Wzb2c&
X):{/[,
*.x0ZjC}
:XAXKXDX
xbt[Lz
xe@AZ{0l
Xh9C]!
XIP@>4C
:"x<?%N
#X_qF!
XQ+	Sc
X	Qy{#
%xsBK`
XSE):f
x!Y^L_
*xyyrW
x^|ZFx@
XzvhhWqD
y"1JxN>
Y2u"8pH
y3k(#j
yAKMMel
Y&BfNID
Y#BL)}
yc4K./e
%Y|fOy
~Yi\+=q
.Y{\Jl
/;yl;=J	
yltG=s
yN:&j5!n>
=(Y'r"
yrVD`E
YSE,Xb
z4Ot1s j
~z51u`K
Ze)3|$
z|!+eB
ZheRz4
-Z\HhZE_
$Zij^e.
Z]-j+/!g5A
z^M`n%t
Z`ONU2tS
\z,SD(
Ztv`Px