Analysis Date: 2015-08-06 22:53:53
MD5: 19c46b455ac11f3cb2eb58c87db35dc9
SHA1: b976564b693e2fa7948de58ccc5a745dc2430eed

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: de1bfd5fe885e662bb208c16fafd249e sha1: 303f22acc6f7294da7ee9e9e1d2e7565cfde674b size: 25600
Section .rdata md5: f421df8ad2260998d86660d39bc59136 sha1: 3c338ee33337091b66eb537655c2ded79cd7ba39 size: 74752
Section .data md5: ca7b626bdfb6fe55065afef8f607fb60 sha1: 73233c202b458c5fa12671cfd82fa814c418f7c3 size: 3584
Timestamp (PE header TimeDateStamp): 2014-04-21 07:47:28
Packer: Microsoft Visual C++ ?.? (signature match on a Visual C++ build, version unresolved; no packer matched)
PEhash: 099dab572592268bd93f487320c1c5984269316e
IMPhash: a8a20d7db2ee7cd1a85074534adab9f4
AV Symantec: no_virus
AV Avira (antivir): TR/Injector.104960.6
AV Kaspersky: no_virus
AV K7: Trojan ( 004b03c71 )
AV Ikarus: Trojan-Ransom.Win32.PornoAsset
AV CA (E-Trust Ino): no_virus
AV Zillya!: no_virus
AV Rising: no_virus
AV Trend Micro: BKDR_PLUGX.EO
AV MalwareBytes: no_virus
AV Dr. Web: no_virus
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.gmW@ae8cX8n
AV Authentium: no_virus
AV BullGuard: Gen:Win32.ExplorerHijack.gmW@ae8cX8n
AV BitDefender: Gen:Win32.ExplorerHijack.gmW@ae8cX8n
AV ClamAV: no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV Fortinet: W32/BackDoor.YG!tr
AV CAT (quickheal): TrojanAPT.PlugX.E4
AV Mcafee: RDN/Generic BackDoor
AV Frisk (f-prot): no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.H
AV Arcabit (arcavir): Gen:Win32.ExplorerHijack.gmW@ae8cX8n
AV Twister: Trojan.DOMG.jfsc
AV F-Secure: Gen:Win32.ExplorerHijack.gmW@ae8cX8n
AV Ad-Aware: Gen:Win32.ExplorerHijack.gmW@ae8cX8n
AV Alwil (avast): Evo-gen [Susp]
AV Emsisoft: Gen:Win32.ExplorerHijack.gmW@ae8cX8n
AV Eset (nod32): Win32/Korplug.DB
AV Grisoft (avg): BackDoor.Generic18.ADHP

AV summary: 19 of 31 engines flag the file; Trend Micro, Quick Heal, Microsoft and ESET name the family (PlugX, also called Korplug). The identical Gen:Win32.ExplorerHijack.gmW@ae8cX8n verdict from seven vendors comes from the shared BitDefender engine and counts as one independent detection, and the Ikarus "Trojan-Ransom" name is an outlier not supported by the runtime behaviour below.
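The per-section md5/sha1/size values and the timestamp above are derived from the PE headers. The script below, added here as an example and not part of the report or the sandbox's own code, recomputes them with only the Python standard library so that a file on disk can be checked against these fields. It assumes a PE file with a standard section table; because the sample's bytes are not on this page, `build_sample_pe` constructs a hypothetical minimal image to run against. IMPhash is not computed here, since it needs the import directory (pefile's `get_imphash()` does that).

```python
# Added example (not from the report or the sandbox vendor): recompute the
# "Static Details" fields above from the standard library only, so a sample
# on disk can be checked against the report's per-section md5/sha1/size and
# PE timestamp. The real sample's bytes are not on this page, so a minimal
# PE32 image is constructed inline (hypothetical test input) to run against.
import hashlib
import struct
from datetime import datetime, timezone

REPORT_TIMESTAMP = 1398066448  # 2014-04-21 07:47:28 UTC, the Timestamp field above


def file_hashes(data: bytes) -> dict:
    """Whole-file md5/sha1, the MD5 and SHA1 fields at the top of the report."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def parse_pe_sections(data: bytes):
    """Return (TimeDateStamp, [section dicts]) for a PE image.

    Only e_lfanew, the COFF file header and the section table are read;
    that is all the per-section hashes need. Each section is hashed over
    exactly SizeOfRawData bytes starting at PointerToRawData, so virtual
    padding is excluded, which is how the report's section hashes are made.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return timestamp, sections


def timestamp_str(ts: int) -> str:
    """Render a PE TimeDateStamp the way the report does (UTC)."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def describe(data: bytes) -> list:
    """Produce report-style lines for a PE image."""
    ts, secs = parse_pe_sections(data)
    lines = [f"Timestamp: {timestamp_str(ts)}"]
    for s in secs:
        lines.append(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    return lines


def build_sample_pe(sections, timestamp=REPORT_TIMESTAMP) -> bytes:
    """Construct a minimal PE32 image (hypothetical input for this example).

    `sections` is a list of (name, raw_bytes). SizeOfOptionalHeader is 0,
    which the parser above tolerates; real linker output always has one.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # raw data follows the headers
    table, body, vaddr = b"", b"", 0x1000
    for name, raw in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code|execute|read)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        vaddr += 0x1000
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    # Constructed input: ".text" holding b"abc" and an empty ".data".
    sample = build_sample_pe([(b".text", b"abc"), (b".data", b"")])
    print("MD5:", file_hashes(sample)["md5"])
    for line in describe(sample):
        print(line)
```

To check a real file, read it with `open(path, "rb").read()` and compare `describe()` output with the Section lines above; a mismatch in one section with the others equal usually means a patched or re-packed build of the same source.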

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Process: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Mutex: Global\ylkhkxsuxcpzk

Process
↳ C:\Documents and Settings\All Users\DRM\XXX\.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\egduk
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\irseozgsercpkmgwv
Creates Mutex: Global\ylknm
Creates Mutex: Global\msbczwdtcpdsi
Creates Mutex: Global\mschu
Creates Mutex: Global\aabhnqurdbfoh
Creates Mutex: Global\ylkhkxsuxcpzk
Creates Mutex: Global\ykbkv
Creates Mutex: Global\stuxkwabijxwwaxrh
Creates Mutex: Global\wubqw
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\galkfshjhysauyehi
Creates Mutex: Global\iqlpefsfveadljlia
Creates Mutex: Global\msdsj
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\oibsb

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: MMMM
Winsock DNS: 127.0.0.1

Note: the three index.dat files, the c:!...! mutexes and the Internet Settings proxy reads are WinINet initialization artifacts, so the svchost.exe instance started by the dropped executable (not by services.exe, which is the normal parent) loaded WinINet for HTTP communication, and \Device\Afd\Endpoint is a socket being opened. This report records no actual C2 traffic (Network Details is empty).
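The process chain above (malware.exe writes and runs an executable under All Users\DRM, that copy starts svchost.exe and creates a burst of random lowercase Global\ mutexes) is what a detection should key on rather than the hashes. The script below is an added example, not part of the report or the sandbox: it encodes three rules and runs them over an event list constructed from this report. `SHARED_PROFILE`, `RANDOM_MUTEX`, `SVCHOST_PARENTS` and `RANDOM_MUTEX_THRESHOLD` are the example's own assumptions and would need tuning in a real environment.

```python
# Added example (not from the report or the sandbox vendor): turn the
# behaviour recorded in "Runtime Details" into detection logic that runs over
# sandbox process/file/mutex events. EVENTS is constructed from the report
# above; the patterns, allow-list and threshold are this example's own choices.
import re
from collections import defaultdict

# (acting process, action, target) rebuilt from the report. A real feed would
# be the sandbox's JSON export or Sysmon events 1 (process) and 11 (file).
EVENTS = [
    (r"C:\malware.exe", "file", r"C:\Documents and Settings\All Users\DRM\XXX\.exe"),
    (r"C:\malware.exe", "process", r"C:\Documents and Settings\All Users\DRM\XXX\.exe"),
    (r"C:\malware.exe", "mutex", r"Global\ylkhkxsuxcpzk"),
    (r"C:\Documents and Settings\All Users\DRM\XXX\.exe", "process", r"C:\WINDOWS\system32\svchost.exe"),
] + [
    (r"C:\Documents and Settings\All Users\DRM\XXX\.exe", "mutex", "Global\\" + m)
    for m in ("ommdvtuqnjwvdfajh", "egduk", "ssmuagced", "irseozgsercpkmgwv",
              "ylknm", "msbczwdtcpdsi", "mschu", "aabhnqurdbfoh")
] + [
    (r"C:\WINDOWS\system32\svchost.exe", "file", r"C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp"),
    (r"C:\WINDOWS\system32\svchost.exe", "mutex", "MMMM"),
    (r"C:\WINDOWS\system32\svchost.exe", "mutex", "c:!documents and settings!administrator!cookies!"),
]

# Shared-profile directories that legitimate software rarely executes from.
SHARED_PROFILE = re.compile(r"^c:\\(documents and settings\\all users|programdata)\\", re.I)
# Global\ followed by a run of lowercase letters, the shape of the mutexes above.
RANDOM_MUTEX = re.compile(r"^Global\\[a-z]{5,20}$")
# svchost.exe is normally started by the service control manager.
SVCHOST_PARENTS = {"services.exe"}
RANDOM_MUTEX_THRESHOLD = 5  # assumption: fewer than this is ordinary program behaviour


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of finding strings for one sandbox run."""
    findings = []
    written = defaultdict(set)    # process -> files it created (lower-cased)
    mutexes = defaultdict(list)   # process -> mutex names it created
    for proc, action, target in events:
        if action == "file":
            written[proc].add(target.lower())
        elif action == "process":
            child = target.lower()
            # Rule 1: a process executes a file it wrote under a shared profile dir.
            if child in written[proc] and SHARED_PROFILE.match(child):
                findings.append(f"drop-and-execute from shared profile dir: {proc} -> {target}")
            # Rule 2: svchost.exe started by something other than services.exe
            # (injection / hollowing target, as in this run).
            if basename(child) == "svchost.exe" and basename(proc) not in SVCHOST_PARENTS:
                findings.append(f"svchost.exe launched by non-SCM parent: {proc}")
        elif action == "mutex":
            mutexes[proc].append(target)
    # Rule 3: a burst of random-looking Global\ mutexes from one process.
    for proc, names in mutexes.items():
        rnd = [n for n in names if RANDOM_MUTEX.match(n)]
        if len(rnd) >= RANDOM_MUTEX_THRESHOLD:
            findings.append(f"{len(rnd)} random-looking Global\\ mutexes from {proc}")
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Rule 2 is the strongest signal on its own: a non-service parent for svchost.exe is rare on a healthy host, whereas rules 1 and 3 are tuning-sensitive and serve best as corroboration when they fire for the same process.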

Network Details:

(no network activity recorded)