Analysis Date: 2014-06-28 02:39:18
MD5: b860b7d7082261880b8f9a46c44fdf34
SHA1: c1ad9ee34b553a343b9b533f0f3be371cd82f628

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (raw size 0; the hashes are those of empty input)
Section UPX1: md5: 0cef5df579d5ecdcf35fd6684d0d6b69 sha1: 65a48a560308c814b8b618e56517a4e64bf8bafd size: 400384
Section .rsrc: md5: 80ce880b42aed3c083a47115bd920bc1 sha1: e63d1c6b3baedac6210b071642e26e3b0ec93417 size: 6656
Timestamp: 2010-05-06 10:56:05
Version LegalCopyright: 彩虹氣泡RG輔助程式 (approx. "Rainbow Bubble RG helper program")
FileVersion: 1.0.2.62
Comments:
ProductName: 彩虹氣泡RG輔助
ProductVersion: 1.0.2.62
FileDescription:
Packer: UPX -> www.upx.sourceforge.net (the empty UPX0 section and the 400384-byte UPX1 section are consistent with a UPX-packed layout; the API names visible in the Strings section — LoadLibraryA, GetProcAddress, VirtualAlloc/VirtualFree/VirtualProtect, ExitProcess and roughly one import per DLL — look like the UPX stub's import table rather than the payload's, so the IMPhash below most likely keys on the stub and the sample should be unpacked before the static import or string list is relied on)
PEhash: 0aa01f183b1a663eedb80b7c95ff7b042cf242b7
IMPhash: 806f47d4b635342ec6c5dfb8febc197f
AV 360 Safe: Trojan.Generic.6272940
AV Ad-Aware: Trojan.Generic.6272940
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Rogue.6272940
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Agent-204211
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.6272940
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.6272940
AV Grisoft (avg): Dropper.Generic3.BTGI
AV Ikarus: Trojan.Rogue
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.6272940
AV Norman: winpe/OnLineGames.LWBP
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
11 of the 29 engines listed flag the sample; the identical Trojan.Generic.6272940 name from 360 Safe, Ad-Aware, Emsisoft, F-Secure and MicroWorld most likely reflects a shared detection engine rather than five independent verdicts, and Norman's OnLineGames label is consistent with the game "helper program" wording in the version info above.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\vga.drv 1024x768x24(BGR 0) ➝
31,31,31,31\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.wretch.cc
The index.dat files, the WininetConnectionMutex and the cache-path mutexes, and the Internet Settings / DrawDib registry reads appear to be ordinary side effects of the WinINet and GDI calls the sample makes (InternetOpenA is among its imports), not sample-specific artifacts; they are weak indicators on their own and should not be used as IoCs without corroboration from the network activity below.

Network Details:

DNS: any-rc.a01.yahoodns.net
Type: A
98.139.102.145
DNS: any-rc.a01.yahoodns.net
Type: A
74.6.50.150
DNS: www.big.somee.com
Type: A
66.197.198.196
DNS: www.wretch.cc
Type: A (no address is recorded for this name; the any-rc.a01.yahoodns.net answers above and the flow to 98.139.102.145:80 below are consistent with www.wretch.cc resolving through a CNAME to Yahoo-hosted infrastructure)
HTTP GET: http://www.big.somee.com/momo/001.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://www.wretch.cc/blog/darenjpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 98.139.102.145:80
Flows TCP: 192.168.1.1:1034 ➝ 66.197.198.196:80
The two requests carry different User-Agent strings: the /momo/001.txt request (NT 5.0, and no Accept-Language or Accept-Encoding headers in the first pcap block) appears to use a string embedded in the sample, whereas the wretch.cc request carries the header set a default WinINet session on the sandbox host would send; the embedded User-Agent together with the /momo/001.txt path on a free hosting domain is the more useful network detection pivot, and the 001.txt fetch is plausibly a remote configuration or command retrieval.

Raw Pcap
0x00000000 (00000)   47455420 2f6d6f6d 6f2f3030 312e7478   GET /momo/001.tx
0x00000010 (00016)   74204854 54502f31 2e310d0a 55736572   t HTTP/1.1..User
0x00000020 (00032)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000030 (00048)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000040 (00064)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x00000050 (00080)   7773204e 5420352e 30290d0a 41636365   ws NT 5.0)..Acce
0x00000060 (00096)   70743a20 2a2f2a0d 0a486f73 743a2077   pt: */*..Host: w
0x00000070 (00112)   77772e62 69672e73 6f6d6565 2e636f6d   ww.big.somee.com
0x00000080 (00128)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000090 (00144)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f626c6f 672f6461 72656e6a   GET /blog/darenj
0x00000010 (00016)   70672048 5454502f 312e310d 0a416363   pg HTTP/1.1..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000030 (00048)   2d4c616e 67756167 653a2065 6e2d7573   -Language: en-us
0x00000040 (00064)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000050 (00080)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000060 (00096)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000070 (00112)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000080 (00128)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000090 (00144)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x000000a0 (00160)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000b0 (00176)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000c0 (00192)   20777777 2e777265 7463682e 63630d0a    www.wretch.cc..
0x000000d0 (00208)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000e0 (00224)   2d416c69 76650d0a 0d0a                -Alive....


Strings
..
...
7
.
.
y..!
040404B0
1.0.2.62
Comments
DEFAULT_ICON
FileDescription
FileVersion
LegalCopyright
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
.00v^>
?{08d,
*08-Xa
0aIqe,
@0AW@n
0o,u,G
0<q=}c"
0S9"na
0ufOq/
:0xHLk27O
![^0xZn
1$26H-
13QWF_;
/".1#6?
1&7'!=MO]
=1b=Qq
1CMGd!
1H&0eG
|1`jtBX
 1QSl )
1+T<006
}1wB	fq|
*^1xHZD
	/2=9 
2"9["e
2[cUG;
2ht;I$
2I+OlOhf
'2jq9+
-]2j&T
)(?2k 
2lW>h!
2m`4g8
"2>t^l
!2ucN:
(]2 XmDr
^	2y6S
2y>LEJ
#3%0(w
35Pe;B
35[,QZ
36l+h]
3="?d-
3@E1<e
3Ey*Y;[g
3Kd-v(Y3
3L<Fh$
:?3n?u}r*le
3Q(	W:
3VL`l2D
&3&W!HV
@3'Xw4
_:~,(3=Y
4&;7SN
|4 [^d%
4	]FsbJR1
4g|92>
(4+j~+I
4n;Bm~
4T9Z[b
4yhP6\
%!\5_2S
5Ee.17
5J5/%4NO
5m%2,M
5o"4"bL,\_
5tOT\{
"5 >y5
}*[6(;
,;6B!E
$6GgJ*
6MlotZ
6M<:u6
6rQNCk
6Sd%wHl
/6T-W=
\6u;@SJ
_, 6\V
6w|g*S
6ztzL|
;*-";7
73GgJb
75Z,k+
7c)YI}I
7~~	+D
7)fFplI)(
7Gl{9{D
7Jt1]E
7P?Dm^
7qq_Id
7*.Yk%
(8@}|-
!:_84&
$&8665I
8FK/ h
.8m(-1
8oDg"7
^8Rr},
'8Z0TDL
92:JJ@h
98TzM#
9bl+wg
{9h-~-
]9~&JhK`
9l$\w_
9MV8X,
9odZ_UE
9>qhir
9W**.{
9w3QJW
9WQ;:}7_
9W uqB<38
-9_XLu
a%0]5v
A`1[[\
!A1k_-
a1mI2`
{a:=3^
a5E\t23D
a6%Skh
Aa>!H25k
aB)<#GV
ACq,z,fj
A%cZ/ +
ADVAPI32.dll
a	Eyzm
!a%e[Z
a!F<js
	AGa`S
a{Hd];
A}iF_!
aIP5L9
~@AKar
AlY+x$3
;aOBp:
ApRzqk
	AQt6R
A\'Q&WZ%
As	@$_`
a`V1M>L
_%Axig
aY|vzx
@aZ>33
B1=ih%k
=B2.a@
B2atuN
B$57)f
B[_5r$4
!B~'7*
['b@9|,
.B=apV
bI\U!Om	
^bJbJ*
*B!m *q
BmwY{V
bm' ZYQ
bt6pYXv
B#;`UZ
BVJ&ep
'bW+2p]
	b]yht!
c"1@Cl
C#40;L
&c4doO
~C9c3.M
cB7^$23
C*bmgEt
cD[4c&
=|Cdmyg
;c$dz`
&&cFBk
ChooseColorA
%ClE9ZdX
c=mTv{
COMCTL32.dll
comdlg32.dll
%:c|q[_
C*R::?[
cSq|)Q
c@\tH%"=
'CzgE~
CZ-lQD{@
D3#=js
|d5oOf
d'7{>.
d9`pc}
dao5L.
#*dC.#m
d$>E.@
+D-f{?
'DFV(A	
DG&1=w
.)D$H)
:DiTsG
DlJfSO
,DMG;)WL
D$t+D$\
D$t#D$h
D=U8h3|
DvB -OR
dWH<QSi
DwZ"	F#O
E3!U?3
E)\dI?=q
EdMG7S
%$EFaeM
eHK!WJ
%Ei\-8)
E/IqUl
e^jsV'
el5>0/o:
EL:"EP
eltsN8
en0GAWu
{enC\x
ENFK^VE9C
EP742EO
@eQ4>!
e#RH4{
&euL6E
=eV(k)^
;EW^}!
]eW>c{
eW[W2a
'_E[}x
ExitProcess
EZsx4=$
]F0L{#
F5mt4F
&fA\pA
FaUWTO"
^fCG]S
f/cpMR
+?fFVx
f'g}|M
F)gREp
FHvLIG
.{fI5Q
fI|d(K
FjTorT
F%kJE {
)"	{`Fl
<fmB($
<FMBX-
F^M$v_y
^:/?fn[
FN)Hv@z@
Fnv9}y
F;O4^\
fQd:8Xl
FQl7Rj
*FQ>)T
@-^fR~>*
!fT`BH
fUAZ":
{{F&;V
FX2.'x
fX4a+T	
FX#F!|
f:xP9K
g0gDJG
g0[nh3
{GakiS
]gARqOI[wL
`GbL:@
gbq[\e
'_>GC=A
G^;	cK
-.gcN+
GDI32.dll
get~"G[w
GetProcAddress
g)#ghg
g'K@hdK
G@.LW&W
GM|MT7n
@Gn8(X
GpxHJ|
gq`k2*[Qd
\?gR5-}1
]G);Tfh
GTGq@8q
gwG~XR
Gwmc>]
g:YH4~
gy[s";
.(GZ-e
G]&ZkF
g-_zWl
!GzZ!<16
*	#h?^=
\h1=,*!
h=&;1>
>"H1nM
H5AX!m
hC|fY@
HDBXc!
hDI~dm*Kl
HeT+q%
?HfPTA
h"JH{D
HllR6FZ
hmKhe(
h)^-NdB
"hN;vC
$}{[hqFl	
hRr[Is;
HSfJqv9Y
"hW;+]
h;x~+/
/\H<-x
i>0,UJ
I4S3HM
}i7^ZS+
:Ia(us
=!IcmS
*&iCt'
iE0/K6quF
iE|V'.
IFveY;5
I:I!vXu7
II`-:X
?)Im].
IMKp6,
I)mx{9
InternetOpenA
iPi.$Z
?IqR<6
;iTAZB'
"@ Itg
iT$kAR8
itQ!U2
iu!4bj
I/v8<i
~+IV*e
I*W,wT
&-I`XA
IXCTgmD_O
\J4%L?
J@	5PB
J6Yrp|J
&j7+' 
J(D8>o
jGcyiW
%):JGtN!
J)/H}<
;JjlNh
`;+jlh
}JLzK4
\J}mZ2
JODP(b
JOhzO=q>r=
Jo|~;K
+jPaWgU
(jpUAo
jsll;<^
{jT/@	
jv`KLR
jWD5_R
jw`p&#
JxPU~m
JYQe,Ko
,k0DVc
K2TaV0
KERNEL32.DLL
KGUT6O
K:HAfQ
Kj-0r	$iRr
K<'j5([D
k?J	:H
k%K$1|N
;\kK3/
)kkba^
kn%#|s
		(\K*`p	Wn[
/[KQ1I
kQoI~T
\	kURb
kvVS-0]&H
L3!gn+
L4L~g6
/l_@4X
L--68??=
L9s?1Y
L,A}K_
lC@"@E
*LF&,2/
^lhD.Y
LiEyQ)G
lILcUxz&
ljDMd5
lKk^IgWW
l{l)YgZ
Lm`Ht9n0P
l%mvzR
Ln_ZrX
}%l	*O
LoadLibraryA
LQ)VOQ_
ls0T"M
l@SqwN
:LY3=4
lYNM9N{F
M/1mq-
m6V{Fs
m9m#Y7s
M9X$gS
m|a	LK
Mbd:\$
Mb\P[1
#mb|`Q
 mE|)u
@mfc"H
=M~HRQ
Mji)%!A
m"k!li
mk;z&]?SKa
mlO^*}
~mQ\6d
^Mr g`
Ms4]*1
m=U?fe[
,Mv!W	
^@?m(z
?n710^x
"\N^A/^
>N'*bA
'ND3/%u1B
&N}<Dl
NDWAuG
ngCOT7
|)>Ngi>;
Nh-.Q@r
n[K_H=	
%nl6WM
=NLRB/
?n_L@Y
`NN[jXF
n:[,=Rr]
nTC,sQ
n$wNe^
.^+{?o
o1E'%\Z
-o4};0
o#"8}sy5
{oaryG
OBn@wo_
oFD|7Om1*f
O#{@[h
Oh5"gi
oj5BLy
$.o!kz
ole32.dll
OLEAUT32.dll
oledlg.dll
OleInitialize
OMzv.Dg
 o+~N04
(oObd&9
OOw^AgT
OpenPrinterA
o`pSmm
O<VBA{
OY OZ7
OY~S/`
OYY-Vii
#*,Oz39
P<2x[6
P~3GE)`
\P8$fM
p9F1B|
PatBlt
>P_Dtn
p;+eOJ
pGK66g
pgkh	,Y+
P?IOdU
P'Lly:
PpQ4Ja
~PR6,_
psdS>&ls
p.;/Uj
pv9z/&
<)>`pw=4
#$"pwPX
PY[Zr 
Q#08YB
**q2x Q
}@|q7ko#b
!Q7*o8
?q9P]C
q'au; 
QCIUt[
~>QD0Wu
Q[&$EH
||QGry
#qgz5)
Q\;h)N5
]Q_jeI
q$kY sI
QO(a*y3I
=?Qo,YV
!QQ=s"!
Qso7EF
Q`s\&&$W
q=X$>x
qyfbh A
qz	-Gm
r2%(TO
r5ot,>M
r6)VuD|
RASAPI32.dll
RasHangUpA
rb[O>r,y
RD1Ia#
r~d_RY
]/-R-E
]rE_cr
RegCloseKey
R\)#eVY
;\rGba
r/|H(P
Ri17	'c
/{Rka'
RlY ;p#h\
	}`rOn
RP4]gs
rT)J~r-+
rwrKw3
RYd?2'q
,S21V2\q
s6V^c]~
S'7@5H;@.
saKRU$
saR_@8
s}&AS+Z
SfK4F'L
SHELL32.dll
ShellExecuteA
?Shg.F
%S%i.!
S{j5Gr
s`)L$4
sm2`u!
S,Nfbb6J
SNqr)L
'sQ\HpE
[^S-?q<k
s^Su-#>V\
}s*tUU
&S]uP0
"SU'"q
+>	S$W
*SxQ@0yd
S<Zdd|
t4	D27
=T`!7mI<:
t!;9.a
tbdmn;
*tE7OUn
TEn}Z+m}
TfiIfu. 
!This program cannot be run in DOS mode.
!t'L2%
.Tl$!oF
=tm}QI>DC
TNG$x,(|
t_@OB~
^"TpEn
;t_R0Q
tS"@	^
T|sYj>g
t$t#t$l
tZ*Ywr
'+(u*~
U0sm!-/
!U0TFL$
"(U0z&A
U:7RO,]
~u7.X#
=Ua"ZP
%U	B	^
UB:7%OF
`:U	@C
uc`*`0
`Ucz/L_
Uc$zV!wQF$E
&U+'e*O
UF(LGN
%?uG`"i
UH$5GQ
"uNe/ 
u^o`-.@
up4^p/
=us/9/d
USER32.dll
(*uUR@
uu_>z/ 
,u{v</'
#UX$vQx
V:$"30
v5N@.#
V+9wfK
vAIWOre
'`'(vB
.'{.Vc
$vc&Dn
^@V:E8
V@E#p%"
vFGfoQzA
viD^$M
VirtualAlloc
VirtualFree
VirtualProtect
v/Nk45
vn|&OL
:Vn;Pd]
Vo;g8zg}
}V$|%p
v[QbDd
Vq"n-F
V<q)_	R
;vU]Gc
V\@W@02d+F
v>Wxh\f
@vy%N;
/v}?yp
VzB-#Tt
W7P0.x<
waveOutOpen
*W=\	C
WDFQdFq
w_Eev"
W&`	eLQU
w@.GK1v&
wg^u1P
w!ihMD
WININET.dll
WINMM.dll
WINSPOOL.DRV
-@Wja*
wKwnjI
_;wNB@
w.P9@!Dg
WP)Ck"]
W<po	4~
w^r,/o7
WS2_32.dll
;wT}`	1
W$w~-Hr
(w-'x"
~$|~wX
'wx0	:
~WXurHV4(
*W@y)*
W|~"yo
)\WyoZ
]WzVsqc
*+x>]]
X0_z_b
X5.K"d
x<7q]L
XABv,"&
XAcWv?
Xa^$t<
xEy'e-
/=x!g]
 XIcpy
x+]|Li
xlJOxh4
%X}lm;
?x%m_^
XM\^O}
x%$N4/
X	NK`a
xOoA5q
=xO|=T
XPTPSW
X,quf6x 7
xrE1c@
Xt*K]F
:x*])v
$Y.4([
y5G1{|Di
{Y9u!aL
.=Y<D|
Y|Djtr
y (E?@
Ye8~L}
y^E-$H
yFJxpHc
/Yh>fAf
yiOTH6
YIXPe"
YJ$zSXA0
y!k1)P
)/Y.K j00
Y,MNW:
[y,^<N
[yNEHEFN
YPH2r?
y%rH-jJ\
<ySj'x7(S
'ytONe
y}Y-"4
<&:Y%Z
Z0U"W(c
+Z <&1
$z)&<4p
z*53@"E
Z7S,'R4
z7zss2@
zb4kV6|
ZBNG	p
Z:c!$@
ZN+Pu\
zpmPjFpy
Zrq	wA,
z,?StK
zU1=i(\
ZvCK~3
Z,Vd[M
[z[w	a
Z=#wFh
*ZYd'5
zyF"Iw
ZYm6N}e
!zZtR7