Analysis Date: 2014-04-08 03:21:59
MD5: 6fbe885ace08b2952403b48bae763193
SHA1: c31b944a7452b23275e9824745de750480ff0cc4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5f00cf3c0e7c560c273328ef1324a91d sha1: 7b23020be7809c19da202fa720440ee00acc50c2 size: 16384
Section .rdata md5: b8c25f354ea0db0021839d67d7336bb9 sha1: 53c7741642dba79c21e393cf410c27d7c6bce522 size: 4096
Section .data md5: eb25be74612c69c61bd47e45c2fd066d sha1: f0eef9a708c34ddb2f01edbf0937ec3791b67d14 size: 4096
Section .rsrc md5: 016c777f6ce73f2b3266622567963fdf sha1: 6b419b7d61c361bbbaeeaee2a9ea2837d112b7b9 size: 4096
Timestamp: 2011-04-27 01:57:07
Packer: Microsoft Visual C++ v6.0
PEhash: c26ea10fa21dfd1ca7521184ae7ebec73b9d1d1d
IMPhash: d54c41d12a4fe2a86af153b61b5749c0
AV clamav: Win.Trojan.Downloader-24891
AV avg: Downloader.Generic11.WWM
AV avira: TR/Dldr.Small.aiina
AV mcafee: Downloader-CMX

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\ASD\STM ➝ 1396944914

Network Details:

DNS: yahoo.com.cn
Type: A
68.180.206.184
DNS: yahoo.com.cn
Type: A
98.139.102.145
DNS: 8475.770304123.cn
Type: A
HTTP POST: http://60.217.234.138/pl1.txt
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 60.217.234.138:80

Raw Pcap
0x00000000 (00000)   504f5354 202f706c 312e7478 74204854   POST /pl1.txt HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a486f73 743a2036 302e3231   */*..Host: 60.21
0x00000030 (00048)   372e3233 342e3133 380d0a43 6f6e7465   7.234.138..Conte
0x00000040 (00064)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000060 (00096)   6c697665 0d0a4361 6368652d 436f6e74   live..Cache-Cont
0x00000070 (00112)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000080 (00128)   0a                                    .


Strings

 (C) 2005
msupdate
 msupdate
msupdate 1.0 
 msupdate(&A)...
TODO: 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
0My@8&aMqTo
14Yhg<
1=><'>>9:9=8;:'jg
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
]1i	n[.
<1rE] 
234.138/pl
_2<6ll
2C18QD
)2#$k$S
2U7Jd[
2ujS|P#
3S%uaE.K
,3vJ.o
&4h_i6
4x4gibF
+`.+58
5+;O5	
5:wUU.r
6pe+	M
$86A1vE/
8?:'jfd
8OQSiz
]A:;+7
-#a 7eh
_access
_acmdln
_adjust_fdiv
ADVAPI32.dll
aHlu=2GmTBF~
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
,A	t((#
.B?8|^1
[BKP%c
bQ@YRnC
b_Skn:w
BU{k<=(
BVL($v
Bx+mMj
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
c5%XZW
*C90'H;
CloseHandle
c)nI0x
_controlfp
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
C,&+Pc
Cq7tWH3
CreateEventA
CreateProcessA
cVgW08
__CxxFrameHandler
D1\g.G
d$8Rh8c@
@.data
DDDDDD
DDDDDDDDD@
DDDDDDDDDDDDDD
DDDDDDDDDGpw
DeleteFileA
DeleteUrlCacheEntry
D$HRPj
__dllonexit
D^PNe{.Z
&&DS_]So
D$ UVWj
DVM5l4
^D)yu;n
e0)VQ'/
ECC{xw2
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
e*PPFN
'`Esu)
_except_handler3
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
<Fnf t
fNtTJ@
@Fu"4"tY
	G(`\ 
G1vX10
g<93{/
>~;GdeT
GetBinaryTypeA
GetFileAttributesA
GetLastError
__getmainargs
GetModuleHandleA
GetShortPathNameA
GetStartupInfoA
GetTempFileNameA
GetTempPathA
GetVolumeInformationA
GjIo	e
gm?`1|
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
GU$?@8E
"h-`.~=
-@h`#3
h:_	8~
Hdl}Sv
hf]1*Uv
HGR&_+k
Hi1tML
{h		jU
-$HmpWC
H]N?^@
HQ'0'8
HrCg@b	g 
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
HTTP/1.0
HTTP/1.1
http://60.
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
i1#eT:%1
:i6Er	"
i!\_dn
I+jQj4kO
InitializeSecurityDescriptor
_initterm
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
InternetSetFilePointer
IO3"N:
IQPh8a@
Iu#h$a@
J3C\x^l
^j h6|
jJ#3h6
Jmbw~f
$j^o~%
jPh<d@
Jud>	w
j{V.hS
(:K~5Oq|
-k?+6a
Kb]hS!I5;+
kd{t8q
KERNEL32.dll
kh`m|'jfd
/Kk~D33
ks/W~QT
KZWn%qB
L$<PQR
LQ;DyL$
L$thLa@
L$XQSSP
[main]
memmove
MFC42.DLL
-MHChw
$>Mn)7
msndown
MSVCP60.dll
MSVCRT.dll
`n"9ECUM)
)na}EX
N*AH*Hh
NefkheU<>8HM==1$8O?0$=>m<$HLJ8$M<LH;;:==90K
@nL,E'5r
NLt`H@tB
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
]N<$#U
Nw2%Zd
OM	4Q9
_onexit
oN_kd?MB
Oo29AZ
OpenMutexA
oTX>E!F
"oWQ4"@g
{Pa&$_
__p__commode
pe:5Q'y
__p__fmode
phaff'jfd'jg
,P(smA
p}[v}6
"PZSR98B
q.|G;G
q|@.Gi.G
qJ #m#P|5
qOLQPe
{Qr{YD
QVhPa@
qz#3/	[
`.rdata
?[rdK	
RegCloseKey
RegCreateKeyA
RegSetValueExA
rF`eY<
R-&/Ii
s_..8X
SearchPathA
__set_app_type
_setmbcp
SetSecurityDescriptorDacl
__setusermatherr
She0]i
Software\ASD
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
sprintf
%s%s%s%s
strchr
strstr
@<!s"v
t^?cwa
!This program cannot be run in DOS mode.
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
!!tm"up
u4pjlT
/?&uid=
 ul5TF
u-V'`5`
V	90PQ
vI:8t\
vKg3fY
V@N^_mb
VRQUPS
V+`y0K
[W*-|]
WaitForSingleObject
WININET.dll
{Wl{C'
-Wmv'b
WS2_32.dll
W'=Vr5s
WVVVVhP`@
':wW8~a	
wwwwww
wwwwwwwwwwwwww
` }=-x
++#|x@
_XcptFilter
?_Xlen@std@@YAXXZ
X*l}{u
?_Xran@std@@YAXXZ
XZ[}B^
Y~+6Z{
~\YC/L
yl=]U~
yR*	Ki
^yv"Fv!v
%z5-x4<w
Z= a~nS
Zb.5_f6z9
*&zDs_
z+hlmDw
\ZTK;+
|]ZZ+b,