Analysis Date: 2014-06-14 10:01:23
MD5: c6960fae876484116c097c0fe60d7108
SHA1: c3e7495dde04146f0cba462727aa3180b4baa115

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 3d8b09e0f61e613d7822cf28acce638df256fe94
IMPhash: (not reported)
AV results (2 of 28 engines flagged the sample at analysis time; the two detection names do not agree on a family, so treat the verdict as generic):
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): Win32/TrojanDownloader.Zurgop.BK
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV Kaspersky: Trojan.Win32.Sharik.stt
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Network Details (note: arbek388.net → 46.165.241.241 is the only non-Microsoft destination contacted and receives a POST with a form-encoded body; the POSTs to www.microsoft.com/windows and go.microsoft.com/fwlink also carry form-encoded bodies, which looks unusual for a plain connectivity check, so they should be inspected rather than dismissed as benign noise):

DNS: us.co1.cb3.glbdns2.microsoft.com
Type: A
131.253.40.1
DNS: lb1.www.ms.akadns.net
Type: A
64.4.11.42
DNS: www.go.microsoft.akadns.net
Type: A
64.4.11.25
DNS: arbek388.net
Type: A
46.165.241.241
DNS: www.msn.com
Type: A
DNS: www.microsoft.com
Type: A
DNS: go.microsoft.com
Type: A
HTTP GET: http://www.msn.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=146008
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://arbek388.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 131.253.40.1:80
Flows TCP: 192.168.1.1:1032 ➝ 64.4.11.42:80
Flows TCP: 192.168.1.1:1033 ➝ 64.4.11.42:80
Flows TCP: 192.168.1.1:1034 ➝ 64.4.11.25:80
Flows TCP: 192.168.1.1:1035 ➝ 64.4.11.42:80
Flows TCP: 192.168.1.1:1036 ➝ 64.4.11.42:80
Flows TCP: 192.168.1.1:1037 ➝ 64.4.11.25:80
Flows TCP: 192.168.1.1:1038 ➝ 64.4.11.42:80
Flows TCP: 192.168.1.1:1039 ➝ 46.165.241.241:80

Raw Pcap (request headers only: each POST dump stops one or two bytes into the body even though Content-Length is 122–406, so the form-encoded payloads, including the one sent to arbek388.net, cannot be assessed from this capture)
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a2077   .50727)..Host: w
0x00000070 (00112)   77772e6d 736e2e63 6f6d0d0a 436f6e6e   ww.msn.com..Conn
0x00000080 (00128)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000090 (00144)   0a                                    .

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20313232   tent-Length: 122
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a7a                         d....z

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20333238   tent-Length: 328
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a4801                       d....H.

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d343533 39362048 5454502f   nkId=45396 HTTP/
0x00000020 (00032)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000030 (00048)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000040 (00064)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000050 (00080)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000060 (00096)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000070 (00112)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x00000080 (00128)   73743a20 676f2e6d 6963726f 736f6674   st: go.microsoft
0x00000090 (00144)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000a0 (00160)   3a20636c 6f73650d 0a436f6e 74656e74   : close..Content
0x000000b0 (00176)   2d4c656e 6774683a 20333938 0d0a436f   -Length: 398..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a0d   rm-urlencoded...
0x000000f0 (00240)   0a8e01                                ...

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20343036   tent-Length: 406
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a9601                       d......

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20343031   tent-Length: 401
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a9101                       d......

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d313436 30303820 48545450   nkId=146008 HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20676f2e 6d696372 6f736f66   ost: go.microsof
0x00000090 (00144)   742e636f 6d0d0a43 6f6e6e65 6374696f   t.com..Connectio
0x000000a0 (00160)   6e3a2063 6c6f7365 0d0a436f 6e74656e   n: close..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203137 390d0a43   t-Length: 179..C
0x000000c0 (00192)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x000000d0 (00208)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x000000e0 (00224)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x000000f0 (00240)   0d0ab3                                ...

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20323634   tent-Length: 264
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a0801                       d......

0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000020 (00032)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000030 (00048)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000040 (00064)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000050 (00080)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x00000060 (00096)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x00000070 (00112)   61726265 6b333838 2e6e6574 0d0a436f   arbek388.net..Co
0x00000080 (00128)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000090 (00144)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x000000a0 (00160)   20323631 0d0a436f 6e74656e 742d5479    261..Content-Ty
0x000000b0 (00176)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x000000c0 (00192)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x000000d0 (00208)   636f6465 640d0a0d 0a0501              coded......


Strings (extracted from the binary; mostly non-printable residue. The readable items are MFC42u/Material_MIS version-info and menu strings and a set of partial SQL statements such as `select * from material where wzid='` and `delete from msave where rkno='`, which end mid-literal and therefore appear to be assembled by string concatenation at runtime; whether these belong to the malicious logic or to a repurposed legitimate application cannot be determined from this report)
myapp.exe...
.;^T.
...G?A|.hO}.
.*..
..[..z.....[(_GL.G.b..K...(.*.S...3.....{>..P.r...7.E.T....o..l..=.
i......{.c..a......F.fD....D@.W..h^
.........................
.........................
.
.
.
....
.
.
.
0
.
a
U.
..

    
        
041d04e3
1, 0, 0, 1
BASICINFO
 (C) 2002
Check1
Check2
Check3
Comments
CompanyName
Copyright ? 2014
Dialog
FileDescription
FileVersion
(&H)
InternalName
L3z(
LegalCopyright
LegalTrademarks
Local AppWizard-Generated Applications
mapping
mapping.exe
Materi
 Material_MIS
;Material_MIS
Material_MIS
Material_MIS 1.0 
 Material_MIS(&A)...
MaterialMIS.Document
Materi Document
(&o)
OriginalFilename
PrivateBuild
ProductName
ProductVersion
(&s)
SpecialBuild
StringFileInfo
System
Translation
VarFileInfo
VS_VERSION_INFO
(&x)
(&X)
 $.' ",#
;0Du$9Vt
$:-1H,K
??1type_info@@UAE@XZ
21XwBqJ
!22222222222222222222222222222222222222222222222222
243E#`
33DH![
3[K}~=
3v{`u.
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
4:#aI:
>4y{ }
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
6MsObON
6S'R4Y
(7),01444
<)8&=G u"
9)7KZi
'9=82<.342
9^ uYh
9Y uUh
_adjust_fdiv
'and yebase='
a:QYsi
.?AV_com_error@@
.?AVtype_info@@
^c|0?JU
ceQjR4
<c>J`!
CloseHandle
CMainFrame
CMaterial_MISView
C<nt*F
_controlfp
CreateFileW
__CxxFrameHandler
_CxxThrowException
^c&\Y,$
d(`~0\
@.data
delete from material where wzid='
delete from msave where rkno='
delete from msurplus where yeaccount=0
delete from muse where lyno='
__dllonexit
e^.2}(4
EnableWindow
_except_handler3
<FB3Qi
f$	${(t!
GCu6:/
G"DDM$
GetClientRect
GetFileSize
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetStartupInfoW
GetSubMenu
"GI?Cd
;GZ3^~,%
H9W'OH
HJy2c8j
>HkLX7
HrCg@b	g 
hU0o@B)
h~w?MS
i%2	:Tj
Ilt]!o
_initterm
InterlockedDecrement
j>\3(nx
}ji#C;f
jpf~D;qrFN
j#?VWZ}qDEA
?,}jY@
kernel32.dll
KERNEL32.dll
k\jGj3
KOyO#OX
KX]I"|
 l N ; 
LoadLibraryA
LoadMenuW
LocalFree
lstrlenA
lykind
lyname
lyspec
lyunit
Material_MISDoc
memcpy
MFC42u.DLL
MSVCRT.dll
MultiByteToWideChar
nadq$H
ng0Qp=R3W>
NTk@8Q
NUx .r
O9eirD
OHOVOs
OLEAUT32.dll
_onexit
O#O83vt6
<O:OEO
/O%OKOp
O)ONOR
O+O?O/
OTO9O:
OX[@b	g
?oZZ<s
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
__p__commode
__p__fmode
QLxjB"
Rbc0RHQMR
`.rdata
ReadFile
r>j0&w*iD
+Rk!rqOfS
r"Nv@7D
s;1`Vf
select * from 
select * from material order by wzid
select * from material where wzid='
select * from msave
select * from msurplus
select wzname from material
SendMessageW
__set_app_type
__setusermatherr
S>e'Y0R
SK8O,Oj
sMsVRhW%^9m
tE9^ t7h
!This program cannot be run in DOS mode.
tk9^ t]h
u #6;q
UHJvp5
uM[Ur4{
update msurplus set yeaccount=yeaccount-
update msurplus set yeaccount=yeaccount+
UpdateWindow
u`RK>H
USER32.dll
u;Sj0h
/#/{^v\
~\V`9 6
vbei(~
VegW11
vM4S7yO
V>Q%O8;
vr<3Aq)
w09R5Q
_wcmdln
wcscmp
wcslen
__wgetmainargs
 where yeid='
WideCharToMultiByte
www.meitu.com
wzkind
wzKind
wzname
wzunit
&xbJj@n
_XcptFilter
x?M!W?
Y0Rck8^'Y
y6C&fQK
Y6{yw"H
ydBwfqc
yekind
yename
yespec
yeunit
,yevalue=yevalue-
,yevalue=yevalue+
Z-I;i`U
Zy4r!E