Analysis Date: 2015-09-27 09:33:21
MD5: 0b06127ab562a609cee821122bb9242e
SHA1: c8648c73cb5a521f060bdbdadb4d55c8dd9ef66e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3457a49495f9d1ac5a2a769d6738c8ef sha1: 9604c6110dcb058daeadcd24e1b467724c9483cb size: 10240
Section .rsrc: md5: 63055616c102772210827145278a0ff3 sha1: 0b452f8059446577cf7ff93b1e70a2efa9b9b7d7 size: 95744
Timestamp: 2008-07-20 05:00:47
Packer: Microsoft Visual C++ v6.0
PEhash: 7dc17296d58a7a35b8e27d0c8e5ea9e6b4483c2d
IMPhash: 87d4ccc018fa88cfa2762cc29eddfcc8
AV CA (E-Trust Ino): Win32/Zegost.B!generic
AV F-Secure: Gen:Variant.Symmi.2321
AV Dr. Web: BackDoor.Pigeon.14101
AV ClamAV: Trojan.Magania-8433
AV Arcabit (arcavir): Gen:Variant.Symmi.2321:Trojan.Redosdru.Gen.1:Rootkit.Agent.XN
AV BullGuard: Gen:Variant.Symmi.2321
AV Padvish: no_virus
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV CAT (quickheal): Backdoor.Farfli.K2
AV Trend Micro: TROJ_REDOS.SM2
AV Kaspersky: Trojan.Win32.Generic:Rootkit.Win32.Ressdt.hd
AV Zillya!: Trojan.Magania.Win32.5747
AV Emsisoft: Gen:Variant.Symmi.2321
AV Ikarus: Trojan.Win32.Dialer
AV Frisk (f-prot): W32/OnlineGames.BW.gen!Eldorado
AV Authentium: W32/OnlineGames.BW.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.2321
AV Microsoft Security Essentials: Backdoor:Win32/Bifrose.HU
AV K7: Trojan ( 00004eab1 )
AV BitDefender: Gen:Variant.Symmi.2321
AV Fortinet: W32/Torr.BH!tr.bdr
AV Symantec: Infostealer.Gampass
AV Grisoft (avg): Generic_r.ENQ
AV Eset (nod32): Win32/Dialer.NEW
AV Alwil (avast): Farfli-AX [Trj]:Dialer-BOK [Trj]
AV Ad-Aware: Gen:Variant.Symmi.2321
AV Twister: Trojan.2772F490C3530721
AV Avira (antivir): TR/Rootkit.Gen
AV Mcafee: BackDoor-DVB.e
AV Rising: Backdoor.Farfli!4805

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters\ServiceDll ➝ C:\WINDOWS\system32\NWCWorkstationapi.dll\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Type ➝ 4
Creates File: PIPE\samr
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\Drivers\beep.sys
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\75640_res.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\74703_res.tmp
Creates Mutex: AAAAAA9fbvsK+vr72wsLGxvfzxBKmnr58=
Creates Service: Microsoft Corporation - %SystemRoot%\System32\svchost.exe -k netsvcs
Starts Service: NWCWorkstation
Starts Service: Beep

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\CatRoot2\edb.chk
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\System32\CatRoot2\dberr.txt
Deletes File: C:\malware.exe

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1148

Network Details:

DNS: vip3000.3322.org (Type: A) ➝ 221.130.179.36
Flows TCP: 192.168.1.1:1031 ➝ 221.130.179.36:80
Flows TCP: 192.168.1.1:1032 ➝ 221.130.179.36:80
Flows TCP: 192.168.1.1:1033 ➝ 221.130.179.36:80
Flows TCP: 192.168.1.1:1034 ➝ 221.130.179.36:80
Flows TCP: 192.168.1.1:1035 ➝ 221.130.179.36:80
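The three behaviours worth hunting for from this report are the ServiceDll written under a netsvcs service (NWCWorkstation) so that svchost.exe loads the dropped DLL, the write to system32\Drivers\beep.sys followed by starting the Beep service, and the lookup of a host under the 3322.org dynamic-DNS zone. The script below is an added triage example, not part of the report or of the sandbox that produced it. Its event records are constructed from the Runtime and Network Details above; the Sysmon-like field names (type, proc, key, data, path, query), the installer and driver-writer allowlists, and the dynamic-DNS zones other than 3322.org are assumptions for the example.

```python
"""Triage checks for the behaviours recorded in this sandbox report.

Added example, not from the report or any sandbox tool. Event records are
constructed to mirror the report; field names and allowlists are assumed.
"""
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]

# Constructed, Sysmon-like normalisation of the report's runtime/network
# details. The last record is a benign control (an installer registering a
# ServiceDll) and is not from the report.
EVENTS: List[Event] = [
    {"type": "reg_set", "proc": r"C:\malware.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters\ServiceDll",
     "data": "C:\\WINDOWS\\system32\\NWCWorkstationapi.dll\x00"},
    {"type": "reg_set", "proc": r"C:\malware.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Type",
     "data": "4"},
    {"type": "file_create", "proc": r"C:\malware.exe",
     "path": r"C:\WINDOWS\system32\Drivers\beep.sys"},
    {"type": "file_create", "proc": r"C:\malware.exe",
     "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\75640_res.tmp"},
    {"type": "dns", "proc": r"C:\WINDOWS\System32\svchost.exe",
     "query": "vip3000.3322.org"},
    {"type": "reg_set", "proc": r"C:\WINDOWS\system32\msiexec.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDll",
     "data": "C:\\WINDOWS\\system32\\examplesvc.dll"},
]

# ...\Services\<name>\Parameters\ServiceDll is the value svchost.exe reads to
# pick the DLL it hosts for a service in its -k group.
SERVICEDLL_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.IGNORECASE)
DRIVER_RE = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)

# Assumed allowlists (analyst tuning, not from the report).
SERVICE_INSTALLERS = {"services.exe", "msiexec.exe"}
DRIVER_WRITERS = {"services.exe", "msiexec.exe", "setup.exe", "wuauclt.exe"}
# 3322.org is observed in the report; the other zones are assumed examples.
DYNDNS_ZONES = ("3322.org", "8800.org", "no-ip.org", "dyndns.org")


def clean_reg_data(data: str) -> str:
    """Strip the REG_SZ null terminator the sandbox records as a trailing \\x00."""
    return data.rstrip("\x00")


def basename(path: str) -> str:
    return clean_reg_data(path).rsplit("\\", 1)[-1].lower()


def check_servicedll(ev: Event) -> Optional[str]:
    """Flag a ServiceDll written by anything other than an expected installer."""
    m = SERVICEDLL_RE.search(ev["key"])
    if m is None or basename(ev["proc"]) in SERVICE_INSTALLERS:
        return None
    return (f"svchost ServiceDll for service {m.group(1)} set to "
            f"{clean_reg_data(ev['data'])} by {ev['proc']}")


def check_driver_write(ev: Event) -> Optional[str]:
    """Flag a .sys written into system32\\drivers by an unexpected process."""
    if DRIVER_RE.search(ev["path"]) is None or basename(ev["proc"]) in DRIVER_WRITERS:
        return None
    return f"kernel driver {basename(ev['path'])} written by {ev['proc']}"


def check_dyndns(ev: Event) -> Optional[str]:
    """Flag a lookup of a name inside a dynamic-DNS zone (exact or subdomain)."""
    q = ev["query"].lower().rstrip(".")
    for zone in DYNDNS_ZONES:
        if q == zone or q.endswith("." + zone):
            return f"dynamic-DNS lookup {q} by {ev['proc']}"
    return None


CHECKS: Dict[str, Callable[[Event], Optional[str]]] = {
    "reg_set": check_servicedll,
    "file_create": check_driver_write,
    "dns": check_dyndns,
}


def triage(events: List[Event]) -> List[str]:
    """Run the check matching each event's type; return the findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print("[!]", finding)
```

Run against the constructed events it reports three findings (the NWCWorkstation ServiceDll, the beep.sys write, and the 3322.org lookup) and stays silent on the temp file and the msiexec control record. On a real host the ServiceDll check is best combined with a baseline of the DLLs the netsvcs members normally point at, since a legitimate ServiceDll change and a hijack look identical at the registry level.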
