Analysis Date: 2015-11-27 22:00:35
MD5: b1492b92eec07df55d4b71a2af126db0
SHA1: d5911830fc2b8b51b42db0447837767bca3a8e11

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section jsdsrs: md5: e50955694a5306acdfbd6cb738a33c6a sha1: b6fd9c77e14eba1b8a36bd679cfebf25c3eaeb6d size: 19456
Section yswxe: md5: b72135f48fd725a5c20ff05dea7dd52e sha1: ebf71bbf3a8e2583d57540a48918da01551acff8 size: 80384
Section zhaae: md5: a714861752265de3ee1f0d674ca5a388 sha1: 1ce6f95b18902abc760315452587cf2bd49b3669 size: 512
Timestamp: 1987-03-29 02:06:08
PEhash: 05f5b2744ab8e5307d7f0767ef120370e650b428
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV Kaspersky: Trojan.Win32.Generic
AV Rising: 0x5941b469
AV F-Secure: Gen:Heur.Kelios.1
AV Microsoft Security Essentials: Backdoor:Win32/PcClient.ZR
AV MicroWorld (escan): Gen:Heur.Kelios.1
AV Fortinet: W32/Multi.BHG!tr
AV Frisk (f-prot): no_virus
AV Ikarus: Virus.Win32.Heur
AV K7: Trojan ( 004b34cd1 )
AV Mcafee: BackDoor-FAWP!B1492B92EEC0
AV Eset (nod32): Win32/Farfli.BHG
AV Grisoft (avg): Win32/Heur.dropper
AV MalwareBytes: no_virus
AV Ad-Aware: Gen:Heur.Kelios.1
AV BullGuard: Gen:Heur.Kelios.1
AV Alwil (avast): Oliga [Trj]
AV Authentium: W32/Trojan.NTFE-8831
AV CA (E-Trust Ino): Win32/Tnega.NRECBMB
AV CAT (quickheal): Trojan.Aksula.A
AV Avira (antivir): TR/Dropper.Gen
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Siggen.52105
AV Arcabit (arcavir): Gen:Heur.Kelios.1:Gen:Heur.Krypt.19
AV BitDefender: Gen:Heur.Kelios.1
AV Emsisoft: Gen:Heur.Kelios.1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\112530135\Parameters\ServiceDll ➝ C:\WINDOWS\system32\112530135.dll
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\112530135 ➝ NULL
Creates File: PIPE\samr
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\112530135.dll
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\D59118~1.EXE > nul
Creates Service: 112530135 - C:\WINDOWS\system32\svchost.exe -k 112530135
Starts Service: 112530135

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\D59118~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: quansg

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1172

Network Details:

DNS: pmp1234.eicp.net
Type: A
174.128.255.231
Flows TCP: 192.168.1.1:1031 ➝ 174.128.255.231:2345
Flows TCP: 192.168.1.1:1032 ➝ 174.128.255.231:2345
Flows TCP: 192.168.1.1:1033 ➝ 174.128.255.231:2345
Flows TCP: 192.168.1.1:1034 ➝ 174.128.255.231:2345

Raw Pcap

Strings
0.
.
.M
.
.. .
..iI
.
5.
..
.
09!OdA
{=~0As
~0d<[)=S
0\qI`*_^
0QR3zW
112530135
1-Lm|?
1oxRHs
25/:_B
2"b`u+
2h%TtI
{3=],)
#3~_,#~
{$3/?Tv
`4rbkv
5a9Y.:^
6ElH*O
]6:)}t
?6Y$yj
"7|4ny
&@7a5>wf
7e#-+f
[(7lxG]3
7q{0nD
7Z0`7FBa
8,0oA)
(8si?|
8[{u+{
( A0j3hi
agaBoxA
[<a}m0
**aN:m
b2M/ss
"<b9~:=8uN@
BCmvIaf
[bE1i`
bg[Bk+
bh|HJDp
bv}Tf7I
(#.c^8
cI.p[z8
/C[JUM6
[cT^/	
c(U*WE
C-'VMy
)C<XS6
Cz&"xy`\
D!6=y^
Df-|)m_
"*Do)+
donmy)GF
.dUm^s
DW8fpi
]:DZs(
EDIr7j
,eg0@P
EP,\Juy
ES&=gv$/hk
e?Ub;q
eZk=>f)
f0U3+V
f0wQjd
F2$U-@
:FI&WG
|F~MO'
fu3X)M>
~F&{@x
?Gb4@JP
GetProcAddress
G*JKN@9
`_G`Kv
"GpnXHR
g}XGP:
`;h2=2
h24Ewb
HgwNBz
hHanxd
HUnjjDur
H/YEdy[
I8?5x_
iiiiiiiiiiiiiii
I	V_$>
I`Zl[Xs
jH2o>T)G4
jsdsrs
kernel32.dll
[kf/Uo%
	/K~\t
kT58m>;)
K<urp0i\
\`lgQU
lj$}8c
lNls_,
LoadLibraryA
(=LR1.-
L;UJQ	cm"
lyvn}tAb
MfSRkH
;mFvf|
|mH8N@
+@  MZX%
&N7fp5
`&nb.'
nJvDuI_
Nn&9DU
n{scG["
NSIQ\$3y=
nYKwo@`G
(O>3Z`j
oF1!gcb
o@S_y)
O<``vL
]p4||)
P=4:/z
p\cWY0
$=&PD"b
P*FE5DS
pPKEb7
_.Pr;E
|PUD&`V
PZ$gl)
q:a?	!;<
\rexj\XY
RfT}/{d
RNpp:z
@|R!rz
rtKb(X
}Rw1X1)I
"S'2h!_
S"}5Rw
ServiceMain
sGEW-:
su#~EO
sW=s4>
T#`{+<
T@0FVsj
T}0rPB
!This program cannot be run in DOS mode.
!This Program cannot be run in DOS mode.
tQAxQb
!Tq CL
t}Y$w8
t\yx`"
!U4shSj
"% u,C
u-CZps
U %EE?
uh57\`
_]ulFb
UmnRCkx
Upr=x7
	"U'?s
USQWVR
Uz%n5b
uzrmB\vB
`v1]9#
:v9VRp"
Vd	zyf0
VirtualAlloc
VirtualFree
VQFL>Ky
#VRBNN
vv#5.8
w60lDDlk2
w;)G QA
@WIN7g
}}w(,M
WS-:{H
x9a5pCNS
(Xp~%Y
yDs-oy
YP.t^v
_y	qd+
(\ZE&"
z^*kE#r9
ZP>fJ=
Z:@&{U
zu:T"`
Z^_Y[]