Analysis Date: 2015-11-03 14:03:31
MD5: b4f06e8cc9553eac3e42544fb8e9fc78
SHA1: d71d478317d1342e045b9375a2092e537a98395b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 281308fde9af090dd86c53a91ff84ff1 sha1: e8edf59a7b272781a95166d0ba98513730cee56f size: 265728
Section .rsrc: md5: a90b9943e5da9b784201083d23ce317e sha1: 13b9ef4c44ec81ab72d13f40db8f628ed272a44e size: 8704
Timestamp: 2014-06-19 06:59:42
Version:
LegalCopyright: HAXLIB
InternalName: YouHax
FileVersion: 1.00
CompanyName: HaxLib.Info
ProductName: CrossMain
ProductVersion: 1.00
FileDescription: HaxLib.Info
OriginalFilename: YouHax.exe
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: d8f7e8f1bf5cc38e5513bbc5675e3dc8da9f3d89
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV Ad-Aware Command-Line: Gen:Variant.Graftor.138391
AV ArcaVir Antivirus: Gen:Variant.Graftor.138391
AV Avast! Antivirus: Malware-gen:Win32:Malware-gen
AV AVG AntiVirus: Clicker.BGNK
AV Avira Antivirus: TR/Crypt.PEPM.Gen
AV Bitdefender Command-Line: Gen:Variant.Graftor.138391
AV BullGuard Antivirus: Gen:Variant.Graftor.138391
AV ClamWin Antivirus: No Virus
AV Command Anti-Malware: No Virus
AV Dr. Web Anti-virus: No Virus
AV Emsisoft Command-Line Scanner: Gen:Variant.Graftor.138391
AV eScan Anti-Virus: Gen:Variant.Graftor.138391
AV ESET NOD32 Antivirus: Win32/TrojanClicker.VB.OEN
AV Fortinet Command-Line Scanner: W32/TdvbPack.A!tr
AV F-PROT Antivirus: No Virus
AV F-Secure Anti-Virus: Gen:Variant.Graftor.138391
AV Ikarus Command-Line Scanner: Trojan.Win32.TrojanClicker
AV K7 Anti-Virus: Spyware ( 00496ec71 )
AV Kaspersky Anti-Virus: Trojan.Win32.Generic
AV MalwareBytes Anti-Malware: No Virus
AV McAfee Command-Line Scanner: RDN/Generic.dx!d2t
AV Microsoft Security Essentials: No Virus
AV Padvish Antivirus: No Virus
AV Quick Heal AntiVirus: Trojan.Generic.r2
AV Rising Command-Line Scanner: 0x58fc23d3:AV product failed to resolve detection name
AV Symantec Command-Line Scanner: Trojan.Gen.2
AV Total Defense Internet Security Suite: No Virus
AV Trend Micro System Cleaner: No Virus
AV Twister Antivirus: No Virus
AV VirusBlokAda Console Scanner: Trojan.VB.Inject.gen
AV Zillya! Antivirus: No Virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB892.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: H_LOADER.DLL
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: youhax.com

Process
↳ H_LOADER.DLL

Network Details:

DNS: youhax.com
Type: A
119.81.45.87
HTTP GET: http://youhax.com/lib/full.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://youhax.com/lib/KichHoat.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 119.81.45.87:80
Flows TCP: 192.168.1.1:1033 ➝ 119.81.45.87:80

Raw Pcap

Strings