Analysis Date: 2015-08-27 16:53:37
MD5: 3df395a538cfc6e7789eb1b372f8b15b
SHA1: dadd71a67dd0339816e119e5f49f25d6ec0f0cc7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 598a5b135b72bc20139d40c8b5675c27 sha1: 56a23547dced7014ad4b30f3fbef930276319f02 size: 52736
Section .rdata: md5: ad91771275f6ec43594c4043a3e9beb5 sha1: 0da6929c3382678d564b745a63cfec69217c2aa1 size: 36864
Section .data: md5: 2aa66514bac235ecd8f37e771cef9695 sha1: 3bcbe592e8ce0c0bb39113ffa1b909844d0e5dad size: 7680
Section .rsrc: md5: f4b13216557baf535a7eb912f3996fd9 sha1: 8dd4f3b326d6ef66cf67f738f7a83958092145a3 size: 24576
Timestamp: 2014-10-17 21:22:14
Packer: Microsoft Visual C++ ?.?
PEhash: 8136aae3935584e61e8c5a8db5aaed77745f5e4f
IMPhash: 1d0a7f7274a45818b089e19d2b9f2569
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Foreign.1
AV Dr. Web: Trojan.Backoff.5
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Foreign.1
AV BullGuard: Trojan.Foreign.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): Hoax.Foreign
AV CAT (quickheal): Trojan.Generic.B4
AV Trend Micro: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Foreign.mqsb
AV Zillya!: no_virus
AV Emsisoft: Trojan.Foreign.1
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.EZVU-1700
AV MalwareBytes: no_virus
AV MicroWorld (escan): Trojan.Foreign.1
AV Microsoft Security Essentials: Backdoor:Win32/Unskal.B
AV K7: Trojan ( 004ccfa01 )
AV BitDefender: Trojan.Foreign.1
AV Fortinet: W32/Kryptik.DRQS!tr
AV Symantec: no_virus
AV Grisoft (avg): Crypt4.BVIS
AV Eset (nod32): Win32/Kryptik.DRQS
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Foreign.1
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen4
AV Mcafee: Generic-FAVR!3DF395A538CF

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: cmd /D /R type "C:\malware.exe" > "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe"
Creates Process: "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe" -m "C:\malware.exe"

Process
↳ cmd /D /R type "C:\malware.exe" > "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe"

Creates File: C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe

Process
↳ "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe" -m "C:\malware.exe"

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier ➝ OjaLDQx
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\StubPath ➝ C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe
Creates Process: "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe" -w
Creates Mutex: aMD6qt7lWb1N3TNBSe4N

Process
↳ "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe" -w

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\StubPath ➝ C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe
Creates Process: "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe
Creates Mutex: sdfuhsdaf<guSGYIAasd91

Process
↳ "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe
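
The runtime trace above records three behaviours worth turning into host-side detections: the sample copies itself with cmd's built-in `type` redirected into a new `.exe` (no copy/xcopy process to catch), it drops that copy under the user's Application Data directory with the name of a core Windows binary (`wininit.exe`), and it persists with a Run value (`StubPath`) whose target lives in that profile directory, then announces itself with fixed mutex names. The following script is an added example, not part of the sandbox report or of any tool it was produced by: it runs those checks over a handful of constructed, Sysmon-style process, registry and mutex events modelled on the report, with benign look-alikes mixed in. The event shape, rule names and benign entries are assumptions made for the example.

```python
"""Hunt for the copy-via-type, masquerading and Run-key behaviour recorded above.

Added example (not part of the sandbox report). The EVENTS list is constructed
telemetry modelled on the report's runtime details, not captured data.
"""
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (simplified Sysmon-like fields).
EVENTS: List[Dict[str, str]] = [
    {"type": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /D /R type "C:\malware.exe" > "C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe"'},
    {"type": "process",
     "image": r"C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe",
     "cmdline": r'"C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe" -m "C:\malware.exe"'},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StubPath",
     "value": r"C:\Documents and Settings\Administrator\Application Data\Database\wininit.exe"},
    {"type": "mutex", "name": "aMD6qt7lWb1N3TNBSe4N"},
    # Benign look-alikes (constructed) that must stay quiet.
    {"type": "process", "image": r"C:\Windows\System32\wininit.exe", "cmdline": "wininit.exe"},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "mutex", "name": "Global\\SomeLegitAppMutex"},
]

# cmd's "type" redirected into a new .exe: a file copy with no copy/xcopy process.
TYPE_COPY = re.compile(r'\btype\s+"?[^">]+"?\s*>\s*"?([^"]+\.exe)"?', re.IGNORECASE)
# User-writable profile locations, XP-era and modern layouts.
USER_PROFILE = re.compile(
    r"\\(application data|appdata|documents and settings\\[^\\]+|users\\[^\\]+)\\",
    re.IGNORECASE)
# Core Windows binaries that only legitimately run from under \Windows\.
SYSTEM_NAMES = {"wininit.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Mutex names taken from the report's runtime details.
KNOWN_MUTEXES = {"aMD6qt7lWb1N3TNBSe4N", "sdfuhsdaf<guSGYIAasd91"}


def type_copy_target(cmdline: str) -> Optional[str]:
    """Return the destination .exe if the command line copies a file via 'type ... >'."""
    m = TYPE_COPY.search(cmdline)
    return m.group(1) if m else None


def is_masquerading(image: str) -> bool:
    """A system binary name launched from anywhere outside \\Windows\\."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and "\\windows\\" not in image.lower()


def is_profile_run_value(key: str, value: str) -> bool:
    """Run-key autostart whose target lives in a user-writable profile path."""
    return "\\currentversion\\run\\" in key.lower() and USER_PROFILE.search(value) is not None


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every check to every event and collect the hits in event order."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            dst = type_copy_target(ev["cmdline"])
            if dst:
                hits.append({"rule": "type_copy_to_exe", "detail": dst})
            if is_masquerading(ev["image"]):
                hits.append({"rule": "system_name_outside_windows", "detail": ev["image"]})
        elif ev["type"] == "registry" and is_profile_run_value(ev["key"], ev["value"]):
            hits.append({"rule": "run_key_into_profile", "detail": ev["key"]})
        elif ev["type"] == "mutex" and ev["name"] in KNOWN_MUTEXES:
            hits.append({"rule": "known_mutex", "detail": ev["name"]})
    return hits


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"{h['rule']:28} {h['detail']}")
```

The first three rules are behavioural and survive a re-pack of the binary; the mutex rule is a literal indicator and only catches this build, so treat it as a confirmation signal rather than the primary detection.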

Network Details:

DNS: salosmachne.ru, Type: A ➝ 46.30.41.146
Flows TCP: 192.168.1.1:1031 ➝ 46.30.41.146:443
Flows TCP: 192.168.1.1:1032 ➝ 46.30.41.146:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

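The report does not decode the captured bytes, but both dumps have the shape of an SSLv2-format record header: the high bit of the first byte is set, the remaining 15 bits give the record length (0x4c = 76 and 0x2b = 43), the next byte 0x01 is the SSLv2 CLIENT-HELLO message type, and in the first flow the following 0x03 is the major version of the client's offered protocol. The capture ends after those bytes, so only the header is recoverable. The decoder below is an added example, not part of the report; the two byte strings are copied from the dump above and the field names are my own.

```python
"""Decode the leading bytes of the two 443/tcp flows above as SSLv2 record headers.

Added example, not part of the sandbox report. The byte strings are the ones
shown in the Raw Pcap dump; the capture stops after them, so the decoder must
tolerate a truncated record.
"""
from typing import Dict, Optional

SSLV2_CLIENT_HELLO = 0x01  # SSLv2 message type CLIENT-HELLO

# Leading bytes of the two flows, copied from the Raw Pcap section.
FLOW_1031 = bytes.fromhex("804c0103")
FLOW_1032 = bytes.fromhex("802b01")


def parse_sslv2_record(data: bytes) -> Optional[Dict[str, object]]:
    """Parse an SSLv2 two-byte record header and whatever follows it.

    SSLv2 sets the high bit of the first byte and packs a 15-bit record length
    into the remaining bits of the first two bytes. The next byte is the
    message type; for CLIENT-HELLO it is followed by the two-byte client
    version (major, minor). Returns None if the bytes cannot be such a record:
    a TLS-format record starts with a content type (0x16 for handshake) whose
    high bit is clear.
    """
    if len(data) < 3 or not data[0] & 0x80:
        return None
    record_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:]
    msg_type = body[0]
    return {
        "record_len": record_len,
        "msg_type": msg_type,
        "client_hello": msg_type == SSLV2_CLIENT_HELLO,
        "version_major": body[1] if len(body) > 1 else None,
        "version_minor": body[2] if len(body) > 2 else None,
        "truncated": len(body) < record_len,
        "missing_bytes": max(record_len - len(body), 0),
    }


def describe(data: bytes) -> str:
    """One-line summary suitable for annotating a flow."""
    rec = parse_sslv2_record(data)
    if rec is None:
        return "not an SSLv2-format record"
    kind = "CLIENT-HELLO" if rec["client_hello"] else f"type 0x{rec['msg_type']:02x}"
    major = rec["version_major"]
    minor = rec["version_minor"]
    version = "?" if major is None else f"{major}.{'?' if minor is None else minor}"
    return (f"SSLv2 {kind}, record length {rec['record_len']}, version {version}, "
            f"{rec['missing_bytes']} bytes not captured")


if __name__ == "__main__":
    print("1031 ->", describe(FLOW_1031))
    print("1032 ->", describe(FLOW_1032))
```

A version major of 3 in an SSLv2-style hello means the client is sending a backward-compatible hello while offering SSL 3.0 or TLS; which one is unknowable here because the minor byte was not captured. Modern TLS stacks no longer emit this header form, so its presence on port 443 is itself a useful fingerprint for the client library this sample was built with.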

Strings