Analysis Date: 2015-01-31 07:28:18
MD5: 8af3db269ede71009cc7ad4f3b686378
SHA1: e41b48d51149fa9b2c2d4bf3492ecc655ef4fd37

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 984dfeff737935f78877d3d08b82ef95 sha1: d37c898578b52c62ca8c93757e64b07939999701 size: 72192
Section .rdata — md5: 0fb0a72395723950e1915d6bf373f506 sha1: 904ad0342509a0b37abfcefd6606a12adbdc7707 size: 7680
Section .data — md5: 11ffdfc240c81dfe9d957f6bf1761f00 sha1: f0f691437eb067b4de686e8b7225b8e4127cb275 size: 512
Section .CRT — md5: a5ba361df79e0a565f00bd42dc501625 sha1: a91ea47a0eb05af400245bce0fd66b2bec2b6335 size: 512
Section .rsrc — md5: 1285ef10fd521f02cfdc1dc5b0c29d9d sha1: d825bfff12556e6659ee01a7375558e1d25707a1 size: 14336
Timestamp: 2011-05-28 16:04:29
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 4374e2e4c4a57bc8130f9dd8af9fa283a16eaf3c
IMPhash: dbb1eb5c3476069287a73206929932fd
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12200667
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Trojan.Generic.12200667
AV Authentium: W32/Trojan.QQAR-0201
AV Avira (antivir): no_virus
AV BullGuard: Trojan.Generic.12200667
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.12200667
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Dropper.Generic_c.ADNV
AV Ikarus: no_virus
AV K7: Trojan-Downloader ( 004af0161 )
AV Kaspersky: HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: RDN/Downloader.a!um
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.12200667[ZP]
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: 360l131l32838.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: __tmp_rar_sfx_access_check_119171
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: __tmp_rar_sfx_access_check_119171
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:


Raw Pcap

Strings
\_
.\
:\\
...
010A___
.
.
x
S
%08x
(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br>
b<style>body{font-family:"Arial,
%c:\
(&C)
ccpp
 %d 
(&D)
Delete
(&E):
EDIT
-el -s2 "-d%s" "-p%s" "-sp%s"
.exe
";font-size:12;}</style><ul><li>
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Install
jmsctls_progress32
kernel32
(&L)
<li>
</li><br><br>
</li><br><br>c<style>body{font-family:"Arial,
</li><br><br> <li>
License
LICENSEDLG
LICENSEDLG	RENAMEDLG
</li></ul>
.lnk
*messages***
(&N)
@&nbsp;
Overwrite
</p>
Path
Presetup
ProgramFilesDir
(&R)
.rar
RarHtmlClassName
RarSFX
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
 "%s" 
 %s 
"%s"
SavePath
 %s CRC 
%s CRC 
%s.%d.tmp
SeRestorePrivilege
SeSecurityPrivilege
Setup
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
Title
__tmp_rar_sfx_access_check_%u
Update
utf-8"></head>
(&W)...
 Windows 
WinRAR 
winrarsfxmappingfile.tmp
(&Y)
 !"#$%&
?*<>|"
{{{{{{{{{
01vRVQ
05rl E
 (08@P`p
0;E-gto<
0Ev\4c
0Fh*2y
]0g2"b7
0IoF{I
/	%0'}mT
/'[,\\0]^_\\\Q
;`@0rR
11t|>D
>{1>NJ
<1W9QY
=2)$$d
/2HnGm
2O8;0|
2"PrqhR
2TF,"=P
2xL~S.v Am
`|3\]0D5
33!D	3
3,45657879
360l131l32838.exe
3H*Er/(+k
&3Iwl|
3n[[T~
3Sb/mg:
)3sGF(
_{3S"w
<3\u1WV
%%3[xK
:(,4;<=>;?@
4pU Gq/
4Y_cOW
4Y_cOW	
.?5E52
'5%%#I
(^<5w<O
&"5XNc
	5`Yn%
,?69h%
6R[+[X
6^=uug
6??z,A#
6+ ZM|
6}Zy>D(
7EOhGd
7Mg>ab
7mr|3^
$7:N!S
7^*q[-
7W4rS 
8888888888887
8888888888{x7
8A3ggi
`?8-n^"=4pv
%@8W|*
97)E9B
9jTCv=
`9<kFL
9	S|rB5
9ty:!L
9:xrM&ge
a_3VY*x*
'A,4;BC
A7kS}t
aaaaaaaaaaaaaaaaaaaaf~leQmux
AdjustTokenPrivileges
ADVAPI32.dll
afd9hX
A*HYF}e
.a,ijXT
AirP&!
  </application>
  <application>
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
A#t,S\
~:_b.@
(b3sE(&
B#7*v/T
^b9+]R
bad allocation
BA@F	 HV
bcGqNQd~e
`bE2TW
BG:>]@
@b	gck(W
<B@II;
BmTR7)
{b@;$R
)BT.AW:T
BT*Y&l
C08o{U
C<=a/+%
CCv$}J
ceQ&^	gdk
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
Ch(opm
Ci~u~lO
CloseHandle
CLSIDFromString
|CMq#)
\,C<O5
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
CO!rfy
cPE\U%gH
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
CV]DW/
CvG4rn:[
cVMSHUT
C'{x\a
cZm8G^
?.d< )
 "D@3C
''''''''''''''''''DaJKHPam
@.data
Dcf+hQ
ddddddd
dddddddd
DefWindowProcW
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
?d*FB/
DialogBoxParamW
DispatchMessageW
djIkd/
?\DL3ifs2
dl8#tE
DosDateTimeToFileTime
    <dpiAware>true</dpiAware>
>dPLCCQ
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
{dqe!O
D>&r5Jt
`drmKc
\dwno'
Dx#:&L
e2+x]E
 e6+t*
E8Fu{d
EAoby>
e+bZCZjI
EfvdfJ
EnableWindow
EndDialog
eS[VI|
ExitProcess
ExpandEnvironmentStringsW
F _^[]
f!1Z?x
f90u2h
fbc:N:
@^FF(!
FFF))EE	FFFF))))))
=FHYFkr
f,iL9<
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
@}F=O*
FreeLibrary
<F"t	@f9
`; FUc3
;Fu':UD
f,<,WM
*fwQbL4
FyK*H%AWG%
g33WwQ
,G8[ws
;~_gB>
GDI32.dll
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
\ G**f
gH)x[O{
G*j**Q6
"(GLOa
GlobalAlloc
-GLS &XX
gU"R2c
gwS3	3
gwS37%w`	
=}:H23
# h[8aI
h^>9$\
h]b?mw
HD!f Ob
HeapAlloc
HeapFree
HeapReAlloc
He*gHt
hHPa! 
HIB?,+
HkIS8	
H%r|ksA
HtCHt<Ht5H
HtEHt7
HtFHt8Ht*Ht
HtoHt>
HtOHt^HtBHu#
hV@oP5w
I'%`{$&
i0{^Mm
IBrt;Z"
?IE2\*c
.;I=f.
IJKL=MNOPQ
i;k&it
InitCommonControlsEx
(%Is#\
IsDBCSLeadByte
IsWindow
IsWindowVisible
IWj\_f9>u?f9~
	I)Xk	\C
:j*/0+
,j2R"1
#JeF?T
+^JFG!
Jgg!> /
JJJJJJJJJJJJJJJJJJJaieQRamu
jks3HJmt2
 J?Mk!p
Jn;6Z!
;J:\p_
j Y+L$
$K5Nu?C
k9X4# 
kB:fmrQ
-	K,ck
KERNEL32.dll
?kgzK)
kj!phpA3
,kKA-o
kkkkkkkkkkkjhjjjo
K:)KW'
,)k_\lr
K_MB<IF
'K	!%qW
ku@j2AZ
#%kVjl
KxHK?2
`kxoDXT
      language="*"/>
,+L^)b
lE1Ow=<
&lGXY0
lH?A#*
Lj_/x<i
lk3/q{?m.f:&
Lkvd	m\
,lN4D05
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LocalFileTimeToFileTime
l;oh#c
LookupPrivilegeValueW
{lo:Z@
-lP4Ee
m!	5)=
MapViewOfFile
MapWindowPoints
;!Mb*G6
MessageBoxW
*messages***
m{-eu[
MFi:xx
MKa	w0,
mmrrrrs
MoveFileExW
MoveFileW
M%PwHy
MSR[#z
Mt),ym
MultiByteToWideChar
MV#F*E
	]mvV#%X
M|WAxG
MZZm(,
N(	}}$
N='3E>2\
N4Y_cOW
~]N7pd
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
nAU}z*a
N{a`y+,
n:(hHG
NJKp`>/*G
NNu$j	
@n/(q[
`Nr;_~@2$
NT!]f-
NTpz\@
*NW[&{PA
n;#wZn
NYPup>`
O\3{c4
}=O)5P
}|[O7=
/^o7k89N
OemToCharA
OemToCharBuffA
`O/f&Tnx
|oGwp>
o@iqFA
OKmy%qZb8
	`#oKp
"\oL$|
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
)OL_#n
oN/S]H
ooG:Ge
OpenFileMappingW
OpenProcessToken
>Op	^NC
oR@0G_c
or>dl2
p01_jI
?<p4^X
=p6@vl
P9]pu;
P9]pu+
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDRar!
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
Pc1li 6
PeekMessageW
penc-N
peU5X9
pgh	wn
Ph7Gk@
pIg5)f
P^|mz?
PN'X<\
PostMessageW
PpU&ZUG
pR0P0O
      processorArchitecture="*"
  processorArchitecture="*"
pscPv}
      publicKeyToken="6595b64144ccf1df"
PWhx8A
PwY$7oo
q1?C>~=
~Q*>"A
@{qf>dX
\Q>"j#>U;:
qm09Q^
qNINob
{qqj{,Q
QQSVWh
qrv]:97;
qv41$5?t
@q]x<{
qZ5@Ut87w0
-qz'Sf
r0h,	3z
R5kR0L
/\$R8n
__rar_
r_.: D/
`.rdata
r	DO)Z
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ReleaseDC
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
R.{kWW
!R[m7)
rMCDrMO$|
@rn/kf>z#4b!
rrrrrmm
rrrrrr
rrrrrrr
rrrrrrrr
rrrrrrrrrrrrrppps
@.rsrc
RSTU0VWXYZH
rW#t j
RZ%Oy{
s0H%qd
S5~auv
s7t"+I
S7umX`!
^sBwp{/4}
%.*s(%d)%s
  </security>
  <security>
SelectObject
SendDlgItemMessageW
SendMessageW
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
)s<Ki@
S#.L<C
##sLW{SR
s*N[R9
,SP"]=
StretchBlt
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
(SVWj 
`SVWjh
SystemTimeToFileTime
t0ht6A
t0SSSj
t.3t7C
t4SSVW
t7r{$o
+t8B0(
+T_DB:
t	FAA;t$
(@Tgeo
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
t!hh3A
!This program cannot be run in DOS mode.
T{iDW)$
tIw2>>
t?nv~~
tqmxzz
_TQ#;w
TQwpEN
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
 tSj X
t<SSSS
<*t*<?t
;.)tUV
t~V13K
      type="win32"
  type="win32"/>
;\u0VW
(<\u$8F
U!A@{d
uc<g GkF 
{u(cp@#G
U)E>5a
u[)eA`
`UfI&^
u h\3A
u!hp8A
      uiAccess="false"/>
UJts34[
UnmapViewOfFile
UpdateWindow
U~#QemV
U::RbW
{URich
uSefLy%
USER32.dll
us/OR3
uUK^hXS*
uV{4n[
u?]|^w
u#$xz<7
:$v%@:
V@@AAf
\\`Ve}b
  version="1.0.0.0"
      version="6.0.0.0"
V/G~+D
vhQ9tD'
~VI>/;
viY"vF
V}] KWJ
v	N+D$
?vNj@_+
VRH%qM
~vrrrrr
~vrrrrs
vs`4]U
VSSSSh
vXg_xy
w5SSSS
w;8Qku
WaitForInputIdle
WaitForSingleObject
?wbk:H
~.w;h'
@WhP6A
WideCharToMultiByte
WINRAR.SFX
Wj<_WS
wm2cM%*
!W	Px~
WriteFile
]wsaj@
wvsprintfA
wvsprintfW
w'V*yj
[Ww#aH
Wwgu"'P
_WwO#5
WwR"'P
WwS7'u
wwwwwwww
'WxYg=u
$W Y9'm_
X1'z;ew
X5ncQB
.xbulo
x!~}p}=
=X?s S
XTTX,g
xxk}p0
'x*xo0
xY)*viW
$y!2	C
y;;+-]5%&@
/[Y'(a
;yd =9
YDU.x VK#c
YNANRC
YP<!u1
?YpYy'
YQ60u\
yrrrpps
yrrrps
YtJ=)iQ
YVXc~c
Z2fQ`E
Z^]2{kJH1
z(?2n~
zD4//2
_zH|#V4
ZkC;m5e
Z|m`dW
Zqb[Pp
zRsSNzW|
|ZSHDY@wR
zuFhl3A
ZXYZaabbe
z[;`zj