Analysis Date: 2014-04-18 00:12:54
MD5: 198fd054105ad89a93e401d8f59320d1
SHA1: e732f35529305abeda39c25c69efe00f5dfa4546

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 052a91f0756b9ae15faf33e34fd4f394 sha1: c99e2e97473006e4bab8c01aac84e50808a63b92 size: 28672
Section .rdata md5: 55687b5938a539008c45440b3341bd5d sha1: 8ac2e06e74a822d44627d817712083f282cdafc3 size: 180224
Section .data md5: 618d37821a0241dd8cb08442403d66a1 sha1: 66e5f47a3f6ee9568be33d83c4367e0d9eeba0f5 size: 4096
Section .rsrc md5: 7dc4661aadd493fc99b2ffa0890bd2ac sha1: deeb789d9ad3c53bd875b48dc660f9a0c143efc3 size: 49152
Timestamp: 2013-01-10 08:22:10
Packer: Microsoft Visual C++ ?.?
PEhash: f773ea20910b3af449f9b4c1694656bb2f4dbdfe
IMPhash: 9832152ee615df5b3352d06adf8467f4
AV (avira): BDS/Plugx.A.107
AV (avg): BackDoor.Generic16.CBVQ
AV (msse): Backdoor:Win32/Plugx.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Program Files\Common Files\boot.ldr
Creates File: C:\Program Files\Common Files\NvSmart.exe
Creates File: C:\Program Files\Common Files\NvSmartMax.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 1296
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DBWinMutex
Creates Mutex: StartInstall
Winsock DNS: peaceful.linkpc.net
Winsock DNS: mongolia.regionfocus.com

Process
↳ C:\Program Files\Common Files\NvSmart.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 1296
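
The dropped-file sequence above has the shape of DLL side-loading: an executable with a vendor-looking name (NvSmart.exe), a DLL beside it (NvSmartMax.dll), a third non-PE file (boot.ldr) in the same directory, and then NvSmart.exe running as a process. The report does not show which DLL the executable actually imports, so the check below is an added example rather than anything from the report: it treats a dropped DLL whose name begins with the executable's base name as the side-load candidate, and the event list it runs over is a constructed subset of the Runtime Details lines. Both the prefix rule and the "third file in the same directory" rule are heuristics assumed for illustration.

```python
"""Side-loading triad check over sandbox file/process events.

Added example; not part of the sandbox report. EVENTS is a subset of the
report's Runtime Details. The detection rules (DLL name shares the EXE's
base name, another non-PE file sits in the same directory, the EXE is later
launched) are assumptions about how side-loading looks in a file-event
stream, not facts the report states.
"""
import re
from pathlib import PureWindowsPath

# Constructed from the report's Runtime Details (label/value pairs).
EVENTS = [
    ("Creates File", r"C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat"),
    ("Creates File", r"C:\Program Files\Common Files\boot.ldr"),
    ("Creates File", r"C:\Program Files\Common Files\NvSmart.exe"),
    ("Creates File", r"C:\Program Files\Common Files\NvSmartMax.dll"),
    ("Creates File", r"C:\Documents and Settings\Administrator\Cookies\index.dat"),
    ("Creates Process", r"C:\WINDOWS\system32\msiexec.exe 209 1296"),
    ("Process", r"C:\Program Files\Common Files\NvSmart.exe"),
    ("Process", r"C:\WINDOWS\system32\msiexec.exe 209 1296"),
]


def _exe_path(cmdline):
    """Strip trailing arguments from a process line, keeping the image path."""
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline


def find_sideload_triads(events):
    """Return [(exe, dll, extra)] for each dropped EXE that (1) was launched,
    (2) has a dropped DLL in the same directory whose name starts with the
    EXE's base name (heuristic for the side-loaded DLL), and (3) has at least
    one other dropped non-EXE/DLL file alongside it (the encoded payload in
    the classic three-file layout)."""
    created = [PureWindowsPath(v) for k, v in events if k == "Creates File"]
    launched = {_exe_path(v).lower()
                for k, v in events if k in ("Creates Process", "Process")}
    hits = []
    for exe in created:
        if exe.suffix.lower() != ".exe" or str(exe).lower() not in launched:
            continue
        # PureWindowsPath compares case-insensitively, as NTFS does.
        same_dir = [p for p in created if p.parent == exe.parent and p != exe]
        dlls = [p for p in same_dir
                if p.suffix.lower() == ".dll"
                and p.stem.lower().startswith(exe.stem.lower())]
        extras = [p for p in same_dir
                  if p.suffix.lower() not in (".exe", ".dll")]
        for dll in dlls:
            for extra in extras:
                hits.append((str(exe), str(dll), str(extra)))
    return hits


if __name__ == "__main__":
    for exe, dll, extra in find_sideload_triads(EVENTS):
        print("possible side-load triad:", exe, dll, extra)
```

Dropping any one of the three files, or never launching NvSmart.exe, makes the triad disappear, which is the point of tying the rule to all four events rather than to the file names alone; a hunt over real endpoint telemetry would replace the name-prefix heuristic with the executable's actual import table.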

Network Details:

DNS: peaceful.linkpc.net  Type: A  ➝ 122.10.9.190
DNS: mongolia.regionfocus.com  Type: A  ➝ 0.0.0.0
HTTP POST: http://peaceful.linkpc.net/update?id=001709f0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows TCP: 192.168.1.1:1032 ➝ 122.10.9.190:80
Flows TCP: 192.168.1.1:1033 ➝ 122.10.9.190:80

Raw Pcap
0x00000000 (00000)   a82a1629 bba44b68 b0cdc8a7 4370f9cb   .*.)..Kh....Cp..
0x00000010 (00016)   9d4d6498 333b93a3 2d38d9a7 4e20e083   .Md.3;..-8..N ..
0x00000020 (00032)   c2ab4653 8b7e                         ..FS.~

0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303137 30396630 20485454 502f312e   001709f0 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   582d5365 7373696f 6e3a2030 0d0a582d   X-Session: 0..X-
0x00000040 (00064)   53746174 75733a20 300d0a58 2d53697a   Status: 0..X-Siz
0x00000050 (00080)   653a2036 31343536 0d0a582d 536e3a20   e: 61456..X-Sn: 
0x00000060 (00096)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000070 (00112)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000080 (00128)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000090 (00144)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000a0 (00160)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000b0 (00176)   30373237 3b205356 31290d0a 486f7374   0727; SV1)..Host
0x000000c0 (00192)   3a207065 61636566 756c2e6c 696e6b70   : peaceful.linkp
0x000000d0 (00208)   632e6e65 740d0a43 6f6e7465 6e742d4c   c.net..Content-L
0x000000e0 (00224)   656e6774 683a2030 0d0a436f 6e6e6563   ength: 0..Connec
0x000000f0 (00240)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x00000100 (00256)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000110 (00272)   206e6f2d 63616368 650d0a0d 0a          no-cache....
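
The second dump is the complete plaintext of the beacon: a POST to /update?id=001709f0 with an empty body (Content-Length: 0), four custom headers (X-Session, X-Status, X-Size, X-Sn) and an IE6 User-Agent; the first dump is 38 bytes with no HTTP structure at all. The Python below is an added example, not code from the report: it rebuilds both payloads from the hexdump format used on this page (verifying the decimal offset column as it goes) and classifies each flow. The beacon-shape rule is generalised from this single capture and is an assumption about the family's HTTP format; the hostname and IP are the fragile indicators, the header set is what survives a change of C2.

```python
"""Rebuild the two 'Raw Pcap' payloads above from hexdump text and classify them.

Added example; not code from the sandbox report. The dump strings are copied
from the report. The beacon-shape rule in classify_flow() is an assumption
generalised from this single capture, not a signature the report provides.
"""
import re

# Copied from the report: first flow payload, 38 bytes, no readable structure.
OPAQUE_DUMP = """\
0x00000000 (00000)   a82a1629 bba44b68 b0cdc8a7 4370f9cb   .*.)..Kh....Cp..
0x00000010 (00016)   9d4d6498 333b93a3 2d38d9a7 4e20e083   .Md.3;..-8..N ..
0x00000020 (00032)   c2ab4653 8b7e                         ..FS.~
"""

# Copied from the report: the HTTP POST beacon, 285 bytes.
BEACON_DUMP = """\
0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303137 30396630 20485454 502f312e   001709f0 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   582d5365 7373696f 6e3a2030 0d0a582d   X-Session: 0..X-
0x00000040 (00064)   53746174 75733a20 300d0a58 2d53697a   Status: 0..X-Siz
0x00000050 (00080)   653a2036 31343536 0d0a582d 536e3a20   e: 61456..X-Sn:
0x00000060 (00096)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000070 (00112)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000080 (00128)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000090 (00144)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000a0 (00160)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000b0 (00176)   30373237 3b205356 31290d0a 486f7374   0727; SV1)..Host
0x000000c0 (00192)   3a207065 61636566 756c2e6c 696e6b70   : peaceful.linkp
0x000000d0 (00208)   632e6e65 740d0a43 6f6e7465 6e742d4c   c.net..Content-L
0x000000e0 (00224)   656e6774 683a2030 0d0a436f 6e6e6563   ength: 0..Connec
0x000000f0 (00240)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x00000100 (00256)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000110 (00272)   206e6f2d 63616368 650d0a0d 0a          no-cache....
"""

# "0xHEX (DECIMAL)   hhhhhhhh hhhhhhhh ...   ascii"; the hex field is up to
# four 8-digit groups, the last of which may be shorter.
_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\((\d+)\)\s+((?:[0-9a-fA-F]{8}\s)*[0-9a-fA-F]{2,8})")


def parse_hexdump(text):
    """Turn dump lines back into bytes, checking the decimal offset column
    against the number of bytes recovered so far (catches dropped lines)."""
    out = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        if int(m.group(1)) != len(out):
            raise ValueError("offset column disagrees with decoded length: %r" % line)
        out += bytes.fromhex(m.group(2).replace(" ", ""))[:16]  # 16 bytes per line
    return bytes(out)


def parse_http_request(payload):
    """Return (method, target, headers) or None if payload is not an HTTP request."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


# Header set observed in this capture; assumed to be the stable part of the beacon.
BEACON_HEADERS = ("x-session", "x-status", "x-size", "x-sn")


def classify_flow(payload):
    """Summarise one flow payload: opaque bytes, generic HTTP, or beacon-shaped."""
    req = parse_http_request(payload)
    if req is None:
        return {"kind": "opaque", "length": len(payload)}
    method, target, headers = req
    info = {"kind": "http", "method": method, "target": target,
            "host": headers.get("host")}
    path, _, query = target.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if (method == "POST" and path == "/update" and params.get("id")
            and all(h in headers for h in BEACON_HEADERS)
            and headers.get("content-length") == "0"):
        info.update(kind="plugx_style_beacon", id=params["id"],
                    x_size=int(headers["x-size"]), x_sn=int(headers["x-sn"]))
    return info


if __name__ == "__main__":
    for name, dump in (("flow 1", OPAQUE_DUMP), ("flow 2", BEACON_DUMP)):
        print(name, classify_flow(parse_hexdump(dump)))
```

A network rule built from classify_flow() would key on the POST-with-empty-body plus the four X-* headers and treat the Host value and the resolved 122.10.9.190 as secondary, since this capture shows a hostname that can be re-pointed at will.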


Strings
.CC
 
YZu.(

(&A) ...
 (C) 2012
(&F)
                                 H
         (((((                  H
(&H)
         h((((                  H
jjjj
Shell5
SHELL5
Shell5 1.0 
(&X)
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0.2`-ei
0A@@Ju
0ENcY:
0*	isB
0k`2Y	3
0SSSSS
0WWWWW
0&(yjf?
1ETCjR8
(1[pCj=
=1>Vx|
2111](S
~2[cBm
2`]@F-
#2mW{p
&2`wB%
3FQI3X$
#	3GW>
}{3Q-S
4~f9.u
4Iz|C2
4y42n~
58F8|:
5b]ZBi
{5/DQq9(
5eaU[Z[
5/p#E<q
63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:
_:6ag2
6}"EQ 
7\?bc+p
:]7`g 
7hV/YG
7-j%9{
!|~7k6
.~|7ob
$>7rb;
$8nkA0
\8RNVy
8xDD?d
9R#CM:yl
9==.UY
9xuL'i
a'3;O>v
-[]a5hD?
A7dpl;
A[\9.Z5+
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AcV	^ryX
AKoj],
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
+awHI~Z
A$y5<_b
B#-5?z
b6D62?
BBFFf;
BC9Z@D
BeginPaint
bgY%ea!
BhF3haK&"e
Bh?_h>
%bmg\G
bO3&>V
 .B^O9
+B">q&
@bwb+lP
B.y5v5Pt
c*3e\2
c9>V.n
,[?CEb
CFx(y{
c^hw\?
=CJSNz
 !CLQ8
co	qAQ
CorExitProcess
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
*`[cPH 
CPXI1s(4F
CqfNBlY
CreateWindowExW
- CRT not initialized
CsBgJF
+cTKl19X*a=
//|d><
D$$_^[
d\1WqYQ
;D6QsC
D8x5^p
D$8(XC
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcW
DeleteCriticalSection
de%OE{
DestroyWindow
DialogBoxParamW
DispatchMessageW
.dn2=,8
DOMAIN error
d]`whK6
D^~z`k
E3K>W 
E4FpfS{
E*7}v/1
EEFMnf|
EeI|XS
EJlZ&+
EncodePointer
EndDialog
EndPaint
EnterCriticalSection
e}SbI`G
ExitProcess
F%0kp|
@@f98u
= fA=P
February
FfBrkWIM
Fh=8EC
- floating point not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
|FM]r)A
f&PYf)
f}QS1%8D
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
g2111,
g2+wIz
g\5o$TK
g*6q&	.]
G8b"*fA2
('G{b$
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
G.`[f=S
$GKp}Q
gLUh)f%
"#GntkA
'gPcb\09
[g;`^)v
gYU.;T
-h7BT=
~*h7(h)
h7o:nj
H}\bzJ?
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
HnuH$}
h|R8{6
HrCg@b	g 
hw-X~osv15hV
hXavWP/
I3')+*+)))*))()*+++,6J!54 CBA
I%Emlt
IF;PzL
I;G)(	rR
Ik@L#r>
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
io/.\UC
I{:R,]
ir"g	O
IsDebuggerPresent
j0az6QL
J@ 3A*%[
J6*S<[
J7LCf:
J>ajqiUQ
J|]A!L
?jA+_N8H
JanFebMarAprMayJunJulAugSepOctNovDec
January
;j,bWp
jdh(XC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
JHHGGGGGGGGHI
JI-LS{0
JJIIIIJIIIIJJ
J|]jN6 
j(j ^V
j~OVEq
Ju/@{ 
 j?#U|s
JW8r"C\
jYPQTVTSkllZTTXRTUiHceWda/
jY@/`TG'|
ke]L8H
K@eM/ZAg<w
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
KK2AH&
kOVFqeW
kPYHQu
KT$G(,@(g
@k_wr|
L1v2h6-
LCMapStringA
LCMapStringW
~ldza$
LeaveCriticalSection
l ~:EGfL
lE#[Hd
#L'ELU
<lePls
lERb;+
];,>")Lfa
l:_Izv
LNP9lD
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadLibraryA
LoadStringW
>{-L`u@
`L>+v>
LvgL(w
Lx1fBzP
m1&je9&
%M.D`E
@m	dP#
m:EofwY>
MessageBoxA
Microsoft Visual C++ Runtime Library
mk19,!I
MM/dd/yy
MNr8Y!
Monday
MqAR>[
mscoree.dll
 MS_Ukc~D
MT*C$E
MultiByteToWideChar
Mx4fYI
mY<lG`&
MyXNc/
N42[:P
^,n50(
n!dJin
`.nDmz
N""fGO
' NfX0
N^L*0TyK
NmhP/:)4v
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
n.PSL%
 nTeyX 
Nw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
o6?mSS\
O(@>=77A779?<8;$O' 
October
o'-Da7
|O, I:
O%JEEEEEEEEEFFB
OKE&`_
`O^%LO'
Op5$.7
o*/tj#
Ov%^1f
OxGX>9
OYI b&
P1111	
P /F&(.
p+	'l`
Please contact the application's support team for more information.
P\LZsE
/%pMpr5
%PN4i$
PostQuitMessage
PPPPPPPP
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
Program: 
<program name unknown>
pS6Dz,
- pure virtual function call
pwwwwwwww
pwwwwwwwwwwwwwwwp
pxDDDDDDDDD@
pxDDDDDDDDDDDDDDpx
pxDDDDDDDDDH
pxDDDDDDpx
`PxdNC@e
pxwwwwwwpxDDD
pxwwwwwwwwwwwwwxpx
PyC41&
P.YDx|
q5[?i5 
QDbQ|t
Q"g1js
}>qooggggggg1`_fhsnHK
qq1T)Q
QQSVWh
QueryPerformanceCounter
Q[`!xo-1
qy`R&j
)[.r],
|^R:0[=@
r0}Ip)
r42*q[
`.rdata
R\e.8\
RegisterClassExW
&rI<Sv
rK<5>S
r$\)	M
rN8KvFM
r)=rW;ip
RtlUnwind
runtime error 
Runtime Error!
r&uQdj
rZ#3(s
rzB>w 
!s2$m|s
s7rVP1
s*&8$*
	S>`8H
Sa1 'z
Saturday
sbl/I;
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
(SGTJ4zz
ShowWindow
SING error
^sLm_MS
SO>70V
Sunday
SunMonTueWedThuFriSat
S\=V?3==
SXV)kD
S@yF-n
t276M,
t^9(uZ
TA]R+(
tbg	<S(W
tD9(u@
{TD iR
TerminateProcess
T!e:/S/bT
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t<+N>>
?#T$,o1
&TOG*k
TranslateAcceleratorW
TranslateMessage
ttf_Ho$
Tuesday
;t$,v-
t+WWVPV
Udh<4]
Uj#'~a#^S
[Uk^j]I
uL9=lWC
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UpdateWindow
u;Qc;|
UQPXY]Y[
U^+r<_
URPQQhlS@
]##Us$
USER32.dll
USER32.DLL
`uvoM$ZVf
uw	P'l
Uys;6F
U@zG~mf
v$;5TKC
V)c,js
VirtualAlloc
VirtualFree
VMxZ}Ep
v	N+D$
vO)<a<X
vS#4y^
vY$/pJhv_
v	{YXTVn`
W1&o`!
W6P_Tf
{+W.'b
~WdxYxE
Wednesday
WideCharToMultiByte
WkV21TSav^8{
*,WOh82
w,|ovD6
]w.#p*
w|QMHi
W=Qq\;
WriteFile
wrU0eymr
Wto=0KC
WV0rJ8
wwwwwwwpx
wwwwwwwwwwwwwwwpx
,x	"!1
{`[x1F
X]ETMs
X	GvTu,
xIER?C~
X:/J,7R
xL0WlE
x&LS]nr{
XM>}.x
Xz	=^H5
~&Y8?lu
:Ya[_s
Y;=(EC
YF'$JTl;<
|$#yjat
yJPh.o
Y[M	]dY
^YNObAu<
yO/9s-
yrRx\R
>=Yt/j
yvLHjy
{|yvrrwsqpon
|;Y+wck
@yxx/A=
YYu-9D$
YYuTVWh
y(z%tR&l
@Zd*Cj
ZLD\;oTt
zO3IdX
zPn&us*
Zqk	bd
Z)U8>BQ
(zUofOt
\Zy %f]
}zy|yx~