Analysis Date: 2015-07-14 06:24:41
MD5: 26ae49cfdba82d0fa23005797b42f931
SHA1: f2686b233094ea188c0c8c47b16a385bab319248

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 817f34241dccc1d891c242ddd8ad86fb sha1: f3e7fd4dcc8bfa310aa1d4080e338918c8d81b07 size: 450560
Section .rdata: md5: 8a7f5513a1a9e5dae9b23d2d4b00868f sha1: 544ad636113136826f64b5952100d6c8c642690b size: 81920
Section .data: md5: c6ef2aaac7cc3f5491d8690c40af13fe sha1: 1c5654970dd8738c489fa003ad844af008460f1c size: 65536
Section .rsrc: md5: 417d79f0b0d9bb6b288f7b0ec7a705b2 sha1: 7c2b677be216722775d677200abe280da96f91f0 size: 45056
Timestamp: 2015-06-23 07:07:34
Version: LegalCopyright: 作者版权所有 请尊重并使用正版
FileVersion: 1.0.0.0
Comments: 撸出翔V3.0
ProductName: 撸出翔V3.0
ProductVersion: 1.0.0.0
FileDescription: 撸出翔V3.0
Packer: Microsoft Visual C++ v6.0
PEhash: dea45acab94531ce6177b717f567d652651c7c8e
IMPhash: 0924e7ba3d9b66b98d30316d340e5bc3
AV Rising: no_virus
AV Mcafee: RDN/PWS-Mmorpg!na
AV Avira (antivir): TR/Rogue.647168.108
AV Twister: no_virus
AV Ad-Aware: Trojan.Generic.14767971
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): no_virus
AV Grisoft (avg): PSW.Generic12.BZOQ
AV Symantec: no_virus
AV Fortinet: Riskware/FlyStudio
AV BitDefender: Trojan.Generic.14767971
AV K7: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.14767971
AV MalwareBytes: no_virus
AV Authentium: W32/Agent.EW.gen!Eldorado
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Ikarus: no_virus
AV Emsisoft: Trojan.Generic.14767971
AV Zillya!: no_virus
AV Kaspersky: no_virus
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Generic.14767971
AV Arcabit (arcavir): Trojan.Generic.14767971
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Trojan.Generic.14767971
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015071320150714\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\ttx123[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015071320150714!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com
Winsock DNS: 66.85.165.90
Winsock DNS: www.ttx123.cn

Network Details:

DNS: www.2345.com
Type: A
42.62.30.180
DNS: www.ttx123.cn
Type: A
223.4.32.53
HTTP GET: http://www.2345.com/?k33996798
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://66.85.165.90/forum.php?mod=forumdisplay&action=list&fid=215
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.ttx123.cn/?u=xxoo986
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.ttx123.cn/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1033 ➝ 66.85.165.90:80
Flows TCP: 192.168.1.1:1034 ➝ 223.4.32.53:80
Flows TCP: 192.168.1.1:1035 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1036 ➝ 223.4.32.53:80

Raw Pcap
0x00000000 (00000)   47455420 2f3f6b33 33393936 37393820   GET /?k33996798 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d4c61   : */*..Accept-La
0x00000030 (00048)   6e677561 67653a20 656e2d75 730d0a41   nguage: en-us..A
0x00000040 (00064)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000050 (00080)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x000000a0 (00160)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000b0 (00176)   35303732 37290d0a 486f7374 3a207777   50727)..Host: ww
0x000000c0 (00192)   772e3233 34352e63 6f6d0d0a 436f6e6e   w.2345.com..Conn
0x000000d0 (00208)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000e0 (00224)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f666f72 756d2e70 68703f6d   GET /forum.php?m
0x00000010 (00016)   6f643d66 6f72756d 64697370 6c617926   od=forumdisplay&
0x00000020 (00032)   61637469 6f6e3d6c 69737426 6669643d   action=list&fid=
0x00000030 (00048)   32313520 48545450 2f312e31 0d0a4163   215 HTTP/1.1..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000050 (00080)   742d4c61 6e677561 67653a20 656e2d75   t-Language: en-u
0x00000060 (00096)   730d0a41 63636570 742d456e 636f6469   s..Accept-Encodi
0x00000070 (00112)   6e673a20 677a6970 2c206465 666c6174   ng: gzip, deflat
0x00000080 (00128)   650d0a55 7365722d 4167656e 743a204d   e..User-Agent: M
0x00000090 (00144)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x000000a0 (00160)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x000000b0 (00176)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000c0 (00192)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x000000d0 (00208)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x000000e0 (00224)   3a203636 2e38352e 3136352e 39300d0a   : 66.85.165.90..
0x000000f0 (00240)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000100 (00256)   2d416c69 76650d0a 0d0a                -Alive....

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e323334 352e636f   tp://www.2345.co
0x00000040 (00064)   6d2f3f6b 33333939 36373938 0d0a4163   m/?k33996798..Ac
0x00000050 (00080)   63657074 2d4c616e 67756167 653a2065   cept-Language: e
0x00000060 (00096)   6e2d7573 0d0a4163 63657074 2d456e63   n-us..Accept-Enc
0x00000070 (00112)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000080 (00128)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000090 (00144)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x000000a0 (00160)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x000000b0 (00176)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000c0 (00192)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000d0 (00208)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000e0 (00224)   6f73743a 20777777 2e323334 352e636f   ost: www.2345.co
0x000000f0 (00240)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x00000100 (00256)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f3f753d 78786f6f 39383620   GET /?u=xxoo986 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d4c61   : */*..Accept-La
0x00000030 (00048)   6e677561 67653a20 656e2d75 730d0a41   nguage: en-us..A
0x00000040 (00064)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000050 (00080)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x000000a0 (00160)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000b0 (00176)   35303732 37290d0a 486f7374 3a207777   50727)..Host: ww
0x000000c0 (00192)   772e7474 78313233 2e636e0d 0a436f6e   w.ttx123.cn..Con
0x000000d0 (00208)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000e0 (00224)   6976650d 0a0d0a54 68697320 69732074   ive....This is t
0x000000f0 (00240)   68652072 65616c2d 6d6f6465 20746573   he real-mode tes
0x00000100 (00256)   74207061 67652e2e 2e3c2f68 333e0a09   t page...</h3>..
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e747478 3132332e   tp://www.ttx123.
0x00000040 (00064)   636e2f3f 753d7878 6f6f3938 360d0a41   cn/?u=xxoo986..A
0x00000050 (00080)   63636570 742d4c61 6e677561 67653a20   ccept-Language: 
0x00000060 (00096)   656e2d75 730d0a41 63636570 742d456e   en-us..Accept-En
0x00000070 (00112)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000080 (00128)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000090 (00144)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x000000a0 (00160)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x000000b0 (00176)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000c0 (00192)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000d0 (00208)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000e0 (00224)   486f7374 3a207777 772e7474 78313233   Host: www.ttx123
0x000000f0 (00240)   2e636e0d 0a436f6e 6e656374 696f6e3a   .cn..Connection:
0x00000100 (00256)   204b6565 702d416c 6976650d 0a0d0a09    Keep-Alive.....
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.
Strings