Analysis Date: 2015-10-30 23:01:04
MD5: 433ae165cd370dd0fe6698d7367226f0
SHA1: f2cf8496565289f1b1a6058ae01a6c42906cecbe

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE    md5: 55d7fd3983790c10e3f5f302dece38c6 sha1: 465167461352ed9314983ee8921dda04141e5220 size: 659968
Section DATA    md5: 61fc285ec123d9b0b84acfa60f0b70f7 sha1: 5146829ab1fa11d1f52c71a8c104dc69f7f739ea size: 11264
Section BSS     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata  md5: 5d7a3c64ab4862bf46df1965c69e2d19 sha1: 95232c28b8d619c102359cff433ddb5397a8b9d1 size: 13312
Section .tls    md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata  md5: f954f99d0d76132e88be20e8761dfa51 sha1: 2d573349b9ba629c75a59c859009406e11454a40 size: 512
Section .reloc  md5: 124c8a174a8d401e983c141eb6954942 sha1: 475c8aa561652140c7494cfbf3c61df519c731cc size: 41984
Section .rsrc   md5: cb7dfc1ce56f6cdf500a284aeceee93d sha1: a4a662cbbfdf19951aebbab10e8b0341b063a554 size: 86016
Timestamp: 1992-06-19 22:22:17
PEhash: 56473f6df7fa89f329489b8135f0b8f65eb7ceba
IMPhash: c803d2adce390063c48254ca4395b0ed
AV CA (E-Trust Ino): Win32/Hupigon.A!generic
AV F-Secure: Backdoor:W32/Hupigon.NMV
AV Dr. Web: BackDoor.Pigeon1.10587
AV ClamAV: Trojan.Delf-1066
AV Arcabit (arcavir): Generic.Hupigon.YQA.2FDD5925:Backdoor.Generic.753596
AV BullGuard: Generic.Hupigon.YQA.2FDD5925
AV Padvish: Malware.Trojan.Hupigon-9123
AV VirusBlokAda (vba32): SScope.Backdoor.Win32.Hupigon.cmpw
AV CAT (quickheal): Backdoor.Hupigon.DI10
AV Trend Micro: BKDR_HUPIGON.EWE
AV Kaspersky: Backdoor.Win32.Hupigon.pv
AV Zillya!: Backdoor.Hupigon.Win32.1
AV Emsisoft: Generic.Hupigon.YQA.2FDD5925
AV Ikarus: Backdoor.Win32.Hupigon
AV Frisk (f-prot): W32/Backdoor2.ADNF
AV Authentium: W32/Backdoor.KKWE-3597
AV MalwareBytes: Backdoor.Hupigon
AV MicroWorld (escan): Generic.Hupigon.YQA.2FDD5925
AV Microsoft Security Essentials: Backdoor:Win32/Hupigon
AV K7: Backdoor ( 00014abd1 )
AV BitDefender: Generic.Hupigon.YQA.2FDD5925
AV Fortinet: W32/Hupigon.FG!tr.bdr
AV Symantec: Backdoor.Graybird
AV Grisoft (avg): BackDoor.Hupigon5.AWPZ
AV Eset (nod32): Win32/Hupigon
AV Alwil (avast): Hupigon-IG [Trj]:GenMalicious-BND [Trj]
AV Ad-Aware: Generic.Hupigon.YQA.2FDD5925
AV Twister: Trojan.A46AB7533B647040
AV Avira (antivir): BDS/Hupigon.A
AV Mcafee: BackDoor-AWQ.b
AV Rising: Backdoor.Gpigeon.fad
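
The following is an added example, not part of the original report, showing how the per-section md5/sha1/size values in the Static Details are produced: it reads the COFF header and section table with `struct` and hashes each section's raw file bytes. Two details are worth checking against the table. BSS and .tls have size 0 and carry the md5/sha1 of the empty input (d41d8cd9..., da39a3ee...), which is exactly what hashing no bytes yields, so those two hashes identify nothing. The Timestamp 1992-06-19 22:22:17 is 0x2A425E19, the constant the Borland/Delphi linker writes into every binary it produces; it tells you the sample is Delphi-built (consistent with ClamAV's Trojan.Delf name) and nothing about when it was built. The PE image the script assembles is constructed test input; only its section names and timestamp mirror the report.

```python
import hashlib
import struct
from datetime import datetime, timezone

# TimeDateStamp the Borland/Delphi linker writes into every PE it produces.
DELPHI_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table of a PE32 image and hash each
    section's raw bytes the way a sandbox 'Static Details' table does."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""  # BSS/.tls occupy no file bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def describe_timestamp(ts: int):
    """Render TimeDateStamp as UTC and say whether it is the Delphi constant."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return when, ts == DELPHI_TIMESTAMP


def build_sample_pe(section_specs, timestamp: int) -> bytes:
    """Assemble a minimal PE32 image (constructed test input, not the analysed sample)."""
    opt_size = 224                                           # PE32 optional header size
    pe_off = 0x40
    headers_len = pe_off + 4 + 20 + opt_size + 40 * len(section_specs)
    raw_base = (headers_len + 0x1FF) & ~0x1FF                # first raw-data offset, 0x200 aligned
    table, body = b"", b""
    for name, content in section_specs:
        ptr = raw_base + len(body) if content else 0         # empty sections get PointerToRawData 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), 0x1000,
                             len(content), ptr, 0, 0, 0, 0, 0x60000020)
        body += content
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_base - len(image)) + body


if __name__ == "__main__":
    # Section names and timestamp mirror the report; the section contents are made up.
    sample = build_sample_pe([(b"CODE", b"\x55\x8b\xec\xc3" * 64), (b"DATA", b"A" * 16),
                              (b"BSS", b""), (b".tls", b"")], DELPHI_TIMESTAMP)
    info = parse_pe(sample)
    for s in info["sections"]:
        print(f"Section {s['name']:<8} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    when, is_delphi = describe_timestamp(info["timestamp"])
    print(f"Timestamp: {when}" + (" (Delphi linker constant, not a build date)" if is_delphi else ""))
```

Run against a real file with `parse_pe(open(path, "rb").read())`; for a Delphi binary the timestamp line will match the report's, and any section with `size: 0` will reproduce the two empty-input hashes regardless of the sample.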

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\HQAPUS.DAT
Creates File: C:\WINDOWS\Hacker.com.cn.exe
Creates Mutex: Hacker.com.cn_MUTEX
Creates Service: GrayPigeon_Hacker.com.cn - C:\WINDOWS\Hacker.com.cn.exe
Starts Service: GrayPigeon_Hacker.com.cn

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1124

Process
↳ C:\WINDOWS\Hacker.com.cn.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE

Process
↳ C:\Program Files\Internet Explorer\IEXPLORE.EXE

Network Details:

DNS: p5601950.eicp.net
Type: A
174.128.255.231
Flows TCP: 192.168.1.1:1031 ➝ 174.128.255.231:8000
Flows TCP: 192.168.1.1:1032 ➝ 174.128.255.231:8000
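
Added example, not part of the original report: a small IOC matcher that applies the artifacts listed in the Runtime and Network Details (dropped file paths, the installed service name, the DNS name, the C2 address and port, and the sample's MD5) to Sysmon-style host events. The event records are constructed input in a Sysmon-like shape (Event IDs 1, 3, 11 and 22, plus the System log's 7045 service-install event), not a real capture; the JSON-lines layout and the explorer.exe parent of malware.exe are assumptions. The matcher keys on artifacts tied to the sample's own processes (malware.exe and Hacker.com.cn.exe) rather than on the svchost.exe and spoolsv.exe activity also present in the trace, and it does not cover Hacker.com.cn_MUTEX, because Sysmon records no mutex creation; that indicator is for sandbox traces and memory images.

```python
import json

# Indicators taken from the report above, lower-cased where Windows compares
# case-insensitively (paths, service names, host names).
IOCS = {
    "md5": {"433ae165cd370dd0fe6698d7367226f0"},
    "files": {r"c:\windows\hqapus.dat", r"c:\windows\hacker.com.cn.exe"},
    "services": {"graypigeon_hacker.com.cn"},
    "domains": {"p5601950.eicp.net"},
    "c2": {("174.128.255.231", 8000)},
}
# Hacker.com.cn_MUTEX is also an indicator but Sysmon emits no mutex event,
# so it is deliberately absent from this matcher.


def match_event(ev: dict):
    """Return [(rule, detail), ...] for one event dict; empty when nothing matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:                                   # process create
        # Sysmon 'Hashes' looks like "MD5=...,SHA256=..." with upper-case hex.
        hashes = dict(kv.split("=", 1) for kv in ev.get("Hashes", "").split(",") if "=" in kv)
        if hashes.get("MD5", "").lower() in IOCS["md5"]:
            hits.append(("hupigon_known_hash", ev.get("Image")))
        if ev.get("ParentImage", "").lower() in IOCS["files"]:
            hits.append(("hupigon_child_process", ev.get("Image")))
    elif eid == 11 and ev.get("TargetFilename", "").lower() in IOCS["files"]:
        hits.append(("hupigon_dropped_file", ev["TargetFilename"]))
    elif eid == 7045 and ev.get("ServiceName", "").lower() in IOCS["services"]:
        hits.append(("hupigon_service_install", ev["ServiceName"]))
    elif eid == 22 and ev.get("QueryName", "").lower() in IOCS["domains"]:
        hits.append(("hupigon_dns", ev["QueryName"]))
    elif eid == 3 and (ev.get("DestinationIp"), ev.get("DestinationPort")) in IOCS["c2"]:
        hits.append(("hupigon_c2_flow", f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return hits


def scan(lines):
    """Scan JSON-lines events; return [(line_no, rule, detail), ...]."""
    alerts = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for rule, detail in match_event(json.loads(line)):
            alerts.append((n, rule, detail))
    return alerts


# Constructed events mirroring the sandbox trace; the last line is benign noise.
SAMPLE_EVENTS = r"""{"EventID": 1, "Image": "C:\\malware.exe", "ParentImage": "C:\\WINDOWS\\explorer.exe", "Hashes": "MD5=433AE165CD370DD0FE6698D7367226F0,SHA1=F2CF8496565289F1B1A6058AE01A6C42906CECBE"}
{"EventID": 11, "Image": "C:\\malware.exe", "TargetFilename": "C:\\WINDOWS\\HQAPUS.DAT"}
{"EventID": 11, "Image": "C:\\malware.exe", "TargetFilename": "C:\\WINDOWS\\Hacker.com.cn.exe"}
{"EventID": 7045, "ServiceName": "GrayPigeon_Hacker.com.cn", "ImagePath": "C:\\WINDOWS\\Hacker.com.cn.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE", "ParentImage": "C:\\WINDOWS\\Hacker.com.cn.exe"}
{"EventID": 22, "Image": "C:\\WINDOWS\\Hacker.com.cn.exe", "QueryName": "p5601950.eicp.net", "QueryResults": "174.128.255.231;"}
{"EventID": 3, "Image": "C:\\WINDOWS\\Hacker.com.cn.exe", "DestinationIp": "174.128.255.231", "DestinationPort": 8000}
{"EventID": 3, "Image": "C:\\WINDOWS\\system32\\svchost.exe", "DestinationIp": "192.168.1.254", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for line_no, rule, detail in scan(SAMPLE_EVENTS.splitlines()):
        print(f"line {line_no}: {rule} -> {detail}")
```

The IEXPLORE.EXE rule fires on parentage alone because the trace only shows Hacker.com.cn.exe creating the browser process; nothing on the page says how the browser is then used, so the matcher claims no more than that.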
