Analysis Date: 2015-08-14 14:54:03
MD5: 01df1f00232a7c6278b26754593c2512
SHA1: f600f5f0dd04b295ea69973e166d228d7415f0f2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 388a5adbee137e462cbbab07de08361d sha1: bdabef0b9447e0848c24e2d5c951c4b59d1e2f8f size: 638464
Section .itext md5: bd9a6a167767cfb50454df6470438cd6 sha1: 78b938815430924c7836cda2bed190e07272a70d size: 3072
Section .data  md5: 7ee274780e36ee364ece1e8689abcf1a sha1: 400f33a4548b73a9c59a9cf18950e449adf5f69f size: 558080
Section .bss   md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: ead356ac6c93850bb893301b2b8ebf56 sha1: 8b0b1336fba9fae653aeab2043688a0a05d349ed size: 12288
Section .tls   md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata md5: b98490e793b8f3b220fb9d3a17b0dfc1 sha1: fca1352570aae0adff5390ca9e5e97a99c81e713 size: 512
Section .reloc md5: 02aabc16bdbe9f7a41d0a5ec7f6b46d0 sha1: 625424c6b5e3606ccd07596df6dad104590ff577 size: 44032
Section .rsrc  md5: 544fcdb5747e7edb30754c4ba26908e2 sha1: 237ab3549d693d0d74fb16f050510277143cf4c1 size: 53248
Timestamp: 2011-11-09 07:39:30
Packer: BobSoft Mini Delphi -> BoB / BobSoft
PEhash: b8fe5014fc5278bf7b58219e458a28f8ecd42968
IMPhash: 85a7c00d4da04141220f00c2443f8f0b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Generic.14486249
AV Dr. Web: BackDoor.Bifrost.15005
AV ClamAV: Win.Trojan.Bifrose-2285
AV Arcabit (arcavir): Trojan.Generic.14486249
AV BullGuard: Trojan.Generic.14486249
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Redosdru
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: Trojan.Redosdru.Win32.3810
AV Emsisoft: Trojan.Generic.14486249
AV Ikarus: Trojan.Fraud
AV Frisk (f-prot): no_virus
AV Authentium: W32/A-3475dff0!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Trojan.Generic.14486249
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 0048351c1 )
AV BitDefender: Trojan.Generic.14486249
AV Fortinet: W32/GenericR.DCS!tr
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): Win32/Packed.DRMSoft.C suspicious
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Trojan.Generic.14486249
AV Twister: no_virus
AV Avira (antivir): TR/Fraud.Gen7
AV Mcafee: GenericR-DCS!01DF1F00232A
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.qiaqing.net

Network Details:

DNS: qiaqing.net (Type: A) ➝ 184.168.221.21
DNS: www.qiaqing.net (Type: A)
HTTP GET: http://www.qiaqing.net/lb/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows: TCP 192.168.1.1:1032 ➝ 184.168.221.21:80
