Analysis Date: 2014-10-13 07:37:01
MD5: a4acd21991946ae9779e340fc856f9b9
SHA1: f72851c1616635198a12e711e0514ad9337d8163

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (zero-size raw section; the hashes are those of empty input)
Section UPX1 md5: 2ef0c4b81ad524f8a798bd285d122945 sha1: 58e5896c596fb539aae71e307c8c4e33d1cae318 size: 216576
Section UPX2 md5: e79cf2af70c05ab8da55615cd9a4e003 sha1: 4003a0be95a04b7d32cec546a11610d1180bf9b4 size: 1024
Timestamp: 2014-09-25 16:33:25
Packer: UPX -> www.upx.sourceforge.net
PEhash: f8d69f6537a890c5e7971b79f6a8097cb63fb7ef
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c
AV 360 Safe: Gen:Variant.Symmi.42740
AV Ad-Aware: Gen:Variant.Symmi.42740
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.DAVN-2798
AV Avira (antivir): TR/Hijack.218624.1
AV BullGuard: Gen:Variant.Symmi.42740
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.42740
AV Eset (nod32): Win32/Agent.WCF
AV Fortinet: W32/Agent.WCF!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.42740
AV Grisoft (avg): Agent5.JY
AV Ikarus: Trojan.Win32.Agent
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Hosts2.gen
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dgb
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.42740
AV Norman: win32:win32/SB/Malware
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Trojan.Hosts2.Win32.166

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝
http://www.2345.com/?k98792151\\x00
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝
NULL
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Program Files\Common Files\asdqw_3104-48740.JPG
Creates File: C:\WINDOWS\system32\unrar.dll
Creates File: C:\Program Files\Common Files\shanhu_7654_356.jpg
Winsock URL: http://d3.freep.cn/3tb_1409101837529hro538987.jpg
Winsock URL: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
Winsock URL: http://d3.freep.cn/3tb_140923192942q71f538987.jpg

Network Details:

DNS: webmirror.pcbeta.com
Type: A
113.107.42.25
DNS: img.freep.cn
Type: A
221.234.36.242
DNS: img.freep.cn
Type: A
221.234.42.184
DNS: cdn.pcbeta.attachment.inimc.com
Type: A
DNS: d3.freep.cn
Type: A
HTTP GET: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
User-Agent:
HTTP GET: http://d3.freep.cn/3tb_140923192942q71f538987.jpg
User-Agent:
HTTP GET: http://d3.freep.cn/3tb_1409101837529hro538987.jpg
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP: 192.168.1.1:1032 ➝ 221.234.36.242:80
Flows TCP: 192.168.1.1:1033 ➝ 221.234.36.242:80

Raw Pcap
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg 
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f337462 5f313430 39323331   GET /3tb_1409231
0x00000010 (00016)   39323934 32713731 66353338 3938372e   92942q71f538987.
0x00000020 (00032)   6a706720 48545450 2f312e31 0d0a486f   jpg HTTP/1.1..Ho
0x00000030 (00048)   73743a20 64332e66 72656570 2e636e0d   st: d3.freep.cn.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 74746163   no-cache....ttac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f337462 5f313430 39313031   GET /3tb_1409101
0x00000010 (00016)   38333735 32396872 6f353338 3938372e   837529hro538987.
0x00000020 (00032)   6a706720 48545450 2f312e31 0d0a486f   jpg HTTP/1.1..Ho
0x00000030 (00048)   73743a20 64332e66 72656570 2e636e0d   st: d3.freep.cn.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 74746163   no-cache....ttac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....


Strings
:D
.r
.
00
.n
.^
..
..
.
v.$T.
...C".... z
{.}'}k
v....
.
U
.....
\.
.
:D
.r
.
00
.n
.^
..
..
.
v.$T.
...C".... z
{.}'}k
v....
.
U
.....
\.
.

>	>">.
 !"#$%&'()*
'[""[@
))$"[}
0 0&0,02
010:0G0S0g0m0
~,0,271Op
@&@& $@&@&(,@&@&04@&@&<8@&@&@HB&@&LP
_&%070K0_R
(08@P`p
$(09?Ey
0A@@J	
0B=@?Bx
0/b/{m"
0@BwNl
;0G>	|A
0J	pp 
0/?k9879215
*0.(P7lg
0QBG&R
&\.0r;
0s32fta
0tS(td 
.0(UY[v
0v!H W
0vi(8PX
;1;?;{;
1 1$1(1,
1%1B1U1^1
@1`1d>
11da95:8642fc
.1.227
196h	6U91
1c8g8k8
<*>1>j>>
1K\5Ro
1K9tSh
$1M4uw.
^1poQVV
1q2	2C2
1#QNAN
1r1v1z1~1
<1vHCu
219.235
2(252;2O2
2275622D8D
?"?&?*?.?2?6?:
 2 ~/D6i
\2!G;Ad
2H_A}a
*2i,9d
\2is0~
2<MfCp7
2nt>j,
2[^(r Tk
_	2!Vj
^3&0J(W
32@3L3X:x3
32\taskmgr.exe
35138b9a-5Wl
36DefaultI
:(>->3>8>Y>w>
3c5W7J
3I$	_]
3~J?]+
3l$q(H
3P#B!5
%3+Sd|YW
^ 3sRl
3[]VV;
}4:<&~
40nB,%7
43t)gO
4463<tO
44,,B5
45678_
465p5X7
4,84<4\4`4d
$(4BAC28
4$,C4Q4a
4~f9.u
<4FTbp
4MjCv&
4M;-!X
,4;O LN
4p'"hv
4_TsBgmex
517xky.we
5(54~H5h5t5
5<6Z2ea7be1
"57-1546-4
#5C]uy
/5:@F<
5(i/K2
/5t"bu
	5YfF-.no>
647X7`
6!6(6/6N6UDx
6"7-7Q6"
6GH&	,
6k>o>s
6(PgH2
6Q617]7
6rdop3T
6TJ)p;T
6TLm|(.u
6 wG8`
!6@WjaO
6W?L[;2
7$:(:,
731o0a2`
73937Zav9yvcycn3aku
73E2147C
73G*7G
75f06e
>?77=A`
7/7Sr"818;9X9
7)8j<A
7c'5SYQ
{7F7D:
7*gic_
7J-%$J
7>n9<f
~7(pAnv2
7Uq&'`Fdjm
8273I3
@<840,<
8"8(8.848:ZF
>88@"P;	
8`@8VfB
]8.9|9
8#aO`$
8>Apc@(]/
-8au'ru!
<8C8J8Q8
8.~GM+1
8IuA ( iM
8M44h88*
8MZpH<
8pT:'cu
`8;qdt
$8S(_#
~8!S^G
#8UP*+
`8Z8d8
8Zt_h9
942q71f
94a2afdb0c
959@9y9
96>NH9N
9%)7:e
}9, %8
98:T:\:d:u:
9abcdef
9`:i:r:~:
="=9=J=
9J:n:t:z:
_9~X~Bv
]<$'-A
a@4xn+8XM
__ab@,
+,-.//:;<=>?@ABC
A!BM,mX
)-<Ac_
A~$CJx
ACL@TM
ADVAPI32.dll
ADVAPIo
_+ad	wVJ
{a@Fh@:w
?_AFX_
?AfxOldhPro
?a-h#p
aIHtl-
aitrSNiC&
AK2UA(
and Object
AOLEPRO
",A,PW2
ar%'MDIFr
Array<char>
A{@]t(
ATE_TLS: 
ATL.DLL
>~Augus
^AUkW}
<AYF(%Q
A"Z2p	P
B$$<,)
!-B!5[p
b7<Q%Gr
b8Cx_{_
 @B8TX/
::bad_a2
**BCCxh1
!b<F<H4
BfJcG ;B
?B?F?J?N?R?
bfndmm
B:% |g<5
B {g&s
BH!G0"
BitBlt
B<Jxu[
&^bP\n
bR@<@u
]%bs3j
bS@Dt9
Buff#Uppw
Bu.hX3
BWideC
B;Zu$L
<BZ$=Yv
=	 &(C3
.@C:3M8
C8OF{=
"(C` A 
C`abP`|
%cAn!E`!
C$EA)9dJb^C
cg-i"V.
c$[I`A
clB127.0
ClosePrinter
\CLSID
CmdTar
cn/bbs
COMCTL32.dll
CONOUT$
cripth.
CryptKeyCacheI:[4
c>sgB;C
$CT#2%
c!Vd9}
c_W:-E
CWinApp
C/yptl
c%ZxH8
D0J0P0V0\
d1.0">
D48`}<j
 ]d 6{
D7m7y7
d9fbd-8
dBc*m>r[sK
dc71cb684l2c45`
D(CR^2
Dc?THREAD{
d|cWN5
~d\Fold
D\$	gxv)
\.`dhl.
>>+DHrE 
d(ib{J
D	JV (/clr)
dK$w555
d $$L!
DnE"yPF
%DO	x2
dqw_3104-4
DragFinish
&,dR,lP+
dsL&bJ
DSVliabH
:dtZ6(
<D>V4:
*dw}}F)
dX\`do
)dxu2Z
;.e:$:
e1pU4P
e3pv5ReZ
E<4K*>U(
E]APyhF
))EE	F
}_e?FlAn@
E;mbA91kd
~em$qqri1Fre
EnumDisplay/L5g
:EP_3I(
er 8^D
ER)i!S
\etc\ho(s);Bw
e>X86"6f
ExitProcess
f1r3|3v3
FC~T$*L$
?f/DWe
fElehmd
	fg1w1
^?fg?t
FkB`>H^0-:
fmo_hy
fMt.B2
foh4aWJ
/Format
fp`Shz
fstVkH 
F,tv(V
|%Ft&xRn
,F	{Y(P
fzhWfv
g#3)k@=
,G94952
G99j{AS$
GDI32.dll
GetProcAddress
g:g97~<
g:HTTP+
gHV%@o
GLOBAL_HEA
 gpl|n
g	SPPR?
-+*G=$wO|&
G?$'y@6t44
h3"t^9
h595b64144ccf1d
 "H7/Bj)
$$H8`{I
HA<@[ 
Hdqqpo
<"H#D$S
./HFD?
&h*f,l
H{`iB'o
HKEY_LOC
H[l8}W
?hl-sms=P
}%H:%M
HMzF"\
Hnew_9d"M
h`nH$x
 H)R:t
/:H %s
HsH D H+
?(?H?T?X?h?
hU(>$@
huVrQB
HXtB+<9
(h;=x}W
\HZ,$%zb
?I:1(0%}
I 6qUC
I8p0{m
i-Bi);
I|Close
Ieet2t
iEz fa
iGtt4e
i~h"[`
IH,P}g
IJKLMNO
IkHzfY
ileNameW
iLURk 
I*m@ut
~im!;w
i_n`cy
i#NDh&%X
InternetOpenA
$|i'PHeaVw
?iQIYI\QiyiI
i~<r_J
IsDE5p
 @ise,rp
i:Y`Gvb
I|Z|[Z
!+J,%\^
j\3Hf$
JD<4,T
;j`h8N
J_JxrYRV
^J@][N
jO57OO[
j\S_[R
JSzICC
@j<t`e?m
jtiPP(
!jtS?I9
j.W)uQ
\ JyO$Dw
]J>|!z9
K30000
+k7hPD
K8\8j8
kCfi<c
\@KERN8
KERNEL32.DLL
K&hT?+
K|Hz-c
klm&pqHuvwx
\Km;\9
k=o=s=w
[k%,p4H
kP#qRy
&k#[s8
,KSfz3
k Source D
-?KWW_=
kWwktZ
Kxw" 7
L6d6h6
L8.m~?
([l:92
la/4.0 (%
LASSES_ROOT
?la;T8
ld?<`1
L*.DLL
/LfarV
Lg-,xqju}Mp
<l<-<=<J<z<
lkGwGvQ0
l%]L}k~
L>l>p>
L{M{DQj
l/mV p
.>L\n:
lnkwu@Sy
LoadLibraryA
L=`.om
Lo$upValue
l#PL-(;=
)~|lPM
l<Pybl5
|l\RB4{
LRH&hI
lus)(j
[lV.0D
l.yi85
<<((!M
M0s041<1
M,3'\%=
MACHjE\SOFTWAR
<$MA(+i
m.c	* 
mEpg8l7
.mijr@zK
MiscS$
^mkw'P
mlns="
M~lPPM8
^Mma`q8z
=MODULE_~
	&m|rl_DZgL
MSILCf
Msug@wue
Mu B.r#
MU%WU*
M 'X2h/9
n/3tb_
%(N6S5
n_7,UHs
{!{$nA
\nbwnX
netATqBlt
NH-6>Y
NH(L/F
nIW3RFQ
;nKCiVX
nK&L(z
nl_,\1
n]LLxG3
N#nrO-uID
no"Ilh
No such.
NotSupp
NpDNI 
NPgR/S
nPv`~p
n.te_oB
ntf :x
nu(2,$,&54rH80$
n _vec
nW^^Rmn
(Nx>XM
nY>_IZ
$*{o? 
O.340Z
o6l Dlg
o8s8w8{8
o92rej|h$XB9
=OA0QaJ
|oapoO7notz
o%c(U!aS08j
od$~aFK0
OdN52^
o[euoGetM i
O~,h%4
Ohl%`K gC(g=H
Oi73aGA
O^Ia'a
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
OMA$#R60
O.mpGpM
omPoizo'
opyright 19
>OXJB|H=
O .XS#
Oy	HDG
~*OYSTEM
ozInfo
/p3_kS
p{4L2U
P8VWaz
[(pAho{e7
PathMatchSpecA
PBIwoqbi
PBL"Po7
pcLCT-
pCPPZbugHook
pdXL@4=
PG$GhI
piW0gSNA
pI,XI;1u
pj:A:Q
pkcWMG
@p]l"a
pld,4&tf
{p`(`;l&I
Pm?Nl$}	
posiyxf"0
:.pp0|
>PPADD
PPJ!P#
PreviewPages
@p.Rs{
pr:VTofj
ptb7i=n
'PuB	 
~Pu"hi
@PUY^C*x
PXY]SM
py+$.C{'
pZ_-B	
pZe%.\
pZp~d2t
;*'/;Q
\Q 2`FI6
Q&((2r9
?[Q_7654,56
\QBqwl
[qfI@EH
qno=d b,
Q qiUM
Q>.S',?
q.(tl<	
	qtn,=
(q-t/r
?+\Q%u
  qui*
&_Q*V0
qY?Oa)
(QY|PP
R9XwX\
r,9YUq`I
r\Advl
*Rais#
RB8~QN
rdi2b.c: L
RegFlushKey
rf2w!*3
r	F=/lG	Q
rHEhu,
RichEdit
rLPTX\r
R@LXl 
#r: m.v1"@
Rn^^j?
RTTIvAk
r' 	vH<>>
rwiqa^oX
rxkPO`
.RyGtk&
RZ\=F+K
S0#l(%
`:s1'p%
s8(`O4
Saf1Dhk
SCAz_x
[S d`a
^SER32VSPLAY
sf8002*<>|"
sGagIs
shadu007qK
SHaoZip
ShBtBl
SHELL32.dll
SHLWAPI.dll
 SH~yQ
&s>$I 
_SIMULDk
/sJJf[
}sjxun9
;Sl\C$
sM{6 29
So|Bge
sO;>|C;
S @#P@
s.s^X2
SU'#NAX
SV1)Wk
s-:X+&
$sX@ad
.,$s/z \
-t,0tRi
T2X2h2x2
t3lZ6m6Ir5_vl..U-@A1
t 6zVhDJP
t8-WWB2
]T:a*s>zC	
tBaS"87
)tFAP@
!This program cannot be run in DOS mode.
Th spa
Th$s'Wed
TiNi_W
T#|IVdpZ+
#Tj _f
@TL\vJb\0
tNJ JK
tO.PsG
TPLD0(
TPLHD@y
tQq[C2
	^$* tr
t'" rl
t*SWp7
t&=,Vg
TV`\W8
TyLHXV
u0E0xC
U4804w6i0
{u	9ga
u	\f&j$
Ug\E@E
U.hU5R
u:huWX
u.Ic}W
uixK+p
UJ'}9V
UJD,xV~OfU
#u.]ph
$	 UPx
uR{0X@2
uRFGHt
uRz"uR	-4
USER32.dll
uSq/Rp
v1RP-t,&
V4lZLfp
"V5M|V
V5(pQo
V7=6X=
]*VA,@
>v	A`dH
v](b=i
	v(~b_OE=7
`Vc};2`
VC20XC00
vc521'
([V||h
vH:mm:ss>
VH, UP
VHUPq(
VirtualAlloc
VirtualFree
VirtualProtect
 VisUC++ RAL
Vj(@B$
v"n!P)ga
vo }{g
,&[vrH
[{$ vt
VTkROJ7
$*v/$tmi
$Vt	n*RY
vVge&7!
vvX tn1|
;VY,X 9
V?Z?^?b?f?j?n?r?v?z?~?
:vZz9f9l9r9z9
:*]w(1
w2&9 #p
W<@3H,
w50o0y0
was about o
wbe*d!
)W*=bS
 WdD'Y
;|w\E|"*+
We4-;i
w@FBC(|
WFVvA*
w"F$WR
Wi74s+^,(8	7
WININET.dll
WINSPOOL.DRV
wj4Ni?
 --wj-la
	w$,k(>
.wn/,w
wOlgIU
wo_OG?
Wp' >bSr
wsgwdn
WTK0s(VS
(*wVtG
w>VUSWY
w< }z"
<_+",X
X$\0t	
X1\1hP
X8_8f8
 X=8l8>Y8[
%XCx.C3W
XD+UP71`T
X-!GGG{
+Xi!PCM
xnS4YD
\?X=O+
XPTPSW
'X)!RF\
Xt+DPI
-/~;@Y
y2AUdz6p
Y3d3p3
y<840,
yc7t+*n_P
y}C!L@L
yINSZd
ykPnm`
/YM0]W#X
_yn1Zfrtg
Yos MS
yotW. I
ypdXP^D
yPibly
{<:y&q?	
"yR$c=
[Y/vof
y#X:fd>
y_xkX-
y|xtpl
YY;\YYy
z64lbt4x
Z8B_7u
zBjP AR
~z,BOR.
Zc@:,	
*[Z	NG
,@=ZnQ
=ZVP	"
Z<Vp}N
Z[\X`?