Analysis Date: 2015-11-28 07:38:38
MD5: e1bef895010466088918ef891e88c2b1
SHA1: f9b43425c8efa03ff827413b7b25def60a6b16bb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: e4983de0e9bb6268f01f5b33beb05174 sha1: 3cbc847d5ab052b2b9cd4c3289d5db99d48d3694 size: 204800
Section .data    md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc    md5: e14ca25f4c7e5d1a1b671dd5f00623e8 sha1: 9cf2e2bbe343915742d89bcd843911cbd885ee38 size: 32768
Section umwzqtw  md5: cf6342cd4d0471bd6a9c17468f1fd850 sha1: f700663fc70ae0b505b05eb18970fb2ede1d5a07 size: 61440
Section wloylpz  md5: 34d3510f43f36d0a25942f27b907e20a sha1: 497bbea5b08cdcb9c054a6b856f71cab16697e80 size: 32768
Section gcxubpk  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2003-04-08 18:09:29
Version:
  LegalCopyright: sdgfhytrsdfbnvc
  InternalName: zfxdvvxzcv
  FileVersion: 541.23.0152
  CompanyName: sdghfseyrtxdvb
  LegalTrademarks: sadfhdsfhg
  Comments: dfghjvcbn
  ProductName: fdgnbcxvbr
  ProductVersion: 541.23.0152
  FileDescription: dsfhcnbvm
  OriginalFilename: zfxdvvxzcv.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 93acf99e46ecc06cd111fbc089ddc7ca5b3154dd
IMPhash: ac27d9cfe8b6c341dc579b64eb3cf363
AV Rising: no_virus
AV Mcafee: BackDoor-FCQK!E1BEF8950104
AV Avira (antivir): TR/Dropper.Gen
AV Twister: no_virus
AV Ad-Aware: Gen:Heur.ManBat.1
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Eset (nod32): Win32/Blohi.A
AV Grisoft (avg): Luhe.Gen.B
AV Symantec: no_virus
AV Fortinet: W32/KillMBR.NAG!tr
AV BitDefender: Gen:Heur.ManBat.1
AV K7: Trojan ( 004986d91 )
AV Microsoft Security Essentials: Backdoor:Win32/Blohi!rfn
AV MicroWorld (escan): Gen:Heur.ManBat.1
AV MalwareBytes: no_virus
AV Authentium: W32/VBInject.J.gen!Eldorado
AV Frisk (f-prot): W32/VBInject.J.gen!Eldorado
AV Ikarus: Backdoor.Win32.Blohi
AV Emsisoft: Gen:Heur.ManBat.1
AV Zillya!: Trojan.Writos.Win32.739
AV Kaspersky: Trojan.Win32.Writos.vhu
AV Trend Micro: BKDR_BLOHI.SM
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): Trojan.Writos
AV Padvish: no_virus
AV BullGuard: Gen:Heur.ManBat.1
AV Arcabit (arcavir): Gen:Heur.ManBat.1
AV ClamAV: Win.Trojan.Agent-954690
AV Dr. Web: Trojan.DownLoader12.61857
AV F-Secure: Gen:Heur.ManBat.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: pds27.egloos.com
Winsock URL: http://pds27.egloos.com/pds/201501/19/49/DS021dffa.jpg

Network Details:

DNS: pds27.egloos.com
Type: A
125.141.132.107
HTTP GET: http://pds27.egloos.com/pds/201501/19/49/DS021dffa.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 125.141.132.107:80

Raw Pcap

Strings