Analysis Date: 2015-09-28 18:29:30
MD5: bbd9acdd758ec2316855306e83dba469
SHA1: fac8716f032910a22b7410677b9162e7ff1832dd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f9c328a88a0b0fad558ed9f5d35d02e1 sha1: 341974c976fc05cc84b522302e28735913733d91 size: 2048
Section VProtect: md5: faddf1a1352c260355b9a4aedbd0479a sha1: a60e5c8e688418388e3279ee4ca7112c7ff2bbbc size: 630272
Section VProtect: md5: 332dfbf9ccff031d67845ec89f8e20ec sha1: 478a0e57680831f7c0845de48d6f9c4dda2df392 size: 209920
Section VProtect: md5: 68d7b9b2e58398742b6c827acb9b4bb6 sha1: aaa0a3e09193e9ee0e2577c12e735ddc55a08302 size: 512
Timestamp: 1970-01-01 00:00:00
PEhash: 9118a9abf7973a7cb3a531c16a0bc9425bd66382
IMPhash: 89b7805d2447fd94dfb2aff8dd20ba2f
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Generic.14967861
AV Dr. Web: Trojan.Packed.1936
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Generic.14967861
AV BullGuard: Trojan.Generic.14967861
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanPSW.Magania
AV CAT (quickheal): Backdoor.Plugx.r4
AV Trend Micro: no_virus
AV Kaspersky: Trojan-Dropper.Win32.Injector.nikf
AV Zillya!: no_virus
AV Emsisoft: Trojan.Generic.14967861
AV Ikarus: Trojan-Dropper.Agent
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: no_virus
AV MicroWorld (escan): no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx
AV K7: Trojan ( 002e0ffc1 )
AV BitDefender: Trojan.Generic.14967861
AV Fortinet: PossibleThreat
AV Symantec: no_virus
AV Grisoft (avg): PSW.OnlineGames4.LVH
AV Eset (nod32): Win32/Packed.VProtect.B suspicious
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Generic.14967861
AV Rising: no_virus
AV Twister: Suspicious.5650726F74656.mg
AV Avira (antivir): BDS/Plugx.850560
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\bug.log
Creates Process: C:\WINDOWS\system32\svchost.exe 100 128
Creates Mutex: 3D21E658-B095-441a-8FE9-6C10952714C7
Creates Mutex: DBWinMutex
Winsock DNS: 210.209.115.147

Process
↳ C:\WINDOWS\system32\svchost.exe 100 128

Creates File: C:\Documents and Settings\All Users\bug.log

Network Details:

DNS: www.twititier.com
Type: A
210.209.115.147
HTTP POST: http://210.209.115.147/update?id=0018f128
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows TCP: 192.168.1.1:1032 ➝ 210.209.115.147:80
Flows TCP: 192.168.1.1:1034 ➝ 210.209.115.147:80
