Analysis Date: 2015-07-30 13:01:45
MD5: 94fb34a9759574d177298cfb5793c130
SHA1: fb782f2cb53bb594b1f86239ed84e75404229972

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 940e12a325ff9cd179f5d07fb0510637 sha1: c32e51a12e4c532ae80c79ec9340022960f299fd size: 250880
Section .rdata: md5: 5b1b9ee99e165a46499f1537af7b3888 sha1: f7fbe24b5f32ddb28db634bdcd4f4e7e3e225100 size: 65024
Section .data: md5: df9f20b4e592cffb989dfd3da06161ff sha1: 7c0c3b7367a409edcc7adc63a08871cc7720334e size: 90112
Section .rsrc: md5: a2835fb76d40522ea05f803cb5202382 sha1: c47e02a2cf6ad5448c1e2e619cafe5b46d37dd9a size: 81408
Section .reloc: md5: 99089f52312fa1f952e840912d33e9f9 sha1: c4f1c8f09ea01ea8bac08c9f3a209b05c1ff81ab size: 38912
Timestamp: 2015-07-26 13:11:01
Pdb path: C:\唐盛武\work\DownUi2.0\Release\demo1.pdb
Version:
LegalCopyright: TODO: (C) <公司名>。保留所有权利。
InternalName: demo1.exe
FileVersion: 1.0.0.1
CompanyName: TODO: <公司名>
ProductName: TODO: <产品名>
ProductVersion: 1.0.0.1
FileDescription: TODO: <文件说明>
OriginalFilename: demo1.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 7c54bcb290b63cf17a9470a38643e20602aace30
IMPhash: 5dc76303e3a11b6cbe0de9d9caad7cff
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): no_virus
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Mikey.20467
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/RiskWare.Chindo.M
AV Grisoft (avg): Win32/DH{gRKBE0EgIiU2PQ}
AV Symantec: Downloader.Upatre
AV Fortinet: Riskware/Chindo
AV BitDefender: Gen:Variant.Mikey.20467
AV K7: Riskware ( 004c93f61 )
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV MalwareBytes: Trojan.Agent
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Gen:Variant.Mikey.20467
AV Zillya!: no_virus
AV Kaspersky: no_virus
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Ngrbot
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Mikey.20467
AV Arcabit (arcavir): Gen:Variant.Mikey.20467
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Mikey.20467

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2796_appcompat.txt
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1188 -e 380 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 420
Creates Mutex: 143623123y75241237437315232835431520000000014533
Creates Mutex: DBWinMutex

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 420

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1188 -e 380 -g

Network Details:

DNS: int.dpool.sina.com.cn
Type: A
180.149.136.219
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php
User-Agent: WinInetGet/0.1
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.219:80

Raw Pcap

Strings