Analysis Date: 2015-06-04 23:46:26
MD5: 6223dd9f6fd093090314e6bd67955223
SHA1: fbde6c6669f1ef7bd2655ca0bcd2f5bd3b1b11c7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 266078bdf9667393d2a3d57fe26d9d7e sha1: 37320161924c3e8f44cc575bd21d74712ac0174d size: 454656
Section .rdata: md5: d1ccd8a23c6bb93d2d97a593d124ffb2 sha1: 26161b4b17dfa355c70ed2bd9daf7c62b8580f31 size: 90112
Section .data: md5: 980fd1a795a35da86d54c42ab52de5e4 sha1: fa20f926ab23214f6418a466cd44af3598f0fd6f size: 61440
Section .rsrc: md5: d0a5029b234fbab69c8aaba2eec5a024 sha1: 121024f46c62e7a63cc715881a8355149f2d58b8 size: 32768
Timestamp: 2013-02-08 07:03:42
Version:
  LegalCopyright: kolmh2008 版权所有
  FileVersion: 1.0.0.0
  CompanyName: kolmh2008
  Comments: 本程序使用易语言编写(http://www.eyuyan.com)
  ProductName: 易语言程序
  ProductVersion: 1.0.0.0
  FileDescription: 易语言程序
Packer: Microsoft Visual C++ v6.0
PEhash: 027d2f47850ba3d006867c8c33708fc3e3913f01
IMPhash: 5e7e169f64e5e57d2784dcb6192da3c1
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Rogue.kdv.857790
AV Twister: no_virus
AV Ad-Aware: Trojan.Generic.KDV.857790
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/PSW.QQPass.ONJ
AV Grisoft (avg): no_virus
AV Symantec: no_virus
AV Fortinet: W32/QQPass.ELG!tr.pws
AV BitDefender: Trojan.Generic.KDV.857790
AV K7: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.KDV.857790
AV MalwareBytes: no_virus
AV Authentium: W32/Agent.EW.gen!Eldorado
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Ikarus: no_virus
AV Emsisoft: Trojan.Generic.KDV.857790
AV Zillya!: Trojan.Genome.Win32.249875
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Generic.KDV.857790
AV Arcabit (arcavir): Trojan.Generic.KDV.857790
AV ClamAV: Win.Trojan.Agent-204157
AV Dr. Web: no_virus
AV F-Secure: Trojan:W32/DelfInject.R
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Network Details:

DNS: login.iwofeng.com
  Type: A
  141.8.225.80
HTTP POST: http://login.iwofeng.com:88/login.asp
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://login.iwofeng.com:88/login.asp
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:88
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:88

Raw Pcap

Strings