Analysis Date: 2015-12-10 19:08:10
MD5: 88ede04f065d0c125839f9129cb4b125
SHA1: fc6bbdca05a54dc9ee09dcd265b56fde15cabdc7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 399636e1cf123faa9dc0c1c1ed9a4a52 sha1: b9c148ae173ae0199117108a51a43a804f9c774c size: 23552
Section .rdata md5: f359cd50555a06c1946c9624440c5811 sha1: a690108149264d1570b007b23c31b99ab560d759 size: 4608
Section .data  md5: b6778f27be20a78cfc5e0496758eda32 sha1: b05b6101c9eafdbd641b4b0352741892ae2ce668 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc  md5: 54309eea4a06faee7e6b6ab97c6117c2 sha1: 49e322ca6fab4f67cb3565836613af5edab5285e size: 74752
Timestamp: 2007-03-31 15:09:55
PEhash: b15fabceb577ae41405d245adceb45c6615883a9
IMPhash: 4d17be67c8d0394c5c1b8e725359ed89
AV Ad-Aware: Dropped:Trojan.Generic.15287587
AV Grisoft (avg): Packed3_c.CLW
AV CAT (quickheal): no_virus
AV Ikarus: Trojan.MSIL.Injector
AV Avira (antivir): TR/Dropper.Gen
AV K7: Trojan ( 004d2d661 )
AV ClamAV: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Dropped:Trojan.Generic.15287587:Trojan.Generic.15287587
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.DownLoader17.55424
AV Mcafee: RDN/Generic.dx
AV BitDefender: Dropped:Trojan.Generic.15287587
AV Microsoft Security Essentials: Trojan:MSIL/Toauta!rfn
AV Emsisoft: Dropped:Trojan.Generic.15287587
AV MicroWorld (escan): Dropped:Trojan.Generic.15287587
AV Alwil (avast): Malware-gen:Evo-gen [Susp]:Win32:Malware-gen
AV Eset (nod32): MSIL/Bladabindi.Q
AV Rising: no_virus
AV BullGuard: Dropped:Trojan.Generic.15287587
AV Fortinet: W32/Generic.Q!tr
AV Symantec: no_virus
AV Authentium: W32/MSIL_Agent.V.gen!Eldorado
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV Twister: no_virus
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): no_virus
AV F-Secure: Dropped:Trojan.Generic.15287587
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IconSearch.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\photo9823_932847589345_2362736327362002932837173626747373335344335434.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso1.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\photo9823_932847589345_2362736327362002932837173626747373335344335434.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\IconSearch.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\photo9823_932847589345_2362736327362002932837173626747373335344335434.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe"
Creates Mutex: ddb6296f0d347670374a22ca63785a04

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\IconSearch.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ddb6296f0d347670374a22ca63785a04 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe" ..\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ddb6296f0d347670374a22ca63785a04 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\ddb6296f0d347670374a22ca63785a04\[kl] ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe" "server.exe" ENABLE
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Creates Mutex: ddb6296f0d347670374a22ca63785a04
Winsock DNS: siteslist.noip.me

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe" "server.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe:*:Enabled:server.exe\\x00
Creates File: PIPE\lsarpc

Network Details:

DNS: siteslist.noip.me
Type: A
154.108.16.112
Flows TCP: 192.168.1.1:1031 ➝ 154.108.16.112:1177
Flows TCP: 192.168.1.1:1033 ➝ 154.108.16.112:1177
Flows TCP: 192.168.1.1:1034 ➝ 154.108.16.112:1177

Raw Pcap
0x00000000 (00000)   313731                                171

0x00000000 (00000)   313731                                171

0x00000000 (00000)   313731                                171


Strings