7a4d1babde751f080cc65a306a0ae79c

From aldeid

Description

Summary

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete. Thank you for your understanding.

Identification

MD5: 7a4d1babde751f080cc65a306a0ae79c
SHA1: dafe57b9c86466f687b91e153bdec7838fb70d35
SHA256: 398f7503ccdc6b761db1e787f41c81b91cec46f59dc9f334390905b413d42644
ssdeep: 384:PQ2r/xXRVlON9pZbUJvanjBf9cY8jbubGer/yQqZ1xcQblSXFWDIWN:PQ2VBVEN/ZbUdAjNfjDijz0IDj
imphash: f433e7fcc51e68080022754836705744
File size: 21.4 KB (21873 bytes)
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Antivirus detection

| Antivirus | Result | Update |
|---|---|---|
| AVG | BackDoor.RBot.KB | 20140228 |
| Ad-Aware | Win32.Worm.AutoRun.KZ | 20140228 |
| Agnitum | Worm.Hamweg.A | 20140228 |
| AhnLab-V3 | Trojan/Win32.Pakes | 20140228 |
| AntiVir | TR/Autorun.21873 | 20140228 |
| Avast | Win32:AutoRun-AFC [Wrm] | 20140228 |
| Baidu-International | Trojan.Win32.Pakes.aZAx | 20140228 |
| BitDefender | Win32.Worm.AutoRun.KZ | 20140228 |
| Bkav | W32.PeerBotO.Worm | 20140227 |
| ByteHero | Trojan.Win32.Heur.087 | 20140228 |
| CAT-QuickHeal | Worm.AutoRun.dmh.n4 | 20140228 |
| CMC | Generic.Win32.7a4d1babde!MD | 20140220 |
| Commtouch | W32/Backdoor.X.gen!Eldorado | 20140228 |
| DrWeb | Trojan.Packed.162 | 20140228 |
| ESET-NOD32 | Win32/Inject.NAX | 20140228 |
| Emsisoft | Win32.Worm.AutoRun.KZ (B) | 20140228 |
| F-Prot | W32/Onlinegames.BID | 20140228 |
| F-Secure | Win32.Worm.AutoRun.KZ | 20140228 |
| Fortinet | W32/AutoRun.DMH!worm | 20140228 |
| GData | Win32.Worm.AutoRun.KZ | 20140228 |
| Ikarus | Trojan.Win32.Pakes | 20140228 |
| Jiangmin | Worm/AutoRun.ahu | 20140228 |
| K7AntiVirus | EmailWorm ( 0003b4f91 ) | 20140227 |
| K7GW | P2PWorm ( 000116c21 ) | 20140227 |
| Kaspersky | Trojan.Win32.Pakes.jzm | 20140228 |
| McAfee | W32/Autorun.worm.g | 20140228 |
| McAfee-GW-Edition | Heuristic.LooksLike.Win32.Suspicious.C | 20140228 |
| MicroWorld-eScan | Win32.Worm.AutoRun.KZ | 20140228 |
| Microsoft | Worm:Win32/Hamweq.C | 20140228 |
| NANO-Antivirus | Trojan.Win32.Pakes.bdatt | 20140228 |
| Norman | Malware | 20140228 |
| Panda | W32/Autorun.UT.worm | 20140228 |
| Qihoo-360 | Win32/Trojan.2fe | 20140228 |
| Rising | PE:Trojan.Win32.Undef.gjn!1075134976 | 20140227 |
| Sophos | W32/AutoRun-BIA | 20140228 |
| Symantec | W32.IRCBot | 20140228 |
| TheHacker | W32/AutoRun.dmh | 20140226 |
| TotalDefense | Win32/Hamweq.C | 20140227 |
| TrendMicro | WORM_SCRYPT.J | 20140228 |
| TrendMicro-HouseCall | WORM_SCRYPT.J | 20140228 |
| VBA32 | Trojan-PSW.Win32.Gomex.Gen | 20140227 |
| VIPRE | Win32.Autorun.gen (v) | 20140228 |
| nProtect | Trojan/W32.Agent.21873 | 20140227 |
| Antiy-AVL | | 20140228 |
| ClamAV | | 20140227 |
| Comodo | | 20140228 |
| Kingsoft | | 20130829 |
| Malwarebytes | | 20140228 |
| SUPERAntiSpyware | | 20140228 |
| ViRobot | | 20140228 |

Defensive mechanisms

TLS callback

This malware registers a TLS callback. The loader runs TLS callbacks before the executable's entry point, so code placed there executes before a debugger that breaks at the default WinMain gets control. To get past this, we first locate the callback with IDA Pro:

[Image: TLS callback as shown in IDA Pro]

In OllyDbg, we choose to pause at the system breakpoint instead of the default WinMain:

[Image: OllyDbg debugging options, pause at the system breakpoint]

Then we go to the TLS callback location: press Ctrl+G and enter "410ea1".
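
The same callback address can be recovered without a debugger by reading the PE headers. The following script is an added example, not code from the aldeid page: it parses the optional header, follows the TLS data directory to IMAGE_TLS_DIRECTORY, and lists the null-terminated AddressOfCallBacks array, which gives the VAs you would enter with Ctrl+G. It goes beyond this sample in handling both PE32 and PE32+. The function names, the sample layout produced by build_sample_pe() and the second callback address 0x401234 are my assumptions; 0x410EA1 is the address from this analysis, reused here in a constructed file.

```python
import struct
import sys

# Added example: static TLS-callback enumeration for PE files, stdlib only.
# The PE produced by build_sample_pe() is constructed, not the analysed sample.

IMAGE_DIRECTORY_ENTRY_TLS = 9


def _u16(d, o):
    return struct.unpack_from("<H", d, o)[0]


def _u32(d, o):
    return struct.unpack_from("<I", d, o)[0]


def _u64(d, o):
    return struct.unpack_from("<Q", d, o)[0]


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def tls_callbacks(data):
    """Return the TLS callback VAs registered by a PE32 or PE32+ image ([] if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    n_sections = _u16(data, pe + 6)
    opt_size = _u16(data, pe + 20)
    opt = pe + 24
    magic = _u16(data, opt)
    if magic == 0x10B:    # PE32: ImageBase at +28, data directories at +96
        image_base, ptr_size, read_ptr, dirs = _u32(data, opt + 28), 4, _u32, opt + 96
    elif magic == 0x20B:  # PE32+: ImageBase at +24, data directories at +112
        image_base, ptr_size, read_ptr, dirs = _u64(data, opt + 24), 8, _u64, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if _u32(data, dirs - 4) <= IMAGE_DIRECTORY_ENTRY_TLS:  # NumberOfRvaAndSizes
        return []
    tls_rva = _u32(data, dirs + IMAGE_DIRECTORY_ENTRY_TLS * 8)
    if tls_rva == 0:
        return []  # no TLS directory, so nothing runs before the entry point this way
    sections = []
    for i in range(n_sections):
        s = opt + opt_size + 40 * i
        sections.append((_u32(data, s + 12), _u32(data, s + 8), _u32(data, s + 20), _u32(data, s + 16)))
    tls_off = _rva_to_offset(tls_rva, sections)
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (all pointer-sized), then SizeOfZeroFill and Characteristics.
    callbacks_va = read_ptr(data, tls_off + 3 * ptr_size)
    if callbacks_va == 0:
        return []
    off = _rva_to_offset(callbacks_va - image_base, sections)
    callbacks = []
    while True:  # array of callback VAs terminated by a null pointer
        va = read_ptr(data, off)
        if va == 0:
            return callbacks
        callbacks.append(va)
        off += ptr_size


def build_sample_pe(callbacks=(0x410EA1, 0x401234)):
    """Constructed minimal PE32 with one section holding a TLS directory and callback array."""
    image_base, sect_rva, sect_raw, sect_size = 0x400000, 0x1000, 0x200, 0x200
    tls_dir = struct.pack("<IIIIII", image_base + 0x1100, image_base + 0x1104,
                          image_base + 0x1108, image_base + sect_rva + 0x20, 0, 0)
    body = tls_dir.ljust(0x20, b"\0") + b"".join(struct.pack("<I", c) for c in callbacks) + b"\0" * 4
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x1000)
    opt += struct.pack("<III", image_base, 0x1000, 0x200)               # ImageBase, alignments
    opt += struct.pack("<HHHHHHI", 4, 0, 0, 0, 4, 0, 0)                 # versions
    opt += struct.pack("<IIIHH", 0x2000, 0x200, 0, 2, 0)                # SizeOfImage..DllCharacteristics
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (sect_rva, 24)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".rdata\0\0" + struct.pack("<IIIIIIHHI", sect_size, sect_rva, sect_size,
                                        sect_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(sect_raw, b"\0") + body.ljust(sect_size, b"\0")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for i, va in enumerate(tls_callbacks(data)):
        print("TLS callback #%d at 0x%08x" % (i, va))
```

Run it with a file path to inspect a real binary, or without arguments to see it report the two constructed callbacks. Callbacks are listed by VA because that is what the TLS directory stores and what the debugger's Go-to dialog expects; relocated images will differ from these file-based values by the load delta.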

Artifacts

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete. Thank you for your understanding.

Static analysis

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete. Thank you for your understanding.
