Tags: Neurevt

Analysis

Category:  FILE
Started:   2013-11-22 15:36:16
Completed: 2013-11-22 15:36:38
Duration:  22 seconds

File Details

File Name: 1(2).exe
File Size: 226617 bytes
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:       c0d2e08c3f0d964858b8a9788aa6732e
SHA1:      fd8749ed0eedb4ca07803565881a706c8869bd01
SHA256:    917627c7e3dec25d7eb80020c98804c8ff993922da9f0076200a8d4b6927a7ef
SHA512:    ac437025bae1cfa0f76ce4a26aa4efa09f5ae2e1ccbbb61b8c781ebabcfa6c4552750481eca2e98b1151bf1f2b736e051590623891f7d2d4d9249f68759a60c5
CRC32:     CB0C4EFC
Ssdeep:    6144:MTKdP784r0r2H/FQ4IoRKbxvXfHixWjovW1:phrJHK4L6/ixU
Yara
  • shellcode - Matched shellcode byte patterns

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious


Hosts

No hosts contacted.

Domains

No domains contacted.


Summary

C:\WINDOWS\system32\msctfime.ime
C:\DOCUME~1\User\LOCALS~1\Temp\1_2_.exe
c:\myapp.exe
C:\
C:\myapp.exe
C:\DOCUME~1
C:\DOCUME~1\User
C:\DOCUME~1\User\LOCALS~1
C:\DOCUME~1\User\LOCALS~1\Temp
PIPE\lsarpc
C:\WINDOWS\system32\ntdll.dll
HKEY_CURRENT_USER\software
HKEY_CURRENT_USER\software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\software\Local AppWizard-Generated Applications\
HKEY_CURRENT_USER\software\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP
HKEY_CLASSES_ROOT\jarfile\shell\open\command
HKEY_CURRENT_USER\Software\Sysinternals
HKEY_CURRENT_USER\Software\mIRC
HKEY_CURRENT_USER\Software\Hex-Rays
HKEY_CURRENT_USER\Software\Immunity Inc
HKEY_CURRENT_USER\Software\CodeBlocks
HKEY_CURRENT_USER\Software\7-Zip
HKEY_CURRENT_USER\Software\PrestoSoft
HKEY_CURRENT_USER\Software\Nmap
HKEY_LOCAL_MACHINE\Software\\x089;
HKEY_CLASSES_ROOT\.vcproj
HKEY_CLASSES_ROOT\.5vw
HKEY_CURRENT_USER\Software\Valve\Steam
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\origin
HKEY_CURRENT_USER\SOFTWARE\Blizzard Entertainment
HKEY_CURRENT_USER\Software\Skype
HKEY_CURRENT_USER\Software\Microsoft\VisualStudio
HKEY_CURRENT_USER\Software\VMware, Inc.
HKEY_CURRENT_USER\Software\Win7zip
HKEY_LOCAL_MACHINE\Software\Win7zip
HKEY_CURRENT_USER\Software\Classes\CLSID\{EBA414D3-D108-C74C-9CEF-DDE750E4FF8E}\00000000\CG1
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
85485515

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x000081d4    0x00009000        5.98709818213
.rdata  0x0000a000       0x0000165a    0x00009000        6.16881507582
.data   0x0000c000       0x000000b4    0x00001000        0.322800881826
.rsrc   0x0000d000       0x00001c58    0x00002000        4.94507807665

Imports

Library MFC42.DLL:
0x40a078 None
0x40a07c None
0x40a080 None
0x40a084 None
0x40a088 None
0x40a08c None
0x40a090 None
0x40a094 None
0x40a098 None
0x40a09c None
0x40a0a0 None
0x40a0a4 None
0x40a0a8 None
0x40a0ac None
0x40a0b0 None
0x40a0b4 None
0x40a0b8 None
0x40a0bc None
0x40a0c0 None
0x40a0c4 None
0x40a0c8 None
0x40a0cc None
0x40a0d0 None
0x40a0d4 None
0x40a0d8 None
0x40a0dc None
0x40a0e0 None
0x40a0e4 None
0x40a0e8 None
0x40a0ec None
0x40a0f0 None
0x40a0f4 None
0x40a0f8 None
0x40a0fc None
0x40a100 None
0x40a104 None
0x40a108 None
0x40a10c None
0x40a110 None
0x40a114 None
0x40a118 None
0x40a11c None
0x40a120 None
0x40a124 None
0x40a128 None
0x40a12c None
0x40a130 None
0x40a134 None
0x40a138 None
0x40a13c None
0x40a140 None
0x40a144 None
0x40a148 None
0x40a14c None
0x40a150 None
0x40a154 None
0x40a158 None
0x40a15c None
0x40a160 None
0x40a164 None
0x40a168 None
0x40a16c None
0x40a170 None
0x40a174 None
0x40a178 None
0x40a17c None
0x40a180 None
0x40a184 None
0x40a188 None
0x40a18c None
0x40a190 None
0x40a194 None
0x40a198 None
0x40a19c None
0x40a1a0 None
0x40a1a4 None
0x40a1a8 None
0x40a1ac None
0x40a1b0 None
0x40a1b4 None
0x40a1b8 None
0x40a1bc None
0x40a1c0 None
0x40a1c4 None
0x40a1c8 None
0x40a1cc None
0x40a1d0 None
0x40a1d4 None
0x40a1d8 None
0x40a1dc None
0x40a1e0 None
0x40a1e4 None
0x40a1e8 None
0x40a1ec None
0x40a1f0 None
0x40a1f4 None
0x40a1f8 None
0x40a1fc None
0x40a200 None
0x40a204 None
0x40a208 None
0x40a20c None
0x40a210 None
0x40a214 None
0x40a218 None
0x40a21c None
0x40a220 None
0x40a224 None
0x40a228 None
0x40a22c None
0x40a230 None
0x40a234 None
0x40a238 None
0x40a23c None
0x40a240 None
0x40a244 None
0x40a248 None
0x40a24c None
0x40a250 None
0x40a254 None
0x40a258 None
0x40a25c None
0x40a260 None
0x40a264 None
0x40a268 None
0x40a26c None
0x40a270 None
0x40a274 None
0x40a278 None
0x40a27c None
0x40a280 None
0x40a284 None
0x40a288 None
0x40a28c None
0x40a290 None
0x40a294 None
0x40a298 None
0x40a29c None
0x40a2a0 None
0x40a2a4 None
0x40a2a8 None
0x40a2ac None
0x40a2b0 None
0x40a2b4 None
0x40a2b8 None
0x40a2bc None
0x40a2c0 None
0x40a2c4 None
0x40a2c8 None
0x40a2cc None
0x40a2d0 None
0x40a2d4 None
0x40a2d8 None
0x40a2dc None
0x40a2e0 None
0x40a2e4 None
0x40a2e8 None
0x40a2ec None
0x40a2f0 None
0x40a2f4 None
0x40a2f8 None
0x40a2fc None
0x40a300 None
0x40a304 None
0x40a308 None
0x40a30c None
0x40a310 None
0x40a314 None
0x40a318 None
0x40a31c None
0x40a320 None
0x40a324 None
0x40a328 None
0x40a32c None
0x40a330 None
0x40a334 None
0x40a338 None
0x40a33c None
0x40a340 None
0x40a344 None
0x40a348 None
0x40a34c None
0x40a350 None
0x40a354 None
0x40a358 None
0x40a35c None
0x40a360 None
0x40a364 None
0x40a368 None
0x40a36c None
0x40a370 None
0x40a374 None
0x40a378 None
0x40a37c None
0x40a380 None
0x40a384 None
0x40a388 None
0x40a38c None
0x40a390 None
Library MSVCRT.dll:
0x40a398 cos
0x40a39c __CxxFrameHandler
0x40a3a0 memcpy
0x40a3a4 _ftol
0x40a3a8 sin
0x40a3ac malloc
0x40a3b0 memset
Library KERNEL32.dll:
0x40a038 CreateFileW
0x40a03c GetCurrentProcessId
0x40a040 OpenProcess
0x40a044 Sleep
0x40a04c DeleteFileW
0x40a054 LocalFree
0x40a058 MapViewOfFile
0x40a05c FlushFileBuffers
0x40a060 GetCurrentThreadId
0x40a064 HeapFree
0x40a068 FindClose
0x40a06c GlobalFree
0x40a070 GetModuleFileNameW
Library USER32.dll:
0x40a3c4 DrawEdge
0x40a3c8 EnableWindow
0x40a3cc DispatchMessageA
0x40a3d0 CreateDialogParamW
0x40a3d4 InvalidateRect
0x40a3d8 ReleaseDC
0x40a3dc GetCursorPos
0x40a3e0 GetParent
0x40a3e4 GetSystemMenu
0x40a3e8 UpdateWindow
0x40a3ec MessageBoxIndirectW
Library GDI32.dll:
0x40a000 DeleteObject
0x40a004 RealizePalette
0x40a008 SelectPalette
0x40a00c CreatePalette
0x40a010 CreateDIBitmap
0x40a018 TextOutW
0x40a01c LineTo
0x40a024 CreateCompatibleDC
0x40a028 SelectObject
0x40a02c BitBlt
0x40a030 StretchDIBits
Library PSAPI.DLL:

Strings

!This program cannot be run in DOS mode.
RichyV%
`.rdata
@.data
MFC42.DLL
__CxxFrameHandler
memcpy
malloc
memset
MSVCRT.dll
GlobalFree
FindClose
HeapFree
GetCurrentThreadId
FlushFileBuffers
MapViewOfFile
LocalFree
GetCurrentDirectoryW
DeleteFileW
GetTimeZoneInformation
OpenProcess
GetCurrentProcessId
CreateFileW
GetModuleFileNameW
KERNEL32.dll
EnableWindow
UpdateWindow
SystemParametersInfoW
DrawEdge
DispatchMessageA
CreateDialogParamW
MessageBoxIndirectW
GetSystemMenu
GetParent
GetCursorPos
ReleaseDC
InvalidateRect
USER32.dll
DeleteObject
StretchDIBits
RealizePalette
SelectPalette
CreatePalette
CreateDIBitmap
GetCharacterPlacementW
TextOutW
LineTo
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
BitBlt
GDI32.dll
GetModuleFileNameExA
PSAPI.DLL
CImageGeometry
CImageProcess
Local AppWizard-Generated Applications
CImgRotateDoc
CImgRotateView
CMainFrame
m /BPi
h#29IP]l
k[MB52$
o259BM[i
liXKB722o
4559=LX]kkkk]PJ;7554
77779;JO[]ee\XND<77773
+99999<IMOX[XXPJI<99999*
!<:<:<:<CJNPWPOLD=<:<::::
8========DJLNNLJC========6
=========CDFJFEDC=========
n'CCCCCCCCDDEEEEEDCCCCCCCCCC&q
,EEEEEFFFHNFFEEEEEEEEEEEEEE,
CFFFFNSWYYYWWONFFFFFFFFFFFFC
FQNQTZZdejggdZYTQHHHHHHHQHHH
QSRUZgj~
~jf_YSSSSSSSSSSQ
Qa^dj~
~gdVYRYRYRYRUQ
~jd^VVVV^V^b?
~gd^^^^^^^v)p
}f``````cy
wwfffff{^
}wfwfwy|%
ceQjR4
S>e'Y0R
Rbc0RHQMR
Y0Rck8^'Y
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
; CLW file contains information for the MFC ClassWizard
[General Info]
Version=1
LastClass=CAboutDlg
LastTemplate=CDialog
NewFileInclude1=#include "stdafx.h"
NewFileInclude2=#include "M1.h"
ODLFile=M1.odl
LastPage=0
ClassCount=9
Class1=CM1App
Class2=CM1Doc
Class3=CM1View
Class4=CMainFrame
Class5=CInPlaceFrame
Class7=CChildFrame
Class9=CAboutDlg
ResourceCount=7
Resource1=IDD_ABOUTBOX
Resource2=IDR_MAINFRAME
Resource3=IDR_M1TYPE
Resource4=IDR_M1TYPE_CNTR_IP
Resource5=IDR_M1TYPE_SRVR_IP
Resource6=IDR_M1TYPE_SRVR_EMB
[CLS:CM1App]
Type=0
HeaderFile=M1.h
ImplementationFile=M1.cpp
Filter=N
[CLS:CM1Doc]
Type=0
HeaderFile=M1Doc.h
ImplementationFile=M1Doc.cpp
Filter=N
[CLS:CM1View]
Type=0
HeaderFile=M1View.h
ImplementationFile=M1View.cpp
Filter=C
[CLS:CMainFrame]
Type=0
HeaderFile=MainFrm.h
ImplementationFile=MainFrm.cpp
Filter=T
[CLS:CInPlaceFrame]
Type=0
HeaderFile=IpFrame.h
ImplementationFile=IpFrame.cpp
Filter=T
[CLS:CChildFrame]
Type=0
HeadJe"
HtqL+
F1tA96
RO*y?]\SH
;T_u9H
kDY^Z^
reFRk7
f4%\Shp
z}W5_p
BDcqUJ
=(ZCz~_&
({dGmy
y49h%-]
K^_]W
IR>q)
{vgwD@V7of)
DhJ{w/
>{sbxa
bXBoX3
"HcjnjK[y
.=xKso
]t;.j1
3?~gnH
m[]Pgt
yjl&3tzI
>Qf"j7$
F5;M&j
)5lF[0
io!EG|n%
RYRVPv
t!l:U6
vID!pJD
Kg=AuEi&G{
_x"P/(
!B{&nl?
43mfW#
4m[<{"J
R="5$5"
>@1jm{
Fz=KNl
q,c*xH0
h=N|W
Vr'"xp
1Gwhs|
&y$#M G
qy_?"IDlju
v]C}\[
uhKx_
?UFx(`
j8rM8"E+{
IA'"0-
6_@epQ
yP+;=j
,&mFxe
qx6e4+
\,kpfqzI?
9\cJ6-
fMF59\
vxzEf?
a26;qz
1a({xf
kd0S
s)m).x3
'T*s/.
DO~;S0
AQ s:hi
Scgu^(
qmb+!<
V[r7XD
_`G:!f
?fO0;q
,/?M;{Z
f'yY'"
(`=p;0
JsUoIb
K`NmEA
;mHj>Na
rb2SiL
"YQk+,
|WZjb}5
66+/`f
}T5}6t
!J>qpu=Vv
<Y|fwt
J!HZUrf
CC50<zh
9>[G^c
Pzh@Cr
7t<Ucv
~_GYs;
;;"`Gc
WbJdh:
>1bE7kD
o9^!F}o
X1|rQlP-4x
H\m>^7
db/b|{
$ h[h6/W%
q#j7#\
mW!N7H
CEhzJf
@hA|._-l
J4<*>H!
V3J#R
u^~F9_
b)VRmi~
`|YDfJ
rF<I~<
ZlnP65
U)80V\
yd<E&s
2S,{.OS8
,c#F,Pa
E?k=Mw
#xDsJT
VkNyNn
psGrKU
FvD.M4/
SsEO>9mhXK?B
$h"1!Bb
%RRC.
)cl9k9
5y0M%g
q{jX,p9
bW**RT
;Q;!@MX:
.<Em6w
c~Q@Af
hcHQe^(
d'fwuI
R"$Wy2v_*>
~ygGg~
P{+{z{
&p5^TuD
zXWNm%
diO7K)
Ggz\@9|6
6kTzvPcO(
l,+SsKbV
*m^QX9
VSjb"o
d+t8[i
REMZT
!9rBVt
?g/mW
O1#$9,
hLX Si
d{(PD9r
rSngo:
ULTHUg
;R[F|C
N3ul$C
wY|3eO
b]t]ZT
Q1!h.s-tY&
[MDt^F&,lrQv
|6'sN=
`!IY(l
sF(~t{_
Se&66Y3
6Lv#S{Oim*
D)a"?*<
%0,iH
>I9$+D|
&R$uW.
xTdgYf
%RGQ9Q$
dZ1?T7~
/r~&vU
WuY]@q
{`}g>'
DFI%LO-
"k)Sm;
BW?a6n
5OG7t[
dx.#n]
"P#+\4'v
JTwW4Y
^vuO=U
_~cYhw
cQc#IV
[475+l
$zP\<:
I~^4mU
6.I">AO
;UfDITh
Q&Q9.%
%Xin$K
PX_BE(
=Lb7]`M
#Fx7J.
&pP0 ]
&Q_w3_
BnD#Ug
0>$s,{
I@v@|
iC6MD^
3*8IX}y{
Gw6ER-#
6PyT)`
=_E4I7
BwdD{+W7
i|,D(&
K2;LMGL
J#^N<zj
vcT\ZK
907EG*
N>qG"H
<hTZj;w
I)Ao,M
Z_iFVT
FoF:%g
UA4nhA
C^V,*=#WY
d~l;Q;O
s~`1X"[p
55;|N2=[]_w
[u`])-
yE/UYNd
feV"^{
T};h]@
%K*^[c^
Bx8s?"
Aib/fC
WiU2r|+
8]`u*n
~4vCS3
i3)8vx
`:ho>
M#c]vg
2P/^v
Ak)q-W
t<{zKl
QdSDJpn
ue01ZK
&]Ol5i
b<\48d
y}bpnA
EF_v_j
f# nb$
df=u>>
:+kSkS,
,I:U!6
`kh{B0
&`5"mW_
EC^043
C45G~l
wq+qa7q
K-By=L
sp9:Ej
;V3@Sf/
Kdvz6>
/<4e<LC
x.4j8Q
OE>\}@0'I
@.1Y1G
-[z&a?
mP&4wn
X|EWE2vT
5~<.FE
FDO0+k
-F@\E|p
PJZ<hT
P/L^Q*
2LDC[R_G
jD]l 5Jf
oII9n`
/cB\,6
^@>:#
W &/{W
(iUTj
(V]y@x
\<D28\
J.)=9Lj
t=Y`L4.$
qX1=xg
xep8dq
6hhETZ[
J{5'2xNf2f6
9_hG[c
SEif]\
tV<X/
^!G7V(
'Gq?#,
C#fE//
0[_C+P
xR~\;+>
f}64*%.
,C+7ZKhk
m6le#8Y
e9#hxr
@Euuu-
vt,*+.
}quu&#F
tuu&&v&w
tuu&&v&t
tuu&&p&w
@tuu5
uEuu%&
uEuu"&
$Hueuu
ueuuXueuu
tHueuu
**,)(#
Antivirus             Signature
Bkav                  Clean
MicroWorld-eScan      Gen:Variant.Kazy.291512
nProtect              Trojan/W32.Inject.226617
CAT-QuickHeal         Trojan.CeeInject.gen
McAfee                RDN/Generic.dx!ct3
Malwarebytes          Spyware.Zbot.ED
K7AntiVirus           Trojan ( 0048ed611 )
K7GW                  Trojan ( 0048ed611 )
TheHacker             Clean
NANO-Antivirus        Trojan.Win32.Neurevt.cmwknh
F-Prot                Clean
Symantec              WS.Reputation.1
Norman                Suspicious_Gen4.FIMPH
TotalDefense          Win32/Tnega.FIEIET
TrendMicro-HouseCall  TROJ_SPNV.01KF13
Avast                 Win32:Crypt-QEA [Trj]
ClamAV                Clean
Kaspersky             Trojan.Win32.Neurevt.kb
BitDefender           Gen:Variant.Kazy.291512
Agnitum               Clean
ViRobot               Clean
Emsisoft              Gen:Variant.Kazy.291512 (B)
Comodo                Clean
F-Secure              Gen:Variant.Kazy.291512
DrWeb                 Trojan.DownLoader9.22851
VIPRE                 Trojan.Win32.Generic!BT
AntiVir               TR/Buzus.226617.1
TrendMicro            TROJ_SPNV.01KF13
McAfee-GW-Edition     RDN/Generic.dx!ct3
Sophos                Mal/Generic-S
Jiangmin              TrojanSpy.Zbot.fpam
Antiy-AVL             Trojan/Win32.Neurevt
Kingsoft              Clean
Microsoft             VirTool:Win32/CeeInject
SUPERAntiSpyware      Clean
AhnLab-V3             Clean
GData                 Gen:Variant.Kazy.291512
Commtouch             Clean
ByteHero              Clean
VBA32                 Clean
Panda                 Trj/Zbot.M
ESET-NOD32            a variant of Win32/Injector.AQZT
Rising                Clean
Ikarus                Trojan.Inject2
Fortinet              W32/Neurevt.KB!tr
AVG                   Inject2.GPM
Baidu-International   Trojan.Win32.Injector.AQZE

  • 1_2_.exe (PID 1088, parent PID 1824)
    • 1_2_.exe (PID 868, parent PID 1088)

HTTP Requests

No HTTP requests performed.

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

Dropped Files

No dropped files.