Pondus
Norman sandbox - http://180.113.179.100/WIN32.EXE
WIN32.EXE : Not detected by Sandbox (Signature: NO_VIRUS)
[ DetectionInfo ]
* Filename: C:\analyzer\scan\WIN32.EXE.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* Decompressing UPX3.
* File length: 324522 bytes.
* MD5 hash: fc841cdc6d09e3638e40b9c32b7d0cec.
* SHA1 hash: f74de43c0988f160f1a310f308da631a0ad3ee60.
[ Changes to filesystem ]
* Creates directory C:.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\RarSFX0.
* Creates file C:\WINDOWS\TEMP\RarSFX0__tmp_rar_sfx_access_check_55378667.
* Deletes file C:\WINDOWS\TEMP\RarSFX0__tmp_rar_sfx_access_check_55378667.
* Creates file C:\WINDOWS\TEMP\RarSFX0\UHARC.exe.
* Creates file C:\WINDOWS\TEMP\RarSFX0\file.uha.
[ Process/window information ]
* Creates a window with caption WinRAR \xea\xe3\x8b\x87\xf6 and classname #32770.
* Creates dialog control (static) with id 108 and caption .
* Creates dialog control (static) with id 101 and caption \xee\x07\x87\xf69(&D).
* Creates dialog control (combobox) with id 102 and caption .
* Creates dialog control (button) with id 103 and caption O\xc8(&W)…
* Pressing button with id 1.
* Attempts to (null) C:\WINDOWS\TE.
* Attempts to (null) uharc.exe e file.uha.
* Creates process “uharc.exe”.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\RarSFX0\UHARC.exe (111104 bytes) : no signature detection.
* C:\WINDOWS\TEMP\RarSFX0\file.uha (118440 bytes) : no signature detection.
Malwarebytes detects it as Trojan.Serverstart
SuperAntiSpyware does not detect it.
ThreatExpert
http://www.threatexpert.com/report.aspx?md5=fc841cdc6d09e3638e40b9c32b7d0cec
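The sandbox trace above is the classic shape of a WinRAR self-extractor: a PE stub with a RAR archive appended as overlay, which unpacks its members (here UHARC.exe and file.uha) into %TEMP%\RarSFX0 and then runs a command from its setup script ("uharc.exe e file.uha"). Signature scanning of the stub finds nothing because the stub is benign WinRAR code; the interesting part is the overlay. The script below is an added static-triage example, not code from this post, from Norman, or from any of the vendors named; it hashes a file, finds where the PE image ends by walking the section table, checks whether the overlay starts with a RAR marker, and lists the member names from RAR4 file headers. Because the real sample is not reproduced here, build_sample() constructs a stand-in (a minimal PE stub plus a hand-built RAR4 archive with zeroed CRC fields, which this parser deliberately does not validate). RAR5 overlays are only flagged, not parsed.

```python
import hashlib
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x marker block
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x signature


def pe_overlay_offset(data):
    """Return the file offset where the PE image ends (the overlay start), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size
    end = sect + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def rar4_file_names(archive):
    """Walk RAR4 blocks after the marker and collect the names from file headers (type 0x74)."""
    names = []
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(archive):
        _crc, btype, flags, size = struct.unpack_from("<HBHH", archive, pos)
        add_size = 0
        if flags & 0x8000:                      # LONG_BLOCK: packed data follows the header
            add_size = struct.unpack_from("<I", archive, pos + 7)[0]
        if btype == 0x74:
            name_size = struct.unpack_from("<H", archive, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & 0x100 else 0)   # skip 64-bit size fields if present
            names.append(archive[name_off:name_off + name_size].decode("cp437", "replace"))
        if btype == 0x7B or size == 0:          # end-of-archive block, or a corrupt zero-size block
            break
        pos += size + add_size
    return names


def triage(data):
    """Hash the file and report whether it is a PE carrying a RAR archive as overlay."""
    info = {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "size": len(data), "rar_sfx": False, "members": []}
    off = pe_overlay_offset(data)
    if off is None or off >= len(data):
        return info
    overlay = data[off:]
    if overlay.startswith(RAR4_MARKER):
        info["rar_sfx"] = True
        info["members"] = rar4_file_names(overlay)
    elif overlay.startswith(RAR5_MARKER):
        info["rar_sfx"] = True                  # flagged only; RAR5 headers are not parsed here
    return info


def _rar4_file_block(name, payload):
    # Constructed file header: pack/unp size, host OS, CRC, time, version, method, name size, attrs.
    # CRC fields are left as zero; the parser above does not verify them.
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0, 29, 0x30, len(name), 0x20) + name
    return struct.pack("<HBHH", 0, 0x74, 0x8000, 7 + len(body)) + body + payload


def build_sample():
    """Constructed stand-in for the sample: a minimal 32-bit PE stub with one section and a RAR4 overlay."""
    stub_size = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = b"\x0b\x01" + b"\0" * (0xE0 - 2)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x100, stub_size, 0, 0, 0, 0, 0x60000020)
    pe = (dos + b"PE\0\0" + coff + opt + sect).ljust(stub_size, b"\0") + b"\xc3" * 0x100
    main_header = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\0" * 6
    end_block = struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)
    archive = (RAR4_MARKER + main_header
               + _rar4_file_block(b"UHARC.exe", b"MZ" + b"\0" * 30)    # placeholder member bodies
               + _rar4_file_block(b"file.uha", b"UHA" + b"\0" * 13)
               + end_block)
    return pe + archive


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real file, replace build_sample() with open(path, "rb").read(); a non-empty "members" list from a PE that no scanner flags is exactly the situation this report shows, and the dropped names are what you would then hunt for in %TEMP%\RarSFX*.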