Download Link: hxxp://drops-checker.info/ripper.exe
File Name: ripper.exe
File size: 206915 bytes
MD5...: 2587e804cc0901aa25be517e33599bc5
SHA1..: e47b02c339b6a77dd49693b8e58c36d9f2d8e9b6
SHA256: b0c91ceb8cbe5bb393950998db078bdd9b6436b7f506ebffc9b0b8f24ce512a6
SHA512: 7a12ad0ee9213b5f0e48e23da01a223c0d51dc1d05303807f9eb566ff714a2c4e780268fcdeceddd910b06efef35392b7bd16450c689ed1e59f5ac7641d7eba5
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=2587e804cc0901aa25be517e33599bc5
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F6EFA61C43D378F1286603CEA31635006DCD2610
VirusTotal Result: 18/32 (56.25%)
AntiVir: TR/Dldr.AutoIt.FA
AVG: Worm/Autoit.AAS
BitDefender: Trojan.Generic.140090
DrWeb: Trojan.Kadila
eSafe: suspicious Trojan/Worm
Ewido: Downloader.AutoIt.fa
F-Prot: W32/Downldr2.BMEZ
F-Secure: Trojan-Downloader.Win32.AutoIt.fa
FileAdvisor: High threat detected
Fortinet: W32/AutoIt.FA!tr.dldr
Ikarus: Trojan-Downloader.Win32.AutoIt.fa
Kaspersky: Trojan-Downloader.Win32.AutoIt.fa
NOD32v2: probably a variant of Win32/TrojanDownloader.Autoit
Norman: DLoader.GHCP
Prevx1: Generic.Malware
VBA32: Trojan-Downloader.Win32.AutoIt.fa
VirusBuster: Trojan.DL.AutoIt.DA
Webwasher-Gateway: Trojan.Dldr.AutoIt.FA
PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 464C1200
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 07
Linker version (minor): 0A
Size of code: 00030000
Size of initialized data: 00002000
Size of uninitialized data: 00057000
Address of entry point: 00087E10
Base of code: 00058000
Base of data: 00088000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0008A000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 8000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
UPX0     00057000  00001000  00000000  00000400  E0000080
UPX1     00030000  00058000  00030000  00000400  E0000040
.rsrc    00002000  00088000  00002000  00030400  C0000040
Import table (libraries: 13)
KERNEL32.DLL (imports: 6)
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
ADVAPI32.dll (imports: 1)
RegCloseKey
COMCTL32.dll (imports: 1)
ImageList_Remove
comdlg32.dll (imports: 1)
GetSaveFileNameW
GDI32.dll (imports: 1)
LineTo
MPR.dll (imports: 1)
WNetUseConnectionW
ole32.dll (imports: 1)
CoInitialize
OLEAUT32.dll (imports: 1)
#35
SHELL32.dll (imports: 1)
DragFinish
USER32.dll (imports: 1)
GetDC
VERSION.dll (imports: 1)
VerQueryValueW
WINMM.dll (imports: 1)
timeGetTime
WSOCK32.dll (imports: 1)
#13
Unpacking with UPX:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    432707 <-    206915   47.82%   win32/pe     ripper.exe
Unpacked 1 file.
File Name: ripper.exe
File size: 432707 bytes <--- Unpacked with UPX
MD5...: 4a5b2e047eaa65ef9f5764c902668a5c
SHA1..: 4947674abe6ae85ad6587bde76b76fb387aaa494
SHA256: e79f7f12d6feb3226e8fe50111a3dc866658e8f96628951b70f0fb4469e1710f
SHA512: 8904d9be3b3dad39ba9dfe98d0c6bcc339a4be149427e64f953a7d9ad6a6c2d9c51e6950a731505edab6fa9614885abdc25ce46065c79cf5739f332e606cc52d
VirusTotal Result (ripper_unpacked.exe): 2/32 (6.25%)
VBA32: Trojan-Downloader.Win32.AutoIt.fa
VirusBuster: Trojan.DL.AutoIt.DA
PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 464C1200
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 07
Linker version (minor): 0A
Size of code: 00057000
Size of initialized data: 0002C800
Size of uninitialized data: 00000000
Address of entry point: 0004B998
Base of code: 00001000
Base of data: 00058000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00085000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 8000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00056F77  00001000  00057000  00000400  60000020
.rdata   0000BD3A  00058000  0000BE00  00057400  40000040
.data    0001CBB4  00064000  00002400  00063200  C0000040
.rsrc    00004000  00081000  00004000  00065600  40000040
Import table (libraries: 13)
KERNEL32.DLL (imports: 157)
QueryPerformanceCounter
QueryPerformanceFrequency
UnmapViewOfFile
OpenProcess
CreateFileMappingW
MapViewOfFile
WriteProcessMemory
ReadProcessMemory
SetFilePointer
TerminateProcess
WaitForSingleObject
SetFileTime
GetFileAttributesW
FindFirstFileW
FindClose
DeleteFileW
FindNextFileW
lstrcmpiW
MoveFileW
CopyFileW
GetLastError
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetLocalTime
MultiByteToWideChar
WideCharToMultiByte
InterlockedIncrement
InterlockedDecrement
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
SetErrorMode
GetModuleHandleW
GetVolumeInformationW
SetVolumeLabelW
DeviceIoControl
SetFileAttributesW
GetShortPathNameW
GetEnvironmentVariableW
SetEnvironmentVariableW
SetProcessWorkingSetSize
GlobalMemoryStatus
Beep
GetComputerNameW
GetWindowsDirectoryW
GetSystemDirectoryW
GetTempPathW
GetCurrentProcessId
CreatePipe
DuplicateHandle
GetStdHandle
SetPriorityClass
WriteFile
GetFileType
PeekNamedPipe
SetLastError
GetTempPathA
GetTempFileNameA
DeleteFileA
CopyFileA
CreateFileA
ExitThread
GetModuleHandleA
ExitProcess
HeapFree
HeapAlloc
GetVersionExA
TlsAlloc
TlsFree
TlsSetValue
TlsGetValue
DeleteCriticalSection
HeapReAlloc
HeapSize
VirtualProtect
VirtualAlloc
VirtualQuery
HeapDestroy
HeapCreate
VirtualFree
UnhandledExceptionFilter
SetHandleCount
GetStartupInfoA
SetStdHandle
FlushFileBuffers
GetSystemInfo
GetCurrentProcess
GetVersionExW
GlobalFindAtomW
LoadLibraryW
LoadLibraryExW
GlobalFree
GlobalUnlock
ReadFile
GlobalLock
GlobalAlloc
GetFileSize
CreateFileW
CloseHandle
CreateProcessW
GetCurrentThreadId
Sleep
GetProcAddress
LoadLibraryA
RaiseException
GetTimeZoneInformation
GetModuleFileNameA
FreeLibrary
GetModuleFileNameW
GetFullPathNameW
SetCurrentDirectoryW
GetCurrentDirectoryW
CreateThread
ResumeThread
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetStartupInfoW
GetCommandLineA
GetCommandLineW
LCMapStringA
LCMapStringW
GetCPInfo
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
RtlUnwind
GetACP
GetOEMCP
InitializeCriticalSection
GetTickCount
InterlockedExchange
SetEndOfFile
CompareStringA
CompareStringW
GetDiskFreeSpaceW
SetEnvironmentVariableA
ADVAPI32.dll (imports: 18)
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
GetUserNameW
RegConnectRegistryW
RegEnumKeyExW
CloseServiceHandle
UnlockServiceDatabase
LockServiceDatabase
OpenSCManagerW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
COMCTL32.dll (imports: 11)
ImageList_Remove
ImageList_Destroy
ImageList_EndDrag
ImageList_DragLeave
ImageList_DragMove
ImageList_DragEnter
ImageList_BeginDrag
ImageList_SetDragCursorImage
ImageList_ReplaceIcon
ImageList_Create
InitCommonControlsEx
comdlg32.dll (imports: 2)
GetSaveFileNameW
GetOpenFileNameW
GDI32.dll (imports: 37)
PolyBezierTo
ExtCreatePen
StrokeAndFillPath
StrokePath
EndPath
SetPixel
CloseFigure
LineTo
AngleArc
MoveToEx
GetTextExtentPoint32W
CreateDIBSection
BitBlt
GetDIBits
CreateCompatibleBitmap
CreateDCW
GetTextFaceW
Ellipse
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
DeleteDC
CreateCompatibleDC
CreateFontW
GetDeviceCaps
GetStockObject
SetBkMode
GetPixel
RoundRect
SetBkColor
SelectObject
CreatePen
CreateSolidBrush
DeleteObject
SetTextColor
MPR.dll (imports: 4)
WNetUseConnectionW
WNetGetConnectionW
WNetAddConnection2W
WNetCancelConnection2W
ole32.dll (imports: 20)
CreateStreamOnHGlobal
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoInitialize
CoUninitialize
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree
IIDFromString
StringFromIID
CLSIDFromString
OleInitialize
CreateBindCtx
CLSIDFromProgID
CoInitializeSecurity
CoCreateInstanceEx
CoSetProxyBlanket
StringFromCLSID
OleUninitialize
OLEAUT32.dll (imports: 15)
#162
#38
#39
#37
#41
#2
#24
#23
#216
#185
#9
#10
#8
#418
#35
SHELL32.dll (imports: 12)
SHBrowseForFolderW
SHFileOperationW
SHGetPathFromIDListW
SHGetDesktopFolder
SHGetMalloc
Shell_NotifyIconW
ExtractIconExW
DragFinish
DragQueryFileW
DragQueryPoint
ShellExecuteW
ShellExecuteExW
USER32.dll (imports: 149)
PeekMessageW
TranslateMessage
DispatchMessageW
GetMessageW
CharLowerBuffW
CharUpperW
OpenClipboard
IsClipboardFormatAvailable
GetClipboardData
CloseClipboard
CountClipboardFormats
EmptyClipboard
SetClipboardData
GetCursor
RegisterHotKey
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
FlashWindow
CopyImage
GetWindowTextLengthW
SetMenuDefaultItem
SetMenu
CreateMenu
DeleteMenu
DestroyMenu
DrawMenuBar
SetMenuItemInfoW
GetDC
SetWindowPos
SetWindowLongW
RedrawWindow
wsprintfW
CharNextW
IsMenu
GetActiveWindow
LockWindowUpdate
UnregisterHotKey
DestroyWindow
SetClassLongW
AdjustWindowRectEx
SetRect
SystemParametersInfoW
GetSystemMetrics
ReleaseDC
GetWindowDC
GetAsyncKeyState
MessageBeep
keybd_event
FillRect
OffsetRect
FrameRect
DrawTextW
DrawFocusRect
InflateRect
GetSysColor
CheckMenuRadioItem
GetMenuItemID
GetMenuItemCount
GetMenuItemInfoW
SetWindowTextW
ReleaseCapture
SetCapture
ClientToScreen
GetKeyState
WindowFromPoint
GetClientRect
TrackPopupMenuEx
GetCursorPos
IsDialogMessageW
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
ScreenToClient
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
SendMessageTimeoutW
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
CreateIcon
SetForegroundWindow
IsIconic
FindWindowW
SetKeyboardState
LoadImageW
GetKeyboardState
GetFocus
GetWindowTextW
EnumChildWindows
CharUpperBuffW
GetClassNameW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
DefWindowProcW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
VkKeyScanA
GetKeyboardLayoutNameA
MessageBoxW
LoadStringW
DialogBoxParamW
EndDialog
SendDlgItemMessageW
GetMenu
CopyRect
IsChild
GetWindow
GetNextDlgTabItem
GetClassWord
PtInRect
GetDlgItem
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
DestroyIcon
SubtractRect
EndPaint
BeginPaint
DrawFrameControl
InsertMenuItemW
SetCursor
VERSION.dll (imports: 3)
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
WINMM.dll (imports: 3)
waveOutSetVolume
timeGetTime
mciSendStringW
WSOCK32.dll (imports: 21)
#151
#16
#19
#23
#4
#3
#2
#18
#1
#9
#20
#17
#15
#111
#10
#116
#11
#52
#115
#57
#13
Process Info:
Process ID 1784
Filename C:\ripper.exe <--- Packed with UPX
Filesize 206915 bytes
MD5 2587e804cc0901aa25be517e33599bc5
File System Activities:
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\file.exe (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create File: C:\rip1.dat
Open File: c:\rip1.dat (OPEN_EXISTING)
Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
System Info:
Get System Directory
Get Computer Name
User Management:
Impersonate User - Domain: () User: (Sandbox)
Impersonate User - Domain: () User: (Sandbox)
Network Activity:
Download URLs:
hxxp://81.176.236.12/reklama.txt (81.176.236.12)
Outgoing connection to remote server: 81.176.236.12 TCP port 80
WHOIS - 81.176.236.12
Location: Russian Federation (high) [City: Moscow, Moskva]
inetnum: 81.176.236.0 - 81.176.237.255
netname: OPENHOSTING-RT
descr: VPS Hosting
descr: 3, Ostapovsky pr.
descr: 109316, Moscow, Russia
country: RU
admin-c: DK1481-RIPE
tech-c: DK1481-RIPE
status: ASSIGNED PA
notify: ****@openhosting.ru
notify: ***@rtcomm.ru
mnt-by: AS8342-MNT
changed: **********@rtcomm.ru 20070404
source: RIPE
person: Dmitry Kischukov
address: VPS Hosting
address: 3, Ostapovsky pr.
address: 109316, Moscow, Russia
e-mail: ****@openhosting.ru
phone: +74995020299
fax-no: +74995020299
notify: ****@openhosting.ru
nic-hdl: DK1481-RIPE
changed: ****@openhosting.ru 20070403
source: RIPE
% Information related to '81.176.0.0/15AS8342'
route: 81.176.0.0/15
descr: RTCOMM-RU
origin: AS8342
notify: ***@rtcomm.ru
mnt-by: AS8342-MNT
changed: ***@rt.ru 20030120
changed: ***@rt.ru 20031105
changed: ***@rt.ru 20040809
source: RIPE