Worm.Slugin

By CagedTech in Worms

Analysis Report

General information

Family Name: Worm.Slugin
Signature status: No Signature

Known Samples

Sample 1
MD5: eec26d4a198a1679b00c271b5881950b
SHA1: ecf828cceadc16297b6423cdbeb5259db120f38e
SHA256: 6B15A188C23264CBFAAC8E627F876149FE6E7B5C78715AA525541407D33E2972
File Size: 250.34 KB, 250339 bytes

Sample 2
MD5: ffbb1bf2a664a27bfb9a536d0d4e6cd2
SHA1: 7e6f36fc5883036f7a901cd73109f6636649be55
SHA256: 5A9DA80CE8CBDC4289F3D8366B04F76C05296D43B473ED9635BD000D7CDEC368
File Size: 631.27 KB, 631267 bytes

Sample 3
MD5: a9ea924991e0caf59d50530a3a31fd37
SHA1: 1c5338763ce1748ba0f5b7c6aa07f6bb2ec6a90a
SHA256: 64F4CE326620DAB608FA127AD67E9AB83761E963B935BD02E9F696B8F26A3A36
File Size: 3.32 MB, 3319418 bytes

Sample 4
MD5: 69a3fae97187de5b1c5160d2c6adcbe6
SHA1: 5f92b757c960ea692561c8e24a85e449f454fa33
SHA256: 9522A37F753154F9ACD81701AD8477DC0B9194381D915B26E8F1C1B59A1FB63D
File Size: 1.74 MB, 1738607 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name | Value
Company Name:
  • Autodesk, Inc.
  • 上海鸿隆电子技术有限公司
File Description:
  • AdskLicense MFC Application
  • T88 Manager
File Version:
  • 3.0.0.0
  • 1, 0, 0, 2
Internal Name:
  • AdskLicense
  • www.honglong.cn
Legal Copyright:
  • Copyright (C) 1999
Original Filename:
  • AdskLicense.EXE
Product Name:
  • AdskLicense Application
  • T88 Bill Aceptor
Product Version:
  • 1.0.0.0
  • 1, 0, 0, 2

File Traits

  • 2+ executable sections
  • big overlay
  • BINinO
  • dll
  • HighEntropy
  • MZ (In Overlay)
  • No Version Info
  • x86

Block Information

Total Blocks: 1
Potentially Malicious Blocks: 1
Whitelisted Blocks: 0
Unknown Blocks: 0

Visual Map

x

Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Webalta.A

Files Modified

File | Attributes
\device\harddisk0\dr0 | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\95a004 | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\com.run | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\dp1.fne | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\eapi.fne | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\internet.fne | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\krnln.fnr | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\regex.fnr | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\shell.fne | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\e_4\spec.fne | Generic Write, Read Attributes
c:\users\user\appdata\roaming\wplugin.dll | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\windows\explorer.exe.local | Generic Write, Read Attributes
c:\windows\system.ini | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\windows\syswow64\xp-d41d8cd9.exe | Generic Write, Read Attributes
c:\windows\syswow64\xp-d41d8cd9.exe | Synchronize, Write Attributes
c:\windows\wplugin.dll | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144
c:\windows\wplugin.dll | Generic Write, Read Attributes, Delete, LEFT 262144
c:\windows\wplugin.dll | Generic Write, Read Data, Read Attributes, Delete, LEFT 262144
c:\windows\ws2help.dll | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\windows\ws2help.dll | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144

Registry Modifications

Key::Value | Data | API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline | | RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua | | RegNtPreCreateKey
HKCU\software\user914\1214104697::1919251317 | - | RegNtPreCreateKey
HKCU\software\user914\1214104697::-456464662 | | RegNtPreCreateKey
HKCU\software\user914\1214104697::1462786655 | | RegNtPreCreateKey
HKCU\software\user914\1214104697::-912929324 | # | RegNtPreCreateKey
HKCU\software\user914\1214104697::1006321993 | ½ | RegNtPreCreateKey
HKCU\software\user914\1214104697::-1369393986 | http://lpbmx.ru/logos.gifhttp://macedonia.my1.ru/mainh.gifht | RegNtPreCreateKey
HKCU\software\user914\1214104697::549857331 | | RegNtPreCreateKey
HKCU\software\user914::u1_0 | ⠺첖 | RegNtPreCreateKey
HKCU\software\user914::u2_0 | | RegNtPreCreateKey
HKCU\software\user914::u3_0 | 晁ă | RegNtPreCreateKey
HKCU\software\user914::u4_0 | | RegNtPreCreateKey

Windows API Usage

Category | API
Other Suspicious:
  • SetWindowsHookEx
Process Manipulation Evasion:
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute:
  • CreateProcess
Anti Debug:
  • IsDebuggerPresent
User Data Access:
  • GetUserObjectInformation

Shell Command Execution

explorer c:\users\user\downloads\5f92b757c960ea692561c8e24a85e449f454fa33_0001738607
C:\WINDOWS\system32\XP-D41D8CD9.EXE
explorer C:\WINDOWS\SysWOW64\XP-D41D8CD9