The file is probably a dropper that tries to install dangerous malware downloaded from spinistry.com.
The malware actually has a few more steps: it creates a new file so it can keep running from a different directory. All files will be placed in the analysis directory.
In our case fa132c7ca003a5fd97d96c3b656212802cf70f1735283b05144bdcae03e24894.exe is the dropper.
I used Immunity Debugger for this analysis to learn how to work with it. I also took screenshots of all instructions after the binary is decompressed.
Explanation of instructions
0x401035: A handle is used to make sure only one instance of the malware is running, so nothing will go wrong. (If EAX is equal to -1 it will ExitProcess.)
0x40104A: HeapCreate and RtlAllocateHeap are mostly used for stealth and to make the malware look like legitimate software, but I don't really know their usage in this malware.
0x401080: Gets the temp path, such as "C:\Windows\Users<username>\AppData\Local\Temp".
0x4010B2: Creates a file named "rewok.exe" in the Temp directory. (NOTE: rewok.exe is a copy of the dropper.) On success the program continues, otherwise it leaves.
0x4011A5: I guess it opens the Temp path.
0x4011F9 - 0x4012B2: creates the HTTP request:
- HTTP headers
- Method: GET
- URI: /wp-share/7eve.exe
- Version: HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: spinistry.com
- Cache-Control: no-cache
- Transport layer protocol: TCP
- Destination IP:
- Destination port: 443
- SSL encrypted: Yes
- Network mode: singlehost
If the request succeeds it will ReadFile. (In our case it didn't, because by now it is too late.)
0x40132F: Also, after success the file is renamed to rewoked.exe.
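As an added defender-side example (not part of the original analysis), the request details above turned into a small Python check over proxy or TLS-inspection log lines; the tab-separated log format and the sample lines are constructed for this illustration, not real traffic.

```python
# Indicators from the write-up above: the request the dropper makes for its payload.
DROPPER_HOST = "spinistry.com"
DROPPER_URI = "/wp-share/7eve.exe"
DROPPER_UA = "Updates downloader"

# Constructed sample log (not real traffic), tab-separated:
# time, client, method, host, uri, user_agent
SAMPLE_LOG = (
    "2023-01-01T10:00:00Z\t10.0.0.5\tGET\tspinistry.com\t/wp-share/7eve.exe\tUpdates downloader\n"
    "2023-01-01T10:00:01Z\t10.0.0.6\tGET\texample.org\t/index.html\tMozilla/5.0\n"
    "2023-01-01T10:00:02Z\t10.0.0.7\tGET\tcdn.example.net\t/update.exe\tUpdates downloader\n"
    "malformed line without tabs\n"
)

def parse_line(line):
    """Split one log line into a dict; None for lines that don't fit the format."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 6:
        return None
    return dict(zip(("time", "client", "method", "host", "uri", "user_agent"), fields))

def match_reasons(rec):
    """Return the dropper indicators a parsed record matches."""
    reasons = []
    if rec["host"].lower() == DROPPER_HOST:
        reasons.append("host")
    if rec["uri"] == DROPPER_URI:
        reasons.append("uri")
    if rec["user_agent"] == DROPPER_UA:
        reasons.append("user_agent")
    return reasons

def severity(reasons):
    # Host or URI is a strong signal; the bland User-Agent alone is only a lead to triage.
    if "host" in reasons or "uri" in reasons:
        return "high"
    return "low" if reasons else None

def scan(log_text):
    """Return (client, severity, reasons) for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_reasons(rec)
        if reasons:
            hits.append((rec["client"], severity(reasons), reasons))
    return hits
```

Because the real download goes over port 443, a plain proxy log only shows the host unless TLS is inspected, so the URI and User-Agent checks need decrypted or endpoint telemetry.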
I guess that was everything about this dropper malware; I will attach all the other files I used in the analysis.
NOTE: I am new to malware analysis, so I try to practice a lot to learn. If I make mistakes, I would appreciate the help.