Analysis Date2018-03-26 09:24:24
MD59ea0b423fbd86c23acd07fab3439e5bb
SHA100d0e3583eb608947e29dc230d2d48bf2251da5e

Static Details:

File typePE32 executable (GUI) Intel 80386, for MS Windows
PEhash
AVArcabit (arcavir)Gen:Trojan.Brresmon.Gen.1
AVAuthentiumW32/VBcrypt.AP.gen!Eldorado
AVGrisoft (avg)Win32/VBCrypt
AVAvira (antivir)TR/Dropper.VB.Gen2
AVAlwil (avast)Downloader-QSK [Trj]
AVAd-AwareGen:Trojan.Brresmon.Gen.1
AVBitDefenderGen:Trojan.Brresmon.Gen.1
AVBullGuardError Scanning File
AVClamAVError Scanning File
AVDr. WebTrojan.Siggen4.20010
AVEmsisoftGen:Trojan.Brresmon.Gen.1
AVMicroWorld (escan)Gen:Trojan.Brresmon.Gen.1
AVCA (E-Trust Ino)Error Scanning File
AVFortinetW32/VBKrypt.MBW!tr
AVFrisk (f-prot)W32/VBcrypt.AP.gen!Eldorado
AVF-SecureGen:Trojan.Brresmon.Gen.1
AVIkarusError Scanning File
AVK7Trojan ( 003eb2561 )
AVKasperskyError Scanning File
AVMalwareBytesTrojan.Downloader.ED
AVMcafeeNo Virus
AVMicrosoft Security EssentialsNo Virus
AVNANOTrojan.Win32.VBKrypt.cinaxd
AVEset (nod32)Win32/VB.QMS
AVPadvishTrojan.Win32.VBKrypt.nrww
AVCAT (quickheal)VirTool.DelfInject.A3
AVRisingTrojan.Win32.Generic.1331EC28
AV360 SafeNo Virus
AVSUPERAntiSpywareTrojan.Agent/Gen-VBKrypt
AVSymantecTrojan.Zbot
AVTrend MicroTSPY_DO.3B89E239
AVTwisterVirus.E2A13A750CB0FD5B
AVVirusBlokAda (vba32)Trojan.VBKrypt
AVWindows DefenderTrojan:Win32/Toga!rfn
AVZillya!Error Scanning File

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\00d0e3583eb608947e29dc230d2d48bf2251da5e.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\00d0e3583eb608947e29dc230d2d48bf2251da5e.exe

Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Users\Phil\AppData\Local\Temp\LTLAU.txt
Creates FileC:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates FileC:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
Creates FileC:\Users\Phil\Desktop\desktop.ini

Process
↳ C:\Windows\SysWOW64\cmd.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\LTLAU.bat
Creates FileC:\Users\Phil\AppData\Local\Temp\LTLAU.bat
Creates FileC:\Windows\Globalization\Sorting\sortdefault.nls
Creates FileC:\Users\Phil\AppData\Local\Temp\LTLAU.bat

Process
↳ C:\Windows\SysWOW64\reg.exe

Creates FileC:\Windows\Globalization\Sorting\sortdefault.nls
Creates FileC:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svhust ➝
C:\Users\Phil\AppData\Roaming\svhust\svhust.exe

Process
↳ C:\Windows\explorer.exe

Process
↳ C:\Users\Phil\AppData\Roaming\svhust\svhust.exe

Process
↳ C:\Users\Phil\AppData\Roaming\svhust\svhust.exe

Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx
Creates FileC:\Windows\System32\wshom.ocx

Process
↳ C:\Users\Phil\AppData\Roaming\svhust\svhust.exe

Creates FileC:\Windows\System32\ShellStyle.dll
Creates FileC:\Windows\System32\oleaccrc.dll
Creates FileC:\
Creates FileC:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates FileC:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
Creates FileC:\Users\desktop.ini
Creates FileC:\Users
Creates FileC:\Users\Phil
Creates FileC:\Users\Phil\AppData
Creates FileC:\Users\Phil\AppData\Roaming
Creates FileC:\
Creates FileC:\
Creates FileC:\Windows
Creates FileC:\
Creates FileC:\Users
Creates FileC:\Users\Phil
Creates FileC:\Users\Phil\AppData
Creates FileC:\Users\Phil\AppData\Roaming
Creates FileC:\Users\Phil\AppData\Roaming\svhust

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   504f5354 202f6b6b 2f204854 54502f31   POST /kk/ HTTP/1
0x00000010 (00016)   2e300d0a 486f7374 3a206767 706f7765   .0..Host: ggpowe
0x00000020 (00032)   722e696e 666f0d0a 4b656570 2d416c69   r.info..Keep-Ali
0x00000030 (00048)   76653a20 3330300d 0a436f6e 6e656374   ve: 300..Connect
0x00000040 (00064)   696f6e3a 206b6565 702d616c 6976650d   ion: keep-alive.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f352e30 20285769 6e646f77   illa/5.0 (Window
0x00000070 (00112)   73204e54 20362e31 29204170 706c6557   s NT 6.1) AppleW
0x00000080 (00128)   65624b69 742f3533 342e3632 2e302028   ebKit/534.62.0 (
0x00000090 (00144)   4b48544d 4c2c206c 696b6520 4765636b   KHTML, like Geck
0x000000a0 (00160)   6f292056 65727369 6f6e2f35 2e312e36   o) Version/5.1.6
0x000000b0 (00176)   20536166 6172692f 3533342e 31362e34    Safari/534.16.4
0x000000c0 (00192)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000d0 (00208)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000e0 (00224)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000f0 (00240)   640d0a43 6f6e7465 6e742d4c 656e6774   d..Content-Lengt
0x00000100 (00256)   683a2034 310d0a52 65666572 65723a20   h: 41..Referer: 
0x00000110 (00272)   37367235 372e636f 6d0d0a0d 0a6d3d42   76r57.com....m=B
0x00000120 (00288)   41373444 42343037 46373739 43354645   A74DB407F779C5FE
0x00000130 (00304)   31414342 46303944 44353235 43353226   1ACBF09DD525C52&
0x00000140 (00320)   6f3d267a 3d30                         o=&z=0

0x00000000 (00000)   47455420 2f6b6b2f 3f657272 6f723d54   GET /kk/?error=T
0x00000010 (00016)   6865206f 70657261 74696f6e 20636f6d   he operation com
0x00000020 (00032)   706c6574 65642073 75636365 73736675   pleted successfu
0x00000030 (00048)   6c6c7926 636f6465 3d302048 5454502f   lly&code=0 HTTP/
0x00000040 (00064)   312e300d 0a486f73 743a2064 6430732e   1.0..Host: dd0s.
0x00000050 (00080)   77730d0a 4b656570 2d416c69 76653a20   ws..Keep-Alive: 
0x00000060 (00096)   3330300d 0a436f6e 6e656374 696f6e3a   300..Connection:
0x00000070 (00112)   206b6565 702d616c 6976650d 0a557365    keep-alive..Use
0x00000080 (00128)   722d4167 656e743a 204f7065 72612f39   r-Agent: Opera/9
0x00000090 (00144)   2e383020 2857696e 646f7773 204e5420   .80 (Windows NT 
0x000000a0 (00160)   362e313b 20574f57 36343b20 553b2072   6.1; WOW64; U; r
0x000000b0 (00176)   75292050 72657374 6f2f322e 31302e32   u) Presto/2.10.2
0x000000c0 (00192)   32392056 65727369 6f6e2f31 312e3131   29 Version/11.11
0x000000d0 (00208)   0d0a5265 66657265 723a207a 32327763   ..Referer: z22wc
0x000000e0 (00224)   3536386c 31347033 682e696e 666f0d0a   568l14p3h.info..
0x000000f0 (00240)   0d0a0a43 6f6e7465 6e742d4c 656e6774   ...Content-Lengt
0x00000100 (00256)   683a2034 310d0a52 65666572 65723a20   h: 41..Referer: 
0x00000110 (00272)   37367235 372e636f 6d0d0a0d 0a6d3d42   76r57.com....m=B
0x00000120 (00288)   41373444 42343037 46373739 43354645   A74DB407F779C5FE
0x00000130 (00304)   31414342 46303944 44353235 43353226   1ACBF09DD525C52&
0x00000140 (00320)   6f3d267a 3d30                         o=&z=0

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a30300d 0a436f6e 6e656374 696f6e3a   .00..Connection:
0x00000070 (00112)   206b6565 702d616c 6976650d 0a557365    keep-alive..Use
0x00000080 (00128)   722d4167 656e743a 204f7065 72612f39   r-Agent: Opera/9
0x00000090 (00144)   2e383020 2857696e 646f7773 204e5420   .80 (Windows NT 
0x000000a0 (00160)   362e313b 20574f57 36343b20 553b2072   6.1; WOW64; U; r
0x000000b0 (00176)   75292050 72657374 6f2f322e 31302e32   u) Presto/2.10.2
0x000000c0 (00192)   32392056 65727369 6f6e2f31 312e3131   29 Version/11.11
0x000000d0 (00208)   0d0a5265 66657265 723a207a 32327763   ..Referer: z22wc
0x000000e0 (00224)   3536386c 31347033 682e696e 666f0d0a   568l14p3h.info..
0x000000f0 (00240)   0d0a0a43 6f6e7465 6e742d4c 656e6774   ...Content-Lengt
0x00000100 (00256)   683a2034 310d0a52 65666572 65723a20   h: 41..Referer: 
0x00000110 (00272)   37367235 372e636f 6d0d0a0d 0a6d3d42   76r57.com....m=B
0x00000120 (00288)   41373444 42343037 46373739 43354645   A74DB407F779C5FE
0x00000130 (00304)   31414342 46303944 44353235 43353226   1ACBF09DD525C52&
0x00000140 (00320)   6f3d267a 3d30                         o=&z=0

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e32 30353a35 3335370d 0a0d0a3c   00.205:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a643561 31616238 302d6462 35662d34   :d5a1ab80-db5f-4
0x00000280 (00640)   3133332d 62393430 2d346135 62666265   133-b940-4a5bfbe
0x00000290 (00656)   65356566 313c2f77 73613a4d 65737361   e5ef1</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3966 64363632   >urn:uuid:9fd662
0x00000340 (00832)   33322d61 3832632d 34366537 2d623063   32-a82c-46e7-b0c
0x00000350 (00848)   612d3265 38306634 35306134 30393c2f   a-2e80f450a409</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


Strings