Analysis Date2014-10-14 11:34:03
MD51b95d0997f05a069384a7f3f5a5d1df8
SHA103f60bc59331dc665cd5117703465309bcb0d392

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: e2529546b03c9299b2a0b640baeab321 sha1: 4f7b9b995e2eea0897d4590b4e4ca12dc4ce784c size: 122368
Section.rdata md5: 11505ee4199e3d5b2651d0f7f7701cde sha1: 55d129e74439f74ab8999d025169f67521c60109 size: 16384
Section.data md5: f71b44dec7211cb9b2fc4a8dc39e7f01 sha1: 9958ab1f65dcdad1f1881087f575eb00e251e055 size: 16896
Timestamp2014-01-22 06:31:48
PackerMicrosoft Visual C++ ?.?
PEhash8a12eebfe9c45e5aea90159a0475a8c840b12a28
IMPhash4955babec5a2efab33f589b517f5a99b
AV360 SafeTrojan.GenericKD.1905773
AVAd-AwareTrojan.GenericKD.1905773
AVAlwil (avast)Downloader-UVI [Trj]
AVArcabit (arcavir)no_virus
AVAuthentiumW32/Agent.NK2.gen!Eldorado
AVAvira (antivir)TR/Crypt.ZPACK.Gen8
AVBullGuardTrojan.GenericKD.1905773
AVCA (E-Trust Ino)no_virus
AVCAT (quickheal)no_virus
AVClamAVno_virus
AVDr. WebTrojan.DownLoader9.49600
AVEmsisoftTrojan.GenericKD.1905773
AVEset (nod32)Win32/Agent.VNC
AVFortinetW32/Agent.VNC!tr
AVFrisk (f-prot)no_virus
AVF-SecureTrojan.GenericKD.1905773
AVGrisoft (avg)Generic_r.DMA
AVIkarusTrojan.FBLock
AVK7no_virus
AVKasperskyTrojan.Win32.Generic:Trojan.Win32.PEF.pf.silent.342863:Trojan.Win32.PEF.pf.silent.347637:Trojan.Win32.PEF.pf.silent.348577:Trojan.Win32.PEF.pf.silent.349247:Trojan.Win32.PEF.pf.silent.349979:Trojan.Win32.PEF.pf.silent.375505:Trojan.Win32.PEF.pf.silent.376163:Trojan.Win32.PEF.pf.silent.377057:Trojan.Win32.PEF.pf.silent.377789:Trojan.Win32.PEF.pf.silent.378627:Trojan.Win32.PEF.pf.silent.379268:Trojan.Win32.PEF.pf.silent.380179:Trojan.Win32.PEF.pf.silent.380996:Trojan.Win32.PEF.pf.silent.412526:Trojan.Win32.PEF.pf.silent.433356:Trojan.Win32.PEF.pf.silent.453058
AVMalwareBytesTrojan.Agent
AVMcafeeGeneric-FAOV!1B95D0997F05
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort
AVMicroWorld (escan)Trojan.GenericKD.1905773
AVNormanwinpe/Troj_Generic.WEVOZ
AVRisingno_virus
AVSophosMal/Agent-ALA
AVSymantecno_virus
AVTrend Microno_virus
AVVirusBlokAda (vba32)no_virus
AVYara APTno_virus
AVZillya!no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Socket Resource Trap DCOM Identity Offline ➝
C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe
Creates FileC:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe
Creates ProcessC:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe

Creates FileC:\Documents and Settings\Administrator\Application Data\ihvkmyx\xnkfqny.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.en
Creates ProcessWATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe"

Network Details:

DNSmorningbusiness.net
Type: A
213.186.33.5
DNShistorybusiness.net
Type: A
173.236.22.102
DNSthinkbright.net
Type: A
69.90.230.171
DNSmorningbright.net
Type: A
216.185.144.185
DNSalonemanner.net
Type: A
DNSoftenanother.net
Type: A
DNSaloneanother.net
Type: A
DNSoftenbusiness.net
Type: A
DNSalonebusiness.net
Type: A
DNSoftenappear.net
Type: A
DNSaloneappear.net
Type: A
DNSmiddlemanner.net
Type: A
DNStwelvemanner.net
Type: A
DNSmiddleanother.net
Type: A
DNStwelveanother.net
Type: A
DNSmiddlebusiness.net
Type: A
DNStwelvebusiness.net
Type: A
DNSmiddleappear.net
Type: A
DNStwelveappear.net
Type: A
DNSrathermanner.net
Type: A
DNSmorningmanner.net
Type: A
DNSratheranother.net
Type: A
DNSmorninganother.net
Type: A
DNSratherbusiness.net
Type: A
DNSratherappear.net
Type: A
DNSmorningappear.net
Type: A
DNSstrangemanner.net
Type: A
DNShistorymanner.net
Type: A
DNSstrangeanother.net
Type: A
DNShistoryanother.net
Type: A
DNSstrangebusiness.net
Type: A
DNSstrangeappear.net
Type: A
DNShistoryappear.net
Type: A
DNSamountmanner.net
Type: A
DNSweathermanner.net
Type: A
DNSamountanother.net
Type: A
DNSweatheranother.net
Type: A
DNSamountbusiness.net
Type: A
DNSweatherbusiness.net
Type: A
DNSamountappear.net
Type: A
DNSweatherappear.net
Type: A
DNSthickmanner.net
Type: A
DNSclassmanner.net
Type: A
DNSthickanother.net
Type: A
DNSclassanother.net
Type: A
DNSthickbusiness.net
Type: A
DNSclassbusiness.net
Type: A
DNSthickappear.net
Type: A
DNSclassappear.net
Type: A
DNSthinkinstead.net
Type: A
DNSpresentinstead.net
Type: A
DNSthinkexplain.net
Type: A
DNSpresentexplain.net
Type: A
DNSpresentbright.net
Type: A
DNSthinkinside.net
Type: A
DNSpresentinside.net
Type: A
DNSchiefinstead.net
Type: A
DNScollegeinstead.net
Type: A
DNSchiefexplain.net
Type: A
DNScollegeexplain.net
Type: A
DNSchiefbright.net
Type: A
DNScollegebright.net
Type: A
DNSchiefinside.net
Type: A
DNScollegeinside.net
Type: A
DNSofteninstead.net
Type: A
DNSaloneinstead.net
Type: A
DNSoftenexplain.net
Type: A
DNSaloneexplain.net
Type: A
DNSoftenbright.net
Type: A
DNSalonebright.net
Type: A
DNSofteninside.net
Type: A
DNSaloneinside.net
Type: A
DNSmiddleinstead.net
Type: A
DNStwelveinstead.net
Type: A
DNSmiddleexplain.net
Type: A
DNStwelveexplain.net
Type: A
DNSmiddlebright.net
Type: A
DNStwelvebright.net
Type: A
DNSmiddleinside.net
Type: A
DNStwelveinside.net
Type: A
DNSratherinstead.net
Type: A
DNSmorninginstead.net
Type: A
DNSratherexplain.net
Type: A
DNSmorningexplain.net
Type: A
DNSratherbright.net
Type: A
HTTP GEThttp://morningbusiness.net/forum/search.php?email=dragnecornelia@yahoo.com&method=post
User-Agent:
HTTP GEThttp://historybusiness.net/forum/search.php?email=dragnecornelia@yahoo.com&method=post
User-Agent:
HTTP GEThttp://thinkbright.net/forum/search.php?email=dragnecornelia@yahoo.com&method=post
User-Agent:
HTTP GEThttp://morningbright.net/forum/search.php?email=dragnecornelia@yahoo.com&method=post
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 213.186.33.5:80
Flows TCP192.168.1.1:1032 ➝ 173.236.22.102:80
Flows TCP192.168.1.1:1033 ➝ 69.90.230.171:80
Flows TCP192.168.1.1:1034 ➝ 216.185.144.185:80

Raw Pcap
0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 64726167   h.php?email=drag
0x00000020 (00032)   6e65636f 726e656c 69614079 61686f6f   necornelia@yahoo
0x00000030 (00048)   2e636f6d 266d6574 686f643d 706f7374   .com&method=post
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   206d6f72 6e696e67 62757369 6e657373    morningbusiness
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 64726167   h.php?email=drag
0x00000020 (00032)   6e65636f 726e656c 69614079 61686f6f   necornelia@yahoo
0x00000030 (00048)   2e636f6d 266d6574 686f643d 706f7374   .com&method=post
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20686973 746f7279 62757369 6e657373    historybusiness
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 64726167   h.php?email=drag
0x00000020 (00032)   6e65636f 726e656c 69614079 61686f6f   necornelia@yahoo
0x00000030 (00048)   2e636f6d 266d6574 686f643d 706f7374   .com&method=post
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20746869 6e6b6272 69676874 2e6e6574    thinkbright.net
0x00000080 (00128)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 64726167   h.php?email=drag
0x00000020 (00032)   6e65636f 726e656c 69614079 61686f6f   necornelia@yahoo
0x00000030 (00048)   2e636f6d 266d6574 686f643d 706f7374   .com&method=post
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   206d6f72 6e696e67 62726967 68742e6e    morningbright.n
0x00000080 (00128)   65740d0a 0d0a0d0a                     et......


Strings
.
-E-
-0
-0010+-0
0
-0
.CC
00-+ 
.
-e-
. 
\
 
00
.
:\
:..
...........?- 
0
0
0
0
-
W
..
u
                                 H
         (((((                  H
         h((((                  H
jjjjh
jjjjj
KERNEL32.DLL
mscoree.dll
(null)
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0SSSSS
0WWWWW
1#QNAN
1#SNAN
4saYi'^F
|$&8\$%
8VVVVV
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AddFontMemResourceEx
ADVAPI32.dll
An application has made an attempt to load the C runtime library incorrectly.
<at9<rt,<wt
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVexception@std@@
.?AVlength_error@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
__based(
BeginPaint
b*:{(y
__cdecl
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
cLwJER
CompareStringA
CompareStringW
 Complete Object Locator'
CONOUT$
`copy constructor closure'
CopyFileA
CorExitProcess
CreateDirectoryA
CreateEventA
CreateFileA
CreateIconFromResourceEx
CreateProcessA
CreateStreamOnHGlobal
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
- CRT not initialized
D$`_^][
D$(_^[
D$(_^][
D$0+D$x
D$4j h
@.data
dddd, MMMM dd, yyyy
D$\+D$T
D$`+D$X+
December
DecodePointer
`default constructor closure'
DefWindowProcA
 delete
 delete[]
Delete
DeleteCriticalSection
D$hSVW
DispatchMessageA
DOMAIN error
D$(PQR
D$PQRP
DPtoLP
D$T;D$,
D$TPQV
D$TPQVS
D$TPQVSS
D$TPWV
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
EncodePointer
EndPaint
EnterCriticalSection
EqualPrefixSid
ExitProcess
ExpandEnvironmentStringsA
__fastcall
February
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
ForceRemove
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
^F<-uB
GAIsProcessorFeaturePresent
GDI32.dll
GetACP
GetActiveWindow
GetCommandLineA
GetCommConfig
GetCommProperties
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDesktopWindow
GetDeviceCaps
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileSize
GetFileType
GetFullPathNameA
GetKeyboardLayoutList
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMapMode
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetTitleBarInfo
GetUserObjectInformationA
GetWindowDC
GetWindowRect
GetWindowThreadProcessId
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
`h````
H5|F$rX#
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
`h`hhh
HH:mm:ss
HHtXHHt
>If90t
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
InvalidateRect
invalid string position
IsDebuggerPresent
IsValidCodePage
iYhbay
JanFebMarAprMayJunJulAugSepOctNovDec
January
j h(UB
j@j ^V
j"^SSSSS
KERNEL32
KERNEL32.dll
L$|_^][3
L$4-*~
LCMapStringA
LCMapStringW
LeaveCriticalSection
L$HQRP
LoadCursorA
LoadLibraryA
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
LookupIconIdFromDirectoryEx
L$PRPQV
LPtoDP
L$$QRW
L$ QUV
L$(QVVj
L$TQRVWW
L$TQWVS
L$ WQP
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
MoveWindow
MulDiv
MultiByteToWideChar
 new[]
nnD;97"
NoRemove
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
October
ole32.dll
OLEAUT32.dll
`omni callsig'
OpenProcess
operator
__pascal
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
PostQuitMessage
PPPPPPPP
Process32First
Process32Next
Program: 
<program name unknown>
__ptr64
- pure virtual function call
~pwu?+s
QQSVWd
QueryPerformanceCounter
RaiseException
`.rdata
ReadFile
RegCloseKey
RegisterClassExA
RegOpenKeyA
RegSetValueExA
__restrict
RtlUnwind
runtime error 
Runtime Error!
Saturday
`scalar deleting destructor'
September
SetEndOfFile
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetFocus
SetHandleCount
SetLastError
SetMapMode
SetStdHandle
SetUnhandledExceptionFilter
SetWindowTextA
ShowWindow
SING error
SRSSSh
s[S;7|G;w
^SSSSS
__stdcall
`string'
string too long
Sunday
SunMonTueWedThuFriSat
t$0WSQ3
TerminateProcess
tGHt.Ht&
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
__thiscall
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
<\tM</tI
to=8mB
tR99u2
TranslateMessage
T$\RVPW
t"SS9]
<+t(<-t$:
T$TRPV
T$TRWVSS
t$<"u	3
Tuesday
;t$,v-
t$<WPR
t+WWVPV
 Type Descriptor'
`typeof'
>:u8FV
`udt returning'
^Uh <B
- unable to initialize heap
- unable to open console device
__unaligned
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
Unknown exception
UP~#*(
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
u[SSSP
UTF-16LE
u`VWj4h8WB
v$;5\mB
'V>9WH
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
VirtualAlloc
`virtual displacement map'
VirtualFree
v	N+D$
_VVVVV
VVVVVQRSSj
WaitForSingleObject
Wednesday
WideCharToMultiByte
WinHelpA
w>(iUQ
WriteConsoleA
WriteConsoleW
WriteFile
WS2_32.dll
^WWWWW
XA6P XX
x`In!3
xppwpp
xpxxxx
<xtX<XtT
>=Yt1j