Analysis Date: 2015-10-26 12:37:19
MD5: c6e8f4e54750737927ef1cfa8176d44b
SHA1: 0afee7549e01b451fe79a061c48eb7e298305eb8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c535b454bbbfb201f3fca1ab634f1ed7 sha1: eb7056f6ac0dadce21b7442d247bc4155e684a48 size: 836096
Section .rdata: md5: 591037848a3b53f710b6e08f4d450042 sha1: 69f80cea134c0885fff31d8a64e87c63ad38d6c5 size: 316928
Section .data: md5: 17bcbe891f2728f837436b3674b3468c sha1: 12e0a390da02cceb9fba725b6c4a48da4198eb04 size: 7680
Timestamp: 2015-04-15 02:27:21
Packer: Microsoft Visual C++ ?.?
PEhash: b29cadb12ac9993fed76644cf6cdba5247399a9f
IMPhash: e1c0e102c4b5d0ae65d8ecacd5ed98e2
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.Xpack.306165
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.CXVL!tr
AV BitDefender: Gen:Variant.Zusy.133308
AV K7: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV MalwareBytes: no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.133308
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Zusy.133308

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\lucedhi1jrdgquuqyhznqy.exe
Creates File: C:\WINDOWS\system32\tmsfrbill\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\lucedhi1jrdgquuqyhznqy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\lucedhi1jrdgquuqyhznqy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Application Launcher Wired Process ➝ C:\WINDOWS\system32\mtzrzsjzet.exe
Creates File: C:\WINDOWS\system32\mtzrzsjzet.exe
Creates File: C:\WINDOWS\system32\tmsfrbill\tst
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\tmsfrbill\etc
Creates File: C:\WINDOWS\system32\tmsfrbill\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\mtzrzsjzet.exe
Creates Service: Color Studio Builder Windows - C:\WINDOWS\system32\mtzrzsjzet.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1168

Process
↳ C:\WINDOWS\system32\mtzrzsjzet.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\tmsfrbill\tst
Creates File: C:\WINDOWS\system32\tmsfrbill\cfg
Creates File: C:\WINDOWS\system32\tmsfrbill\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\lucedhi1qtpgquu.exe
Creates File: C:\WINDOWS\system32\bkhmfrjdq.exe
Creates File: C:\WINDOWS\system32\tmsfrbill\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\tmsfrbill\lck
Creates Process: C:\WINDOWS\TEMP\lucedhi1qtpgquu.exe -r 43370 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\mtzrzsjzet.exe"

Process
↳ C:\WINDOWS\system32\mtzrzsjzet.exe

Creates File: C:\WINDOWS\system32\tmsfrbill\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\mtzrzsjzet.exe"

Creates File: C:\WINDOWS\system32\tmsfrbill\tst

Process
↳ C:\WINDOWS\TEMP\lucedhi1qtpgquu.exe -r 43370 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: nailthere.net (Type: A) ➝ 98.139.135.129
DNS: groupgrain.net (Type: A) ➝ 208.91.197.241
DNS: ableread.net (Type: A)
DNS: fearstate.net (Type: A)
DNS: longcold.net (Type: A)
DNS: fridayloss.net (Type: A)
DNS: wrongbelow.net (Type: A)
DNS: hilldance.net (Type: A)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=4e8e9a00&lenhdr
User-Agent:
HTTP GET: http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=4e8e9a00&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1032 ➝ 113.29.226.130:443
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80

Raw Pcap


Strings