Analysis Date: 2015-10-01 18:16:13
MD5: 6bc8bd63acb3d1e94ecc6c9e85838a6e
SHA1: 121a4777baf20da85466861c01c0b3679601bfb8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: dbff9923a6f5e8c223cd07c455d2e659 sha1: c43cde86d3151c71ac59ed0b6acd46e1c7dd2417 size: 801792
Section .rdata md5: c93c3e30705b9386e9b4ac529eec1687 sha1: cd70d9a9f898635df74829d2c826c2407f1dc856 size: 59904
Section .data md5: 230f386185788890163fb0c48610e43d sha1: ae3e66d0847da4c0fcfef6ae0c65fc4b909d6831 size: 404480
Timestamp: 2015-01-27 09:20:11
Packer: Microsoft Visual C++ ?.?
PEhash: 9b4d98a62b548d4ddb86b768dd89e74fab7df2d7
IMPhash: f1f415f32c76b309810f1d1b9ecf10fc
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader16.24880
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_WONTON.SMJ1
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV K7: Trojan ( 004cd0081 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Kryptik.DDQD!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.CCLE
AV Alwil (avast): Downloader-TLD [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.251960
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\qfhnfxoup\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ph6wvr8o1kq3kwlg3abkyl.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ph6wvr8o1kq3kwlg3abkyl.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ph6wvr8o1kq3kwlg3abkyl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Foundation Services Profile Power Transaction ➝ C:\WINDOWS\system32\lhnklidjbso.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\qfhnfxoup\tst
Creates File: C:\WINDOWS\system32\qfhnfxoup\lck
Creates File: C:\WINDOWS\system32\lhnklidjbso.exe
Creates File: C:\WINDOWS\system32\qfhnfxoup\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\lhnklidjbso.exe
Creates Service: Protocol Trap Device Acquisition WWAN - C:\WINDOWS\system32\lhnklidjbso.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\lhnklidjbso.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\qfhnfxoup\cfg
Creates File: C:\WINDOWS\TEMP\ph6wvr8o1qjakw.exe
Creates File: C:\WINDOWS\system32\btayvkzzua.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\qfhnfxoup\tst
Creates File: C:\WINDOWS\system32\qfhnfxoup\lck
Creates File: C:\WINDOWS\system32\qfhnfxoup\rng
Creates File: C:\WINDOWS\system32\qfhnfxoup\run
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\ph6wvr8o1qjakw.exe -r 38855 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\lhnklidjbso.exe"

Process
↳ C:\WINDOWS\system32\lhnklidjbso.exe

Creates File: C:\WINDOWS\system32\qfhnfxoup\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\lhnklidjbso.exe"

Creates File: C:\WINDOWS\system32\qfhnfxoup\tst

Process
↳ C:\WINDOWS\TEMP\ph6wvr8o1qjakw.exe -r 38855 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: enemyguess.net Type: A ➝ 208.91.197.241
DNS: queentell.net Type: A ➝ 208.91.197.241
DNS: wednesdayhalf.net Type: A ➝ 208.91.197.241
DNS: mouthrest.net Type: A ➝ 208.91.197.241
DNS: drivethirteen.net Type: A ➝ 208.91.197.241
DNS: faceboat.net Type: A ➝ 208.91.197.241
DNS: muchhappy.net Type: A ➝ 208.91.197.241
DNS: signimportant.net Type: A ➝ 95.211.230.75
DNS: looknice.net Type: A ➝ 72.52.4.91
DNS: feltelse.net Type: A ➝ 195.22.26.231
DNS: feltelse.net Type: A ➝ 195.22.26.252
DNS: feltelse.net Type: A ➝ 195.22.26.253
DNS: feltelse.net Type: A ➝ 195.22.26.254
DNS: knowsleep.net Type: A ➝ 208.91.197.27
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://signimportant.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://looknice.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://feltelse.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
HTTP GET: http://knowsleep.net/index.php?method=validate&mode=sox&v=036&sox=47ef9400&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1045 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1046 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1047 ➝ 208.91.197.27:80
