Analysis Date: 2015-08-19 10:04:50
MD5: 1584967e067e2e855d756ef662b27bd8
SHA1: 1dfd85278ea5b71d51e6008e4cf38ddb88ff07b9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 974b8f28f315ccf31c306dddd16b17de sha1: 95845ba2dd654bbbab596ee38384ff327a162958 size: 295936
Section .rdata: md5: 73a8c25e4d2b5111d4898794275e1be2 sha1: 317a5ec81d4d2e7e13de3248922118e872533dfe size: 35328
Section .data: md5: 804200efe05c89dc773edc95547343b6 sha1: 8e293f66f122e50d7d19ca148768b106fd6c1b42 size: 98816
Timestamp: 2014-10-30 10:27:24
Packer: Microsoft Visual C++ ?.?
PEhash: fcb781d44e9d9cdbcd53068db2f5f2b37028e6ee
IMPhash: 795ef7d8bc671fad912ab378a7a2ed8d
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader15.28401
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Downloader-TLD [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): BDS/Zegost.Gen4
AV Mcafee: Trojan-FEMT!1584967E067E
AV Rising: 0x5800b250

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Volume Acquisition Machine ➝ C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\frqsageoe.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\frqsageoe.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\frqsageoe.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\frqsageoe.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\frqsageoe.m0
Creates File: C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\zxcfeogv.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\frqsageoe.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\unjshdtimmbvrs\frqsageoe.exe"

Network Details:

HTTP GET: http://mountainsupply.net/index.php?email=brees-rushing@vsuch.com&method=post&len (User-Agent: empty)
HTTP GET: http://windowsupply.net/index.php?email=brees-rushing@vsuch.com&method=post&len (User-Agent: empty)
HTTP GET: http://sweetoffice.net/index.php?email=brees-rushing@vsuch.com&method=post&len (User-Agent: empty)
HTTP GET: http://materialsupply.net/index.php?email=brees-rushing@vsuch.com&method=post&len (User-Agent: empty)
HTTP GET: http://laughstrong.net/index.php?email=brees-rushing@vsuch.com&method=post&len (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 67.18.199.2:80
Flows TCP: 192.168.1.1:1032 ➝ 173.236.172.44:80
Flows TCP: 192.168.1.1:1033 ➝ 162.213.251.173:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1035 ➝ 50.21.189.209:80

Raw Pcap

Strings