Analysis Date: 2015-10-05 21:00:09
MD5: 60902e49fed988d056d75973a7c6b86f
SHA1: 2ec05a62994a0e59f41faf42dabeba9cba453ff9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2a79d960788eb30edab92db0a1419d29 sha1: 31cde4cf8b85715fbab27ad3ec54cbd7c70ff63a size: 295936
Section .rdata: md5: f0e7703c9baee73bd8dc511b45e5d0e7 sha1: d3ad930f27e4aa24021427c109be4067b08c59e5 size: 34304
Section .data: md5: 364eacd1b63ba787e683e1654c7ed502 sha1: 77365f1f059f05721d9224711b1cbf26963f1184 size: 101888
Timestamp: 2015-01-29 10:21:01
Packer: Microsoft Visual C++ ?.?
PEhash: 41e0ae3bae12f4130dece16977876cf727dabdcb
IMPhash: aaaacb69f122da7a56b714b5bf8245cf
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!60902E49FED9
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Error Scanning File
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.33249
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Peer Device Process Color System Credential ➝ C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\pejowgfau.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\pejowgfau.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\pejowgfau.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\pejowgfau.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\xhzsudwhnpv.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\pejowgfau.yj
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\pejowgfau.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\zlsuesadcpilde\pejowgfau.exe"

Network Details:

DNS flierneedle.net (Type: A) ➝ 93.115.38.30
DNS seasonnature.net (Type: A) ➝ 95.211.230.75
DNS doubtfurther.net (Type: A) ➝ 72.52.4.90
DNS largecompany.net (Type: A) ➝ 8.5.1.51
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS recordcompany.net (Type: A) ➝ 69.172.201.208
DNS electriccompany.net (Type: A) ➝ 207.148.248.143
DNS tradebecome.net (Type: A) ➝ 72.52.4.90
DNS tradecompany.net (Type: A) ➝ 207.148.248.143
DNS betterfurther.net (Type: A) ➝ 195.22.26.254
DNS betterfurther.net (Type: A) ➝ 195.22.26.231
DNS betterfurther.net (Type: A) ➝ 195.22.26.252
DNS betterfurther.net (Type: A) ➝ 195.22.26.253
DNS bettercover.net (Type: A) ➝ 196.25.69.13
DNS gathercover.net (Type: A) ➝ 208.100.26.234
DNS bettercompany.net (Type: A) ➝ 121.254.178.252
DNS breadfurther.net (Type: A) ➝ 98.139.135.129
DNS breadcompany.net (Type: A) ➝ 23.236.62.147
DNS quietcompany.net (Type: A) ➝ 164.109.45.92
DNS quietcompany.net (Type: A) ➝ 164.109.153.213
DNS gatherneedle.net (Type: A)
DNS betterenough.net (Type: A)
DNS gatherenough.net (Type: A)
DNS bettergovern.net (Type: A)
DNS gathergovern.net (Type: A)
DNS fliernature.net (Type: A)
DNS breadnature.net (Type: A)
DNS breadneedle.net (Type: A)
DNS flierenough.net (Type: A)
DNS breadenough.net (Type: A)
DNS fliergovern.net (Type: A)
DNS breadgovern.net (Type: A)
DNS quietnature.net (Type: A)
DNS quietneedle.net (Type: A)
DNS seasonneedle.net (Type: A)
DNS quietenough.net (Type: A)
DNS seasonenough.net (Type: A)
DNS quietgovern.net (Type: A)
DNS seasongovern.net (Type: A)
DNS againstfurther.net (Type: A)
DNS againstcover.net (Type: A)
DNS doubtcover.net (Type: A)
DNS againstbecome.net (Type: A)
DNS doubtbecome.net (Type: A)
DNS againstcompany.net (Type: A)
DNS doubtcompany.net (Type: A)
DNS nightfurther.net (Type: A)
DNS decidefurther.net (Type: A)
DNS nightcover.net (Type: A)
DNS decidecover.net (Type: A)
DNS nightbecome.net (Type: A)
DNS decidebecome.net (Type: A)
DNS nightcompany.net (Type: A)
DNS decidecompany.net (Type: A)
DNS largefurther.net (Type: A)
DNS captainfurther.net (Type: A)
DNS largecover.net (Type: A)
DNS captaincover.net (Type: A)
DNS largebecome.net (Type: A)
DNS captainbecome.net (Type: A)
DNS captaincompany.net (Type: A)
DNS recordfurther.net (Type: A)
DNS electricfurther.net (Type: A)
DNS recordcover.net (Type: A)
DNS electriccover.net (Type: A)
DNS recordbecome.net (Type: A)
DNS electricbecome.net (Type: A)
DNS streetfurther.net (Type: A)
DNS tradefurther.net (Type: A)
DNS streetcover.net (Type: A)
DNS tradecover.net (Type: A)
DNS streetbecome.net (Type: A)
DNS streetcompany.net (Type: A)
DNS gatherfurther.net (Type: A)
DNS betterbecome.net (Type: A)
DNS gatherbecome.net (Type: A)
DNS gathercompany.net (Type: A)
DNS flierfurther.net (Type: A)
DNS fliercover.net (Type: A)
DNS breadcover.net (Type: A)
DNS flierbecome.net (Type: A)
DNS breadbecome.net (Type: A)
DNS fliercompany.net (Type: A)
DNS quietfurther.net (Type: A)
DNS seasonfurther.net (Type: A)
DNS quietcover.net (Type: A)
DNS seasoncover.net (Type: A)
DNS quietbecome.net (Type: A)
DNS seasonbecome.net (Type: A)
DNS seasoncompany.net (Type: A)
HTTP GET http://flierneedle.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://seasonnature.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://doubtfurther.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://largecompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://captaincompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://recordcompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://electriccompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://tradebecome.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://tradecompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://betterfurther.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://bettercover.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://gathercover.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://bettercompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://breadfurther.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://breadcompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
HTTP GET http://quietcompany.net/index.php?email=masuncic@yahoo.com&method=post&len
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 93.115.38.30:80
Flows TCP 192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1033 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1034 ➝ 8.5.1.51:80
Flows TCP 192.168.1.1:1035 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1036 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1037 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1038 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1039 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1040 ➝ 195.22.26.254:80
Flows TCP 192.168.1.1:1041 ➝ 196.25.69.13:80
Flows TCP 192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1043 ➝ 121.254.178.252:80
Flows TCP 192.168.1.1:1044 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1045 ➝ 23.236.62.147:80
Flows TCP 192.168.1.1:1046 ➝ 164.109.45.92:80

Strings