Analysis Date: 2015-10-12 14:04:00
MD5: ca2f45907cbbc30e56461fe68afa43b8
SHA1: 2f1d227bb0b2f35d3d0bc4f4c6cc18eff86f5406

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 89360bbed15b9362c1e1fbf796f1c374 sha1: f2d33aa13ab6839f3e0d61651f718c28c060db1d size: 299520
Section .rdata md5: d0eb82adc2a6a47a332583fbfb5ef01f sha1: e6610f4cde5dbf76faa6fe3e49ef1ba8d383b8fb size: 34304
Section .data  md5: c64cecd6c6978dc6ffa572a32e60727e sha1: cb231ce12bea989e66ffaa9ff766deeff9661558 size: 102912
Timestamp: 2014-10-30 10:05:52
Packer: Microsoft Visual C++ ?.?
PEhash: 16349859423f274f279a0112f5ea8c1c5c7943f6
IMPhash: 0133f1040ddccdb1891aca2429b84536
AV CA (E-Trust Ino) ➝ no_virus
AV Rising ➝ Error Scanning File
AV Mcafee ➝ Trojan-FEMT!CA2F45907CBB
AV Avira (antivir) ➝ BDS/Zegost.Gen4
AV Twister ➝ no_virus
AV Ad-Aware ➝ Gen:Variant.Symmi.22722
AV Alwil (avast) ➝ Kryptik-PJW [Trj]
AV Eset (nod32) ➝ Win32/Agent.VNC
AV Grisoft (avg) ➝ Win32/Cryptor
AV Symantec ➝ Downloader.Upatre!g15
AV Fortinet ➝ W32/Agent.VNC!tr
AV BitDefender ➝ Gen:Variant.Symmi.22722
AV K7 ➝ Trojan ( 004cb2771 )
AV Microsoft Security Essentials ➝ TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan) ➝ Gen:Variant.Symmi.22722
AV MalwareBytes ➝ Trojan.Zbot.WHE
AV Authentium ➝ W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot) ➝ no_virus
AV Ikarus ➝ Trojan.FBAccountLock
AV Emsisoft ➝ Gen:Variant.Symmi.22722
AV Zillya! ➝ no_virus
AV Kaspersky ➝ Trojan.Win32.Generic
AV Trend Micro ➝ TROJ_FORUCON.BMC
AV CAT (quickheal) ➝ Trojan.Dynamer.AC3
AV VirusBlokAda (vba32) ➝ no_virus
AV Padvish ➝ no_virus
AV BullGuard ➝ Gen:Variant.Symmi.22722
AV Arcabit (arcavir) ➝ Gen:Variant.Symmi.22722
AV ClamAV ➝ no_virus
AV Dr. Web ➝ no_virus
AV F-Secure ➝ Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ordering Backup Files Registry ➝ C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\nolrsizln.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\nolrsizln.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\nolrsizln.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\nolrsizln.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\rdrvdevhqonf.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\nolrsizln.exksy
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\nolrsizln.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\uztdnfzytokk\nolrsizln.exe"

Network Details:

HTTP GET: http://presentbottom.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://chiefbeyond.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://chiefbeing.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://alonebeing.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://twelveforever.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://ratherforever.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://historyforever.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://weatherforever.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://classbeyond.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://thinkflower.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://presentflower.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://collegecorner.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent:
HTTP GET: http://oftenflower.net/index.php?email=notifications-customersupport@revromania.zendesk.com&method=post&len
User-Agent: