Analysis Date: 2015-08-26 11:08:52
MD5: d63ad33d1364bb6bfe40e90560882d00
SHA1: 302bc5b195f90d45214f26b6e42f4a8856f88932

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: de094fa8b7f3ac8052e8a98099b8b842 sha1: abb8475c36efccc0ddf862857b6b47d2e7f89f8c size: 49152
Section UPX1: md5: 0394edfdf0edc65f66b335d0d3130856 sha1: 9acb7cae10366eb7b71dc2f01571f721634a2889 size: 24576
Section .rsrc: md5: b4e701f8dbb8bd0981a0d369b36f9766 sha1: f8c79db5d2352432802dceae120179adc5fcc634 size: 12288
Section .pb: md5: 64dfd226a259e93d476dee4c58a2a967 sha1: beef1bb60cc20f30442abb1d393e9bb63d2db3ab size: 1536
Timestamp: 2012-05-09 22:09:24
Packer: Installer VISE Custom
PEhash: 4d7e125f0694ea2d64e4196e434f01d9e8f1e670
IMPhash: d18ad0f8e91ed44a5eebeeb11ba906a1
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Strictor.226
AV Dr. Web: Trojan.Inject1.2047
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Strictor.226
AV BullGuard: Gen:Variant.Strictor.226
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Small
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_RANSOM.SMU
AV Kaspersky: Trojan-Downloader.Win32.Small.ckrh
AV Zillya!: Downloader.Small.Win32.78147
AV Emsisoft: Gen:Variant.Strictor.226
AV Ikarus: Trojan-Downloader.Win32.Kuluoz
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.YENS-5428
AV MalwareBytes: Trojan.Upatre.Gen
AV MicroWorld (escan): Gen:Variant.Strictor.226
AV Microsoft Security Essentials: TrojanDownloader:Win32/Kuluoz.A
AV K7: Trojan ( 0038e9931 )
AV BitDefender: Gen:Variant.Strictor.226
AV Fortinet: W32/Zortob.AA!tr
AV Symantec: Suspicious.Emit
AV Grisoft (avg): Downloader.Generic12.BZNW
AV Eset (nod32): Win32/TrojanDownloader.Zortob.A
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Strictor.226
AV Twister: TrojanDldr.Zortob.A.tjuy
AV Avira (antivir): TR/Agent.JH.31
AV Mcafee: Kuluoz-FAAD!D63AD33D1364

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: svchost.exe

Process
↳ svchost.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: aboutnorth2012.ru
Winsock DNS: twitter.com
Winsock DNS: google.com
Winsock DNS: fb.com
Winsock DNS: bing.com

Network Details:

DNS bing.com (Type: A) ➝ 204.79.197.200
DNS twitter.com (Type: A) ➝ 199.16.156.6
DNS twitter.com (Type: A) ➝ 199.16.156.38
DNS twitter.com (Type: A) ➝ 199.16.156.102
DNS twitter.com (Type: A) ➝ 199.16.156.198
DNS google.com (Type: A) ➝ 216.58.219.142
DNS fb.com (Type: A) ➝ 173.252.74.22
DNS aboutnorth2012.ru (Type: A) ➝ (no address recorded)
HTTP GET http://bing.com/afyu/index.php?r=gate&id=c059900a&group=26.04.2012b&debug=0 (observed 11 times)
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
HTTP GET http://twitter.com/nygul/index.php?r=gate&ac=c059900a&group=26.04.2012b&debug=0 (observed 10 times)
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
HTTP GET http://google.com/efwgh/index.php?r=gate&cc=c059900a&group=26.04.2012b&debug=0 (observed 10 times)
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
HTTP GET http://fb.com/dwrgh/index.php?r=gate&fg=c059900a&group=26.04.2012b&debug=0 (observed 10 times)
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
