Analysis Date: 2015-11-15 15:59:47
MD5: 97c0e93283562b675cf12d0b66a27144
SHA1: 380db14e270f9b75f4a7c5eddf2486f832168ad2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 401c375cd1c569e9e3cc9de854329a76 sha1: 7f6463b5f643aade44c6a12d2ec9c3100f9c25bf size: 184320
Section .rdata: md5: 984f98f5d11d4115ea659c06a51e02cb sha1: d3910248c1cb5048059746ca6773cfc11ed3e4d3 size: 32768
Section .data: md5: 8d3f2844a212ed70ee61cd6095f90ed0 sha1: 97975c4e8d3c1c5261af1653285ab7d8efccfa29 size: 16384
Section .reloc: md5: 3f9bba8f85a2588440cc0520f44d8632 sha1: 8ed613521a570aa0d7cdf2622ccc8de0e0fbd225 size: 8192
Section .x64: md5: 117d9bbd90171b88fe6050c0f939d89d sha1: 309025e9d889723e1829138255347b6ab157694c size: 401408
Section .params: md5: 7872245610eabe64724b5a02d6634d34 sha1: 2388c57460ef74289c170da9dc750f2568f6edd2 size: 4096
Timestamp: 2015-10-14 11:56:42
Pdb path: C:\work\itco\core\bin\x86\Release\core.pdb
PEhash: 3f49c00c6748181d8cb41369a576cfc24063e5db
IMPhash: 63c53219cb193f80ff22f173a8ffef05
AV Mcafee: RDN/Generic.grp
AV Authentium: W32/Trojan.YWZK-2396
AV VirusBlokAda (vba32): Trojan.Win64.CoreBot
AV Rising: no_virus
AV Grisoft (avg): Agent5.AHFF
AV MalwareBytes: no_virus
AV Kaspersky: Trojan.Win32.Pincav.bqjbv
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV CA (E-Trust Ino): no_virus
AV Twister: no_virus
AV Eset (nod32): Win32/Agent.RCJ
AV BitDefender: Gen:Variant.Graftor.253960
AV MicroWorld (escan): Gen:Variant.Graftor.253960
AV Frisk (f-prot): no_virus
AV Zillya!: no_virus
AV Trend Micro: no_virus
AV Padvish: no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.253960:Trojan.Generic.15219061
AV Dr. Web: Trojan.DownLoader17.37846
AV F-Secure: Gen:Variant.Graftor.253960
AV Avira (antivir): TR/Crypt.ZPACK.Gen2
AV Ad-Aware: Gen:Variant.Graftor.253960
AV Alwil (avast): Corebot-G [Trj]
AV Symantec: no_virus
AV Fortinet: W32/Pincav.BQJBV!tr
AV K7: Trojan ( 004cd4691 )
AV Microsoft Security Essentials: Trojan:Win32/Corebot.A
AV Ikarus: Trojan.Win32.Agent
AV Emsisoft: Gen:Variant.Graftor.253960
AV BullGuard: Gen:Variant.Graftor.253960

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\35615d4a-b366-428a-294b-55bd0991785e\0c35517e-6951-444e-3511-2b1f9fd6bca8
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\35615d4a-b366-428a-294b-55bd0991785e\ed1de5e4-5e29-4394-2766-a52ac920fa5e
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: ::62DFDF4F-C9F7-4416-9688-41C7791D0C33

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\bea4dab3-73c8-4227-35d9-8fb3b954dabc\1f4475c0-21e2-415d-8449-c5bd8ca6b682.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\35615d4a-b366-428a-294b-55bd0991785e\0c35517e-6951-444e-3511-2b1f9fd6bca8
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\bea4dab3-73c8-4227-35d9-8fb3b954dabc\1f4475c0-21e2-415d-8449-c5bd8ca6b682.exe
Creates Mutex: ::62DFDF4F-C9F7-4416-9688-41C7791D0C33

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\bea4dab3-73c8-4227-35d9-8fb3b954dabc\1f4475c0-21e2-415d-8449-c5bd8ca6b682.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\35615d4a-b366-428a-294b-55bd0991785e\0c35517e-6951-444e-3511-2b1f9fd6bca8
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: ::62DFDF4F-C9F7-4416-9688-41C7791D0C33

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\e1f63730-3c6d-4396-3a94-cf0122baf7b6 ➝ C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\bea4dab3-73c8-4227-35d9-8fb3b954dabc\1f4475c0-21e2-415d-8449-c5bd8ca6b682.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\35615d4a-b366-428a-294b-55bd0991785e\0c35517e-6951-444e-3511-2b1f9fd6bca8
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: pipe\core_ps
Deletes File: C:\malware.exe
Creates Process: C:\WINDOWS\system32\dllhost.exe
Creates Mutex: {F4EE296B-9B08-4B04-8443-7E76A45FE740}
Creates Mutex: ::62DFDF4F-C9F7-4416-9688-41C7791D0C33
Winsock DNS: google.com
Winsock DNS: www.microsoft.com
Winsock DNS: pomppondy.net

Process
↳ C:\WINDOWS\system32\dllhost.exe

Network Details:

DNS: e10088.dspb.akamaiedge.net (Type: A) ➝ 104.91.205.87
DNS: google.com (Type: A) ➝ 216.58.192.78
DNS: pomppondy.net (Type: A)
DNS: www.microsoft.com (Type: A)
HTTP GET: http://www.microsoft.com/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
HTTP GET: http://google.com/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Flows UDP: 192.168.1.1:1033 ➝ 8.8.8.8:53
Flows TCP: 192.168.1.1:1034 ➝ 104.91.205.87:80
Flows TCP: 192.168.1.1:1035 ➝ 216.58.192.78:80
