Analysis Date | 2015-10-13 01:18:48 |
---|---|
MD5 | c5c1a9a77fd20e3516ae1323b4c03f19 |
SHA1 | 3a41a94936d2ed5319142e7d19f2afb1565e0c77 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 591af15af5033b755b7a6a3817c39b58 sha1: 92142ece45985035b80e8b0a3af2b6d4aed48df6 size: 221696 | |
Section | .data md5: f85852a66ee2a83181da66c83dd5b59c sha1: a80ef6f1b0d29b5eed2ad8e5382bf24911b35359 size: 20992 | |
Section | .rdata md5: 2ce3f754f59ed6f3c2cb71e45a107a9d sha1: bdd88fbda12f5221e90a9adc9634b6c8609ffc0b size: 40448 | |
Section | .eh_fram md5: c943c6543d3a5ad72f8c336978cbb338 sha1: 46f7417335e255bb4c0ffe6dbf7ae831d48609a4 size: 40448 | |
Section | .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
Section | .idata md5: 5b782bf1e129acadb08aedd3091c073f sha1: bd6c3a9963de546361fe8883d30752fdf038298e size: 6656 | |
Section | .CRT md5: 8ac116641532fe38d86119d25035c28b sha1: c96e69a9cb1a3c70f1b9e0bb472832d74e7b733d size: 512 | |
Section | .tls md5: bb26d9c5aefc6c61ade45477c4a18756 sha1: a12bdb7979d4d623e99c865ceac89938b586550d size: 512 | |
Timestamp | 2015-03-05 06:19:56 | |
PEhash | 77372f0b4ff663b75f72209f86d328da21297186 | |
IMPhash | 42779f90777f63b8babd642e960b2e78 | |
AV | VirusBlokAda (vba32) | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Symmi.51758 |
AV | F-Secure | Gen:Variant.Symmi.51758 |
AV | Padvish | no_virus |
AV | Dr. Web | Trojan.DownLoader16.24800 |
AV | Zillya! | no_virus |
AV | Twister | no_virus |
AV | Ikarus | Trojan.Win32.Staser |
AV | Emsisoft | Gen:Variant.Symmi.51758 |
AV | BitDefender | Gen:Variant.Symmi.51758 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Alwil (avast) | Agent-AZPC [Trj] |
AV | MalwareBytes | no_virus |
AV | Eset (nod32) | Win32/Agent.XDQ |
AV | CAT (quickheal) | no_virus |
AV | Fortinet | W32/Agent.XDQ!tr |
AV | Frisk (f-prot) | no_virus |
AV | Avira (antivir) | TR/ATRAPS.A.8334 |
AV | BullGuard | Gen:Variant.Symmi.51758 |
AV | Kaspersky | Trojan.Win32.Scar.lmnu |
AV | Authentium | W32/S-6a8c3109!Eldorado |
AV | K7 | Trojan ( 004c988e1 ) |
AV | ClamAV | no_virus |
AV | CA (E-Trust Ino) | no_virus |
AV | MicroWorld (escan) | Gen:Variant.Symmi.51758 |
AV | Mcafee | Trojan-FGOJ!C5C1A9A77FD2 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!rfn |
AV | Rising | no_virus |
AV | Trend Micro | no_virus |
AV | Ad-Aware | Gen:Variant.Symmi.51758 |
AV | Symantec | Downloader.Upatre!g16 |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\uchylqj\wi1dxbczzasp |
---|---|
Creates File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Creates File | C:\uchylqj\wgszpy1kkwyav6ypr8vzw4.exe |
Deletes File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Creates Process | C:\uchylqj\wgszpy1kkwyav6ypr8vzw4.exe |
Process
↳ C:\uchylqj\wgszpy1kkwyav6ypr8vzw4.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Telephony Time Proxy Volume SPP ➝ C:\uchylqj\dksueop6xajh2.exe |
---|---|
Creates File | C:\uchylqj\ltximqu |
Creates File | C:\uchylqj\wi1dxbczzasp |
Creates File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Creates File | C:\uchylqj\dksueop6xajh2.exe |
Creates File | PIPE\lsarpc |
Deletes File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Creates Process | C:\uchylqj\dksueop6xajh2.exe |
Creates Service | Routing Function Files Log - C:\uchylqj\dksueop6xajh2.exe |
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | pipe\PCHFaultRepExecPipe |
---|
Process
↳ Pid 1108
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1860
Process
↳ Pid 1132
Process
↳ C:\uchylqj\dksueop6xajh2.exe
Creates File | C:\uchylqj\ltximqu |
---|---|
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\uchylqj\begtspv |
Creates File | C:\uchylqj\wi1dxbczzasp |
Creates File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\uchylqj\bhsuhvyizmy.exe |
Deletes File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Creates Process | bpwxqfhxgxxu "c:\uchylqj\dksueop6xajh2.exe" |
Process
↳ C:\uchylqj\dksueop6xajh2.exe
Creates File | C:\uchylqj\wi1dxbczzasp |
---|---|
Creates File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Deletes File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Process
↳ bpwxqfhxgxxu "c:\uchylqj\dksueop6xajh2.exe"
Creates File | C:\uchylqj\wi1dxbczzasp |
---|---|
Creates File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Deletes File | C:\WINDOWS\uchylqj\wi1dxbczzasp |
Network Details:
Raw Pcap
```text
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 61746865 72696e65 616e6465 72736f6e atherineanderson
0x00000050 (00080) 2e6e6574 0d0a0d0a                   .net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 6861726c 6f747465 616e6173 74616369 harlotteanastaci
0x00000050 (00080) 612e6e65 740d0a0d 0a                a.net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 6861726c 6f747465 616e6465 72736f6e harlotteanderson
0x00000050 (00080) 2e6e6574 0d0a0d0a 0a                .net.....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206b : close..Host: k
0x00000040 (00064) 696d6265 726c6565 6368616d 6265726c imberleechamberl
0x00000050 (00080) 61696e2e 6e65740d 0a0d0a            ain.net....
```
Strings