Analysis Date: 2015-11-26 18:40:47
MD5: ffd81181d5430eb1fb6ad79783bed4e6
SHA1: 3c88c332d91193649b35183794dfaec7842db1d1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 e64a02f96d9ddd4a5488bbb0c18f161a, sha1 4df15925de1e8ebf30ef60886c6f182ecd33eb9d, size 850944
Section .rdata: md5 fe34ad9004906ab8024eec0f691b0f4b, sha1 4a81c78aa56b1b85b394084e7018ab0ac44aeb63, size 336384
Section .data: md5 eb6c75326fb06a16f867f88fb195a190, sha1 ff3886a5e6481bac0012db6de20c58b538cda3a8, size 8192
Timestamp: 2015-03-13 07:31:50
Packer: Microsoft Visual C++ ?.?
PEhash: b4c25a55ced7e73bab36d07af64ed14237b90d42
IMPhash: edaddeb6e60de8482d82b41f6b0eb5ad
AV F-Secure: Gen:Variant.Zusy.133308
AV Authentium: W32/Zusy.X.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.DownLoader12.61357
AV Grisoft (avg): Crypt4.GO
AV Eset (nod32): Win32/Kryptik.DDQD
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV BitDefender: Gen:Variant.Zusy.133308
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Alwil (avast): Kryptik-PHB [Trj]
AV Fortinet: W32/Kryptik.DDQD!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004cd0081 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.133308
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\oqyxrl1l7gpybpnwb4lulwq.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\oqyxrl1l7gpybpnwb4lulwq.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\oqyxrl1l7gpybpnwb4lulwq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Resolution Audio Firewall Registrar ➝ C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File: C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File: C:\WINDOWS\system32\zsohlmvvwx\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\yvzuezgzlu.exe
Creates Service: Encryption Storage Offline UserMode - C:\WINDOWS\system32\yvzuezgzlu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\zsohlmvvwx\run
Creates File: C:\WINDOWS\system32\zsohlmvvwx\cfg
Creates File: C:\WINDOWS\TEMP\oqyxrl1sh6pybpn.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File: C:\WINDOWS\system32\zsohlmvvwx\rng
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\zbuiplgo.exe
Creates Process: C:\WINDOWS\TEMP\oqyxrl1sh6pybpn.exe -r 31531 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ C:\WINDOWS\TEMP\oqyxrl1sh6pybpn.exe -r 31531 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
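The runtime events above map onto a handful of host-side detection rules: a Run-key write, a service registered for the dropped system32 binary, the hosts file being recreated and deleted, the Security Center firewall warning suppressed, executables dropped into system32, and a process relaunched with a WATCHDOGPROC argument. The following is an added example of triaging such a log, not part of the report or of any sandbox product: the EVENTS list is constructed from the log lines above, the rule names are this example's own, and the reading of WATCHDOGPROC as a self-restart watchdog is an inference from the string, not something the report states.

```python
"""Triage of the behaviour events recorded above.  Added example, not part
of the original report or of any sandbox product: EVENTS is constructed
from the report's own log lines, and the rule names are this example's."""
import re
from collections import defaultdict

# (process, action, target, value) -- value is only set for registry writes.
EVENTS = [
    ("C:\\malware.exe", "Creates File",
     "C:\\WINDOWS\\system32\\zsohlmvvwx\\tst", None),
    ("C:\\malware.exe", "Creates Process",
     "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp"
     "\\oqyxrl1l7gpybpnwb4lulwq.exe", None),
    ("oqyxrl1l7gpybpnwb4lulwq.exe", "Registry",
     "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
     "\\Diagnostic Resolution Audio Firewall Registrar",
     "C:\\WINDOWS\\system32\\yvzuezgzlu.exe"),
    ("oqyxrl1l7gpybpnwb4lulwq.exe", "Creates File",
     "C:\\WINDOWS\\system32\\yvzuezgzlu.exe", None),
    ("oqyxrl1l7gpybpnwb4lulwq.exe", "Creates File",
     "C:\\WINDOWS\\system32\\drivers\\etc\\hosts", None),
    ("oqyxrl1l7gpybpnwb4lulwq.exe", "Deletes File",
     "C:\\WINDOWS\\system32\\\\drivers\\etc\\hosts", None),  # doubled '\' as logged
    ("oqyxrl1l7gpybpnwb4lulwq.exe", "Creates Service",
     "Encryption Storage Offline UserMode - C:\\WINDOWS\\system32\\yvzuezgzlu.exe", None),
    ("yvzuezgzlu.exe", "Registry",
     "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center\\FirewallDisableNotify", "1"),
    ("yvzuezgzlu.exe", "Creates File", "C:\\WINDOWS\\system32\\zbuiplgo.exe", None),
    ("yvzuezgzlu.exe", "Creates Process",
     "C:\\WINDOWS\\TEMP\\oqyxrl1sh6pybpn.exe -r 31531 tcp", None),
    ("yvzuezgzlu.exe", "Creates Process",
     'WATCHDOGPROC "c:\\windows\\system32\\yvzuezgzlu.exe"', None),
    # spoolsv noise from the same run, kept so the rules have something to ignore
    ("C:\\WINDOWS\\system32\\spoolsv.exe", "Registry",
     "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print\\BeepEnabled", None),
]

# Security Center value names that suppress the XP-era warning balloons.
SECURITY_CENTER_NOTIFY = {"firewalldisablenotify", "antivirusdisablenotify",
                          "updatesdisablenotify"}
SYSTEM32_EXE = re.compile(r"c:\\windows\\system32\\[^\\]+\.exe")


def _norm(path):
    """Lower-case and collapse doubled backslashes so both hosts-file
    spellings in the log compare equal."""
    path = path.lower()
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path


def classify(event):
    """Name the suspicious pattern an event matches, or return None."""
    _process, action, target, value = event
    t = _norm(target)
    if action == "Registry":
        key, _, name = t.rpartition("\\")
        if value is not None and key.endswith(("\\currentversion\\run",
                                               "\\currentversion\\runonce")):
            return "run_key_persistence"
        if (key.endswith("\\security center") and name in SECURITY_CENTER_NOTIFY
                and value == "1"):
            return "security_center_notify_disabled"
        return None
    if action == "Creates Service":
        return "service_persistence"
    if action in ("Creates File", "Deletes File") and t.endswith("\\drivers\\etc\\hosts"):
        return "hosts_file_tamper"
    if action == "Creates File" and SYSTEM32_EXE.fullmatch(t):
        return "exe_dropped_in_system32"
    # Command line seen in this run; reading it as a self-restarting watchdog
    # is an inference from the string, not something the report states.
    if action == "Creates Process" and t.startswith("watchdogproc "):
        return "watchdog_relaunch"
    return None


def triage(events):
    """Group matching events by rule name; an empty dict means nothing fired."""
    findings = defaultdict(list)
    for ev in events:
        rule = classify(ev)
        if rule:
            findings[rule].append(ev)
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in sorted(triage(EVENTS).items()):
        print(f"{rule}: {len(hits)} event(s)")
        for _p, action, target, value in hits:
            print(f"    {action}: {target}" + (f" = {value}" if value else ""))
```

Run on the constructed events, all six rules fire and the spoolsv registry read is ignored; the hosts-file rule fires twice (create and delete) and the system32 rule twice (yvzuezgzlu.exe and zbuiplgo.exe). On a real host the same checks translate to inspecting the Run key, the service list, and the hosts file's modification time, plus the Security Center *DisableNotify values.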

Network Details:

DNS: ableread.net (A) ➝ 208.91.197.241
DNS: muchhappy.net (A) ➝ 208.91.197.241
DNS: callmile.net (A) ➝ 208.91.197.241
DNS: nailthere.net (A) ➝ 98.139.135.129
DNS: bothplain.net (A) ➝ 208.91.197.241
DNS: walkword.net (A) ➝ 208.91.197.241
DNS: naildeep.com (A) ➝ 74.220.215.218
DNS: melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS: deadscene.net (A) ➝ 184.168.221.14
DNS: southnoise.net (A) ➝ 143.95.159.241
DNS: groupfruit.net (A) ➝ 74.208.237.33
DNS: equalrise.net (A) ➝ 208.100.26.234
DNS: fearstate.net (A)
DNS: longcold.net (A)
DNS: monthnext.net (A)
DNS: storyocean.net (A)
DNS: decemberknew.net (A)
DNS: mouthgray.net (A)
DNS: fridayloss.net (A)
DNS: eggbraker.com (A)
DNS: wentscene.net (A)
DNS: spendscene.net (A)
DNS: wentgreat.net (A)
DNS: spendgreat.net (A)
DNS: wentdont.net (A)
DNS: spenddont.net (A)
DNS: frontaunt.net (A)
DNS: offeraunt.net (A)
DNS: frontscene.net (A)
DNS: offerscene.net (A)
DNS: frontgreat.net (A)
DNS: offergreat.net (A)
DNS: frontdont.net (A)
DNS: offerdont.net (A)
DNS: hangaunt.net (A)
DNS: septemberaunt.net (A)
DNS: hangscene.net (A)
DNS: septemberscene.net (A)
DNS: hanggreat.net (A)
DNS: septembergreat.net (A)
DNS: hangdont.net (A)
DNS: septemberdont.net (A)
DNS: joinaunt.net (A)
DNS: wishaunt.net (A)
DNS: joinscene.net (A)
DNS: wishscene.net (A)
DNS: joingreat.net (A)
DNS: wishgreat.net (A)
DNS: joindont.net (A)
DNS: wishdont.net (A)
DNS: deadaunt.net (A)
DNS: rockaunt.net (A)
DNS: rockscene.net (A)
DNS: deadgreat.net (A)
DNS: rockgreat.net (A)
DNS: deaddont.net (A)
DNS: rockdont.net (A)
DNS: wrongaunt.net (A)
DNS: madeaunt.net (A)
DNS: wrongscene.net (A)
DNS: madescene.net (A)
DNS: wronggreat.net (A)
DNS: madegreat.net (A)
DNS: wrongdont.net (A)
DNS: madedont.net (A)
DNS: arivefruit.net (A)
DNS: southfruit.net (A)
DNS: ariverise.net (A)
DNS: southrise.net (A)
DNS: arivenoise.net (A)
DNS: arivepull.net (A)
DNS: southpull.net (A)
DNS: uponfruit.net (A)
DNS: whichfruit.net (A)
DNS: uponrise.net (A)
DNS: whichrise.net (A)
DNS: uponnoise.net (A)
DNS: whichnoise.net (A)
DNS: uponpull.net (A)
DNS: whichpull.net (A)
DNS: spotfruit.net (A)
DNS: saltfruit.net (A)
DNS: spotrise.net (A)
DNS: saltrise.net (A)
DNS: spotnoise.net (A)
DNS: saltnoise.net (A)
DNS: spotpull.net (A)
DNS: saltpull.net (A)
DNS: gladfruit.net (A)
DNS: takenfruit.net (A)
DNS: gladrise.net (A)
DNS: takenrise.net (A)
DNS: gladnoise.net (A)
DNS: takennoise.net (A)
DNS: gladpull.net (A)
DNS: takenpull.net (A)
DNS: equalfruit.net (A)
DNS: grouprise.net (A)
DNS: equalnoise.net (A)
DNS: groupnoise.net (A)
DNS: equalpull.net (A)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://callmile.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://bothplain.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://walkword.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://offeraunt.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://deadscene.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://southnoise.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://groupfruit.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://equalrise.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://callmile.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr (User-Agent: empty)
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1044 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1045 ➝ 184.168.221.14:80
Flows TCP: 192.168.1.1:1046 ➝ 143.95.159.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.208.237.33:80
Flows TCP: 192.168.1.1:1048 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1049 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1050 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1051 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1052 ➝ 98.139.135.129:80
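Two things in the network section above are worth turning into detection logic: the long run of .net/.com names built from two English words (went/spend, front/offer, hang/september, glad/taken, ... joined with scene/great/dont/aunt or fruit/rise/noise/pull), and the identical /index.php?method=validate&mode=sox&...&lenhdr request sent to every host that resolved, with an empty User-Agent. The following is an added example and not part of the report: the log lines are constructed, WORDS is simply the set of tokens visible in the domain names above, and the two-word check is a heuristic for names of that shape, not the sample's actual name-generation routine.

```python
"""Network-side checks for the DNS and HTTP activity above.  Added example,
not part of the report: the log lines are constructed, WORDS is just the
tokens visible in the report's domain names, and the two-word test is a
heuristic rather than the sample's real name-generation routine."""
import re
from urllib.parse import urlsplit, parse_qsl

# Tokens taken from the domain names listed in this report.
WORDS = {
    "able", "read", "much", "happy", "call", "mile", "nail", "there", "both",
    "plain", "walk", "word", "deep", "dead", "scene", "south", "noise",
    "group", "fruit", "equal", "rise", "fear", "state", "went", "spend",
    "great", "dont", "front", "offer", "aunt", "hang", "september", "join",
    "wish", "rock", "wrong", "made", "arive", "pull", "upon", "which",
    "spot", "salt", "glad", "taken",
}
HEX8 = re.compile(r"[0-9a-f]{8}")


def is_two_word_domain(fqdn, words=WORDS):
    """True when the registrable label is exactly two list words joined
    together, e.g. went+scene.  Only .net/.com are considered, as in the
    capture; subdomains are skipped by looking at the last two labels."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in ("net", "com"):
        return False
    label = labels[-2]
    return any(label[:i] in words and label[i:] in words
               for i in range(1, len(label)))


def is_sox_beacon(url):
    """Match the request shape in this capture: /index.php with
    method=validate, mode=sox, an 8-hex-digit sox token and a bare
    'lenhdr' key (a key with no '=' at all)."""
    parts = urlsplit(url)
    if parts.path != "/index.php":
        return False
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    return (q.get("method") == "validate" and q.get("mode") == "sox"
            and "lenhdr" in q and HEX8.fullmatch(q.get("sox", "")) is not None)


# Constructed logs: DNS as "<client> <qname>", HTTP as (client, url, user_agent).
DNS_LOG = [
    "192.168.1.1 ableread.net",
    "192.168.1.1 muchhappy.net",
    "192.168.1.1 fearstate.net",
    "192.168.1.1 wentscene.net",
    "192.168.1.1 melbourneit.hotkeysparking.com",
    "192.168.1.7 www.microsoft.com",
    "192.168.1.7 rockscene.net",
]
HTTP_LOG = [
    ("192.168.1.1", "http://ableread.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr", ""),
    ("192.168.1.1", "http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=47f8a802&lenhdr", ""),
    ("192.168.1.7", "http://example.com/index.php?method=validate&mode=text", "Mozilla/5.0"),
]


def scan(dns_log, http_log, threshold=3):
    """Per client: two-word domains queried, beacon URLs (each with a flag
    for an empty User-Agent), and a verdict.  A client is suspicious on any
    beacon hit or on `threshold` or more two-word lookups."""
    hosts = {}

    def entry(client):
        return hosts.setdefault(client, {"two_word_domains": [], "beacons": []})

    for line in dns_log:
        client, qname = line.split()
        h = entry(client)
        if is_two_word_domain(qname):
            h["two_word_domains"].append(qname)
    for client, url, ua in http_log:
        h = entry(client)
        if is_sox_beacon(url):
            h["beacons"].append({"url": url, "empty_user_agent": ua == ""})
    for h in hosts.values():
        h["suspicious"] = bool(h["beacons"]) or len(h["two_word_domains"]) >= threshold
    return hosts


if __name__ == "__main__":
    for client, h in scan(DNS_LOG, HTTP_LOG).items():
        print(client, "suspicious" if h["suspicious"] else "clean",
              len(h["two_word_domains"]), "two-word lookups,",
              len(h["beacons"]), "beacon(s)")
```

On the constructed logs 192.168.1.1 is flagged on both signals and 192.168.1.7 is not: one two-word name alone stays under the threshold, since such names also occur legitimately. The empty User-Agent is recorded as a separate field rather than required, so a variant that does send one still matches on the URL. The sox=47f8a802 token is the same in all sixteen requests of this capture, so it can be pinned for this sample, but the 8-hex-digit shape is the part to keep in a general rule.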