Analysis Date: 2015-11-26 17:21:10
MD5: e01fb8a090e4fc836bf49a64b08dab21
SHA1: 3ee1801d522bcbc31292e90139e0d65772648b9d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 64ca5011958d123b65325d8853a164a3 sha1: 474eb2a5ff470d2037dce1040ef749ba053e177c size: 797184
Section .rdata: md5: 10b5ddddccbfff14534ee1564c0ba1c9 sha1: dfc164f5e352eab580cb74151b0e7221bc9fe09f size: 58880
Section .data: md5: f47cfe6be2eee8365254c940591c9935 sha1: fe8d052da9a3186e51ee94852f7cbda77bb6f7c6 size: 402432
Timestamp: 2014-10-30 01:02:23
Packer: Microsoft Visual C++ ?.?
PEhash: 277af0a302a8bc797244c8f29b999608d04dd636
IMPhash: d8808a250616d3414f664228d5fa067f
AV F-Secure: Gen:Variant.Symmi.22722
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.FakePDF
AV Dr. Web: Trojan.DownLoader17.49543
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.CCLE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Trend Micro: TROJ_WONTON.SMJ1
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV BitDefender: Gen:Variant.Symmi.22722
AV Avira (antivir): BDS/Zegost.Gen
AV Alwil (avast): Downloader-TLD [Trj]
AV Fortinet: W32/Kryptik.DDQD!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004cd0081 )
AV Rising: 0x5941363a
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\leuqo4j1mkxzlxuoy5lrx.exe
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\leuqo4j1mkxzlxuoy5lrx.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\leuqo4j1mkxzlxuoy5lrx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Resolution Audio Firewall Registrar ➝ C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File: C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File: C:\WINDOWS\system32\zsohlmvvwx\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\yvzuezgzlu.exe
Creates Service: Encryption Storage Offline UserMode - C:\WINDOWS\system32\yvzuezgzlu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1176

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\zsohlmvvwx\run
Creates File: C:\WINDOWS\system32\zsohlmvvwx\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\zsohlmvvwx\rng
Creates File: C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File: C:\WINDOWS\TEMP\leuqo4j1t2gzlxu.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\zbuiplgo.exe
Creates Process: C:\WINDOWS\TEMP\leuqo4j1t2gzlxu.exe -r 29072 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ C:\WINDOWS\TEMP\leuqo4j1t2gzlxu.exe -r 29072 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS saltsecond.net (Type: A) ➝ 74.220.199.6
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS ableread.net (Type: A) ➝ 208.91.197.241
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS humanscene.net (Type: A) ➝ 184.168.221.52
DNS musicscene.net (Type: A) ➝ 74.220.199.8
DNS yarddont.net (Type: A) ➝ 208.100.26.234
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS deadscene.net (Type: A) ➝ 184.168.221.14
DNS southnoise.net (Type: A) ➝ 143.95.159.241
DNS southblood.net (Type: A)
DNS wifefruit.net (Type: A)
DNS pickgrave.net (Type: A)
DNS roomstock.net (Type: A)
DNS watcheasy.net (Type: A)
DNS uponmail.net (Type: A)
DNS takenhand.net (Type: A)
DNS hairaunt.net (Type: A)
DNS hairscene.net (Type: A)
DNS humangreat.net (Type: A)
DNS hairgreat.net (Type: A)
DNS humandont.net (Type: A)
DNS hairdont.net (Type: A)
DNS yardaunt.net (Type: A)
DNS musicaunt.net (Type: A)
DNS yardscene.net (Type: A)
DNS yardgreat.net (Type: A)
DNS musicgreat.net (Type: A)
DNS musicdont.net (Type: A)
DNS wentaunt.net (Type: A)
DNS spendaunt.net (Type: A)
DNS wentscene.net (Type: A)
DNS spendscene.net (Type: A)
DNS wentgreat.net (Type: A)
DNS spendgreat.net (Type: A)
DNS wentdont.net (Type: A)
DNS spenddont.net (Type: A)
DNS frontaunt.net (Type: A)
DNS offeraunt.net (Type: A)
DNS frontscene.net (Type: A)
DNS offerscene.net (Type: A)
DNS frontgreat.net (Type: A)
DNS offergreat.net (Type: A)
DNS frontdont.net (Type: A)
DNS offerdont.net (Type: A)
DNS hangaunt.net (Type: A)
DNS septemberaunt.net (Type: A)
DNS hangscene.net (Type: A)
DNS septemberscene.net (Type: A)
DNS hanggreat.net (Type: A)
DNS septembergreat.net (Type: A)
DNS hangdont.net (Type: A)
DNS septemberdont.net (Type: A)
DNS joinaunt.net (Type: A)
DNS wishaunt.net (Type: A)
DNS joinscene.net (Type: A)
DNS wishscene.net (Type: A)
DNS joingreat.net (Type: A)
DNS wishgreat.net (Type: A)
DNS joindont.net (Type: A)
DNS wishdont.net (Type: A)
DNS deadaunt.net (Type: A)
DNS rockaunt.net (Type: A)
DNS rockscene.net (Type: A)
DNS deadgreat.net (Type: A)
DNS rockgreat.net (Type: A)
DNS deaddont.net (Type: A)
DNS rockdont.net (Type: A)
DNS wrongaunt.net (Type: A)
DNS madeaunt.net (Type: A)
DNS wrongscene.net (Type: A)
DNS madescene.net (Type: A)
DNS wronggreat.net (Type: A)
DNS madegreat.net (Type: A)
DNS wrongdont.net (Type: A)
DNS madedont.net (Type: A)
DNS arivefruit.net (Type: A)
DNS southfruit.net (Type: A)
DNS ariverise.net (Type: A)
DNS southrise.net (Type: A)
DNS arivenoise.net (Type: A)
DNS arivepull.net (Type: A)
DNS southpull.net (Type: A)
DNS uponfruit.net (Type: A)
DNS whichfruit.net (Type: A)
DNS uponrise.net (Type: A)
DNS whichrise.net (Type: A)
DNS uponnoise.net (Type: A)
DNS whichnoise.net (Type: A)
DNS uponpull.net (Type: A)
DNS whichpull.net (Type: A)
DNS spotfruit.net (Type: A)
DNS saltfruit.net (Type: A)
DNS spotrise.net (Type: A)
DNS saltrise.net (Type: A)
DNS spotnoise.net (Type: A)
DNS saltnoise.net (Type: A)
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://wifefruit.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://pickgrave.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://ableread.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://roomstock.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://watcheasy.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://uponmail.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://takenhand.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://humanscene.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://musicscene.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://yarddont.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://offeraunt.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://deadscene.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://southnoise.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://wifefruit.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://pickgrave.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://ableread.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://roomstock.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://watcheasy.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://uponmail.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://takenhand.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://humanscene.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://musicscene.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://yarddont.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://offeraunt.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://deadscene.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
HTTP GET http://southnoise.net/index.php?method=validate&mode=sox&v=033&sox=47f8a802&lenhdr (User-Agent: blank)
Flows TCP 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1037 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1038 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1041 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1042 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1043 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1044 ➝ 184.168.221.52:80
Flows TCP 192.168.1.1:1046 ➝ 74.220.199.8:80
Flows TCP 192.168.1.1:1047 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1048 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1049 ➝ 184.168.221.14:80
Flows TCP 192.168.1.1:1050 ➝ 143.95.159.241:80
Flows TCP 192.168.1.1:1051 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1052 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1053 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1054 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1055 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1056 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1057 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1058 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1059 ➝ 184.168.221.52:80
Flows TCP 192.168.1.1:1060 ➝ 74.220.199.8:80
Flows TCP 192.168.1.1:1061 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1062 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1063 ➝ 184.168.221.14:80
Flows TCP 192.168.1.1:1064 ➝ 143.95.159.241:80

Strings