Analysis Date: 2015-10-11 20:39:40
MD5: 8d05850803ed88d6d168a922ba8abd9b
SHA1: 443086df67364ece83320d5b0d35796a7ae1150a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 44f3853af2a2dd4c325ed4307f2963e9  sha1: d1218a734abcf0040dab99b7e562c0d223428c55  size: 292864
Section .rdata  md5: 1d68ea8e7d8649b8ffdc823a0708ae0a  sha1: 75c91795b440a8a4482ff3cba605ee205fe2edad  size: 43520
Section .data   md5: 52d085925ee52e0e5d3f94d2409a1f10  sha1: f4a30ae713b03eaaf0e377a643fa9d3c02537e8b  size: 6656
Section .reloc  md5: b475ae94bb19ab3bde4998e1bcd878d1  sha1: afd478d8f2c8397fa9a0e8340ff50ea741fa22ba  size: 24576
Timestamp (PE compile time): 2015-05-21 04:34:28
Packer: Microsoft Visual C++ ?.?
PEhash: 080aed5361fe2b79e88eeee5f62fc18b95b67ebb
IMPhash: b1ef7138ebdbde3f202e04762bb38e3b
AV Mcafee: Trojan-FGIJ!8D05850803ED
AV Emsisoft: Gen:Variant.Diley.1
AV BitDefender: Gen:Variant.Diley.1
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Avira (antivir): TR/Crypt.ZPACK.175177
AV Ad-Aware: Gen:Variant.Diley.1
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV ClamAV: no_virus
AV Zillya!: no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV BullGuard: Gen:Variant.Diley.1
AV Frisk (f-prot): no_virus
AV Eset (nod32): Win32/Bayrob.Z
AV Authentium: W32/Scar.V.gen!Eldorado
AV Dr. Web: Trojan.DownLoader13.28051
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Twister: no_virus
AV K7: Trojan ( 004c77f41 )
AV MalwareBytes: Trojan.Agent.KVTGen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV VirusBlokAda (vba32): no_virus
AV Fortinet: W32/Babrob.Y!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV Ikarus: Trojan.Win32.Bayrob
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\hualcmsb\wplmeii
Creates File: C:\hualcmsb\rr1kg4hjubrsiyhaw.exe
Creates File: C:\WINDOWS\hualcmsb\wplmeii
Deletes File: C:\WINDOWS\hualcmsb\wplmeii
Creates Process: C:\hualcmsb\rr1kg4hjubrsiyhaw.exe

Process
↳ C:\hualcmsb\rr1kg4hjubrsiyhaw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Engine Print Bus Certificate Brightness ➝ C:\hualcmsb\zcantxj.exe
Creates File: C:\hualcmsb\lgmk1bg3t
Creates File: C:\hualcmsb\wplmeii
Creates File: C:\hualcmsb\zcantxj.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\hualcmsb\wplmeii
Deletes File: C:\WINDOWS\hualcmsb\wplmeii
Creates Process: C:\hualcmsb\zcantxj.exe
Creates Service: User Topology Protection Card Provider - C:\hualcmsb\zcantxj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1172

Process
↳ C:\hualcmsb\zcantxj.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\hualcmsb\pmxlcwmx.exe
Creates File: C:\hualcmsb\lgmk1bg3t
Creates File: C:\hualcmsb\wplmeii
Creates File: C:\WINDOWS\hualcmsb\wplmeii
Creates File: \Device\Afd\Endpoint
Creates File: C:\hualcmsb\ccbskmnola
Deletes File: C:\WINDOWS\hualcmsb\wplmeii
Creates Process: thsqsfakl6cw "c:\hualcmsb\zcantxj.exe"

Process
↳ C:\hualcmsb\zcantxj.exe

Creates File: C:\hualcmsb\wplmeii
Creates File: C:\WINDOWS\hualcmsb\wplmeii
Deletes File: C:\WINDOWS\hualcmsb\wplmeii

Process
↳ thsqsfakl6cw "c:\hualcmsb\zcantxj.exe"

Creates File: C:\hualcmsb\wplmeii
Creates File: C:\WINDOWS\hualcmsb\wplmeii
Deletes File: C:\WINDOWS\hualcmsb\wplmeii
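
The process tree above is easier to act on as a structured set of indicators than as a list of events. The Python below is an added example, not part of this report or of the sandbox that produced it: it parses a constructed subset of the events listed above (written in the "Kind: detail" layout used on this page, with the "➝" and " - " separators the page uses for registry values and services), then reports the staging directory (the directory of every executable that was both dropped and launched), every Run value and service whose target lives there, the launch chain, and any dropped executable the trace never ran. The event names come from this page; the parsing regexes and the result keys are this example's own assumptions.

```python
"""Turn the Runtime Details events above into host IOCs and a persistence summary."""
import re
from typing import Dict, List, Tuple

# Constructed input: a subset of the runtime events from this report, one per line,
# each group headed by the "Process:" line that produced it.
EVENTS = r"""
Process: C:\malware.exe
Creates File: C:\hualcmsb\wplmeii
Creates File: C:\hualcmsb\rr1kg4hjubrsiyhaw.exe
Creates File: C:\WINDOWS\hualcmsb\wplmeii
Deletes File: C:\WINDOWS\hualcmsb\wplmeii
Creates Process: C:\hualcmsb\rr1kg4hjubrsiyhaw.exe
Process: C:\hualcmsb\rr1kg4hjubrsiyhaw.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Engine Print Bus Certificate Brightness ➝ C:\hualcmsb\zcantxj.exe
Creates File: C:\hualcmsb\lgmk1bg3t
Creates File: C:\hualcmsb\zcantxj.exe
Creates File: PIPE\lsarpc
Creates Process: C:\hualcmsb\zcantxj.exe
Creates Service: User Topology Protection Card Provider - C:\hualcmsb\zcantxj.exe
Process: C:\hualcmsb\zcantxj.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\hualcmsb\pmxlcwmx.exe
Creates File: \Device\Afd\Endpoint
Creates Process: thsqsfakl6cw "c:\hualcmsb\zcantxj.exe"
"""

# Event kinds as they appear on this page (the regex itself is an assumption of this example).
EVENT_RE = re.compile(
    r"^(Process|Creates File|Deletes File|Creates Process|Registry|Creates Service): (.+)$"
)
# A drive-letter path ending in .exe, inside a command line or a registry value.
EXE_PATH_RE = re.compile(r"[a-z]:\\[^\s\"]+?\.exe", re.IGNORECASE)


def parse_events(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Group (kind, detail) events under the process that produced them, in report order."""
    groups: List[Tuple[str, List[Tuple[str, str]]]] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        kind, detail = m.groups()
        if kind == "Process":
            groups.append((detail.lower(), []))
        elif groups:
            groups[-1][1].append((kind, detail))
    return groups


def triage(text: str) -> Dict[str, object]:
    """Derive staging directory, persistence entries, launch chain and unlaunched drops."""
    dropped: Dict[str, str] = {}                  # exe path -> process that wrote it
    chain: List[Tuple[str, str]] = []             # (launcher, launched exe)
    persistence: List[Tuple[str, str, str]] = []  # (mechanism, name, target exe)
    for proc, events in parse_events(text):
        for kind, detail in events:
            if kind == "Creates File" and detail.lower().endswith(".exe"):
                dropped[detail.lower()] = proc
            elif kind == "Creates Process":
                # The self-relaunch on this page replaces argv[0] with a random token,
                # so the exe is taken from anywhere in the command line, not its start.
                chain.extend((proc, p.lower()) for p in EXE_PATH_RE.findall(detail))
            elif kind == "Registry" and "\\currentversion\\run\\" in detail.lower():
                key, _, value = detail.partition(" ➝ ")
                persistence.append(("run_key", key.rsplit("\\", 1)[-1], value.strip().lower()))
            elif kind == "Creates Service":
                name, _, image = detail.partition(" - ")
                persistence.append(("service", name.strip(), image.strip().lower()))
    launched = {target for _, target in chain}
    staged_and_run = set(dropped) & launched
    return {
        "staging_dirs": sorted({p.rsplit("\\", 1)[0] for p in staged_and_run}),
        "persistence": persistence,
        "persisted_targets": sorted({t for _, _, t in persistence}),
        "chain": chain,
        "dropped_not_run": sorted(set(dropped) - launched),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Two things fall out of the trace that are worth carrying forward: both persistence mechanisms (the Run value "Engine Print Bus Certificate Brightness" and the service "User Topology Protection Card Provider") point at the same C:\hualcmsb\zcantxj.exe, and pmxlcwmx.exe was written but never executed during the run, so this report shows none of its behaviour. The directory and file names look generated per infection, so the durable indicator is the pattern (a newly created directory directly under C:\ holding a binary that is at once a Run value target and a service image) rather than the strings themselves.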

Network Details:

DNS: electricstation.net (A) ➝ 50.63.202.37
DNS: streetstation.net (A) ➝ 72.52.4.90
DNS: tradestation.net (A) ➝ 65.211.211.21
DNS: doubttravel.net (A) ➝ 72.52.4.90
DNS: nightspace.net (A) ➝ 91.250.101.43
DNS: largespace.net (A) ➝ 62.22.102.59
DNS: captainspace.net (A) ➝ 208.100.26.234
DNS: captaintravel.net (A) ➝ 184.168.221.96
DNS: tradespace.net (A) ➝ 207.148.248.143
DNS: decideobject.net (A) ➝ (no answer recorded)
DNS: nightchildhood.net (A) ➝ (no answer recorded)
DNS: decidechildhood.net (A) ➝ (no answer recorded)
DNS: largestation.net (A) ➝ (no answer recorded)
DNS: captainstation.net (A) ➝ (no answer recorded)
DNS: largethird.net (A) ➝ (no answer recorded)
DNS: captainthird.net (A) ➝ (no answer recorded)
DNS: largeobject.net (A) ➝ (no answer recorded)
DNS: captainobject.net (A) ➝ (no answer recorded)
DNS: largechildhood.net (A) ➝ (no answer recorded)
DNS: captainchildhood.net (A) ➝ (no answer recorded)
DNS: recordstation.net (A) ➝ (no answer recorded)
DNS: recordthird.net (A) ➝ (no answer recorded)
DNS: electricthird.net (A) ➝ (no answer recorded)
DNS: recordobject.net (A) ➝ (no answer recorded)
DNS: electricobject.net (A) ➝ (no answer recorded)
DNS: recordchildhood.net (A) ➝ (no answer recorded)
DNS: electricchildhood.net (A) ➝ (no answer recorded)
DNS: streetthird.net (A) ➝ (no answer recorded)
DNS: tradethird.net (A) ➝ (no answer recorded)
DNS: streetobject.net (A) ➝ (no answer recorded)
DNS: tradeobject.net (A) ➝ (no answer recorded)
DNS: streetchildhood.net (A) ➝ (no answer recorded)
DNS: tradechildhood.net (A) ➝ (no answer recorded)
DNS: betterstation.net (A) ➝ (no answer recorded)
DNS: gatherstation.net (A) ➝ (no answer recorded)
DNS: betterthird.net (A) ➝ (no answer recorded)
DNS: gatherthird.net (A) ➝ (no answer recorded)
DNS: betterobject.net (A) ➝ (no answer recorded)
DNS: gatherobject.net (A) ➝ (no answer recorded)
DNS: betterchildhood.net (A) ➝ (no answer recorded)
DNS: gatherchildhood.net (A) ➝ (no answer recorded)
DNS: flierstation.net (A) ➝ (no answer recorded)
DNS: breadstation.net (A) ➝ (no answer recorded)
DNS: flierthird.net (A) ➝ (no answer recorded)
DNS: breadthird.net (A) ➝ (no answer recorded)
DNS: flierobject.net (A) ➝ (no answer recorded)
DNS: breadobject.net (A) ➝ (no answer recorded)
DNS: flierchildhood.net (A) ➝ (no answer recorded)
DNS: breadchildhood.net (A) ➝ (no answer recorded)
DNS: quietstation.net (A) ➝ (no answer recorded)
DNS: seasonstation.net (A) ➝ (no answer recorded)
DNS: quietthird.net (A) ➝ (no answer recorded)
DNS: seasonthird.net (A) ➝ (no answer recorded)
DNS: quietobject.net (A) ➝ (no answer recorded)
DNS: seasonobject.net (A) ➝ (no answer recorded)
DNS: quietchildhood.net (A) ➝ (no answer recorded)
DNS: seasonchildhood.net (A) ➝ (no answer recorded)
DNS: againstspace.net (A) ➝ (no answer recorded)
DNS: doubtspace.net (A) ➝ (no answer recorded)
DNS: againsttravel.net (A) ➝ (no answer recorded)
DNS: againstyellow.net (A) ➝ (no answer recorded)
DNS: doubtyellow.net (A) ➝ (no answer recorded)
DNS: againstclose.net (A) ➝ (no answer recorded)
DNS: doubtclose.net (A) ➝ (no answer recorded)
DNS: decidespace.net (A) ➝ (no answer recorded)
DNS: nighttravel.net (A) ➝ (no answer recorded)
DNS: decidetravel.net (A) ➝ (no answer recorded)
DNS: nightyellow.net (A) ➝ (no answer recorded)
DNS: decideyellow.net (A) ➝ (no answer recorded)
DNS: nightclose.net (A) ➝ (no answer recorded)
DNS: decideclose.net (A) ➝ (no answer recorded)
DNS: largetravel.net (A) ➝ (no answer recorded)
DNS: largeyellow.net (A) ➝ (no answer recorded)
DNS: captainyellow.net (A) ➝ (no answer recorded)
DNS: largeclose.net (A) ➝ (no answer recorded)
DNS: captainclose.net (A) ➝ (no answer recorded)
DNS: recordspace.net (A) ➝ (no answer recorded)
DNS: electricspace.net (A) ➝ (no answer recorded)
DNS: recordtravel.net (A) ➝ (no answer recorded)
DNS: electrictravel.net (A) ➝ (no answer recorded)
DNS: recordyellow.net (A) ➝ (no answer recorded)
DNS: electricyellow.net (A) ➝ (no answer recorded)
DNS: recordclose.net (A) ➝ (no answer recorded)
DNS: electricclose.net (A) ➝ (no answer recorded)
DNS: streetspace.net (A) ➝ (no answer recorded)
HTTP GET: http://electricstation.net/index.php  User-Agent: (none sent)
HTTP GET: http://streetstation.net/index.php  User-Agent: (none sent)
HTTP GET: http://tradestation.net/index.php  User-Agent: (none sent)
HTTP GET: http://doubttravel.net/index.php  User-Agent: (none sent)
HTTP GET: http://nightspace.net/index.php  User-Agent: (none sent)
HTTP GET: http://largespace.net/index.php  User-Agent: (none sent)
HTTP GET: http://captainspace.net/index.php  User-Agent: (none sent)
HTTP GET: http://captaintravel.net/index.php  User-Agent: (none sent)
HTTP GET: http://tradespace.net/index.php  User-Agent: (none sent)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1032 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1033 ➝ 65.211.211.21:80
Flows TCP: 192.168.1.1:1034 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1035 ➝ 91.250.101.43:80
Flows TCP: 192.168.1.1:1036 ➝ 62.22.102.59:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1039 ➝ 207.148.248.143:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6c656374 72696373 74617469 6f6e2e6e   lectricstation.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74726565 74737461 74696f6e 2e6e6574   treetstation.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   72616465 73746174 696f6e2e 6e65740d   radestation.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f756274 74726176 656c2e6e 65740d0a   oubttravel.net..
0x00000050 (00080)   0d0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 73706163 652e6e65 740d0a0d   ightspace.net...
0x00000050 (00080)   0a0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61726765 73706163 652e6e65 740d0a0d   argespace.net...
0x00000050 (00080)   0a0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e7370 6163652e 6e65740d   aptainspace.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e7472 6176656c 2e6e6574   aptaintravel.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   72616465 73706163 652e6e65 740d0a0d   radespace.net...
0x00000050 (00080)   0a0a0d0a 0d0a                         ......


Strings