Analysis Date: 2015-11-05 03:32:15
MD5: 220ba147758717729829451121688527
SHA1: 4629d30be303790423986c8b3adebd18a2147428

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7be15b1f01bada05f213c36e26a3d4e3 sha1: 3c3e0a61cb0a72d6d46afd90407ef24d70931754 size: 227840
Section .data md5: 544852112c2b1afda3320eaf66c44c4a sha1: 9a5b5c391ac813c5c3120950c93890a2e2751790 size: 20992
Section .rdata md5: 3605fcde6409cbff4420b09da5f6f47a sha1: 3677074d39bcb6edc558db533fa463c34b25335e size: 40448
Section .eh_fram md5: e14cfc2b177d546853ec4d7940b28af2 sha1: ded3c44db293f2f7505362ef4108764a124edba8 size: 40448
Section .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 56b6d7287ec60e31d01b0ace9a66c3ec sha1: 9183bfacb698400b2c873bf87389d6213ec01f95 size: 6656
Section .CRT md5: 62800891594afa7b4617386df8f3c2bd sha1: b5311211a9995c97dd967d5c0c8df99edc0c88d8 size: 512
Section .tls md5: 255674fadd8cc7bc6ab4eb4e269c5241 sha1: 2b846edad7a64d2f5b163ac5c63f40a7564a16e8 size: 512
Timestamp: 2015-03-05 06:26:59
PEhash: b242164ce4871ba41d4b7837f3d3320796d544ad
IMPhash: bae401ef76718e2bdf80ac795451cf9f
AV Eset (nod32): Win32/Agent.XDQ
AV Kaspersky: Trojan.Win32.Scar.jnaw
AV Twister: no_virus
AV Grisoft (avg): Agent5.YDF
AV Avira (antivir): TR/ATRAPS.A.6524
AV BullGuard: Gen:Variant.Symmi.51758
AV Padvish: no_virus
AV Trend Micro: no_virus
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Ikarus: Trojan.Win32.Agent
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Scar.r8
AV Fortinet: W32/Agent.XDQ!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV F-Secure: Gen:Variant.Symmi.51758
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Symantec: Downloader.Upatre!g16
AV Emsisoft: Gen:Variant.Symmi.51758
AV CA (E-Trust Ino): no_virus
AV Alwil (avast): no_virus
AV K7: Trojan ( 004c988e1 )
AV Frisk (f-prot): no_virus
AV Zillya!: Trojan.Scar.Win32.90233
AV MalwareBytes: no_virus
AV BitDefender: Gen:Variant.Symmi.51758
AV Rising: no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV Mcafee: RDN/Generic.dx!dsk
AV Dr. Web: no_virus
AV ClamAV: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\lqmtcsggij\pfsz1kz1l34nhqxiyo9pd.exe
Creates File: C:\lqmtcsggij\lryrwh
Creates File: C:\WINDOWS\lqmtcsggij\lryrwh
Deletes File: C:\WINDOWS\lqmtcsggij\lryrwh
Creates Process: C:\lqmtcsggij\pfsz1kz1l34nhqxiyo9pd.exe

Process
↳ C:\lqmtcsggij\pfsz1kz1l34nhqxiyo9pd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Adaptive Volume Mapper Drive ➝ C:\lqmtcsggij\wqjbjjyxvcjs.exe
Creates File: C:\lqmtcsggij\p2eusmx
Creates File: PIPE\lsarpc
Creates File: C:\lqmtcsggij\lryrwh
Creates File: C:\WINDOWS\lqmtcsggij\lryrwh
Creates File: C:\lqmtcsggij\wqjbjjyxvcjs.exe
Deletes File: C:\WINDOWS\lqmtcsggij\lryrwh
Creates Process: C:\lqmtcsggij\wqjbjjyxvcjs.exe
Creates Service: Search Host Policy Link Reports - C:\lqmtcsggij\wqjbjjyxvcjs.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\lqmtcsggij\wqjbjjyxvcjs.exe

Creates File: C:\lqmtcsggij\pd1blsfx
Creates File: C:\lqmtcsggij\p2eusmx
Creates File: pipe\net\NtControlPipe10
Creates File: C:\lqmtcsggij\kumlylj.exe
Creates File: C:\lqmtcsggij\lryrwh
Creates File: C:\WINDOWS\lqmtcsggij\lryrwh
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\lqmtcsggij\lryrwh
Creates Process: xvdh3gwkcz35 "c:\lqmtcsggij\wqjbjjyxvcjs.exe"

Process
↳ C:\lqmtcsggij\wqjbjjyxvcjs.exe

Creates File: C:\lqmtcsggij\lryrwh
Creates File: C:\WINDOWS\lqmtcsggij\lryrwh
Deletes File: C:\WINDOWS\lqmtcsggij\lryrwh

Process
↳ xvdh3gwkcz35 "c:\lqmtcsggij\wqjbjjyxvcjs.exe"

Creates File: C:\lqmtcsggij\lryrwh
Creates File: C:\WINDOWS\lqmtcsggij\lryrwh
Deletes File: C:\WINDOWS\lqmtcsggij\lryrwh

Network Details:

DNS: earnestinesullivan.net Type: A ➝ 195.22.26.252
DNS: earnestinesullivan.net Type: A ➝ 195.22.26.253
DNS: earnestinesullivan.net Type: A ➝ 195.22.26.254
DNS: earnestinesullivan.net Type: A ➝ 195.22.26.231
DNS: bartholomewsullivan.net Type: A
DNS: willoughbysullivan.net Type: A
DNS: christianamargaret.net Type: A
DNS: dulcibellamargaret.net Type: A
DNS: christianacherokee.net Type: A
DNS: dulcibellacherokee.net Type: A
DNS: christianaarabella.net Type: A
DNS: dulcibellaarabella.net Type: A
DNS: christianasullivan.net Type: A
DNS: dulcibellasullivan.net Type: A
DNS: washingtonmargaret.net Type: A
DNS: earnestinemargaret.net Type: A
DNS: washingtoncherokee.net Type: A
DNS: earnestinecherokee.net Type: A
DNS: washingtonarabella.net Type: A
DNS: earnestinearabella.net Type: A
DNS: washingtonsullivan.net Type: A
DNS: sacheverellmargaret.net Type: A
DNS: wilhelminamargaret.net Type: A
DNS: sacheverellcherokee.net Type: A
DNS: wilhelminacherokee.net Type: A
DNS: sacheverellarabella.net Type: A
DNS: wilhelminaarabella.net Type: A
DNS: sacheverellsullivan.net Type: A
DNS: wilhelminasullivan.net Type: A
DNS: maximillianmargaret.net Type: A
DNS: gwendolinemargaret.net Type: A
DNS: maximilliancherokee.net Type: A
DNS: gwendolinecherokee.net Type: A
DNS: maximillianarabella.net Type: A
DNS: gwendolinearabella.net Type: A
DNS: maximilliansullivan.net Type: A
DNS: gwendolinesullivan.net Type: A
DNS: beauregardmargaret.net Type: A
DNS: evangelinamargaret.net Type: A
DNS: beauregardcherokee.net Type: A
DNS: evangelinacherokee.net Type: A
DNS: beauregardarabella.net Type: A
DNS: evangelinaarabella.net Type: A
DNS: beauregardsullivan.net Type: A
DNS: evangelinasullivan.net Type: A
DNS: richardinemargaret.net Type: A
DNS: evangelinemargaret.net Type: A
DNS: richardinecherokee.net Type: A
DNS: evangelinecherokee.net Type: A
DNS: richardinearabella.net Type: A
DNS: evangelinearabella.net Type: A
DNS: richardinesullivan.net Type: A
DNS: evangelinesullivan.net Type: A
DNS: alexandrinastrudwick.net Type: A
DNS: mariabellastrudwick.net Type: A
DNS: alexandrinaconstable.net Type: A
DNS: mariabellaconstable.net Type: A
DNS: alexandrinadonaldson.net Type: A
DNS: mariabelladonaldson.net Type: A
DNS: alexandrinaharoldson.net Type: A
DNS: mariabellaharoldson.net Type: A
DNS: bartholomewstrudwick.net Type: A
DNS: willoughbystrudwick.net Type: A
DNS: bartholomewconstable.net Type: A
DNS: willoughbyconstable.net Type: A
DNS: bartholomewdonaldson.net Type: A
DNS: willoughbydonaldson.net Type: A
DNS: bartholomewharoldson.net Type: A
DNS: willoughbyharoldson.net Type: A
DNS: christianastrudwick.net Type: A
DNS: dulcibellastrudwick.net Type: A
DNS: christianaconstable.net Type: A
DNS: dulcibellaconstable.net Type: A
DNS: christianadonaldson.net Type: A
DNS: dulcibelladonaldson.net Type: A
DNS: christianaharoldson.net Type: A
DNS: dulcibellaharoldson.net Type: A
DNS: washingtonstrudwick.net Type: A
DNS: earnestinestrudwick.net Type: A
DNS: washingtonconstable.net Type: A
DNS: earnestineconstable.net Type: A
DNS: washingtondonaldson.net Type: A
DNS: earnestinedonaldson.net Type: A
DNS: washingtonharoldson.net Type: A
DNS: earnestineharoldson.net Type: A
DNS: sacheverellstrudwick.net Type: A
DNS: wilhelminastrudwick.net Type: A
DNS: sacheverellconstable.net Type: A
HTTP GET: http://earnestinesullivan.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.252:80
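The runtime and network records above are what an analyst turns into host and network indicators: two autostart entries (a Run key and a service) pointing at a binary under C:\lqmtcsggij\, dozens of .net names queried of which only earnestinesullivan.net received answers, and one TCP flow to an address from those answers. The following Python script is an added example, not part of this report or of the sandbox that produced it. It parses a hand-copied excerpt of the report (normalised to "Key: value" lines), flags autostart targets outside C:\Windows and Program Files, and ties the flow destination back to the name that resolved to it. The "standard roots" list and the queried-versus-resolved heuristic are this example's own assumptions, not statements made by the report.

```python
"""Turn a sandbox report's runtime and network records into indicators.

Added example; not the report's or the sandbox's own code. REPORT is a
hand-copied excerpt of the report above in 'Key: value' form. The two
heuristics (autostart targets outside the standard Windows directories;
many names queried, few answered) are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed excerpt of the report above (subset, same values).
REPORT = r"""
MD5: 220ba147758717729829451121688527
SHA1: 4629d30be303790423986c8b3adebd18a2147428
Process: C:\malware.exe
Creates File: C:\lqmtcsggij\pfsz1kz1l34nhqxiyo9pd.exe
Process: C:\lqmtcsggij\pfsz1kz1l34nhqxiyo9pd.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Adaptive Volume Mapper Drive ➝ C:\lqmtcsggij\wqjbjjyxvcjs.exe
Creates File: C:\lqmtcsggij\wqjbjjyxvcjs.exe
Creates Service: Search Host Policy Link Reports - C:\lqmtcsggij\wqjbjjyxvcjs.exe
DNS: earnestinesullivan.net Type: A ➝ 195.22.26.252
DNS: earnestinesullivan.net Type: A ➝ 195.22.26.253
DNS: bartholomewsullivan.net Type: A
DNS: willoughbysullivan.net Type: A
DNS: christianamargaret.net Type: A
DNS: dulcibellamargaret.net Type: A
HTTP GET: http://earnestinesullivan.net/index.php
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.252:80
"""

LINE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?):\s*(?P<val>.*)$")

# Assumed heuristic: autostart targets under these roots are ordinary,
# anything else (here C:\lqmtcsggij\) is flagged.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files")


def parse_report(text):
    """Parse 'Key: value' lines into groups of indicators."""
    rep = {"hashes": {}, "processes": [], "dropped": [],
           "persistence": [],          # (kind, name_or_key, target, creator)
           "dns": defaultdict(set),    # queried name -> set of answers
           "http": [], "flows": []}    # flows: (src, dst) as 'ip:port'
    current = None                     # process whose block we are in
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip()
        if key in ("MD5", "SHA1"):
            rep["hashes"][key.lower()] = val
        elif key == "Process":
            current = val
            rep["processes"].append(val)
        elif key == "Creates File" and val.lower().endswith(".exe"):
            rep["dropped"].append(val)
        elif key == "Registry":
            path, _, target = val.partition(" ➝ ")
            rep["persistence"].append(("run_key", path, target.strip(), current))
        elif key == "Creates Service":
            name, _, target = val.partition(" - ")
            rep["persistence"].append(("service", name, target.strip(), current))
        elif key == "DNS":
            name, _, rest = val.partition(" Type: ")
            _rtype, _, answer = rest.partition(" ➝ ")
            answers = rep["dns"][name]   # records the name even with no answer
            if answer:
                answers.add(answer.strip())
        elif key == "HTTP GET":
            rep["http"].append(val)
        elif key == "Flows TCP":
            src, _, dst = val.partition(" ➝ ")
            rep["flows"].append((src.strip(), dst.strip()))
    rep["dns"] = dict(rep["dns"])
    return rep


def suspicious_persistence(rep):
    """Autostart entries whose target binary sits outside STANDARD_ROOTS."""
    return [p for p in rep["persistence"]
            if not p[2].lower().startswith(STANDARD_ROOTS)]


def dns_fanout(rep):
    """Names queried versus names that got an answer, plus all answer IPs."""
    resolved = sorted(n for n, ips in rep["dns"].items() if ips)
    ips = sorted(set().union(*rep["dns"].values())) if rep["dns"] else []
    return {"queried": len(rep["dns"]), "resolved": resolved, "ips": ips}


def contacted_hosts(rep):
    """Tie each TCP flow's destination back to the name(s) resolving to it."""
    by_ip = defaultdict(set)
    for name, ips in rep["dns"].items():
        for ip in ips:
            by_ip[ip].add(name)
    out = []
    for _src, dst in rep["flows"]:
        ip, _, port = dst.rpartition(":")
        out.append((ip, int(port), sorted(by_ip.get(ip, ()))))
    return out


if __name__ == "__main__":
    r = parse_report(REPORT)
    for kind, name, target, proc in suspicious_persistence(r):
        print(f"{kind}: {name} -> {target} (set by {proc})")
    print(dns_fanout(r), contacted_hosts(r))
```

Run against the full report the same parser gives the Run key and service as the two persistence points to remove, the dropped executables under C:\lqmtcsggij\ as the files to collect, and a queried-to-resolved ratio that makes the resolved name and its four addresses the network indicators worth blocking rather than the long list of unanswered queries.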
