Analysis Date: 2015-10-13 03:13:55
MD5: 4aae2f324cc56739a8552df7a59116f7
SHA1: 4695be9d94692e02417ba2d7f130ea7ba0a48031

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b5ce7efe451510277b5b90271052e91e sha1: 27e410a88b3fe42508df82fa84b2842418a64137 size: 225792
Section .data: md5: a41f7a49874dd46e3599d34c8bfa1a3c sha1: 80e77a25d78d4979b30ba9d2740b60c6c9f4d439 size: 20992
Section .rdata: md5: 7b8250fcb771d223e129ac8dd9791e9c sha1: e78c390e0250b837baa5865a4d6496bab7d69018 size: 39936
Section .eh_fram: md5: dede9e99f40112d5fd026bda42f32416 sha1: 3e59259f0e256ae6e456fda4672eed4bfbacdf18 size: 40448
Section .bss: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section, hashes are those of zero-length input)
Section .idata: md5: dc694ea7a77f0f32a9de4f67729a0666 sha1: bbbf2472f3d4c3d2b1b40d5067c1dcdbbae1dd3f size: 6656
Section .CRT: md5: 399611de70452cb8b4c9bf7c8e11d8d5 sha1: d235ec3b916c60895695d982e184240c0b7c8b81 size: 512
Section .tls: md5: 255674fadd8cc7bc6ab4eb4e269c5241 sha1: 2b846edad7a64d2f5b163ac5c63f40a7564a16e8 size: 512
Timestamp: 2015-03-05 06:33:06
PEhash: 6864e8d60d063dd136b36e5bef0ef590ac27c38e
IMPhash: 0be1226c93db65b73edd95fbdf94d502
AV Padvish: no_virus
AV Kaspersky: Trojan.Win32.Scar.lmoc
AV MalwareBytes: no_virus
AV Frisk (f-prot): no_virus
AV CAT (quickheal): no_virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Emsisoft: Gen:Variant.Symmi.51758
AV Twister: no_virus
AV Alwil (avast): no_virus
AV Ikarus: Trojan.Win32.Staser
AV Trend Micro: no_virus
AV Avira (antivir): TR/ATRAPS.A.8394
AV Symantec: Downloader.Upatre!g16
AV Mcafee: Trojan-FGOJ!4AAE2F324CC5
AV Zillya!: Trojan.Scar.Win32.94626
AV Ad-Aware: Gen:Variant.Symmi.51758
AV K7: Trojan ( 004c988e1 )
AV Rising: no_virus
AV Grisoft (avg): Generic_s.EQC
AV Eset (nod32): Win32/Agent.XDQ
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Fortinet: W32/Agent.XDQ!tr
AV Authentium: W32/S-6a8c3109!Eldorado
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!acf
AV ClamAV: no_virus
AV CA (E-Trust Ino): no_virus
AV Dr. Web: Trojan.DownLoader16.36002
AV VirusBlokAda (vba32): no_virus
AV BitDefender: Gen:Variant.Symmi.51758
AV F-Secure: Gen:Variant.Symmi.51758

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\qfuozfqqcuc\slncdzsaouu
Creates File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Creates File: C:\qfuozfqqcuc\dzqulzy1n0kyfr7xaqfsofkm.exe
Deletes File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Creates Process: C:\qfuozfqqcuc\dzqulzy1n0kyfr7xaqfsofkm.exe

Process
↳ C:\qfuozfqqcuc\dzqulzy1n0kyfr7xaqfsofkm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Time Compatibility Manager Connect ➝ C:\qfuozfqqcuc\algbrprziqx.exe
Creates File: C:\qfuozfqqcuc\slncdzsaouu
Creates File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Creates File: PIPE\lsarpc
Creates File: C:\qfuozfqqcuc\algbrprziqx.exe
Creates File: C:\qfuozfqqcuc\eqmykuuoa
Deletes File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Creates Process: C:\qfuozfqqcuc\algbrprziqx.exe
Creates Service: Virtual DCOM Services Defragmenter - C:\qfuozfqqcuc\algbrprziqx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1908

Process
↳ Pid 1196

Process
↳ C:\qfuozfqqcuc\algbrprziqx.exe

Creates File: C:\qfuozfqqcuc\qzxv6ovylp.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\qfuozfqqcuc\slncdzsaouu
Creates File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Creates File: \Device\Afd\Endpoint
Creates File: C:\qfuozfqqcuc\eqmykuuoa
Creates File: C:\qfuozfqqcuc\b5de4nc
Deletes File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Creates Process: tkatvuhnrjjk "c:\qfuozfqqcuc\algbrprziqx.exe"

Process
↳ C:\qfuozfqqcuc\algbrprziqx.exe

Creates File: C:\qfuozfqqcuc\slncdzsaouu
Creates File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Deletes File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu

Process
↳ tkatvuhnrjjk "c:\qfuozfqqcuc\algbrprziqx.exe"

Creates File: C:\qfuozfqqcuc\slncdzsaouu
Creates File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
Deletes File: C:\WINDOWS\qfuozfqqcuc\slncdzsaouu
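The chain above (the dropper writes a second stage, which registers a Run value and a service that both point at the same binary under C:\qfuozfqqcuc) gives a responder three concrete things to look for on other hosts. The script below is an added example, not sandbox output and not code from the sample: it checks Run values and service entries against the value name, service display name and drop directories recorded in this report, and adds one labelled heuristic for any autostart image living in a lowercase-letters-only directory directly under the drive root. On Windows it reads the live registry through winreg; elsewhere it runs against constructed sample entries embedded in the block. The heuristic (ten or more letters) and the sample entries are assumptions, not findings from the report.

```python
import re
import sys

# Persistence artifacts copied from the Runtime Details section of this report.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
IOC_RUN_VALUE_NAME = "Time Compatibility Manager Connect"
IOC_SERVICE_DISPLAY_NAME = "Virtual DCOM Services Defragmenter"
IOC_DROP_DIRS = ("c:\\qfuozfqqcuc\\", "c:\\windows\\qfuozfqqcuc\\")

# Assumption (heuristic, not from the report): an autostart image that lives
# directly under the drive root in a directory of ten or more lowercase
# letters, like C:\qfuozfqqcuc, deserves a look even when the names differ.
RANDOM_ROOT_DIR = re.compile(r"^[a-z]:\\[a-z]{10,}\\[^\\]+$")
# Drive-letter paths inside a command line; stops at quotes or whitespace. An
# image given via %SystemRoot% yields no path and therefore no path reason.
WIN_PATH = re.compile(r'[a-z]:\\[^"\s]+')

# Constructed sample entries for running the check off-line. The first Run
# value and the first service reproduce this report (the service uses the
# command-line form in which the report shows the service process started);
# the rest are benign fillers plus one entry that only trips the heuristic.
SAMPLE_RUN_VALUES = [
    ("Time Compatibility Manager Connect", "C:\\qfuozfqqcuc\\algbrprziqx.exe"),
    ("OneDrive", "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    ("Updater", "C:\\abcdefghijkl\\upd.exe"),
]
SAMPLE_SERVICES = [
    ("Virtual DCOM Services Defragmenter", "tkatvuhnrjjk \"c:\\qfuozfqqcuc\\algbrprziqx.exe\""),
    ("Print Spooler", "C:\\WINDOWS\\system32\\spoolsv.exe"),
    ("Workstation", "%SystemRoot%\\System32\\svchost.exe -k NetworkService"),
]


def judge(source, name, command):
    """Return the reasons one autostart entry matches; an empty list is clean."""
    reasons = []
    if name in (IOC_RUN_VALUE_NAME, IOC_SERVICE_DISPLAY_NAME):
        reasons.append(f"{source} name matches this sample")
    for path in WIN_PATH.findall(command.lower()):
        if path.startswith(IOC_DROP_DIRS):
            reasons.append(f"image {path} is under a directory dropped by this sample")
        elif RANDOM_ROOT_DIR.match(path):
            reasons.append(f"heuristic: image {path} runs from a random-looking root directory")
    return reasons


def check_autoruns(run_values, services):
    """run_values: (value name, command) pairs from HKLM\\...\\Run;
    services: (DisplayName, ImagePath) pairs. Returns (source, name, reasons)."""
    findings = []
    for name, command in run_values:
        reasons = judge("Run value", name, command)
        if reasons:
            findings.append(("Run value", name, reasons))
    for display, image in services:
        reasons = judge("service", display, image)
        if reasons:
            findings.append(("service", display, reasons))
    return findings


def collect_windows():
    """Live collection through the registry; Windows only (needs winreg)."""
    import winreg
    run_values, services = [], []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            run_values.append((name, str(data)))
            index += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, sub) as svc:
                    display = winreg.QueryValueEx(svc, "DisplayName")[0]
                    image = winreg.QueryValueEx(svc, "ImagePath")[0]
            except OSError:
                continue  # drivers and stubs without both values
            services.append((str(display), str(image)))
    return run_values, services


if __name__ == "__main__":
    if sys.platform == "win32":
        run_values, services = collect_windows()
    else:
        run_values, services = SAMPLE_RUN_VALUES, SAMPLE_SERVICES
    for source, name, reasons in check_autoruns(run_values, services):
        print(f"[{source}] {name}")
        for reason in reasons:
            print(f"    {reason}")
```

The path extraction is deliberately simple: an ImagePath written with %SystemRoot% or an unquoted path containing spaces produces no path match, so the exact-name checks remain the reliable part and the heuristic is only a prompt for a closer look.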

Network Details:

DNS charlotteanastacia.net (A) ➝ 195.22.26.253, 195.22.26.254, 195.22.26.231, 195.22.26.252
DNS charlotteanderson.net (A) ➝ 46.30.212.212
DNS kimberleechamberlain.net (A) ➝ 217.160.165.207
DNS charlottecharisma.net (A) ➝ no address returned
DNS stephaniecharisma.net (A) ➝ no address returned
DNS stephanieanastacia.net (A) ➝ no address returned
DNS stephanieanderson.net (A) ➝ no address returned
DNS kimberlynbernadine.net (A) ➝ no address returned
DNS glanvillebernadine.net (A) ➝ no address returned
DNS kimberlyncharisma.net (A) ➝ no address returned
DNS glanvillecharisma.net (A) ➝ no address returned
DNS kimberlynanastacia.net (A) ➝ no address returned
DNS glanvilleanastacia.net (A) ➝ no address returned
DNS kimberlynanderson.net (A) ➝ no address returned
DNS glanvilleanderson.net (A) ➝ no address returned
DNS jessaminebernadine.net (A) ➝ no address returned
DNS genevievebernadine.net (A) ➝ no address returned
DNS jessaminecharisma.net (A) ➝ no address returned
DNS genevievecharisma.net (A) ➝ no address returned
DNS jessamineanastacia.net (A) ➝ no address returned
DNS genevieveanastacia.net (A) ➝ no address returned
DNS jessamineanderson.net (A) ➝ no address returned
DNS genevieveanderson.net (A) ➝ no address returned
DNS zechariahbernadine.net (A) ➝ no address returned
DNS marmadukebernadine.net (A) ➝ no address returned
DNS zechariahcharisma.net (A) ➝ no address returned
DNS marmadukecharisma.net (A) ➝ no address returned
DNS zechariahanastacia.net (A) ➝ no address returned
DNS marmadukeanastacia.net (A) ➝ no address returned
DNS zechariahanderson.net (A) ➝ no address returned
DNS marmadukeanderson.net (A) ➝ no address returned
DNS kristopherbrassington.net (A) ➝ no address returned
DNS cassandrabrassington.net (A) ➝ no address returned
DNS kristopherecclestone.net (A) ➝ no address returned
DNS cassandraecclestone.net (A) ➝ no address returned
DNS kristopherchamberlain.net (A) ➝ no address returned
DNS cassandrachamberlain.net (A) ➝ no address returned
DNS kristopheranthonyson.net (A) ➝ no address returned
DNS cassandraanthonyson.net (A) ➝ no address returned
DNS maximilianbrassington.net (A) ➝ no address returned
DNS kimberleebrassington.net (A) ➝ no address returned
DNS maximilianecclestone.net (A) ➝ no address returned
DNS kimberleeecclestone.net (A) ➝ no address returned
DNS maximilianchamberlain.net (A) ➝ no address returned
DNS maximiliananthonyson.net (A) ➝ no address returned
DNS kimberleeanthonyson.net (A) ➝ no address returned
DNS catherinabrassington.net (A) ➝ no address returned
DNS catherinebrassington.net (A) ➝ no address returned
DNS catherinaecclestone.net (A) ➝ no address returned
DNS catherineecclestone.net (A) ➝ no address returned
DNS catherinachamberlain.net (A) ➝ no address returned
DNS catherinechamberlain.net (A) ➝ no address returned
DNS catherinaanthonyson.net (A) ➝ no address returned
DNS catherineanthonyson.net (A) ➝ no address returned
DNS antonettebrassington.net (A) ➝ no address returned
DNS madeleinebrassington.net (A) ➝ no address returned
DNS antonetteecclestone.net (A) ➝ no address returned
DNS madeleineecclestone.net (A) ➝ no address returned
DNS antonettechamberlain.net (A) ➝ no address returned
DNS madeleinechamberlain.net (A) ➝ no address returned
DNS antonetteanthonyson.net (A) ➝ no address returned
DNS madeleineanthonyson.net (A) ➝ no address returned
DNS charlottebrassington.net (A) ➝ no address returned
DNS stephaniebrassington.net (A) ➝ no address returned
DNS charlotteecclestone.net (A) ➝ no address returned
DNS stephanieecclestone.net (A) ➝ no address returned
DNS charlottechamberlain.net (A) ➝ no address returned
DNS stephaniechamberlain.net (A) ➝ no address returned
DNS charlotteanthonyson.net (A) ➝ no address returned
DNS stephanieanthonyson.net (A) ➝ no address returned
DNS kimberlynbrassington.net (A) ➝ no address returned
DNS glanvillebrassington.net (A) ➝ no address returned
DNS kimberlynecclestone.net (A) ➝ no address returned
DNS glanvilleecclestone.net (A) ➝ no address returned
DNS kimberlynchamberlain.net (A) ➝ no address returned
DNS glanvillechamberlain.net (A) ➝ no address returned
DNS kimberlynanthonyson.net (A) ➝ no address returned
DNS glanvilleanthonyson.net (A) ➝ no address returned
DNS jessaminebrassington.net (A) ➝ no address returned
DNS genevievebrassington.net (A) ➝ no address returned
DNS jessamineecclestone.net (A) ➝ no address returned
DNS genevieveecclestone.net (A) ➝ no address returned
DNS jessaminechamberlain.net (A) ➝ no address returned
DNS genevievechamberlain.net (A) ➝ no address returned
DNS jessamineanthonyson.net (A) ➝ no address returned
HTTP GET: http://charlotteanastacia.net/index.php (User-Agent: none sent)
HTTP GET: http://charlotteanderson.net/index.php (User-Agent: none sent)
HTTP GET: http://kimberleechamberlain.net/index.php (User-Agent: none sent)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1032 ➝ 46.30.212.212:80
Flows TCP: 192.168.1.1:1033 ➝ 217.160.165.207:80
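Every name in the DNS list above is a given name glued to a surname under .net (charlotte + anastacia, kimberlee + chamberlain, and so on), drawn from sixteen first words and eight second words, and only three of the names queried returned an address, each of which was then fetched exactly once over HTTP. The script below is an added example, not part of the report: it rebuilds that vocabulary from the page and uses it to triage DNS query logs, counting per client how many such names were looked up and which of them resolved. The log line format, the sample log lines, the MIN_HITS threshold and the name catherineanderson.net (a combination the report does not contain, included to show the check generalises beyond the listed queries) are constructed for the example. The vocabulary is limited to words visible on this page, so treat it as a fingerprint of this sample's run rather than of the family's full dictionary.

```python
from collections import defaultdict

# Vocabulary taken from the names queried in this report: each query is a
# given name immediately followed by a surname, under .net. Only the words
# visible on this page are included; the family's full list is assumed to be
# larger, so this fingerprint is deliberately narrow.
FIRST_WORDS = {
    "charlotte", "stephanie", "kimberlyn", "glanville", "jessamine",
    "genevieve", "zechariah", "marmaduke", "kristopher", "cassandra",
    "maximilian", "kimberlee", "catherina", "catherine", "antonette",
    "madeleine",
}
SECOND_WORDS = {
    "anastacia", "anderson", "chamberlain", "charisma", "bernadine",
    "brassington", "ecclestone", "anthonyson",
}

# Assumption: a client that queries at least this many wordlist names is flagged.
MIN_HITS = 3

# Constructed sample log, format "<client> <qname> <rcode> <answer or ->".
# The first six lines mirror this report (three resolved, three not); the
# benign lines use documentation addresses; catherineanderson.net is a
# vocabulary combination the report does not list.
SAMPLE_LOG = """\
192.168.1.1 charlotteanastacia.net NOERROR 195.22.26.253
192.168.1.1 charlotteanderson.net NOERROR 46.30.212.212
192.168.1.1 kimberleechamberlain.net NOERROR 217.160.165.207
192.168.1.1 charlottecharisma.net NXDOMAIN -
192.168.1.1 stephaniecharisma.net NXDOMAIN -
192.168.1.1 glanvillebernadine.net NXDOMAIN -
192.168.1.1 time.windows.com NOERROR 192.0.2.10
192.168.1.7 www.example.com NOERROR 192.0.2.20
192.168.1.7 catherineanderson.net NXDOMAIN -
"""


def split_wordlist(qname):
    """Return (first, second) when qname is <first><second>.<tld> built from
    the observed vocabulary, otherwise None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2:          # every observed name is exactly <word><word>.net
        return None
    label = labels[0]
    for first in FIRST_WORDS:
        rest = label[len(first):]
        if label.startswith(first) and rest in SECOND_WORDS:
            return first, rest
    return None


def triage(log_text):
    """Summarise wordlist-domain activity per client and return
    (per-client stats, list of flagged clients)."""
    per_client = defaultdict(lambda: {"wordlist_queries": 0,
                                      "unresolved": 0,
                                      "resolved_to": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, _rcode, answer = line.split()
        if split_wordlist(qname) is None:
            continue
        stats = per_client[client]
        stats["wordlist_queries"] += 1
        if answer == "-":
            stats["unresolved"] += 1
        else:
            stats["resolved_to"].add(answer)   # live C2 candidates to block
    flagged = sorted(c for c, s in per_client.items()
                     if s["wordlist_queries"] >= MIN_HITS)
    return dict(per_client), flagged


if __name__ == "__main__":
    stats, flagged = triage(SAMPLE_LOG)
    for client in flagged:
        s = stats[client]
        print(f"{client}: {s['wordlist_queries']} wordlist queries, "
              f"{s['unresolved']} unresolved, resolved to {sorted(s['resolved_to'])}")
```

A client that burns through many dictionary names and gets an answer for only a handful is the behaviour the report shows; the resolved addresses are the ones worth blocking, and the unresolved names are the ones worth sinkholing if the list is ever seen again.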

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6861726c 6f747465 616e6173 74616369   harlotteanastaci
0x00000050 (00080)   612e6e65 740d0a0d 0a                  a.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6861726c 6f747465 616e6465 72736f6e   harlotteanderson
0x00000050 (00080)   2e6e6574 0d0a0d0a 0a                  .net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   696d6265 726c6565 6368616d 6265726c   imberleechamberl
0x00000050 (00080)   61696e2e 6e65740d 0a0d0a              ain.net....
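The three dumps are the complete client side of each beacon: an HTTP/1.0 GET for /index.php carrying only Accept, Connection and Host, with no User-Agent header at all (which is why the User-Agent fields in the summary are blank), and the second request ends with one stray 0x0a after the header terminator. The script below is an added example, not sandbox output and not code from the sample: it decodes this offset / hex words / ASCII dump format back into bytes, checks that each line's offset agrees with the bytes decoded so far, parses each request and tests it against that request shape. The dump text is copied from this page; the shape check is derived from these three captures only, as the code comments say, and is not a vendor signature.

```python
import re

# The three request dumps below are copied from the Raw Pcap section of this
# report. Everything else in this block is added example code.
DUMPS = [
    """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6861726c 6f747465 616e6173 74616369   harlotteanastaci
0x00000050 (00080)   612e6e65 740d0a0d 0a                  a.net....
""",
    """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6861726c 6f747465 616e6465 72736f6e   harlotteanderson
0x00000050 (00080)   2e6e6574 0d0a0d0a 0a                  .net.....
""",
    """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   696d6265 726c6565 6368616d 6265726c   imberleechamberl
0x00000050 (00080)   61696e2e 6e65740d 0a0d0a              ain.net....
""",
]

# "0x<offset> (<decimal offset>)   <hex words>   <ascii column>"
LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+(.*)$")


def decode_hexdump(dump):
    """Rebuild the raw bytes from a sandbox-style hexdump. The hex words are
    separated from the ASCII column by two or more spaces; the ASCII column
    is ignored because it is lossy ('.' stands for any non-printable byte)."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:x} but {len(out)} bytes decoded so far")
        hex_words = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
        out += bytes.fromhex("".join(hex_words.split()))
    return bytes(out)


def parse_request(raw):
    """Split an HTTP request into request line, headers (names lower-cased)
    and whatever follows the blank line, which for a GET should be empty."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "trailing": trailing}


def matches_beacon_shape(req):
    """Shape shared by the three captured requests: HTTP/1.0 GET /index.php
    with exactly Accept, Connection and Host and no User-Agent. Derived from
    this report's captures only; not a vendor signature, so tune before use."""
    h = req["headers"]
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and set(h) == {"accept", "connection", "host"}
            and h["accept"] == "*/*" and h["connection"].lower() == "close")


def analyse(dumps):
    """Decode and parse each dump; returns one summary dict per request."""
    results = []
    for dump in dumps:
        raw = decode_hexdump(dump)
        req = parse_request(raw)
        results.append({"host": req["headers"].get("host"),
                        "length": len(raw),
                        "user_agent": req["headers"].get("user-agent"),
                        "trailing": req["trailing"],
                        "beacon_shape": matches_beacon_shape(req)})
    return results


if __name__ == "__main__":
    for r in analyse(DUMPS):
        print(r)
```

The offset check matters more than it looks: sandbox dumps are often truncated or re-wrapped when pasted, and a silently mis-assembled request would put the wrong bytes into a signature. The trailing 0x0a on the second request is the kind of detail that survives only the raw bytes, never the summary table.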


Strings