Analysis Date: 2015-10-02 21:59:45
MD5: 20918f6adfa8ee535d270a16e214c7ad
SHA1: 47dcd1a2764b0f0f0d8c65d3a6509bfe7a39e0ca

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bb14abb20f97d0e74cb1b7e69f63b3aa sha1: 95f45faf9a423df4e4bc4bf0cb874eb36db338e4 size: 826880
Section .rdata: md5: 1850a6009f8912f1ba9d487832598e21 sha1: cfb676552d9d986df53c273b2d24fd8dbfbaf633 size: 318976
Section .data: md5: 2791d11c07891742cafad73fa73e8d33 sha1: 65651c6b8b16729658879c32848c816ae9461b96 size: 7680
Timestamp: 2015-04-03 04:02:33
Packer: Microsoft Visual C++ ?.?
PEhash: dc5da7db958d304600d602910a2c9f101bad84b7
IMPhash: f5e73afb40142832268b33b16b58beb9
AV Zillya!: Trojan.Kryptik.Win32.752035
AV K7: Trojan ( 004bb8ba1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV Alwil (avast): Downloader-TLD [Trj]
AV Ikarus: Trojan.Win32.Crypt
AV CAT (quickheal): no_virus
AV Twister: no_virus
AV BitDefender: Gen:Variant.Zusy.133308
AV Emsisoft: Gen:Variant.Zusy.133308
AV Trend Micro: no_virus
AV MalwareBytes: no_virus
AV CA (E-Trust Ino): no_virus
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Rising: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV F-Secure: Gen:Variant.Zusy.133308
AV Dr. Web: no_virus
AV Mcafee: no_virus
AV Fortinet: W32/Kryptik.DDQD!tr
AV VirusBlokAda (vba32): no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV ClamAV: no_virus
AV Eset (nod32): Win32/Kryptik.DDQD
AV Avira (antivir): TR/Crypt.Xpack.26584
AV Kaspersky: Trojan.Win32.Generic
AV BullGuard: Gen:Variant.Zusy.133308
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV Padvish: no_virus
AV Frisk (f-prot): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\lveqxcnjg\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rurkeqzksfkzomsetiwmsz.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\rurkeqzksfkzomsetiwmsz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\rurkeqzksfkzomsetiwmsz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Initiator Backup Net.Tcp Engine TPM ➝ C:\WINDOWS\system32\qpcynttzmot.exe
Creates File: C:\WINDOWS\system32\qpcynttzmot.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\lveqxcnjg\tst
Creates File: C:\WINDOWS\system32\lveqxcnjg\lck
Creates File: C:\WINDOWS\system32\lveqxcnjg\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\qpcynttzmot.exe
Creates Service: Services Trap Registrar Time Network - C:\WINDOWS\system32\qpcynttzmot.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\47DCD1A2764B0F0F0D8C65D3A6509-39458D38.pf
Creates File: C:\WINDOWS\Prefetch\QPCYNTTZMOT.EXE-26EF9B28.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\RURKEQZKSFKZOMSETIWMSZ.EXE-1D6077EA.pf
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Prefetch\LUJXXBT.EXE-0E9BCF66.pf
Creates File: C:\WINDOWS\Prefetch\RURKEQZL0U3ZOM.EXE-33F91A83.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1308

Process
↳ Pid 1848

Process
↳ Pid 460

Process
↳ C:\WINDOWS\system32\qpcynttzmot.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\lveqxcnjg\lck
Creates File: C:\WINDOWS\system32\lujxxbt.exe
Creates File: C:\WINDOWS\system32\lveqxcnjg\run
Creates File: C:\WINDOWS\TEMP\rurkeqzl0u3zom.exe
Creates File: C:\WINDOWS\system32\lveqxcnjg\cfg
Creates File: C:\WINDOWS\system32\lveqxcnjg\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\lveqxcnjg\rng
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\TEMP\rurkeqzl0u3zom.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\qpcynttzmot.exe"
Creates Process: C:\WINDOWS\TEMP\rurkeqzl0u3zom.exe -r 39982 tcp

Process
↳ C:\WINDOWS\system32\qpcynttzmot.exe

Creates File: C:\WINDOWS\system32\lveqxcnjg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\qpcynttzmot.exe"

Creates File: C:\WINDOWS\system32\lveqxcnjg\tst

Process
↳ C:\WINDOWS\TEMP\rurkeqzl0u3zom.exe -r 39982 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://bothplain.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://groupgrain.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://lookhouse.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://lookgift.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://lordhouse.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://threepeace.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://ablehome.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://pickover.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)
HTTP GET: http://roomhome.net/index.php?method=validate&mode=sox&v=044&sox=4b39ac00&lenhdr (User-Agent: none)

Raw Pcap

Strings