Analysis Date: 2015-11-12 12:29:19
MD5: ab6be6ffc86dbe7b0073cf2ca68ab0e5
SHA1: 4965cf3e3c40772cfa1c405c4367100a0e47aa00

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2894cdf8e3c807fbacc7b61ef113d137 sha1: 128a86fd56f17b2c6f000bc8de7747bc584d833b size: 822272
Section .rdata: md5: 96ef3d9c404440c20f76f5da6d29aa4e sha1: c7fa8a41a9552bb30bef91d79077f6a7f35ece74 size: 336896
Section .data: md5: 432a3fa509adecdc678ba5ef89db87bc sha1: cd9da7d7be2958d7e7782663d2f933ebb1e07d54 size: 8192
Timestamp: 2015-04-03 04:04:22
Packer: Microsoft Visual C++ ?.?
PEhash: f1e7817ca98ff60f20d3579a0ebc096d852e3e07
IMPhash: 6cc2afae43b6b6b49d7ff5576c4a36be
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.ZPACK.197288
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Zusy.133308
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV MalwareBytes: No Virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Padvish: No Virus
AV BullGuard: Gen:Variant.Zusy.133308
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader17.37826
AV F-Secure: Gen:Variant.Zusy.133308

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\sh3myy1l3zqofkibeyb.exe
Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\sh3myy1l3zqofkibeyb.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\sh3myy1l3zqofkibeyb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Log Adaptive Themes Receiver Shadow DNS ➝ C:\WINDOWS\system32\vthmwatd.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\vthmwatd.exe
Creates File: C:\WINDOWS\system32\omshpqwlmqno\etc
Creates File: C:\WINDOWS\system32\omshpqwlmqno\lck
Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\vthmwatd.exe
Creates Service: Now Human ActiveX Process Accounts - C:\WINDOWS\system32\vthmwatd.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\vthmwatd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\omshpqwlmqno\run
Creates File: C:\WINDOWS\system32\omshpqwlmqno\cfg
Creates File: C:\WINDOWS\TEMP\sh3myy1s77qof.exe
Creates File: C:\WINDOWS\system32\omshpqwlmqno\lck
Creates File: C:\WINDOWS\system32\lyrhcvyp.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\omshpqwlmqno\rng
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst
Creates Process: WATCHDOGPROC "c:\windows\system32\vthmwatd.exe"
Creates Process: C:\WINDOWS\TEMP\sh3myy1s77qof.exe -r 41931 tcp

Process
↳ C:\WINDOWS\system32\vthmwatd.exe

Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\vthmwatd.exe"

Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst

Process
↳ C:\WINDOWS\TEMP\sh3myy1s77qof.exe -r 41931 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

