Analysis Date: 2016-02-05 08:44:36
MD5: b40b92b91773009907d5f61de6eb9e96
SHA1: 5251a9350c5919c4d51e11f4ead8274855d34e71

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ede08067be66deae13a24b61b334e63d sha1: 191f4465e58f5da4fd3cf7efbb662881b2338f00 size: 38912
Section .rdata: md5: eaa118f1d61634ed44387e2dbdf057fc sha1: 1553b510e632e38ae604747accfee19953f84c79 size: 5120
Section .data: md5: 77d93b7d26d90e0f95c47f87c5dd592b sha1: b2124ebd9838d9161f1a9d24624f836b6ae49759 size: 14336
Section .rsrc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 2016-01-19 04:37:06
Packer: Microsoft Visual C++ v6.0
PEhash: c1df959d058ad68d8f211699566c3a7c332c2da6
IMPhash: de5f08865deaad730f92e3de7f18e3e6
AV CA (E-Trust Ino): Win32/Nitol.A!generic
AV Rising: Backdoor.Overie!486D
AV McAfee: RDN/Generic Downloader.x
AV Avira (antivir): WORM/Rbot.Gen
AV Twister: No Virus
AV Ad-Aware: Generic.ServStart.2F8CFB4E
AV Alwil (avast): ServStart-B [Trj]
AV Eset (nod32): Win32/ServStart.DT
AV Grisoft (avg): DDoS.AC
AV Symantec: Backdoor.Nitol
AV Fortinet: W32/ServStart.AS!tr
AV BitDefender: Generic.ServStart.2F8CFB4E
AV K7: Trojan ( 0048e9e01 )
AV Microsoft Security Essentials: DDoS:Win32/Nitol.A
AV MicroWorld (escan): Generic.ServStart.2F8CFB4E
AV MalwareBytes: No Virus
AV Authentium: W32/QQhelper.C.gen!Eldorado
AV Emsisoft: Generic.ServStart.2F8CFB4E
AV Frisk (f-prot): W32/QQhelper.C.gen!Eldorado
AV Ikarus: Trojan.Win32.ServStart
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_VSTART.SMA
AV VirusBlokAda (vba32): BScope.Trojan.Win32.Inject.2
AV CAT (quickheal): Trojan.ServStart.A4
AV BullGuard: Generic.ServStart.2F8CFB4E
AV Arcabit (arcavir): Generic.ServStart.2F8CFB4E
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.10094
AV F-Secure: Generic.ServStart.2F8CFB4E

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Player ServiceswilWindows Media Player Servicesixy Instruments Domain Service\Description ➝ Windows Media Player Servicesbdm
Creates File: C:\WINDOWS\system32\vipxie.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\5251A9~1.EXE > nul
Creates Service: Windows Media Player Servicesixy Instruments Domain Service - C:\WINDOWS\system32\vipxie.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\5251A9~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1180

Process
↳ C:\WINDOWS\system32\vipxie.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: Windows Media Player ServiceswilWindows Media Player Servicesixy Instruments Domain Service

Network Details:

DNS: hes1970.codns.com
  Type: A
  Resolved to: 127.0.0.1
Flows TCP: 192.168.1.1:1031 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1031 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1033 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1035 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1037 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1039 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1041 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1043 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1045 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1047 ➝ 49.174.104.185:2015
Flows TCP: 192.168.1.1:1049 ➝ 49.174.104.185:2015