Analysis Date2014-04-19 19:12:03
MD54caa8cf86bf42368719c4d886f6bde8c
SHA15490beac750bbe133747a49c420c6abe4387b371

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: d77831890dcb52174a8aca93fc70d7f6 sha1: 159230ea0c31983c1fead07b1e099affb9d2933e size: 120832
Section.rdata md5: 5cc3933a6a08fe102bfec9103c7b0605 sha1: 97abfa5f6b8686e0c460253b72b943e5e39d9814 size: 16384
Section.data md5: 5e608910c5f01fa773d002bed9f2b4eb sha1: 398a80b64beaec8ef0f2db6549d2056bf9cd3e39 size: 17408
Timestamp2014-01-22 06:27:19
PackerMicrosoft Visual C++ ?.?
PEhash0104faf0c5ccbdf0710c0cc6336f518595fc321a
IMPhash76a01e222de0c9122b85a080004e5caa
AVmcafeeGeneric-FAOV!4CAA8CF86BF4
AVavgGeneric_r.DMB

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Store TP Block Protocol BitLocker Transfer ➝
C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe
Creates FileC:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe
Creates ProcessC:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe

Creates FileC:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.czsyw
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\ylhmexna.exe
Creates ProcessWATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe"

Network Details:

DNSnightspring.net
Type: A
66.96.160.141
DNStradespring.net
Type: A
65.49.45.219
DNSstreetsuccess.net
Type: A
68.178.254.68
DNSstreetbanker.net
Type: A
208.91.197.27
DNSbettersuccess.net
Type: A
54.209.168.250
DNSquietsuccess.net
Type: A
184.168.221.44
DNSnightguard.net
Type: A
173.199.172.26
DNSagainstfound.net
Type: A
DNSdoubtfound.net
Type: A
DNSagainstspring.net
Type: A
DNSdoubtspring.net
Type: A
DNSagainstsuccess.net
Type: A
DNSdoubtsuccess.net
Type: A
DNSagainstbanker.net
Type: A
DNSdoubtbanker.net
Type: A
DNSnightfound.net
Type: A
DNSdecidefound.net
Type: A
DNSdecidespring.net
Type: A
DNSnightsuccess.net
Type: A
DNSdecidesuccess.net
Type: A
DNSnightbanker.net
Type: A
DNSdecidebanker.net
Type: A
DNSlargefound.net
Type: A
DNScaptainfound.net
Type: A
DNSlargespring.net
Type: A
DNScaptainspring.net
Type: A
DNSlargesuccess.net
Type: A
DNScaptainsuccess.net
Type: A
DNSlargebanker.net
Type: A
DNScaptainbanker.net
Type: A
DNSrecordfound.net
Type: A
DNSelectricfound.net
Type: A
DNSrecordspring.net
Type: A
DNSelectricspring.net
Type: A
DNSrecordsuccess.net
Type: A
DNSelectricsuccess.net
Type: A
DNSrecordbanker.net
Type: A
DNSelectricbanker.net
Type: A
DNSstreetfound.net
Type: A
DNStradefound.net
Type: A
DNSstreetspring.net
Type: A
DNStradesuccess.net
Type: A
DNStradebanker.net
Type: A
DNSbetterfound.net
Type: A
DNSgatherfound.net
Type: A
DNSbetterspring.net
Type: A
DNSgatherspring.net
Type: A
DNSgathersuccess.net
Type: A
DNSbetterbanker.net
Type: A
DNSgatherbanker.net
Type: A
DNSflierfound.net
Type: A
DNSbreadfound.net
Type: A
DNSflierspring.net
Type: A
DNSbreadspring.net
Type: A
DNSfliersuccess.net
Type: A
DNSbreadsuccess.net
Type: A
DNSflierbanker.net
Type: A
DNSbreadbanker.net
Type: A
DNSquietfound.net
Type: A
DNSseasonfound.net
Type: A
DNSquietspring.net
Type: A
DNSseasonspring.net
Type: A
DNSseasonsuccess.net
Type: A
DNSquietbanker.net
Type: A
DNSseasonbanker.net
Type: A
DNSagainstairplane.net
Type: A
DNSdoubtairplane.net
Type: A
DNSagainststraight.net
Type: A
DNSdoubtstraight.net
Type: A
DNSagainstguard.net
Type: A
DNSdoubtguard.net
Type: A
DNSagainstfence.net
Type: A
DNSdoubtfence.net
Type: A
DNSnightairplane.net
Type: A
DNSdecideairplane.net
Type: A
DNSnightstraight.net
Type: A
DNSdecidestraight.net
Type: A
DNSdecideguard.net
Type: A
DNSnightfence.net
Type: A
DNSdecidefence.net
Type: A
DNSlargeairplane.net
Type: A
DNScaptainairplane.net
Type: A
DNSlargestraight.net
Type: A
DNScaptainstraight.net
Type: A
DNSlargeguard.net
Type: A
HTTP GEThttp://nightspring.net/forum/search.php?email=mirelabon@yahoo.com&method=post
User-Agent:
HTTP GEThttp://tradespring.net/forum/search.php?email=mirelabon@yahoo.com&method=post
User-Agent:
HTTP GEThttp://streetsuccess.net/forum/search.php?email=mirelabon@yahoo.com&method=post
User-Agent:
HTTP GEThttp://streetbanker.net/forum/search.php?email=mirelabon@yahoo.com&method=post
User-Agent:
HTTP GEThttp://bettersuccess.net/forum/search.php?email=mirelabon@yahoo.com&method=post
User-Agent:
HTTP GEThttp://quietsuccess.net/forum/search.php?email=mirelabon@yahoo.com&method=post
User-Agent:
HTTP GEThttp://nightguard.net/forum/search.php?email=mirelabon@yahoo.com&method=post
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 66.96.160.141:80
Flows TCP192.168.1.1:1032 ➝ 65.49.45.219:80
Flows TCP192.168.1.1:1033 ➝ 68.178.254.68:80
Flows TCP192.168.1.1:1034 ➝ 208.91.197.27:80
Flows TCP192.168.1.1:1035 ➝ 54.209.168.250:80
Flows TCP192.168.1.1:1036 ➝ 184.168.221.44:80
Flows TCP192.168.1.1:1037 ➝ 173.199.172.26:80

Raw Pcap
0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 6e696768   lose..Host: nigh
0x00000070 (00112)   74737072 696e672e 6e65740d 0a0d0a     tspring.net....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 74726164   lose..Host: trad
0x00000070 (00112)   65737072 696e672e 6e65740d 0a0d0a     espring.net....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 73747265   lose..Host: stre
0x00000070 (00112)   65747375 63636573 732e6e65 740d0a0d   etsuccess.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 73747265   lose..Host: stre
0x00000070 (00112)   65746261 6e6b6572 2e6e6574 0d0a0d0a   etbanker.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 62657474   lose..Host: bett
0x00000070 (00112)   65727375 63636573 732e6e65 740d0a0d   ersuccess.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 71756965   lose..Host: quie
0x00000070 (00112)   74737563 63657373 2e6e6574 0d0a0d0a   tsuccess.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 6e696768   lose..Host: nigh
0x00000070 (00112)   74677561 72642e6e 65740d0a 0d0a0d0a   tguard.net......
0x00000080 (00128)   0a                                    .


Strings
.
-E-
-0
-0010+-0
0
-0
CC
.00-+ 
.
-e-
. 
\
 
00
.
:\
:..
...........?- 
0
0
0
0
-
.
u
Bjjjjh
E(null)
                                 H
         (((((                  H
         h((((                  H
jjjjh
KERNEL32.DLL
mscoree.dll
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
\0:4r}
0A@@Ju
0SSSSS
0WWWWW
1#QNAN
1#SNAN
\3aJ.b
8uN:Rl
8VVVVV
9: ^qm
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
:%AFjUz2<
An application has made an attempt to load the C runtime library incorrectly.
aT8KVOy
<at9<rt,<wt
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVexception@std@@
.?AVlength_error@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
__based(
BeginPaint
__cdecl
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
CompareStringA
CompareStringW
 Complete Object Locator'
CONOUT$
`copy constructor closure'
CopyFileA
CorExitProcess
CreateDirectoryA
CreateEventA
CreateFileA
CreateIconFromResourceEx
CreateProcessA
CreateStreamOnHGlobal
CreateThread
CreateTimerQueue
CreateToolhelp32Snapshot
CreateWindowExA
- CRT not initialized
D$`_^][
D$<^][
D$ [_^]
D$$_^][
D$80`@
@.data
D$$;D$
dddd, MMMM dd, yyyy
D$\+D$TQ+
D$`+D$X+
December
DecodePointer
`default constructor closure'
DefWindowProcA
 delete
 delete[]
Delete
DeleteCriticalSection
D$ hx=B
DispatchMessageA
DOMAIN error
D$PPQWS
D$PPQWSS
D$PPVWU
DPtoLP
D$XUVW
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
EncodePointer
EndPaint
EnterCriticalSection
ExitProcess
__fastcall
February
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
ForceRemove
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
^F<-uB
GA8m:Th=
GAIsProcessorFeaturePresent
GDI32.dll
GdiComment
GetACP
GetActiveWindow
GetClipboardSequenceNumber
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDesktopWindow
GetDeviceCaps
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileSize
GetFileType
GetFullPathNameA
GetGUIThreadInfo
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMapMode
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetTitleBarInfo
GetUserObjectInformationA
GetWindowDC
GetWindowRect
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
`h````
H0uF$j
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
`h`hhh
HH:mm:ss
HHtXHHt
+hUhF]F@~6
`}!i&{
>If90t
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
InvalidateRect
invalid string position
IsDebuggerPresent
IsValidCodePage
JanFebMarAprMayJunJulAugSepOctNovDec
January
j h4>B
j,h` B
j~hx<B
j@j ^V
\$,j~Pf
j"^SSSSS
jvwe5;(m
KERNEL32
KERNEL32.dll
)K+R5Y
L$4QRP
L$8RPQ
LCMapStringA
LCMapStringW
LeaveCriticalSection
L$HQVPW
LoadCursorA
LoadLibraryA
LocalHandle
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
L$PQVWPP
LPtoDP
L$,QRW
L$ QUV
L$$QWR
L$t][3
L$ VSj
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
MoveWindow
MulDiv
MultiByteToWideChar
 new[]
NoRemove
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
October
O#GTj3
Oj'V05
ole32.dll
OLEAUT32.dll
`omni callsig'
OpenEventA
OpenProcess
operator
__pascal
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
PostQuitMessage
PPPPPPPP
Process32First
Process32Next
Program: 
<program name unknown>
__ptr64
- pure virtual function call
	]Qa=5G
QG'/ZM
QQSVWd
QueryPerformanceCounter
RaiseException
`.rdata
ReadFile
RegCloseKey
RegisterClassExA
RegOpenKeyA
RegSetValueExA
__restrict
RtlUnwind
runtime error 
Runtime Error!
RYxi	,
s5?A/}
Saturday
`scalar deleting destructor'
September
SetEndOfFile
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetFocus
SetHandleCount
SetLastError
SetMapMode
SetStdHandle
SetUnhandledExceptionFilter
SetWindowTextA
ShowWindow
SING error
s[S;7|G;w
^SSSSS
__stdcall
`string'
string too long
Sunday
SunMonTueWedThuFriSat
TerminateProcess
tGHt.Ht&
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
__thiscall
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
t$<hPVB
Thursday
< tK<	tG
TLOSS error
T$LPWQRS
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
<\tM</tI
T$PRPW
T$PRVW
T$`QPR
tR99u2
TrackMouseEvent
TranslateMessage
t"SS9]
T$ SSVh
<+t(<-t$:
t$<"u	3
Tuesday
;t$,v-
t+WWVPV
 Type Descriptor'
`typeof'
>:u8FV
uBh!IA
`udt returning'
- unable to initialize heap
- unable to open console device
__unaligned
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
Unknown exception
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
u[SSSP
UTF-16LE
v$;5,nB
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
VirtualAlloc
`virtual displacement map'
VirtualFree
v	N+D$
_VVVVV
VVVVVQRSSj
WaitForSingleObject
Wednesday
)w:	&@f
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
WritePrivateProfileSectionA
WS2_32.dll
^WWWWW
xppwpp
xpxxxx
<xtX<XtT
=X*!	u
/xX25_XM
>=Yt1j
(zP88M6