Analysis | #totalhash

Analysis Date	2014-04-19 19:12:03
MD5	4caa8cf86bf42368719c4d886f6bde8c
SHA1	5490beac750bbe133747a49c420c6abe4387b371

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: d77831890dcb52174a8aca93fc70d7f6 sha1: 159230ea0c31983c1fead07b1e099affb9d2933e size: 120832
Section	.rdata md5: 5cc3933a6a08fe102bfec9103c7b0605 sha1: 97abfa5f6b8686e0c460253b72b943e5e39d9814 size: 16384
Section	.data md5: 5e608910c5f01fa773d002bed9f2b4eb sha1: 398a80b64beaec8ef0f2db6549d2056bf9cd3e39 size: 17408
Timestamp	2014-01-22 06:27:19
Packer	Microsoft Visual C++ ?.?
PEhash	0104faf0c5ccbdf0710c0cc6336f518595fc321a
IMPhash	76a01e222de0c9122b85a080004e5caa
AV	mcafee	Generic-FAOV!4CAA8CF86BF4
AV	avg	Generic_r.DMB

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Store TP Block Protocol BitLocker Transfer ➝ C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe
Creates Process	C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe

Creates File	C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.czsyw
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\ylhmexna.exe
Creates Process	WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\eipxcaifpfvp\vvhkqpp.exe"

Network Details:

DNS	nightspring.net Type: A 66.96.160.141
DNS	tradespring.net Type: A 65.49.45.219
DNS	streetsuccess.net Type: A 68.178.254.68
DNS	streetbanker.net Type: A 208.91.197.27
DNS	bettersuccess.net Type: A 54.209.168.250
DNS	quietsuccess.net Type: A 184.168.221.44
DNS	nightguard.net Type: A 173.199.172.26
DNS	againstfound.net Type: A
DNS	doubtfound.net Type: A
DNS	againstspring.net Type: A
DNS	doubtspring.net Type: A
DNS	againstsuccess.net Type: A
DNS	doubtsuccess.net Type: A
DNS	againstbanker.net Type: A
DNS	doubtbanker.net Type: A
DNS	nightfound.net Type: A
DNS	decidefound.net Type: A
DNS	decidespring.net Type: A
DNS	nightsuccess.net Type: A
DNS	decidesuccess.net Type: A
DNS	nightbanker.net Type: A
DNS	decidebanker.net Type: A
DNS	largefound.net Type: A
DNS	captainfound.net Type: A
DNS	largespring.net Type: A
DNS	captainspring.net Type: A
DNS	largesuccess.net Type: A
DNS	captainsuccess.net Type: A
DNS	largebanker.net Type: A
DNS	captainbanker.net Type: A
DNS	recordfound.net Type: A
DNS	electricfound.net Type: A
DNS	recordspring.net Type: A
DNS	electricspring.net Type: A
DNS	recordsuccess.net Type: A
DNS	electricsuccess.net Type: A
DNS	recordbanker.net Type: A
DNS	electricbanker.net Type: A
DNS	streetfound.net Type: A
DNS	tradefound.net Type: A
DNS	streetspring.net Type: A
DNS	tradesuccess.net Type: A
DNS	tradebanker.net Type: A
DNS	betterfound.net Type: A
DNS	gatherfound.net Type: A
DNS	betterspring.net Type: A
DNS	gatherspring.net Type: A
DNS	gathersuccess.net Type: A
DNS	betterbanker.net Type: A
DNS	gatherbanker.net Type: A
DNS	flierfound.net Type: A
DNS	breadfound.net Type: A
DNS	flierspring.net Type: A
DNS	breadspring.net Type: A
DNS	fliersuccess.net Type: A
DNS	breadsuccess.net Type: A
DNS	flierbanker.net Type: A
DNS	breadbanker.net Type: A
DNS	quietfound.net Type: A
DNS	seasonfound.net Type: A
DNS	quietspring.net Type: A
DNS	seasonspring.net Type: A
DNS	seasonsuccess.net Type: A
DNS	quietbanker.net Type: A
DNS	seasonbanker.net Type: A
DNS	againstairplane.net Type: A
DNS	doubtairplane.net Type: A
DNS	againststraight.net Type: A
DNS	doubtstraight.net Type: A
DNS	againstguard.net Type: A
DNS	doubtguard.net Type: A
DNS	againstfence.net Type: A
DNS	doubtfence.net Type: A
DNS	nightairplane.net Type: A
DNS	decideairplane.net Type: A
DNS	nightstraight.net Type: A
DNS	decidestraight.net Type: A
DNS	decideguard.net Type: A
DNS	nightfence.net Type: A
DNS	decidefence.net Type: A
DNS	largeairplane.net Type: A
DNS	captainairplane.net Type: A
DNS	largestraight.net Type: A
DNS	captainstraight.net Type: A
DNS	largeguard.net Type: A
HTTP GET	http://nightspring.net/forum/search.php?email=mirelabon@yahoo.com&method=post User-Agent:
HTTP GET	http://tradespring.net/forum/search.php?email=mirelabon@yahoo.com&method=post User-Agent:
HTTP GET	http://streetsuccess.net/forum/search.php?email=mirelabon@yahoo.com&method=post User-Agent:
HTTP GET	http://streetbanker.net/forum/search.php?email=mirelabon@yahoo.com&method=post User-Agent:
HTTP GET	http://bettersuccess.net/forum/search.php?email=mirelabon@yahoo.com&method=post User-Agent:
HTTP GET	http://quietsuccess.net/forum/search.php?email=mirelabon@yahoo.com&method=post User-Agent:
HTTP GET	http://nightguard.net/forum/search.php?email=mirelabon@yahoo.com&method=post User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 66.96.160.141:80
Flows TCP	192.168.1.1:1032 ➝ 65.49.45.219:80
Flows TCP	192.168.1.1:1033 ➝ 68.178.254.68:80
Flows TCP	192.168.1.1:1034 ➝ 208.91.197.27:80
Flows TCP	192.168.1.1:1035 ➝ 54.209.168.250:80
Flows TCP	192.168.1.1:1036 ➝ 184.168.221.44:80
Flows TCP	192.168.1.1:1037 ➝ 173.199.172.26:80

Raw Pcap

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 6e696768   lose..Host: nigh
0x00000070 (00112)   74737072 696e672e 6e65740d 0a0d0a     tspring.net....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 74726164   lose..Host: trad
0x00000070 (00112)   65737072 696e672e 6e65740d 0a0d0a     espring.net....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 73747265   lose..Host: stre
0x00000070 (00112)   65747375 63636573 732e6e65 740d0a0d   etsuccess.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 73747265   lose..Host: stre
0x00000070 (00112)   65746261 6e6b6572 2e6e6574 0d0a0d0a   etbanker.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 62657474   lose..Host: bett
0x00000070 (00112)   65727375 63636573 732e6e65 740d0a0d   ersuccess.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 71756965   lose..Host: quie
0x00000070 (00112)   74737563 63657373 2e6e6574 0d0a0d0a   tsuccess.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 6d697265   h.php?email=mire
0x00000020 (00032)   6c61626f 6e407961 686f6f2e 636f6d26   labon@yahoo.com&
0x00000030 (00048)   6d657468 6f643d70 6f737420 48545450   method=post HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 6e696768   lose..Host: nigh
0x00000070 (00112)   74677561 72642e6e 65740d0a 0d0a0d0a   tguard.net......
0x00000080 (00128)   0a                                    .

Strings

.
-E-
-0
-0010+-0
0
-0
CC
.00-+ 
.
-e-
. 
\
 
00
.
:\
:..
...........?- 
0
0
0
0
-
.
u
Bjjjjh
E(null)
                                 H
         (((((                  H
         h((((                  H
jjjjh
KERNEL32.DLL
mscoree.dll
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
\0:4r}
0A@@Ju
0SSSSS
0WWWWW
1#QNAN
1#SNAN
\3aJ.b
8uN:Rl
8VVVVV
9: ^qm
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
:%AFjUz2<
An application has made an attempt to load the C runtime library incorrectly.
aT8KVOy
<at9<rt,<wt
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVexception@std@@
.?AVlength_error@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
__based(
BeginPaint
__cdecl
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
CompareStringA
CompareStringW
 Complete Object Locator'
CONOUT$
`copy constructor closure'
CopyFileA
CorExitProcess
CreateDirectoryA
CreateEventA
CreateFileA
CreateIconFromResourceEx
CreateProcessA
CreateStreamOnHGlobal
CreateThread
CreateTimerQueue
CreateToolhelp32Snapshot
CreateWindowExA
- CRT not initialized
D$`_^][
D$<^][
D$ [_^]
D$$_^][
D$80`@
@.data
D$$;D$
dddd, MMMM dd, yyyy
D$\+D$TQ+
D$`+D$X+
December
DecodePointer
`default constructor closure'
DefWindowProcA
 delete
 delete[]
Delete
DeleteCriticalSection
D$ hx=B
DispatchMessageA
DOMAIN error
D$PPQWS
D$PPQWSS
D$PPVWU
DPtoLP
D$XUVW
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
EncodePointer
EndPaint
EnterCriticalSection
ExitProcess
__fastcall
February
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
ForceRemove
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
^F<-uB
GA8m:Th=
GAIsProcessorFeaturePresent
GDI32.dll
GdiComment
GetACP
GetActiveWindow
GetClipboardSequenceNumber
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDesktopWindow
GetDeviceCaps
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileSize
GetFileType
GetFullPathNameA
GetGUIThreadInfo
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMapMode
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetTitleBarInfo
GetUserObjectInformationA
GetWindowDC
GetWindowRect
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
`h````
H0uF$j
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
`h`hhh
HH:mm:ss
HHtXHHt
+hUhF]F@~6
`}!i&{
>If90t
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
InvalidateRect
invalid string position
IsDebuggerPresent
IsValidCodePage
JanFebMarAprMayJunJulAugSepOctNovDec
January
j h4>B
j,h` B
j~hx<B
j@j ^V
\$,j~Pf
j"^SSSSS
jvwe5;(m
KERNEL32
KERNEL32.dll
)K+R5Y
L$4QRP
L$8RPQ
LCMapStringA
LCMapStringW
LeaveCriticalSection
L$HQVPW
LoadCursorA
LoadLibraryA
LocalHandle
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
L$PQVWPP
LPtoDP
L$,QRW
L$ QUV
L$$QWR
L$t][3
L$ VSj
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
MoveWindow
MulDiv
MultiByteToWideChar
 new[]
NoRemove
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
October
O#GTj3
Oj'V05
ole32.dll
OLEAUT32.dll
`omni callsig'
OpenEventA
OpenProcess
operator
__pascal
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
PostQuitMessage
PPPPPPPP
Process32First
Process32Next
Program: 
<program name unknown>
__ptr64
- pure virtual function call
	]Qa=5G
QG'/ZM
QQSVWd
QueryPerformanceCounter
RaiseException
`.rdata
ReadFile
RegCloseKey
RegisterClassExA
RegOpenKeyA
RegSetValueExA
__restrict
RtlUnwind
runtime error 
Runtime Error!
RYxi	,
s5?A/}
Saturday
`scalar deleting destructor'
September
SetEndOfFile
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetFocus
SetHandleCount
SetLastError
SetMapMode
SetStdHandle
SetUnhandledExceptionFilter
SetWindowTextA
ShowWindow
SING error
s[S;7|G;w
^SSSSS
__stdcall
`string'
string too long
Sunday
SunMonTueWedThuFriSat
TerminateProcess
tGHt.Ht&
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
__thiscall
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
t$<hPVB
Thursday
< tK<	tG
TLOSS error
T$LPWQRS
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
<\tM</tI
T$PRPW
T$PRVW
T$`QPR
tR99u2
TrackMouseEvent
TranslateMessage
t"SS9]
T$ SSVh
<+t(<-t$:
t$<"u	3
Tuesday
;t$,v-
t+WWVPV
 Type Descriptor'
`typeof'
>:u8FV
uBh!IA
`udt returning'
- unable to initialize heap
- unable to open console device
__unaligned
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
Unknown exception
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
u[SSSP
UTF-16LE
v$;5,nB
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
VirtualAlloc
`virtual displacement map'
VirtualFree
v	N+D$
_VVVVV
VVVVVQRSSj
WaitForSingleObject
Wednesday
)w:	&@f
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
WritePrivateProfileSectionA
WS2_32.dll
^WWWWW
xppwpp
xpxxxx
<xtX<XtT
=X*!	u
/xX25_XM
>=Yt1j
(zP88M6