Analysis Date: 2015-09-07 06:30:46
MD5: a9c37e113ba6f40fed779a9416483be4
SHA1: 588519752026512055c0787d4af09305eac57694

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2cc503431551997cc1d1e86e3bda6330 sha1: 1b0c6a107f0193fbdf5891f3e8ce541c9cc2e51a size: 648192
Section .rdata: md5: 01c991fe92efaa3be24e60c4b02315f2 sha1: dc8ffb9542f5552d1af5328cc052d9ae2d7a0ad6 size: 52224
Section .data: md5: e8d56b46a1638d7078e5b00d35ba077a sha1: 09427449c182225bd45f45a3b3ad0fd87be0517d size: 125440
Timestamp: 2014-04-15 22:23:31
Packer: Microsoft Visual C++ ?.?
PEhash: 3d1cc42cc2c241078ff791113869fe102d736f34
IMPhash: ee4ea0be7aff5d170328b28a53e25450
AV Dr. Web: Trojan.KillFiles.28024
AV Authentium: W32/Symmi.AH.gen!Eldorado
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Emsisoft: Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Symantec: Downloader.Upatre!g15
AV Eset (nod32): Win32/Kryptik.CCLE
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: Riskware/Agent
AV Avira (antivir): TR/Crypt.ZPACK.174322
AV Trend Micro: TSPY_NIVDORT.SM
AV Frisk (f-prot): no_virus
AV Alwil (avast): Kryptik-PLS [Trj]
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Mcafee: RDN/Generic PWS.y!b2e
AV Twister: Trojan.Girtk.BCFJ.cpsn.mg
AV Grisoft (avg): Win32/Cryptor
AV BitDefender: Gen:Variant.Symmi.22722
AV Rising: no_virus
AV Ikarus: Trojan.Crypt2
AV Ad-Aware: Gen:Variant.Symmi.22722
AV CAT (quickheal): Trojan.Generic.r3
AV K7: Trojan ( 0049a7ec1 )
AV VirusBlokAda (vba32): no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Kaspersky: Trojan.Win32.Generic
AV BullGuard: Gen:Variant.Symmi.22722
AV MalwareBytes: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tt2qq9q1lpogjjnj6rrvr9r.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\tt2qq9q1lpogjjnj6rrvr9r.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\tt2qq9q1lpogjjnj6rrvr9r.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Visual Event WLAN Manager User-mode ➝ C:\WINDOWS\system32\hcoqgrn.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst
Creates File: C:\WINDOWS\system32\yumfrwvjpt\etc
Creates File: C:\WINDOWS\system32\yumfrwvjpt\lck
Creates File: C:\WINDOWS\system32\hcoqgrn.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\hcoqgrn.exe
Creates Service: System Discovery Endpoint BranchCache - C:\WINDOWS\system32\hcoqgrn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1164

Process
↳ C:\WINDOWS\system32\hcoqgrn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\tt2qq9q1rvhgjjn.exe
Creates File: C:\WINDOWS\system32\yumfrwvjpt\cfg
Creates File: C:\WINDOWS\system32\yumfrwvjpt\run
Creates File: C:\WINDOWS\system32\yumfrwvjpt\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst
Creates File: C:\WINDOWS\system32\drvtmnixw.exe
Creates File: C:\WINDOWS\system32\yumfrwvjpt\rng
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\hcoqgrn.exe"
Creates Process: C:\WINDOWS\TEMP\tt2qq9q1rvhgjjn.exe -r 20138 tcp

Process
↳ C:\WINDOWS\system32\hcoqgrn.exe

Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\hcoqgrn.exe"

Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst

Process
↳ C:\WINDOWS\TEMP\tt2qq9q1rvhgjjn.exe -r 20138 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: stickmarch.net (Type: A) ➝ 69.195.129.70
DNS: tablefruit.net (Type: A) ➝ 69.195.129.70
DNS: takerush.net (Type: A) ➝ 50.63.202.11
DNS: yourfeet.net (Type: A) ➝ 184.168.221.104
DNS: youreach.net (Type: A) ➝ 63.236.74.25
DNS: triesyesterday.net (Type: A) ➝ 95.211.230.75
HTTP GET: http://stickmarch.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://tablefruit.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://takerush.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://yourfeet.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://youreach.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://triesyesterday.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://stickmarch.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://tablefruit.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://takerush.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://yourfeet.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://youreach.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
HTTP GET: http://triesyesterday.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ef4a802 (User-Agent: empty)
Flows TCP: 192.168.1.1:1036 ➝ 69.195.129.70:80
Flows TCP: 192.168.1.1:1037 ➝ 69.195.129.70:80
Flows TCP: 192.168.1.1:1038 ➝ 50.63.202.11:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1243 ➝ 203.195.232.104:22445
Flows TCP: 192.168.1.1:1041 ➝ 63.236.74.25:80
Flows TCP: 192.168.1.1:1042 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1043 ➝ 69.195.129.70:80
Flows TCP: 192.168.1.1:1044 ➝ 69.195.129.70:80
Flows TCP: 192.168.1.1:1045 ➝ 50.63.202.11:80
Flows TCP: 192.168.1.1:1046 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1047 ➝ 63.236.74.25:80
Flows TCP: 192.168.1.1:1048 ➝ 95.211.230.75:80

Raw Pcap

Strings