Analysis Date: 2015-11-05 00:08:29
MD5: e4692cf1aad207fedb23e1e2cf0a777e
SHA1: 59ea9575a8bf05be658f5b8b1f211ed5977bd352

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: dfb82813094d8918493b1c751fa86658 sha1: aaf00c5cbf94309cb419a7298097592951fd8378 size: 224256
Section .data md5: d99184e49b875fd450bd530419d31106 sha1: 5c1329285c62ac6f26308a92ef778b67b78b7f17 size: 20480
Section .rdata md5: 13ede62b311cb1dda4c902eda406c355 sha1: 2f12b0eccbac2751086aee8d261e87ae96b59404 size: 40960
Section .eh_fram md5: 52a18ec114155656912663ec78ca7a00 sha1: 94cb28ff54d8fd4b52c322d8391421630a44d1ea size: 40448
Section .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 421e755d37f4d90366f0d67683bf0728 sha1: faf93cb073907da642f39eae3b78e788cbdca516 size: 6144
Section .CRT md5: 6e6cc9ae6106988d9d0f81c1e3d3b844 sha1: 67c03ce2d72c164e84c1f54bd338164a0ee2caf0 size: 512
Section .tls md5: e90daa8998d10d73d6f426823a7c9ca7 sha1: d009a4e5ef89ba9eb1e446ba06fe359e6ec8df29 size: 512
Timestamp: 2015-03-05 06:10:34
PEhash: 2c8c221e05884bb97332e0b06fc03dac706a4fc5
IMPhash: 6129fa530b6850df33326b2f8e286f42
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: Trojan-FGOJ!E4692CF1AAD2
AV Avira (antivir): TR/ATRAPS.A.10611
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Agent.XDQ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g16
AV Fortinet: W32/Agent.XDQ!tr
AV BitDefender: Gen:Variant.Symmi.51758
AV K7: Trojan ( 004c988e1 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV MalwareBytes: no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Gen:Variant.Symmi.51758
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Scar.lmey
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.39201
AV F-Secure: Gen:Variant.Symmi.51758

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates File: C:\ejtsqv4ort6\sscbsj1klrhkkyhtzarie.exe
Creates File: C:\ejtsqv4ort6\vr8y4gimn
Deletes File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates Process: C:\ejtsqv4ort6\sscbsj1klrhkkyhtzarie.exe

Process
↳ C:\ejtsqv4ort6\sscbsj1klrhkkyhtzarie.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Spooler Human Alerts Isolation WMI Key ➝ C:\ejtsqv4ort6\evfdrx8hff.exe
Creates File: C:\ejtsqv4ort6\arg54lc
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates File: C:\ejtsqv4ort6\evfdrx8hff.exe
Creates File: C:\ejtsqv4ort6\vr8y4gimn
Deletes File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates Process: C:\ejtsqv4ort6\evfdrx8hff.exe
Creates Service: List WinHTTP Encrypting - C:\ejtsqv4ort6\evfdrx8hff.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1164

Process
↳ C:\ejtsqv4ort6\evfdrx8hff.exe

Creates File: C:\ejtsqv4ort6\arg54lc
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ejtsqv4ort6\vgo5pqwdg
Creates File: C:\ejtsqv4ort6\msteeh7amtyi.exe
Creates File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates File: \Device\Afd\Endpoint
Creates File: C:\ejtsqv4ort6\vr8y4gimn
Deletes File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates Process: bvr8lcloxxny "c:\ejtsqv4ort6\evfdrx8hff.exe"

Process
↳ C:\ejtsqv4ort6\evfdrx8hff.exe

Creates File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates File: C:\ejtsqv4ort6\vr8y4gimn
Deletes File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn

Process
↳ bvr8lcloxxny "c:\ejtsqv4ort6\evfdrx8hff.exe"

Creates File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn
Creates File: C:\ejtsqv4ort6\vr8y4gimn
Deletes File: C:\WINDOWS\ejtsqv4ort6\vr8y4gimn

Network Details:

DNS earnestinesullivan.net Type: A ➝ 195.22.26.254
DNS earnestinesullivan.net Type: A ➝ 195.22.26.231
DNS earnestinesullivan.net Type: A ➝ 195.22.26.252
DNS earnestinesullivan.net Type: A ➝ 195.22.26.253
DNS christianamargaret.net Type: A
DNS dulcibellamargaret.net Type: A
DNS christianacherokee.net Type: A
DNS dulcibellacherokee.net Type: A
DNS christianaarabella.net Type: A
DNS dulcibellaarabella.net Type: A
DNS christianasullivan.net Type: A
DNS dulcibellasullivan.net Type: A
DNS washingtonmargaret.net Type: A
DNS earnestinemargaret.net Type: A
DNS washingtoncherokee.net Type: A
DNS earnestinecherokee.net Type: A
DNS washingtonarabella.net Type: A
DNS earnestinearabella.net Type: A
DNS washingtonsullivan.net Type: A
DNS sacheverellmargaret.net Type: A
DNS wilhelminamargaret.net Type: A
DNS sacheverellcherokee.net Type: A
DNS wilhelminacherokee.net Type: A
DNS sacheverellarabella.net Type: A
DNS wilhelminaarabella.net Type: A
DNS sacheverellsullivan.net Type: A
DNS wilhelminasullivan.net Type: A
DNS maximillianmargaret.net Type: A
DNS gwendolinemargaret.net Type: A
DNS maximilliancherokee.net Type: A
DNS gwendolinecherokee.net Type: A
DNS maximillianarabella.net Type: A
DNS gwendolinearabella.net Type: A
DNS maximilliansullivan.net Type: A
DNS gwendolinesullivan.net Type: A
DNS beauregardmargaret.net Type: A
DNS evangelinamargaret.net Type: A
DNS beauregardcherokee.net Type: A
DNS evangelinacherokee.net Type: A
DNS beauregardarabella.net Type: A
DNS evangelinaarabella.net Type: A
DNS beauregardsullivan.net Type: A
DNS evangelinasullivan.net Type: A
DNS richardinemargaret.net Type: A
DNS evangelinemargaret.net Type: A
DNS richardinecherokee.net Type: A
DNS evangelinecherokee.net Type: A
DNS richardinearabella.net Type: A
DNS evangelinearabella.net Type: A
DNS richardinesullivan.net Type: A
DNS evangelinesullivan.net Type: A
DNS alexandrinastrudwick.net Type: A
DNS mariabellastrudwick.net Type: A
DNS alexandrinaconstable.net Type: A
DNS mariabellaconstable.net Type: A
DNS alexandrinadonaldson.net Type: A
DNS mariabelladonaldson.net Type: A
DNS alexandrinaharoldson.net Type: A
DNS mariabellaharoldson.net Type: A
DNS bartholomewstrudwick.net Type: A
DNS willoughbystrudwick.net Type: A
DNS bartholomewconstable.net Type: A
DNS willoughbyconstable.net Type: A
DNS bartholomewdonaldson.net Type: A
DNS willoughbydonaldson.net Type: A
DNS bartholomewharoldson.net Type: A
DNS willoughbyharoldson.net Type: A
DNS christianastrudwick.net Type: A
DNS dulcibellastrudwick.net Type: A
DNS christianaconstable.net Type: A
DNS dulcibellaconstable.net Type: A
DNS christianadonaldson.net Type: A
DNS dulcibelladonaldson.net Type: A
DNS christianaharoldson.net Type: A
DNS dulcibellaharoldson.net Type: A
DNS washingtonstrudwick.net Type: A
DNS earnestinestrudwick.net Type: A
DNS washingtonconstable.net Type: A
DNS earnestineconstable.net Type: A
DNS washingtondonaldson.net Type: A
DNS earnestinedonaldson.net Type: A
DNS washingtonharoldson.net Type: A
DNS earnestineharoldson.net Type: A
DNS sacheverellstrudwick.net Type: A
DNS wilhelminastrudwick.net Type: A
DNS sacheverellconstable.net Type: A
DNS wilhelminaconstable.net Type: A
DNS sacheverelldonaldson.net Type: A
HTTP GET: http://earnestinesullivan.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.254:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   61726e65 7374696e 6573756c 6c697661   arnestinesulliva
0x00000050 (00080)   6e2e6e65 740d0a0d 0a                  n.net....


Strings