Analysis Date: 2014-11-22 04:11:04

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 41ade2eb64c2dddfd588e01fffe19f50 sha1: 8dc7b65185599dcf0e2fed462c45abcb919e513a size: 300544
Section .rdata md5: f52dbb14bfa49850c45296d00efb263b sha1: 1ca5753eb4ccfdb1a670f1a3c07af95f2296aef2 size: 33280
Section [name missing] md5: fe3b07d34c97f0d1e857a3523533f00a sha1: 55d5d935a6c40a8f7ac38549e5c8302f9dadee22 size: 98816
Timestamp: 2014-10-30 10:10:06
Packer: Microsoft Visual C++ ?.?
AV 360 Safe: Gen:Variant.Symmi.22722
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Avira (antivir): BDS/Zegost.Gen4
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Dr. Web: no_virus
AV Eset (nod32): Win32/Agent.VNC
AV Frisk (f-prot): no_virus
AV Grisoft (avg): Win32/Cryptor
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Brightness DNS Acquisition List ➝ C:\Documents and Settings\Administrator\Application Data\msrnjhh\ffstetckvpl.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\msrnjhh\ffstetckvpl.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\msrnjhh\ffstetckvpl.exe

↳ C:\Documents and Settings\Administrator\Application Data\msrnjhh\ffstetckvpl.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\msrnjhh\esuhcll.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\msrnjhh\ffstetckvpl.n8ws2
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\msrnjhh\ffstetckvpl.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\msrnjhh\ffstetckvpl.exe"

Network Details:
Type: A
Flows: TCP 192.168.1.1:1031 ➝
Flows: TCP 192.168.1.1:1032 ➝
Flows: TCP 192.168.1.1:1033 ➝
Flows: TCP 192.168.1.1:1034 ➝

Raw Pcap
