Analysis Date: 2015-08-03 04:22:34
MD5: f86907081ea9dd01a3f6e3c6f9a54792
SHA1: 68d7b11798569ed09eb09b6610699b0037a044d0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d681917c3ddae662efeab180c83e94a8 sha1: e78568cb7017b4ec983c68c38bff3e55cb570643 size: 295424
Section .rdata: md5: 17779c065de7cb300c5a6274044cee08 sha1: 05cc2eb4e1a009bc0957c802891d97f547fc0571 size: 34304
Section .data: md5: 59c2fd1cc7625090da3816ba79d82dc4 sha1: 5e19ad5df5c50fdbe3cc24f4c4ed995ae3a48620 size: 99328
Timestamp: 2014-10-30 10:05:07
Packer: Microsoft Visual C++ ?.?
PEhash: 2957e80ee89c54984af0d71d13763008a975d0aa
IMPhash: a726a98f438c818dcba38b4c514bd1b0
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!F86907081EA9
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.19373
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HomeGroup Distributed Workstation Policy ➝ C:\Documents and Settings\Administrator\Application Data\bymukbgciq\kkejsztc.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\bymukbgciq\kkejsztc.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\bymukbgciq\kkejsztc.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\bymukbgciq\kkejsztc.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\bymukbgciq\xnpxwhhpdiex.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\bymukbgciq\kkejsztc.tyx0h
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\bymukbgciq\kkejsztc.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\bymukbgciq\kkejsztc.exe"

Network Details:

DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com
Type: A
54.165.76.66
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com
Type: A
52.2.15.20
DNS: mountaincountry.net
Type: A
75.119.220.11
DNS: windowpower.net
Type: A
95.211.230.75
HTTP GET: http://mountainpower.net/index.php?email=dominique@wahoye.com&method=post&len
User-Agent:
HTTP GET: http://mountaincountry.net/index.php?email=dominique@wahoye.com&method=post&len
User-Agent:
HTTP GET: http://windowpower.net/index.php?email=dominique@wahoye.com&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 54.165.76.66:80
Flows TCP: 192.168.1.1:1032 ➝ 75.119.220.11:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80

Raw Pcap

Strings