Analysis Date: 2015-07-25 06:03:27
MD5: 2c18a8c83f0344adc9819426147435fc
SHA1: 6e3938113dcff47183447edde57df95293472ca7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8f82eb3f2dffc1e5deed05548e8f90ca sha1: 0285ffa6d34e214ff7d51faa5e767daed47590bb size: 163328
Section .rdata: md5: c7810c66169632f140503d6bc3daafd0 sha1: a0470a69c252ca2fccc9268f8e8bd147e584b726 size: 38912
Section .data: md5: ebdfefb7d91b344fca430aab8c7cf960 sha1: c34511ea5437f347b248b8275e0c5a27e5e59fd9 size: 6656
Timestamp: 2015-03-13 09:37:16
Packer: Microsoft Visual C++ ?.?
PEhash: c735088165d4c3872d104bd0dba859d9e73d1401
IMPhash: 1721f0e5bf0cfcaf33a4ba049aa22635
AV Grisoft (avg): Win32/Cryptor
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Mcafee: Trojan-FEVX!2C18A8C83F03
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV K7: no_virus
AV Frisk (f-prot): no_virus
AV Fortinet: W32/Rodecap.BJ!tr
AV Avira (antivir): TR/Crypt.ZPACK.75740
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Symantec: Downloader.Upatre!g15
AV VirusBlokAda (vba32): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV BitDefender: Gen:Variant.Rodecap.1
AV Eset (nod32): Win32/Rodecap.BJ
AV Twister: Trojan.Scar.ixfl.kswu
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.10038
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r3
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV Trend Micro: no_virus
AV Zillya!: Trojan.Rodecap.Win32.2080
AV Emsisoft: Gen:Variant.Rodecap.1
AV F-Secure: Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\iunirjbw\yaec2qufr
Creates File: C:\WINDOWS\iunirjbw\yaec2qufr
Creates File: C:\iunirjbw\sm1lf9ghhratsgtm.exe
Deletes File: C:\WINDOWS\iunirjbw\yaec2qufr
Creates Process: C:\iunirjbw\sm1lf9ghhratsgtm.exe

Process
↳ C:\iunirjbw\sm1lf9ghhratsgtm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Store Debugger Office Workstation Card Search ➝ C:\iunirjbw\eufztknpxqx.exe
Creates File: C:\iunirjbw\zfjhzfk
Creates File: C:\iunirjbw\yaec2qufr
Creates File: C:\iunirjbw\eufztknpxqx.exe
Creates File: C:\WINDOWS\iunirjbw\yaec2qufr
Deletes File: C:\WINDOWS\iunirjbw\yaec2qufr
Creates Process: C:\iunirjbw\eufztknpxqx.exe
Creates Service: Biometric Diagnostic Defragmenter System - C:\iunirjbw\eufztknpxqx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERd3c9.dir00\svchost.exe.hdmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERd3c9.dir00\svchost.exe.mdmp
Creates File: pipe\PCHFaultRepExecPipe
Creates Process: C:\WINDOWS\system32\dumprep.exe 1028 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd3c9.dir00\svchost.exe.hdmp 16325836412031060
Creates Process: C:\WINDOWS\system32\dumprep.exe 1028 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd3c9.dir00\svchost.exe.mdmp 16325836412031040

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1160

Process
↳ C:\iunirjbw\eufztknpxqx.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\iunirjbw\mprbkhxmyku.exe
Creates File: C:\iunirjbw\zfjhzfk
Creates File: C:\iunirjbw\yaec2qufr
Creates File: C:\iunirjbw\feebvqhiu
Creates File: C:\WINDOWS\iunirjbw\yaec2qufr
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\iunirjbw\yaec2qufr
Creates Process: ysq3tzwfbgrt "c:\iunirjbw\eufztknpxqx.exe"

Process
↳ C:\iunirjbw\eufztknpxqx.exe

Creates File: C:\iunirjbw\yaec2qufr
Creates File: C:\WINDOWS\iunirjbw\yaec2qufr
Deletes File: C:\WINDOWS\iunirjbw\yaec2qufr

Process
↳ C:\WINDOWS\system32\dumprep.exe 1028 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd3c9.dir00\svchost.exe.mdmp 16325836412031040

Process
↳ C:\WINDOWS\system32\dumprep.exe 1028 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd3c9.dir00\svchost.exe.hdmp 16325836412031060

Process
↳ ysq3tzwfbgrt "c:\iunirjbw\eufztknpxqx.exe"

Creates File: C:\iunirjbw\yaec2qufr
Creates File: C:\WINDOWS\iunirjbw\yaec2qufr
Deletes File: C:\WINDOWS\iunirjbw\yaec2qufr

Network Details:

HTTP GET: http://womanhealth.net/index.php?method&len
  User-Agent:
HTTP GET: http://partyclothes.net/index.php?method&len
  User-Agent:
HTTP GET: http://freshcatch.net/index.php?method&len
  User-Agent:
HTTP GET: http://crowdcatch.net/index.php?method&len
  User-Agent:
HTTP GET: http://summerdress.net/index.php?method&len
  User-Agent:
HTTP GET: http://partydress.net/index.php?method&len
  User-Agent:
HTTP GET: http://laughnotice.net/index.php?method&len
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 69.89.22.137:80
Flows TCP: 192.168.1.1:1032 ➝ 109.68.33.25:80
Flows TCP: 192.168.1.1:1033 ➝ 192.155.217.146:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.47:80
Flows TCP: 192.168.1.1:1035 ➝ 50.87.150.116:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.183:80
Flows TCP: 192.168.1.1:1037 ➝ 95.211.230.75:80

Raw Pcap

Strings