Analysis Date: 2015-11-05 04:46:48
MD5: 5d1b99f99abc98ebbeeb3485a3f1b6c7
SHA1: 6e63ac9f30623cf9453e3d7eacf47be20f9ad661

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4e3ce9cd0c0efbcbcbbecce402b8098a sha1: 3a127b138ea7e26f9b5c80ffd46861b97307a988 size: 844288
Section .rdata md5: 6cef3b1aa4a9cfb2696d445ae5004fa7 sha1: 2bc25639cdc6cb6920991f12e270f70ba328ab7b size: 325632
Section .data md5: 676804539c3954387aae07130fa3e629 sha1: 65194de5a82bfb4f8b9a6a0b2be5dc6bbc923d81 size: 7680
Timestamp: 2015-04-15 02:05:27
Packer: Microsoft Visual C++ ?.?
PEhash: c68e94bb3a609994fae69a82644e6f7bf99e7339
IMPhash: 8e2af33a3f1a23915b4e43ff1e8f5325
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Zusy.133308
AV Dr. Web: Trojan.DownLoader17.37768
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV BullGuard: Gen:Variant.Zusy.133308
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Zusy.133308
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004cd0081 )
AV BitDefender: Gen:Variant.Zusy.133308
AV Fortinet: W32/Bayrob.X!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.DDQD
AV Alwil (avast): Downloader-TLD [Trj]
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Workstation Panel Logon Locator Now ➝ C:\WINDOWS\system32\lmszrzlgmf.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\lck
Creates File: C:\WINDOWS\system32\lmszrzlgmf.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\etc
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\lmszrzlgmf.exe
Creates Service: Storage Audio Identity Interface Tools Portable - C:\WINDOWS\system32\lmszrzlgmf.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1164

Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\cfg
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\rng
Creates File: C:\WINDOWS\system32\dklnpjj.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\lck
Creates File: C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\run
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe -r 35963 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe"

Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe

Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe"

Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst

Process
↳ C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe -r 35963 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: melbourneit.hotkeysparking.com
Type: A
8.5.1.16
DNS: nailthere.net
Type: A
98.139.135.129
DNS: groupgrain.net
Type: A
208.91.197.241
DNS: threeonly.net
Type: A
208.91.197.241
DNS: naildeep.com
Type: A
74.220.215.218
DNS: saltwear.net
Type: A
50.63.202.34
DNS: equalfind.net
Type: A
208.100.26.234
DNS: watchfind.net
Type: A
69.172.201.208
DNS: watchwear.net
Type: A
184.168.221.96
DNS: fairwear.net
Type: A
208.91.197.27
DNS: dreamwear.net
Type: A
185.53.177.8
DNS: spothelp.net
Type: A
184.168.221.40
DNS: grouphelp.net
Type: A
193.34.69.203
DNS: ableread.net
Type: A
DNS: fearstate.net
Type: A
DNS: longcold.net
Type: A
DNS: fridayloss.net
Type: A
DNS: wrongbelow.net
Type: A
DNS: hilldance.net
Type: A
DNS: eggbraker.com
Type: A
DNS: ithouneed.com
Type: A
DNS: saltfind.net
Type: A
DNS: spotwear.net
Type: A
DNS: spothurt.net
Type: A
DNS: salthurt.net
Type: A
DNS: gladtold.net
Type: A
DNS: takentold.net
Type: A
DNS: gladfind.net
Type: A
DNS: takenfind.net
Type: A
DNS: gladwear.net
Type: A
DNS: takenwear.net
Type: A
DNS: gladhurt.net
Type: A
DNS: takenhurt.net
Type: A
DNS: equaltold.net
Type: A
DNS: grouptold.net
Type: A
DNS: groupfind.net
Type: A
DNS: equalwear.net
Type: A
DNS: groupwear.net
Type: A
DNS: equalhurt.net
Type: A
DNS: grouphurt.net
Type: A
DNS: spoketold.net
Type: A
DNS: visittold.net
Type: A
DNS: spokefind.net
Type: A
DNS: visitfind.net
Type: A
DNS: spokewear.net
Type: A
DNS: visitwear.net
Type: A
DNS: spokehurt.net
Type: A
DNS: visithurt.net
Type: A
DNS: watchtold.net
Type: A
DNS: fairtold.net
Type: A
DNS: fairfind.net
Type: A
DNS: watchhurt.net
Type: A
DNS: fairhurt.net
Type: A
DNS: dreamtold.net
Type: A
DNS: thistold.net
Type: A
DNS: dreamfind.net
Type: A
DNS: thisfind.net
Type: A
DNS: thiswear.net
Type: A
DNS: dreamhurt.net
Type: A
DNS: thishurt.net
Type: A
DNS: ariveslow.net
Type: A
DNS: southslow.net
Type: A
DNS: arivefebruary.net
Type: A
DNS: southfebruary.net
Type: A
DNS: arivehelp.net
Type: A
DNS: southhelp.net
Type: A
DNS: arivenovember.net
Type: A
DNS: southnovember.net
Type: A
DNS: uponslow.net
Type: A
DNS: whichslow.net
Type: A
DNS: uponfebruary.net
Type: A
DNS: whichfebruary.net
Type: A
DNS: uponhelp.net
Type: A
DNS: whichhelp.net
Type: A
DNS: uponnovember.net
Type: A
DNS: whichnovember.net
Type: A
DNS: spotslow.net
Type: A
DNS: saltslow.net
Type: A
DNS: spotfebruary.net
Type: A
DNS: saltfebruary.net
Type: A
DNS: salthelp.net
Type: A
DNS: spotnovember.net
Type: A
DNS: saltnovember.net
Type: A
DNS: gladslow.net
Type: A
DNS: takenslow.net
Type: A
DNS: gladfebruary.net
Type: A
DNS: takenfebruary.net
Type: A
DNS: gladhelp.net
Type: A
DNS: takenhelp.net
Type: A
DNS: gladnovember.net
Type: A
DNS: takennovember.net
Type: A
DNS: equalslow.net
Type: A
DNS: groupslow.net
Type: A
DNS: equalfebruary.net
Type: A
DNS: groupfebruary.net
Type: A
DNS: equalhelp.net
Type: A
DNS: equalnovember.net
Type: A
DNS: groupnovember.net
Type: A
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://saltwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://equalfind.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://watchfind.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://watchwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://fairwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://dreamwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://spothelp.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://grouphelp.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1044 ➝ 61.160.221.52:888
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1042 ➝ 50.63.202.34:80
Flows TCP: 192.168.1.1:1043 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1044 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1045 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1047 ➝ 185.53.177.8:80
Flows TCP: 192.168.1.1:1048 ➝ 184.168.221.40:80
Flows TCP: 192.168.1.1:1049 ➝ 193.34.69.203:80
Flows TCP: 192.168.1.1:1050 ➝ 8.5.1.16:80
