Analysis | #totalhash

Analysis Date	2015-11-05 04:46:48
MD5	5d1b99f99abc98ebbeeb3485a3f1b6c7
SHA1	6e63ac9f30623cf9453e3d7eacf47be20f9ad661

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 4e3ce9cd0c0efbcbcbbecce402b8098a sha1: 3a127b138ea7e26f9b5c80ffd46861b97307a988 size: 844288
Section	.rdata md5: 6cef3b1aa4a9cfb2696d445ae5004fa7 sha1: 2bc25639cdc6cb6920991f12e270f70ba328ab7b size: 325632
Section	.data md5: 676804539c3954387aae07130fa3e629 sha1: 65194de5a82bfb4f8b9a6a0b2be5dc6bbc923d81 size: 7680
Timestamp	2015-04-15 02:05:27
Packer	Microsoft Visual C++ ?.?
PEhash	c68e94bb3a609994fae69a82644e6f7bf99e7339
IMPhash	8e2af33a3f1a23915b4e43ff1e8f5325
AV	Rising	no_virus
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Zusy.133308
AV	Dr. Web	Trojan.DownLoader17.37768
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Zusy.133308
AV	BullGuard	Gen:Variant.Zusy.133308
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	no_virus
AV	Trend Micro	no_virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Zusy.133308
AV	Ikarus	Trojan.Win32.Crypt
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Zusy.X.gen!Eldorado
AV	MalwareBytes	no_virus
AV	MicroWorld (escan)	Gen:Variant.Zusy.133308
AV	Microsoft Security Essentials	Trojan:Win32/Dynamer!ac
AV	K7	Trojan ( 004cd0081 )
AV	BitDefender	Gen:Variant.Zusy.133308
AV	Fortinet	W32/Bayrob.X!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Kryptik.DDQD
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Ad-Aware	Gen:Variant.Zusy.133308
AV	Twister	no_virus
AV	Avira (antivir)	TR/Crypt.XPACK.Gen2
AV	Mcafee	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Workstation Panel Logon Locator Now ➝ C:\WINDOWS\system32\lmszrzlgmf.exe
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\lck
Creates File	C:\WINDOWS\system32\lmszrzlgmf.exe
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\etc
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\tst
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\lmszrzlgmf.exe
Creates Service	Storage Audio Identity Interface Tools Portable - C:\WINDOWS\system32\lmszrzlgmf.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1164

Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\cfg
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\rng
Creates File	C:\WINDOWS\system32\dklnpjj.exe
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\lck
Creates File	C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\run
Creates File	C:\WINDOWS\system32\gtfixvkttwfel\tst
Creates File	pipe\net\NtControlPipe10
Creates File	\Device\Afd\Endpoint
Creates Process	C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe -r 35963 tcp
Creates Process	WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe"

Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe

Creates File	C:\WINDOWS\system32\gtfixvkttwfel\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe"

Creates File	C:\WINDOWS\system32\gtfixvkttwfel\tst

Process
↳ C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe -r 35963 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	nailthere.net Type: A 98.139.135.129
DNS	groupgrain.net Type: A 208.91.197.241
DNS	threeonly.net Type: A 208.91.197.241
DNS	naildeep.com Type: A 74.220.215.218
DNS	saltwear.net Type: A 50.63.202.34
DNS	equalfind.net Type: A 208.100.26.234
DNS	watchfind.net Type: A 69.172.201.208
DNS	watchwear.net Type: A 184.168.221.96
DNS	fairwear.net Type: A 208.91.197.27
DNS	dreamwear.net Type: A 185.53.177.8
DNS	spothelp.net Type: A 184.168.221.40
DNS	grouphelp.net Type: A 193.34.69.203
DNS	ableread.net Type: A
DNS	fearstate.net Type: A
DNS	longcold.net Type: A
DNS	fridayloss.net Type: A
DNS	wrongbelow.net Type: A
DNS	hilldance.net Type: A
DNS	eggbraker.com Type: A
DNS	ithouneed.com Type: A
DNS	saltfind.net Type: A
DNS	spotwear.net Type: A
DNS	spothurt.net Type: A
DNS	salthurt.net Type: A
DNS	gladtold.net Type: A
DNS	takentold.net Type: A
DNS	gladfind.net Type: A
DNS	takenfind.net Type: A
DNS	gladwear.net Type: A
DNS	takenwear.net Type: A
DNS	gladhurt.net Type: A
DNS	takenhurt.net Type: A
DNS	equaltold.net Type: A
DNS	grouptold.net Type: A
DNS	groupfind.net Type: A
DNS	equalwear.net Type: A
DNS	groupwear.net Type: A
DNS	equalhurt.net Type: A
DNS	grouphurt.net Type: A
DNS	spoketold.net Type: A
DNS	visittold.net Type: A
DNS	spokefind.net Type: A
DNS	visitfind.net Type: A
DNS	spokewear.net Type: A
DNS	visitwear.net Type: A
DNS	spokehurt.net Type: A
DNS	visithurt.net Type: A
DNS	watchtold.net Type: A
DNS	fairtold.net Type: A
DNS	fairfind.net Type: A
DNS	watchhurt.net Type: A
DNS	fairhurt.net Type: A
DNS	dreamtold.net Type: A
DNS	thistold.net Type: A
DNS	dreamfind.net Type: A
DNS	thisfind.net Type: A
DNS	thiswear.net Type: A
DNS	dreamhurt.net Type: A
DNS	thishurt.net Type: A
DNS	ariveslow.net Type: A
DNS	southslow.net Type: A
DNS	arivefebruary.net Type: A
DNS	southfebruary.net Type: A
DNS	arivehelp.net Type: A
DNS	southhelp.net Type: A
DNS	arivenovember.net Type: A
DNS	southnovember.net Type: A
DNS	uponslow.net Type: A
DNS	whichslow.net Type: A
DNS	uponfebruary.net Type: A
DNS	whichfebruary.net Type: A
DNS	uponhelp.net Type: A
DNS	whichhelp.net Type: A
DNS	uponnovember.net Type: A
DNS	whichnovember.net Type: A
DNS	spotslow.net Type: A
DNS	saltslow.net Type: A
DNS	spotfebruary.net Type: A
DNS	saltfebruary.net Type: A
DNS	salthelp.net Type: A
DNS	spotnovember.net Type: A
DNS	saltnovember.net Type: A
DNS	gladslow.net Type: A
DNS	takenslow.net Type: A
DNS	gladfebruary.net Type: A
DNS	takenfebruary.net Type: A
DNS	gladhelp.net Type: A
DNS	takenhelp.net Type: A
DNS	gladnovember.net Type: A
DNS	takennovember.net Type: A
DNS	equalslow.net Type: A
DNS	groupslow.net Type: A
DNS	equalfebruary.net Type: A
DNS	groupfebruary.net Type: A
DNS	equalhelp.net Type: A
DNS	equalnovember.net Type: A
DNS	groupnovember.net Type: A
HTTP GET	http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://saltwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://equalfind.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://watchfind.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://watchwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://fairwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://dreamwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://spothelp.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://grouphelp.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
HTTP GET	http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent:
Flows TCP	192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1044 ➝ 61.160.221.52:888
Flows TCP	192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1041 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1042 ➝ 50.63.202.34:80
Flows TCP	192.168.1.1:1043 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1044 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1045 ➝ 184.168.221.96:80
Flows TCP	192.168.1.1:1046 ➝ 208.91.197.27:80
Flows TCP	192.168.1.1:1047 ➝ 185.53.177.8:80
Flows TCP	192.168.1.1:1048 ➝ 184.168.221.40:80
Flows TCP	192.168.1.1:1049 ➝ 193.34.69.203:80
Flows TCP	192.168.1.1:1050 ➝ 8.5.1.16:80

Raw Pcap

Strings