Analysis Date | 2015-11-05 04:46:48 |
---|---|
MD5 | 5d1b99f99abc98ebbeeb3485a3f1b6c7 |
SHA1 | 6e63ac9f30623cf9453e3d7eacf47be20f9ad661 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 4e3ce9cd0c0efbcbcbbecce402b8098a sha1: 3a127b138ea7e26f9b5c80ffd46861b97307a988 size: 844288 | |
Section | .rdata md5: 6cef3b1aa4a9cfb2696d445ae5004fa7 sha1: 2bc25639cdc6cb6920991f12e270f70ba328ab7b size: 325632 | |
Section | .data md5: 676804539c3954387aae07130fa3e629 sha1: 65194de5a82bfb4f8b9a6a0b2be5dc6bbc923d81 size: 7680 | |
Timestamp | 2015-04-15 02:05:27 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | c68e94bb3a609994fae69a82644e6f7bf99e7339 | |
IMPhash | 8e2af33a3f1a23915b4e43ff1e8f5325 | |
AV | Rising | no_virus |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Zusy.133308 |
AV | Dr. Web | Trojan.DownLoader17.37768 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Zusy.133308 |
AV | BullGuard | Gen:Variant.Zusy.133308 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | no_virus |
AV | Trend Micro | no_virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Zillya! | no_virus |
AV | Emsisoft | Gen:Variant.Zusy.133308 |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Zusy.X.gen!Eldorado |
AV | MalwareBytes | no_virus |
AV | MicroWorld (escan) | Gen:Variant.Zusy.133308 |
AV | Microsoft Security Essentials | Trojan:Win32/Dynamer!ac |
AV | K7 | Trojan ( 004cd0081 ) |
AV | BitDefender | Gen:Variant.Zusy.133308 |
AV | Fortinet | W32/Bayrob.X!tr |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Kryptik.DDQD |
AV | Alwil (avast) | Downloader-TLD [Trj] |
AV | Ad-Aware | Gen:Variant.Zusy.133308 |
AV | Twister | no_virus |
AV | Avira (antivir) | TR/Crypt.XPACK.Gen2 |
AV | Mcafee | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe |
---|---|
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Workstation Panel Logon Locator Now ➝ C:\WINDOWS\system32\lmszrzlgmf.exe |
---|---|
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\lck |
Creates File | C:\WINDOWS\system32\lmszrzlgmf.exe |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\etc |
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\tst |
Deletes File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\lmszrzlgmf.exe |
Creates Service | Storage Audio Identity Interface Tools Portable - C:\WINDOWS\system32\lmszrzlgmf.exe |
Process
↳ Pid 808
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|---|
Process
↳ Pid 1116
Process
↳ Pid 1212
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\ |
Creates File | WMIDataDevice |
Process
↳ Pid 1868
Process
↳ Pid 1164
Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
---|---|
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\cfg |
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\rng |
Creates File | C:\WINDOWS\system32\dklnpjj.exe |
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\lck |
Creates File | C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe |
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\run |
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\tst |
Creates File | pipe\net\NtControlPipe10 |
Creates File | \Device\Afd\Endpoint |
Creates Process | C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe -r 35963 tcp |
Creates Process | WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe" |
Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\tst |
---|---|
Process
↳ WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe"
Creates File | C:\WINDOWS\system32\gtfixvkttwfel\tst |
---|---|
Process
↳ C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe -r 35963 tcp
Creates File | \Device\Afd\Endpoint |
---|---|
Winsock DNS | 239.255.255.250 |
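The runtime rows above form one install chain: the dropper writes a randomly named executable to the user's Temp directory, that stage drops lmszrzlgmf.exe into system32 and registers it twice (a Run key value named "Workstation Panel Logon Locator Now" and a service named "Storage Audio Identity Interface Tools Portable"), creates and then deletes the hosts file, and the installed binary in turn sets FirewallDisableNotify under Security Center, drops a second helper launched with `-r 35963 tcp`, and relaunches its own image under a WATCHDOGPROC command line. The Python below is an added example, not part of the original report: it parses rows in the page's own `Action | detail |` layout and correlates them into those host indicators. The excerpt it consumes is copied from the rows above; the row grammar (a `Process` line, a `↳ image` line, then action rows) is inferred from the page rather than taken from a documented schema.

```python
"""Host indicators from the Runtime Details rows of this report.

Added example, not part of the original report. REPORT_ROWS is copied from the
rows above; the row grammar ("Action | detail |" under a "Process" / "↳ image"
pair) is inferred from the page, not from a documented sandbox schema.
"""
import re

# Copied excerpt of the Runtime Details rows (table separator lines omitted).
REPORT_ROWS = r"""
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hbkqzi1l4umcdcaekxoux.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Workstation Panel Logon Locator Now ➝ C:\WINDOWS\system32\lmszrzlgmf.exe |
Creates File | C:\WINDOWS\system32\lmszrzlgmf.exe |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Deletes File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\lmszrzlgmf.exe |
Creates Service | Storage Audio Identity Interface Tools Portable - C:\WINDOWS\system32\lmszrzlgmf.exe |
Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
Creates File | C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe |
Creates Process | C:\WINDOWS\TEMP\hbkqzi1sfvmcdca.exe -r 35963 tcp |
Creates Process | WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe" |
"""

ROW = re.compile(r"^(?P<action>[A-Za-z ]+) \| (?P<detail>.+?) \|$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^➝]+➝ (?P<path>.+)$")
SERVICE = re.compile(r"^(?P<name>.+?) - (?P<path>[A-Za-z]:\\.+)$")


def parse_rows(text):
    """Return (process, action, detail) triples; a '↳ image' line sets the current process."""
    process, events = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("↳ "):
            process = line[2:]
        elif (m := ROW.match(line)):
            events.append((process, m["action"], m["detail"]))
    return events


def persistence(events):
    """Dropped binaries that are also registered through a Run key or a service."""
    dropped = {d.lower() for _, a, d in events if a == "Creates File"}
    hits = {}
    for _, action, detail in events:
        if action == "Registry" and (m := RUN_KEY.search(detail)):
            hits.setdefault(m["path"].lower(), set()).add("run_key")
        elif action == "Creates Service" and (m := SERVICE.match(detail)):
            hits.setdefault(m["path"].lower(), set()).add("service")
    return {p: sorted(k) for p, k in hits.items() if p in dropped}


def hosts_file_events(events):
    """Processes that created or deleted the hosts file (local name-resolution override)."""
    return sorted({p for p, a, d in events
                   if a in ("Creates File", "Deletes File")
                   and d.lower().endswith(r"\drivers\etc\hosts")})


def security_center_changes(events):
    """Registry writes under the Security Center key (here the firewall notification is silenced)."""
    return [d for _, a, d in events if a == "Registry" and "\\Security Center\\" in d]


def watchdog_spawns(events):
    """Processes that launch their own image again under a different command line."""
    return [(p, d) for p, a, d in events
            if a == "Creates Process" and p and p.lower() in d.lower() and d.lower() != p.lower()]


def summarize(events):
    return {
        "persistence": persistence(events),
        "hosts_file_writers": hosts_file_events(events),
        "security_center": security_center_changes(events),
        "watchdog": watchdog_spawns(events),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(REPORT_ROWS)).items():
        print(f"{key}: {value}")
```

The correlation that matters is in `persistence`: a Run key or a service pointing at a binary that the same trace shows being written is a far stronger signal than either registration alone, since legitimate installers rarely do both for one freshly dropped system32 executable with a random name. The process-tree "Pid NNN" rows on this page carry no image path and are skipped by the parser as written.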
Network Details:
DNS | melbourneit.hotkeysparking.com Type: A 8.5.1.16 |
---|---|
DNS | nailthere.net Type: A 98.139.135.129 |
DNS | groupgrain.net Type: A 208.91.197.241 |
DNS | threeonly.net Type: A 208.91.197.241 |
DNS | naildeep.com Type: A 74.220.215.218 |
DNS | saltwear.net Type: A 50.63.202.34 |
DNS | equalfind.net Type: A 208.100.26.234 |
DNS | watchfind.net Type: A 69.172.201.208 |
DNS | watchwear.net Type: A 184.168.221.96 |
DNS | fairwear.net Type: A 208.91.197.27 |
DNS | dreamwear.net Type: A 185.53.177.8 |
DNS | spothelp.net Type: A 184.168.221.40 |
DNS | grouphelp.net Type: A 193.34.69.203 |
DNS | ableread.net Type: A |
DNS | fearstate.net Type: A |
DNS | longcold.net Type: A |
DNS | fridayloss.net Type: A |
DNS | wrongbelow.net Type: A |
DNS | hilldance.net Type: A |
DNS | eggbraker.com Type: A |
DNS | ithouneed.com Type: A |
DNS | saltfind.net Type: A |
DNS | spotwear.net Type: A |
DNS | spothurt.net Type: A |
DNS | salthurt.net Type: A |
DNS | gladtold.net Type: A |
DNS | takentold.net Type: A |
DNS | gladfind.net Type: A |
DNS | takenfind.net Type: A |
DNS | gladwear.net Type: A |
DNS | takenwear.net Type: A |
DNS | gladhurt.net Type: A |
DNS | takenhurt.net Type: A |
DNS | equaltold.net Type: A |
DNS | grouptold.net Type: A |
DNS | groupfind.net Type: A |
DNS | equalwear.net Type: A |
DNS | groupwear.net Type: A |
DNS | equalhurt.net Type: A |
DNS | grouphurt.net Type: A |
DNS | spoketold.net Type: A |
DNS | visittold.net Type: A |
DNS | spokefind.net Type: A |
DNS | visitfind.net Type: A |
DNS | spokewear.net Type: A |
DNS | visitwear.net Type: A |
DNS | spokehurt.net Type: A |
DNS | visithurt.net Type: A |
DNS | watchtold.net Type: A |
DNS | fairtold.net Type: A |
DNS | fairfind.net Type: A |
DNS | watchhurt.net Type: A |
DNS | fairhurt.net Type: A |
DNS | dreamtold.net Type: A |
DNS | thistold.net Type: A |
DNS | dreamfind.net Type: A |
DNS | thisfind.net Type: A |
DNS | thiswear.net Type: A |
DNS | dreamhurt.net Type: A |
DNS | thishurt.net Type: A |
DNS | ariveslow.net Type: A |
DNS | southslow.net Type: A |
DNS | arivefebruary.net Type: A |
DNS | southfebruary.net Type: A |
DNS | arivehelp.net Type: A |
DNS | southhelp.net Type: A |
DNS | arivenovember.net Type: A |
DNS | southnovember.net Type: A |
DNS | uponslow.net Type: A |
DNS | whichslow.net Type: A |
DNS | uponfebruary.net Type: A |
DNS | whichfebruary.net Type: A |
DNS | uponhelp.net Type: A |
DNS | whichhelp.net Type: A |
DNS | uponnovember.net Type: A |
DNS | whichnovember.net Type: A |
DNS | spotslow.net Type: A |
DNS | saltslow.net Type: A |
DNS | spotfebruary.net Type: A |
DNS | saltfebruary.net Type: A |
DNS | salthelp.net Type: A |
DNS | spotnovember.net Type: A |
DNS | saltnovember.net Type: A |
DNS | gladslow.net Type: A |
DNS | takenslow.net Type: A |
DNS | gladfebruary.net Type: A |
DNS | takenfebruary.net Type: A |
DNS | gladhelp.net Type: A |
DNS | takenhelp.net Type: A |
DNS | gladnovember.net Type: A |
DNS | takennovember.net Type: A |
DNS | equalslow.net Type: A |
DNS | groupslow.net Type: A |
DNS | equalfebruary.net Type: A |
DNS | groupfebruary.net Type: A |
DNS | equalhelp.net Type: A |
DNS | equalnovember.net Type: A |
DNS | groupnovember.net Type: A |
HTTP GET | http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://saltwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://equalfind.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://watchfind.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://watchwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://fairwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://dreamwear.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://spothelp.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://grouphelp.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
HTTP GET | http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr User-Agent: |
Flows TCP | 192.168.1.1:1036 ➝ 8.5.1.16:80 |
Flows TCP | 192.168.1.1:1044 ➝ 61.160.221.52:888 |
Flows TCP | 192.168.1.1:1038 ➝ 98.139.135.129:80 |
Flows TCP | 192.168.1.1:1039 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1040 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1041 ➝ 74.220.215.218:80 |
Flows TCP | 192.168.1.1:1042 ➝ 50.63.202.34:80 |
Flows TCP | 192.168.1.1:1043 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1044 ➝ 69.172.201.208:80 |
Flows TCP | 192.168.1.1:1045 ➝ 184.168.221.96:80 |
Flows TCP | 192.168.1.1:1046 ➝ 208.91.197.27:80 |
Flows TCP | 192.168.1.1:1047 ➝ 185.53.177.8:80 |
Flows TCP | 192.168.1.1:1048 ➝ 184.168.221.40:80 |
Flows TCP | 192.168.1.1:1049 ➝ 193.34.69.203:80 |
Flows TCP | 192.168.1.1:1050 ➝ 8.5.1.16:80 |
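Three features of the network trace above can be checked mechanically: every HTTP request carries the same `index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr` check-in URI with an empty User-Agent, nearly all queried names are two concatenated English words under .net (glad/taken/equal/group/spot/salt ... combined with told/find/wear/hurt/slow/help/february/november), and one TCP flow (61.160.221.52:888) goes to an address that no DNS answer in the trace produced. The Python below is an added example and not code from the report. Its domain list, DNS answers and flow destinations are copied from the rows above; the proxy-style log lines are constructed and their format is an assumption (the page carries no proxy log); and the affix-frequency split is a generic heuristic for wordlist-based DGA families, not this sample's actual domain generation algorithm.

```python
"""Network indicators from the Network Details rows of this report.

Added example, not part of the original report. QUERIED_DOMAINS, DNS_ANSWERS and
FLOW_DESTINATIONS are copied from the rows above; PROXY_LOG is constructed and
its format is an assumption. The affix test is a generic heuristic for wordlist
DGAs, not this sample's real generation algorithm.
"""
import re
from collections import Counter

# Copied from the DNS rows above (a representative subset).
QUERIED_DOMAINS = """
melbourneit.hotkeysparking.com nailthere.net groupgrain.net threeonly.net naildeep.com
saltwear.net equalfind.net watchfind.net watchwear.net fairwear.net dreamwear.net
spothelp.net grouphelp.net ableread.net fearstate.net longcold.net fridayloss.net
wrongbelow.net hilldance.net eggbraker.com ithouneed.com saltfind.net spotwear.net
spothurt.net salthurt.net gladtold.net takentold.net gladfind.net takenfind.net
gladwear.net takenwear.net gladhurt.net takenhurt.net equaltold.net grouptold.net
groupfind.net equalwear.net groupwear.net equalhurt.net grouphurt.net ariveslow.net
southslow.net arivefebruary.net southfebruary.net spotslow.net saltslow.net
gladslow.net takenslow.net equalslow.net groupslow.net gladnovember.net takennovember.net
""".split()

# Copied from the DNS rows that returned an A record, and from the Flows TCP rows.
DNS_ANSWERS = {
    "melbourneit.hotkeysparking.com": "8.5.1.16", "nailthere.net": "98.139.135.129",
    "groupgrain.net": "208.91.197.241", "threeonly.net": "208.91.197.241",
    "naildeep.com": "74.220.215.218", "saltwear.net": "50.63.202.34",
    "equalfind.net": "208.100.26.234", "watchfind.net": "69.172.201.208",
    "watchwear.net": "184.168.221.96", "fairwear.net": "208.91.197.27",
    "dreamwear.net": "185.53.177.8", "spothelp.net": "184.168.221.40",
    "grouphelp.net": "193.34.69.203",
}
FLOW_DESTINATIONS = [("8.5.1.16", 80), ("61.160.221.52", 888), ("98.139.135.129", 80),
                     ("208.91.197.241", 80), ("193.34.69.203", 80)]

# Constructed proxy-style lines ("time client host method uri status"); not from the page.
PROXY_LOG = """\
2015-11-05T04:47:01 192.168.1.1 ableread.net GET /index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr 200
2015-11-05T04:47:02 192.168.1.1 nailthere.net GET /index.php?method=validate&mode=sox&v=048&sox=430a4a01&lenhdr 200
2015-11-05T04:47:09 192.168.1.1 www.example.org GET /index.php?method=validate&id=7 200
2015-11-05T04:47:11 192.168.1.1 saltwear.net GET /favicon.ico 404
"""
# The check-in URI from the HTTP GET rows; version and sox value are left variable.
BEACON_URI = re.compile(r"^/index\.php\?method=validate&mode=sox&v=\d{3}&sox=(?P<sox>[0-9a-f]{8})&lenhdr$")


def registrable_label(domain):
    """Second-level label: 'gladtold.net' -> 'gladtold'."""
    return domain.rstrip(".").split(".")[-2]


def wordlist_dga_candidates(domains, min_support=2):
    """Labels that split into a prefix and a suffix each shared by >= min_support labels.

    A wordlist DGA recombines a small set of words, so both halves of a generated
    label recur across the sightings; a one-off name such as 'hotkeysparking'
    has no such split and comes back unflagged.
    """
    labels = sorted({registrable_label(d) for d in domains})
    prefixes, suffixes = Counter(), Counter()
    for lab in labels:
        for i in range(3, len(lab) - 2):          # both halves at least 3 chars
            prefixes[lab[:i]] += 1
            suffixes[lab[i:]] += 1
    flagged = {}
    for lab in labels:
        best = None
        for i in range(3, len(lab) - 2):
            support = min(prefixes[lab[:i]], suffixes[lab[i:]])
            if support >= min_support and (best is None or support > best[2]):
                best = (lab[:i], lab[i:], support)
        if best:
            flagged[lab] = best
    return flagged


def beacon_hits(log_text):
    """(host, sox) for each request whose URI matches the validate/sox check-in."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and (m := BEACON_URI.match(fields[4])):
            hits.append((fields[2], m["sox"]))
    return hits


def direct_ip_connections(dns_answers, flows):
    """Flow destinations that no DNS answer in the trace accounts for: hard-coded C2 candidates."""
    resolved = set(dns_answers.values())
    return sorted({(ip, port) for ip, port in flows if ip not in resolved})


if __name__ == "__main__":
    dga = wordlist_dga_candidates(QUERIED_DOMAINS)
    print(f"{len(dga)} of {len(QUERIED_DOMAINS)} names look wordlist-generated")
    print("check-ins:", beacon_hits(PROXY_LOG))
    print("direct-to-IP:", direct_ip_connections(DNS_ANSWERS, FLOW_DESTINATIONS))
```

The affix heuristic only works on a population: with the subset embedded above, fairwear and dreamwear stay unflagged because no second fair* or dream* name is included, whereas the full DNS list on this page (fairtold, fairfind, fairhurt, dreamtold, ...) gives them the support they need. The URI regex is the more portable indicator, and the empty User-Agent the sandbox recorded on every GET is a cheap second filter at the proxy.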