Analysis Date: 2016-01-29 15:27:10
MD5: 15b08f0d67a5ce48f4565d39580ad33d
SHA1: 756521e5d117ab673d46fff4bc9b1c9e7b927580

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: aecc784ea5b0c7232a7b8105aacf73eb sha1: 07b99a38f26651d4bd7cbb53fb1002f61e109509 size: 522240
Section .rdata: md5: 1b9b610693d7e10fcee2ef43a27b4cdb sha1: 8a3789c69c4f1a3502b3fec7a092012d11b7aeef size: 26112
Section .data: md5: a91ee3a86d3d1a4d4232f20d32b4fef9 sha1: e727d1987151f5ac23b29bae3c9e4883c8d65b72 size: 20480
Section .reloc: md5: 42376c3df0e1242e276602a15e55a22d sha1: ae909aeeb354ed8b6c0b4a9ce56b35eef06a31bb size: 39424
Timestamp: 2014-07-15 08:11:19
Packer: Microsoft Visual C++ 8
PEhash: 9333b96fc19f56e7b4d09b561299f66fd7c1ff29
IMPhash: b0ebd5038077a48d9ed1a4aa065ac09b
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV BullGuard: Gen:Variant.Zusy.141475
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Ikarus: No Virus
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV Microsoft Security Essentials: No Virus
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Zusy.141475
AV Fortinet: W32/Bayrob.BM!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.ADAA
AV Eset (nod32): Win32/Bayrob.BM
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Avira (antivir): TR/Crypt.ZPACK.182568
AV Mcafee: Trojan-FHSQ!15B08F0D67A5

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\kiqpegymx\hj1khfl1zblmgh1hzy.exe
Creates File: C:\kiqpegymx\njjvgsxl
Creates File: C:\WINDOWS\kiqpegymx\njjvgsxl
Deletes File: C:\WINDOWS\kiqpegymx\njjvgsxl
Creates Process: C:\kiqpegymx\hj1khfl1zblmgh1hzy.exe

Process
↳ C:\kiqpegymx\hj1khfl1zblmgh1hzy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Auto-Discovery Connections Search Publication ➝ C:\kiqpegymx\oxvcwkmut.exe
Creates File: C:\kiqpegymx\oxvcwkmut.exe
Creates File: PIPE\lsarpc
Creates File: C:\kiqpegymx\njjvgsxl
Creates File: C:\kiqpegymx\uuq69a7tn3
Creates File: C:\WINDOWS\kiqpegymx\njjvgsxl
Deletes File: C:\WINDOWS\kiqpegymx\njjvgsxl
Creates Process: C:\kiqpegymx\oxvcwkmut.exe
Creates Service: Socket Config Scheduler Counter Call Key - C:\kiqpegymx\oxvcwkmut.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1152

Process
↳ C:\kiqpegymx\oxvcwkmut.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\kiqpegymx\uzoiwrdk
Creates File: C:\kiqpegymx\njjvgsxl
Creates File: \Device\Afd\Endpoint
Creates File: C:\kiqpegymx\uuq69a7tn3
Creates File: C:\kiqpegymx\wuipnxyu.exe
Creates File: C:\WINDOWS\kiqpegymx\njjvgsxl
Deletes File: C:\WINDOWS\kiqpegymx\njjvgsxl
Creates Process: aboqjtmfkjhe "c:\kiqpegymx\oxvcwkmut.exe"

Process
↳ C:\kiqpegymx\oxvcwkmut.exe

Creates File: C:\kiqpegymx\njjvgsxl
Creates File: C:\WINDOWS\kiqpegymx\njjvgsxl
Deletes File: C:\WINDOWS\kiqpegymx\njjvgsxl

Process
↳ aboqjtmfkjhe "c:\kiqpegymx\oxvcwkmut.exe"

Creates File: C:\kiqpegymx\njjvgsxl
Creates File: C:\WINDOWS\kiqpegymx\njjvgsxl
Deletes File: C:\WINDOWS\kiqpegymx\njjvgsxl

Network Details:

DNS: stillsurprise.net, Type: A ➝ 98.139.135.129
DNS: strengthdifferent.net, Type: A ➝ 208.100.26.234
DNS: machineclean.net, Type: A ➝ 208.109.181.40
DNS: rightclean.net, Type: A ➝ 66.175.213.119
DNS: rightcourse.net, Type: A ➝ 72.167.191.69
DNS: familyclean.net, Type: A ➝ 176.34.121.15
DNS: familyclean.net, Type: A ➝ 54.247.165.51
DNS: familyclean.net, Type: A ➝ 54.228.214.122
DNS: familyclean.net, Type: A ➝ 54.75.224.248
DNS: familyclean.net, Type: A ➝ 46.137.98.88
DNS: familyclean.net, Type: A ➝ 176.34.232.209
DNS: englishpaint.net, Type: A ➝ 82.165.249.114
DNS: englishcourse.net, Type: A ➝ 50.63.202.2
DNS: englishwomen.net, Type: A ➝ 207.148.248.143
DNS: persondivide.net, Type: A ➝ 98.139.135.129
DNS: suddennothing.net, Type: A ➝ 208.100.26.234
DNS: picturestream.net, Type: A ➝ 104.130.192.137
DNS: familystream.net, Type: A ➝ 149.210.210.187
DNS: machinebusiness.net, Type: A ➝ 69.73.160.55
DNS: resultbeside.net, Type: A
DNS: brokenletter.net, Type: A
DNS: resultletter.net, Type: A
DNS: brokendifferent.net, Type: A
DNS: resultdifferent.net, Type: A
DNS: preparesurprise.net, Type: A
DNS: desiresurprise.net, Type: A
DNS: preparebeside.net, Type: A
DNS: desirebeside.net, Type: A
DNS: prepareletter.net, Type: A
DNS: desireletter.net, Type: A
DNS: preparedifferent.net, Type: A
DNS: desiredifferent.net, Type: A
DNS: strengthsurprise.net, Type: A
DNS: strengthbeside.net, Type: A
DNS: stillbeside.net, Type: A
DNS: strengthletter.net, Type: A
DNS: stillletter.net, Type: A
DNS: stilldifferent.net, Type: A
DNS: expectclean.net, Type: A
DNS: becauseclean.net, Type: A
DNS: expectpaint.net, Type: A
DNS: becausepaint.net, Type: A
DNS: expectcourse.net, Type: A
DNS: becausecourse.net, Type: A
DNS: expectwomen.net, Type: A
DNS: becausewomen.net, Type: A
DNS: personclean.net, Type: A
DNS: personpaint.net, Type: A
DNS: machinepaint.net, Type: A
DNS: personcourse.net, Type: A
DNS: machinecourse.net, Type: A
DNS: personwomen.net, Type: A
DNS: machinewomen.net, Type: A
DNS: suddenclean.net, Type: A
DNS: foreignclean.net, Type: A
DNS: suddenpaint.net, Type: A
DNS: foreignpaint.net, Type: A
DNS: suddencourse.net, Type: A
DNS: foreigncourse.net, Type: A
DNS: suddenwomen.net, Type: A
DNS: foreignwomen.net, Type: A
DNS: whetherclean.net, Type: A
DNS: whetherpaint.net, Type: A
DNS: rightpaint.net, Type: A
DNS: whethercourse.net, Type: A
DNS: whetherwomen.net, Type: A
DNS: rightwomen.net, Type: A
DNS: figureclean.net, Type: A
DNS: thoughclean.net, Type: A
DNS: figurepaint.net, Type: A
DNS: thoughpaint.net, Type: A
DNS: figurecourse.net, Type: A
DNS: thoughcourse.net, Type: A
DNS: figurewomen.net, Type: A
DNS: thoughwomen.net, Type: A
DNS: pictureclean.net, Type: A
DNS: cigaretteclean.net, Type: A
DNS: picturepaint.net, Type: A
DNS: cigarettepaint.net, Type: A
DNS: picturecourse.net, Type: A
DNS: cigarettecourse.net, Type: A
DNS: picturewomen.net, Type: A
DNS: cigarettewomen.net, Type: A
DNS: childrenclean.net, Type: A
DNS: childrenpaint.net, Type: A
DNS: familypaint.net, Type: A
DNS: childrencourse.net, Type: A
DNS: familycourse.net, Type: A
DNS: childrenwomen.net, Type: A
DNS: familywomen.net, Type: A
DNS: eitherclean.net, Type: A
DNS: englishclean.net, Type: A
DNS: eitherpaint.net, Type: A
DNS: eithercourse.net, Type: A
DNS: eitherwomen.net, Type: A
DNS: expectstream.net, Type: A
DNS: becausestream.net, Type: A
DNS: expectnothing.net, Type: A
DNS: becausenothing.net, Type: A
DNS: expectbottle.net, Type: A
DNS: becausebottle.net, Type: A
DNS: expectdivide.net, Type: A
DNS: becausedivide.net, Type: A
DNS: personstream.net, Type: A
DNS: machinestream.net, Type: A
DNS: personnothing.net, Type: A
DNS: machinenothing.net, Type: A
DNS: personbottle.net, Type: A
DNS: machinebottle.net, Type: A
DNS: machinedivide.net, Type: A
DNS: suddenstream.net, Type: A
DNS: foreignstream.net, Type: A
DNS: foreignnothing.net, Type: A
DNS: suddenbottle.net, Type: A
DNS: foreignbottle.net, Type: A
DNS: suddendivide.net, Type: A
DNS: foreigndivide.net, Type: A
DNS: whetherstream.net, Type: A
DNS: rightstream.net, Type: A
DNS: whethernothing.net, Type: A
DNS: rightnothing.net, Type: A
DNS: whetherbottle.net, Type: A
DNS: rightbottle.net, Type: A
DNS: whetherdivide.net, Type: A
DNS: rightdivide.net, Type: A
DNS: figurestream.net, Type: A
DNS: thoughstream.net, Type: A
DNS: figurenothing.net, Type: A
DNS: thoughnothing.net, Type: A
DNS: figurebottle.net, Type: A
DNS: thoughbottle.net, Type: A
DNS: figuredivide.net, Type: A
DNS: thoughdivide.net, Type: A
DNS: cigarettestream.net, Type: A
DNS: picturenothing.net, Type: A
DNS: cigarettenothing.net, Type: A
DNS: picturebottle.net, Type: A
DNS: cigarettebottle.net, Type: A
DNS: picturedivide.net, Type: A
DNS: cigarettedivide.net, Type: A
DNS: childrenstream.net, Type: A
DNS: childrennothing.net, Type: A
DNS: familynothing.net, Type: A
DNS: childrenbottle.net, Type: A
DNS: familybottle.net, Type: A
DNS: childrendivide.net, Type: A
DNS: familydivide.net, Type: A
DNS: eitherstream.net, Type: A
DNS: englishstream.net, Type: A
DNS: eithernothing.net, Type: A
DNS: englishnothing.net, Type: A
DNS: eitherbottle.net, Type: A
DNS: englishbottle.net, Type: A
DNS: eitherdivide.net, Type: A
DNS: englishdivide.net, Type: A
DNS: expectmanner.net, Type: A
DNS: becausemanner.net, Type: A
DNS: expectanother.net, Type: A
DNS: becauseanother.net, Type: A
DNS: expectbusiness.net, Type: A
DNS: becausebusiness.net, Type: A
DNS: expectappear.net, Type: A
DNS: becauseappear.net, Type: A
DNS: personmanner.net, Type: A
DNS: machinemanner.net, Type: A
DNS: personanother.net, Type: A
DNS: machineanother.net, Type: A
DNS: personbusiness.net, Type: A
DNS: personappear.net, Type: A
DNS: machineappear.net, Type: A
DNS: suddenmanner.net, Type: A
DNS: foreignmanner.net, Type: A
DNS: suddenanother.net, Type: A
DNS: foreignanother.net, Type: A
DNS: suddenbusiness.net, Type: A
HTTP GET: http://stillsurprise.net/index.php
User-Agent:
HTTP GET: http://strengthdifferent.net/index.php
User-Agent:
HTTP GET: http://machineclean.net/index.php
User-Agent:
HTTP GET: http://rightclean.net/index.php
User-Agent:
HTTP GET: http://rightcourse.net/index.php
User-Agent:
HTTP GET: http://familyclean.net/index.php
User-Agent:
HTTP GET: http://englishpaint.net/index.php
User-Agent:
HTTP GET: http://englishcourse.net/index.php
User-Agent:
HTTP GET: http://englishwomen.net/index.php
User-Agent:
HTTP GET: http://persondivide.net/index.php
User-Agent:
HTTP GET: http://suddennothing.net/index.php
User-Agent:
HTTP GET: http://picturestream.net/index.php
User-Agent:
HTTP GET: http://familystream.net/index.php
User-Agent:
HTTP GET: http://machinebusiness.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 208.109.181.40:80
Flows TCP: 192.168.1.1:1034 ➝ 66.175.213.119:80
Flows TCP: 192.168.1.1:1035 ➝ 72.167.191.69:80
Flows TCP: 192.168.1.1:1036 ➝ 176.34.121.15:80
Flows TCP: 192.168.1.1:1037 ➝ 82.165.249.114:80
Flows TCP: 192.168.1.1:1038 ➝ 50.63.202.2:80
Flows TCP: 192.168.1.1:1039 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1042 ➝ 104.130.192.137:80
Flows TCP: 192.168.1.1:1043 ➝ 149.210.210.187:80
Flows TCP: 192.168.1.1:1044 ➝ 69.73.160.55:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74696c6c 73757270 72697365 2e6e6574   tillsurprise.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   7472656e 67746864 69666665 72656e74   trengthdifferent
0x00000050 (00080)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61636869 6e65636c 65616e2e 6e65740d   achineclean.net.
0x00000050 (00080)   0a0d0a74 0d0a0d0a                     ...t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 636c6561 6e2e6e65 740d0a0d   ightclean.net...
0x00000050 (00080)   0a0d0a74 0d0a0d0a                     ...t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 636f7572 73652e6e 65740d0a   ightcourse.net..
0x00000050 (00080)   0d0a0a74 0d0a0d0a                     ...t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79636c65 616e2e6e 65740d0a   amilyclean.net..
0x00000050 (00080)   0d0a0a74 0d0a0d0a                     ...t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73687061 696e742e 6e65740d   nglishpaint.net.
0x00000050 (00080)   0a0d0a74 0d0a0d0a                     ...t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 7368636f 75727365 2e6e6574   nglishcourse.net
0x00000050 (00080)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 7368776f 6d656e2e 6e65740d   nglishwomen.net.
0x00000050 (00080)   0a0d0a0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6572736f 6e646976 6964652e 6e65740d   ersondivide.net.
0x00000050 (00080)   0a0d0a0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   75646465 6e6e6f74 68696e67 2e6e6574   uddennothing.net
0x00000050 (00080)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72657374 7265616d 2e6e6574   icturestream.net
0x00000050 (00080)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79737472 65616d2e 6e65740d   amilystream.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61636869 6e656275 73696e65 73732e6e   achinebusiness.n
0x00000050 (00080)   65740d0a 0d0a                         et....

Strings