Analysis Date: 2015-05-01 13:47:49
MD5: 71ecedec7bc40433a48e1c66074825fd
SHA1: 7a99975e858132ce13103e8b6b55a2910a82a128

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 580e81255ebfab87967d8418002de2f9 sha1: 7aa12258cb16c0a6e5d41fc6b015894b91060115 size: 10752
Section .rdata md5: ca63502247da7bc9464a08c745ef1836 sha1: a9b37376035c9413cfb0d303b0f0cb1350d4d027 size: 3072
Section .data md5: 8570121f161f65b56d195e7190002fd2 sha1: 5377dea9068285121d9da0409d307d4548b79310 size: 21504
Section .reloc md5: 2b66b73d1fda6dba169e48ccdebac721 sha1: 043a759d08c4d9bb38b1197cab16d0b3ea90a4c3 size: 1024
Timestamp: 2002-04-25 01:03:53
PEhash: 66f34360d41009d2af5f5f8678c4eeebe0b8ba99
IMPhash: 9cc58992837ed0ed0260c0727355a558
AV Ad-Aware: Generic.Malware.SFdld.024C2FEF
AV Alwil (avast): ShellCode-AU [Trj]
AV Arcabit (arcavir): Generic.Malware.SFdld.024C2FEF
AV Authentium: Patched
AV Avira (antivir): TR/Spy.Gen
AV BitDefender: Generic.Malware.SFdld.024C2FEF
AV BullGuard: Generic.Malware.SFdld.024C2FEF
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail.BS4
AV ClamAV: Win.Trojan.Pushdo-43
AV Dr. Web: Trojan.DownLoader6.62576
AV Emsisoft: Generic.Malware.SFdld.024C2FEF
AV Eset (nod32): Win32/Wigon.PB
AV Fortinet: W32/Pushdo.B!tr.bdr
AV Frisk (f-prot): New or modified Patched
AV F-Secure: Generic.Malware.SFdld.024C2FEF
AV Grisoft (avg): BackDoor.Generic16.IFV
AV Ikarus: Gen.Trojan
AV K7: Backdoor ( 003e613b1 )
AV Kaspersky: Backdoor.Win32.Pushdo.b
AV MalwareBytes: Spyware.Password
AV Mcafee: Downloader-FKQ!71ECEDEC7BC4
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Generic.Malware.SFdld.024C2FEF
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Emogen-Y
AV Symantec: SecurityRisk.Downldr
AV Trend Micro: Mal_DLDER
AV Twister: Backdoor.CCCCCCCC@240E10.mg
AV VirusBlokAda (vba32): Backdoor.Pushdo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\qyftegoblari ➝ C:\Documents and Settings\Administrator\qyftegoblari.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\qyftegoblari.exe
Creates Mutex: qyftegoblari

Network Details:

DNS: 4dbenelux.be (Type: A) ➝ 195.14.0.52
DNS: 4esports.eu (Type: A) ➝ 212.172.221.9
DNS: 4dmobil.at (Type: A) ➝ 193.200.113.66
DNS: 9welten.de (Type: A) ➝ 5.159.56.6
DNS: 4evergames.nl (Type: A) ➝ 185.13.226.250
DNS: 4evernails.nl (Type: A) ➝ 109.237.208.85
DNS: 9neunzig.de (Type: A) ➝ 109.237.130.21
DNS: 4evermusic.pl (Type: A) ➝ 86.111.240.157
DNS: 4eversoft.hu (Type: A) ➝ 185.51.65.164
DNS: accountingtechs.biz (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 195.14.0.52:443
Flows TCP: 192.168.1.1:1032 ➝ 195.14.0.52:443
Flows TCP: 192.168.1.1:1033 ➝ 212.172.221.9:443
Flows TCP: 192.168.1.1:1034 ➝ 212.172.221.9:443
Flows TCP: 192.168.1.1:1035 ➝ 193.200.113.66:443
Flows TCP: 192.168.1.1:1036 ➝ 193.200.113.66:443
Flows TCP: 192.168.1.1:1037 ➝ 5.159.56.6:443
Flows TCP: 192.168.1.1:1038 ➝ 5.159.56.6:443
Flows TCP: 192.168.1.1:1039 ➝ 185.13.226.250:443
Flows TCP: 192.168.1.1:1040 ➝ 185.13.226.250:443
Flows TCP: 192.168.1.1:1041 ➝ 109.237.208.85:443
Flows TCP: 192.168.1.1:1042 ➝ 109.237.208.85:443
Flows TCP: 192.168.1.1:1043 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1044 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1045 ➝ 195.14.0.52:443
Flows TCP: 192.168.1.1:1046 ➝ 195.14.0.52:443
Flows TCP: 192.168.1.1:1047 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1048 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1049 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1050 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1051 ➝ 86.111.240.157:443
Flows TCP: 192.168.1.1:1052 ➝ 86.111.240.157:443
Flows TCP: 192.168.1.1:1053 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1054 ➝ 109.237.130.21:443
Flows TCP: 192.168.1.1:1055 ➝ 185.51.65.164:443
Flows TCP: 192.168.1.1:1056 ➝ 185.51.65.164:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.
Strings
.7

)gzip
text
041C1I1^1e1v1|1
1:a[HH>
2)2.2;2F2X2b2
233;3G3Y3^3
?2?9?@?I?l?
3<4P4W4k4r4
:4;A;H;==w=
4elements.us;8zstabor.taborak.cz;4entertainmentgroup.tv;4ergindl.at;4erotik.de;accounting.ee;0daymusic.biz;0handicap.at;4darabians.nl;4dbenelux.be;0kommanix.de;4effect.ca;4egolifestyle.de;4elementos.cl;4energia.ee;4ergindl.at;4erotik.de;accounting.ee;0daymusic.biz;0handicap.at;4darabians.nl;4dbenelux.be;0kommanix.de;4effect.ca;4egolifestyle.de;4elementos.cl;4-elements.ch;4elements.de;4elements.pl;4elements.us;
5"565>5P5
>->6>J>
6N{#>n
7:7N7U7g7q7w7
7#$E48\NU|q{
7%?R4U{t
7V7@8F8L8
8$8@8J8Q8w8
8_9e9j9w9
9	:9:B:
=(9m[o
9o D}1X
9R\:_FwT^C78
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Accept: */*
Accept-Language: en-us
ADVAPI32.dll
AppManagement
#a*RzDs
B?r3ST
{C1BDBEFC-9C3C-4bb9-9127-45B2F8F5127B}
C9#eVR
CloseHandle
CoCreateInstance
CoInitialize
Co	mh~
Content-Length: %d
Content-Type: application/octet-stream
CopyFileA
CoUninitialize
CreateFileA
CreateMutexA
CreateProcessA
CreateRemoteThread
CreateThread
CreateWellKnownSid
@.data
:%:D:K:U:
EqualSid
ExitProcess
GetAdaptersInfo
GetAllUsersProfileDirectoryA
GetCurrentProcess
GetEnvironmentVariableA
GetExitCodeProcess
GetLastError
GetModuleFileNameA
GetProcAddress
GetProcessHeap
GetSystemDirectoryA
GetTempFileNameA
GetThreadContext
GetTickCount
GetTokenInformation
GetVolumeInformationA
g^xLFc:7	
g^xLFc:7W11T14Z:@iLU
HeapAlloc
HeapFree
H${E$~K-
,H+G=Bb
HttpAddRequestHeadersA
HttpOpenRequestA
http://%s
HttpSendRequestA
https://%s
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
IPHLPAPI.DLL
jFxF)^
:=;J;Y;b;
K&|E#|H)
KERNEL32.dll
LoadLibraryExA
lstrcatA
lstrcmpiA
lstrcpyA
lstrlenA
l`tVMdIC]EB_JJjX[~ou
{m7%5m
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
n\m8)=
O)~F#{F&
ole32.dll
OpenProcessToken
PGltZyBzcmM9ImRhdGE6aW1hZ2UvanBlZztiYXNlNjQs
ph+Mc:!
PVVVVVV
QueryPerformanceCounter
qyftegoblari
&'$R,"
`.rdata
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
ResumeThread
Rich=U
SetThreadContext
SetUnhandledExceptionFilter
SHLWAPI.dll
software\microsoft\windows\currentversion
Software\Microsoft\Windows\CurrentVersion
software\microsoft\windows\currentversion\run
Soi[89
%s\%s.exe
\system32\svchost.exe
SystemRoot
T8oA(b7!^6#c>.qOB
TerminateProcess
!This program cannot be run in DOS mode.
/<TLu]h-
TMi?;Z32T02W6;cEMx]h
]UpE@^64U01U37^?FpT^
USER32.dll
USERENV.dll
USERPROFILE
VirtualAlloc
VirtualAllocEx
VirtualFree
 ^W6({8
WaitForSingleObject
WININET.dll
wnsprintfA
WriteFile
WriteProcessMemory
WS2_32.dll
wsprintfA
w*XCD0F
xLFa:7W	1T14Z:@iLU
)|ygpxa
Z0m0:1K1U1[1z1
zixUGY9.C&
Z>TsV*?i.
!z%uQ%