Analysis Date | 2016-01-28 21:06:26 |
---|---|
MD5 | 90d75b56d34e95587094bc3703bfe4cb |
SHA1 | 85b690b983cc417617b2acfbbb53e8a62fc52429 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 77836e73860bbc965728d5a27f570e85 sha1: a35faf1c0b7c518b4390921ddca40856699f2391 size: 306688 | |
Section | .rdata md5: d51d60a232fb553ab87a7b286100921c sha1: 853b7d1f35369f649663a0b88065e4c08c221609 size: 26112 | |
Section | .data md5: fec7dbf11e1d3391667246b0563e34de sha1: d3940df31d8f994eb798e778c3b1c6102756e985 size: 20480 | |
Section | .reloc md5: ae16610a35752a0bd593d77f35adb0c6 sha1: 07cd556a6a930c6ed3fd63951b1731a8dff44fed size: 33280 | |
Timestamp | 2014-08-20 18:45:46 | |
Packer | Microsoft Visual C++ 8 | |
PEhash | e0f52a18a6529cb82d44fc471ceebf7e646752ba | |
IMPhash | b52ffbd9f7db116c67254ac55d6e9c36 | |
AV | CA (E-Trust Ino) | No Virus |
AV | Rising | No Virus |
AV | Mcafee | Trojan-FHSQ!90D75B56D34E |
AV | Avira (antivir) | TR/Taranis.2081 |
AV | Twister | No Virus |
AV | Ad-Aware | Gen:Variant.Zusy.141475 |
AV | Alwil (avast) | No Virus |
AV | Eset (nod32) | Win32/Bayrob.BJ |
AV | Grisoft (avg) | Generic37.AECC |
AV | Symantec | No Virus |
AV | Fortinet | No Virus |
AV | BitDefender | Gen:Variant.Zusy.141475 |
AV | K7 | Trojan ( 004dc2a31 ) |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.DI |
AV | MicroWorld (escan) | Gen:Variant.Zusy.141475 |
AV | MalwareBytes | No Virus |
AV | Authentium | W32/Kazy.ES.gen!Eldorado |
AV | Emsisoft | Gen:Variant.Zusy.141475 |
AV | Frisk (f-prot) | W32/Kazy.ES.gen!Eldorado |
AV | Ikarus | Trojan-Spy.Win32.Nivdort |
AV | Zillya! | No Virus |
AV | Kaspersky | Trojan.Win32.Swizzor.e |
AV | Trend Micro | No Virus |
AV | VirusBlokAda (vba32) | No Virus |
AV | CAT (quickheal) | No Virus |
AV | BullGuard | Gen:Variant.Zusy.141475 |
AV | Arcabit (arcavir) | Gen:Variant.Zusy.141475 |
AV | ClamAV | No Virus |
AV | Dr. Web | No Virus |
AV | F-Secure | Gen:Variant.Zusy.141475 |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\uehgmemm\ibjo1l3zapfoca0ylp.exe |
---|---|
Creates File | C:\uehgmemm\aftnvgvdizw |
Creates File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Deletes File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Creates Process | C:\uehgmemm\ibjo1l3zapfoca0ylp.exe |
Process
↳ C:\uehgmemm\ibjo1l3zapfoca0ylp.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Browser Thread Player Now Power ➝ C:\uehgmemm\oovdygqmwepe.exe |
---|---|
Creates File | C:\uehgmemm\edsno6cuic |
Creates File | C:\uehgmemm\oovdygqmwepe.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\uehgmemm\aftnvgvdizw |
Creates File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Deletes File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Creates Process | C:\uehgmemm\oovdygqmwepe.exe |
Creates Service | Diagnostic AutoConnect Client Filtering - C:\uehgmemm\oovdygqmwepe.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 812
Process
↳ Pid 860
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|
Process
↳ Pid 1216
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1884
Process
↳ Pid 1196
Process
↳ C:\uehgmemm\oovdygqmwepe.exe
Creates File | C:\uehgmemm\edsno6cuic |
---|---|
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\uehgmemm\rigqxm |
Creates File | C:\uehgmemm\lriqlqiypu.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\uehgmemm\aftnvgvdizw |
Creates File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Deletes File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Creates Process | rrdgiiqqfgyd "c:\uehgmemm\oovdygqmwepe.exe" |
Process
↳ C:\uehgmemm\oovdygqmwepe.exe
Creates File | C:\uehgmemm\aftnvgvdizw |
---|---|
Creates File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Deletes File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Process
↳ rrdgiiqqfgyd "c:\uehgmemm\oovdygqmwepe.exe"
Creates File | C:\uehgmemm\aftnvgvdizw |
---|---|
Creates File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Deletes File | C:\WINDOWS\uehgmemm\aftnvgvdizw |
Network Details:
Raw Pcap
Strings