Analysis Date: 2015-03-27 19:30:47
MD5: 5e9e54b8cc32ffc8908e225d9da4e2c6
SHA1: 8a1417a77fc474a984322888e15bc8760b98f11c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: 3692472e6ebadbca59855d4c66fed118 sha1: 731b4400f63f6d67f4dca9de165a4abc633bde2a size: 22528
Section .rdata   md5: 2036037722b3d740c2c24fea4fbf237f sha1: 19e474f2f2f663ab4dccac124522fa62ab97476d size: 5120
Section .data    md5: 5c97db224e6c141073c4c49ea59843ec sha1: 1aeaba146bd366867608aa8f4406bc6b608cf2c5 size: 118272
Section .rsrc    md5: 465fa3aea5bd31656bdaa31f62bcf347 sha1: 78088d0e83ee8f0ee35b73fbb06b55e12bd68aaa size: 4612
Section fadxplz  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2003-03-24 02:22:13
Version:
  LegalCopyright: © Microsoft Corporation. All rights reserved.
  InternalName: CLIPSRV.EXE
  FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
  ProductName: Microsoft® Windows® Operating System
  ProductVersion: 5.1.2600.5512
  FileDescription: Windows NT DDE Server
Packer: Microsoft Visual C++ 7.0
PEhash: e7f746772497ba8d8f97d7c4e7db920652b62081
IMPhash: 77f93fcb6b22682020d7ec5697185655
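Two things in the static block deserve a mechanical check rather than a glance: the fifth section (fadxplz) has a raw size of 0 and its md5/sha1 are the digests of zero bytes, and the version resource claims the Windows XP SP3 build of CLIPSRV.EXE (lab string xpsp.080413-2105, i.e. built 2008-04-13) while the PE link timestamp is 2003-03-24. The following Python is an added example, not output of the sandbox or code from any vendor. The section table, timestamp and FileVersion are transcribed from the report; the set of "common" section names, the build-lab parsing rule and the "link time should not predate its own version string" rule are assumptions of this example.

```python
"""Static-detail consistency checks for a sandbox report (added example)."""
import hashlib
import re
from datetime import datetime

# Section table transcribed from the report: (name, md5, sha1, raw size).
SECTIONS = [
    (".text",   "3692472e6ebadbca59855d4c66fed118", "731b4400f63f6d67f4dca9de165a4abc633bde2a", 22528),
    (".rdata",  "2036037722b3d740c2c24fea4fbf237f", "19e474f2f2f663ab4dccac124522fa62ab97476d", 5120),
    (".data",   "5c97db224e6c141073c4c49ea59843ec", "1aeaba146bd366867608aa8f4406bc6b608cf2c5", 118272),
    (".rsrc",   "465fa3aea5bd31656bdaa31f62bcf347", "78088d0e83ee8f0ee35b73fbb06b55e12bd68aaa", 4612),
    ("fadxplz", "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709", 0),
]
PE_TIMESTAMP = datetime(2003, 3, 24, 2, 22, 13)
FILE_VERSION = "5.1.2600.5512 (xpsp.080413-2105)"

# Section names a stock MSVC link produces (assumption of this example; a
# name outside this set is a lead to follow up, not a verdict).
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                   ".idata", ".edata", ".bss", ".tls", ".pdata"}

# Digests of zero bytes: a section whose hashes equal these has no content.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Microsoft build-lab suffix as it appears in FileVersion: "(<lab>.YYMMDD-HHMM)".
BUILD_LAB_RE = re.compile(r"\(([a-z_0-9]+)\.(\d{6})-(\d{4})\)")


def section_findings(sections=SECTIONS):
    """Flag odd section names, empty sections and hashes of zero bytes."""
    findings = []
    for name, md5, sha1, size in sections:
        if name not in COMMON_SECTIONS:
            findings.append(f"{name}: non-standard section name")
        if size == 0:
            findings.append(f"{name}: zero raw size")
        if md5 == EMPTY_MD5 and sha1 == EMPTY_SHA1:
            findings.append(f"{name}: digests are those of empty input")
    return findings


def build_lab_date(file_version):
    """Return the build date encoded in the FileVersion lab suffix, or None."""
    m = BUILD_LAB_RE.search(file_version)
    if not m:
        return None
    return datetime.strptime(m.group(2) + m.group(3), "%y%m%d%H%M")


def timestamp_findings(pe_timestamp=PE_TIMESTAMP, file_version=FILE_VERSION):
    """A genuine build's link time should not predate its own version string."""
    built = build_lab_date(file_version)
    if built is None or pe_timestamp >= built:
        return []
    gap = (built - pe_timestamp).days
    return [f"link timestamp {pe_timestamp:%Y-%m-%d} predates claimed build "
            f"{built:%Y-%m-%d} by {gap} days"]


if __name__ == "__main__":
    for line in section_findings() + timestamp_findings():
        print(line)
```

Run against the values above, the section check reports fadxplz three times (non-standard name, zero size, empty-input digests) and the timestamp check reports a link time roughly five years before the build the version resource claims. Neither finding proves anything on its own (timestamps can be zeroed or edited, and linkers can emit odd sections), but together with a Microsoft copyright on an unsigned file they are the kind of inconsistency that justifies the detonation below.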
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Zusy.Elzob.24779
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Arcabit (arcavir): Gen:Variant.Zusy.Elzob.24779
AV Authentium: W32/Carberp.C.gen!Eldorado
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Zusy.Elzob.24779
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Zbot.Y4
AV ClamAV: Worm.Palevo-28227
AV Dr. Web: Trojan.MulDrop1.64009
AV Emsisoft: Gen:Variant.Zusy.Elzob.24779
AV Eset (nod32): Win32/Kryptik.LBN
AV Fortinet: W32/SpyEyes.LBN!tr.spy
AV Frisk (f-prot): W32/Carberp.C.gen!Eldorado
AV F-Secure: Gen:Variant.Zusy.Elzob.24779
AV Grisoft (avg): Generic21.NJI
AV Ikarus: Worm.Win32.AutoRun
AV K7: Trojan ( 003c36381 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.VBKrypt
AV Mcafee: PWS-Spyeye.x
AV Microsoft Security Essentials: Trojan:Win32/Ramnit.A
AV MicroWorld (escan): Gen:Variant.Zusy.Elzob.24779
AV Rising: no_virus
AV Sophos: Troj/Ramnit-CL
AV Symantec: Trojan.Gen
AV Trend Micro: TSPY_AZ.71F993FF
AV VirusBlokAda (vba32): MalwareScope.Trojan-PSW.Pinch.9
AV Zillya!: Trojan.Zbot.Win32.31134
AV Kaspersky: Trojan.Win32.Generic

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69C421D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\malware.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Documents and Settings\Administrator\qcvbfpbp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Program Files\huettqja\px3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69AA21D45}
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}
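The persistence recorded in this process block is twofold: the Winlogon Userinit value is rewritten to `userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe`, so Winlogon launches the dropped binary at every interactive logon, and a copy of the same pbvjeqsq.exe is placed in the user's Startup folder. Userinit is a comma-separated list, and the double comma leaves an empty entry that a naive string comparison against the default value would not handle cleanly. The Python below is an added example for triaging both artefacts, not code from the sandbox or from any vendor. The Userinit string and the created-file paths are copied from the report; the stock default value, the system-directory set and the Startup-folder suffix are assumptions of this example.

```python
"""Persistence triage for Winlogon\\Userinit and the Startup folder (added example)."""
import ntpath

# Userinit value the sandbox recorded after the run (from the report).
OBSERVED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe"
# Stock value on a clean XP install (assumption of this example).  Windows
# tolerates the trailing comma and empty entries, which is what ",," leaves.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

EXPECTED_EXE = "userinit.exe"
# Directories userinit.exe legitimately lives in (assumption: XP-era roots).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# "Creates File" paths from the report that are plain file-system paths.
CREATED_FILES = [
    r"C:\Program Files\huettqja\pbvjeqsq.exe",
    r"C:\malware.exe",
    r"C:\Program Files\huettqja\px3.tmp",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe",
    r"C:\Documents and Settings\Administrator\qcvbfpbp.log",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp",
]
STARTUP_SUFFIX = r"\start menu\programs\startup"  # per-user Startup folder on XP


def parse_userinit(value):
    """Winlogon launches every comma-separated entry in turn; drop empty ones."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def userinit_findings(value):
    """One finding per entry that is not the system userinit.exe."""
    findings = []
    for entry in parse_userinit(value):
        path = entry.strip('"')          # entries may be quoted; arguments are not handled here
        directory, exe = ntpath.split(path)
        if exe.lower() != EXPECTED_EXE:
            findings.append(f"unexpected Userinit entry: {path}")
        elif directory.lower() not in SYSTEM_DIRS:
            findings.append(f"userinit.exe loaded from unexpected directory: {directory}")
    return findings


def startup_findings(paths=CREATED_FILES):
    """Executables written into a Startup folder."""
    return [p for p in paths
            if ntpath.dirname(p).lower().endswith(STARTUP_SUFFIX)
            and p.lower().endswith(".exe")]


def shared_basenames(userinit_value, paths=CREATED_FILES):
    """Basenames that appear both as a Userinit entry and as a dropped file.

    The same binary registered by two mechanisms is a stronger signal than
    either alone.
    """
    from_userinit = {ntpath.basename(e).lower() for e in parse_userinit(userinit_value)}
    from_files = {ntpath.basename(p).lower() for p in paths}
    return sorted((from_userinit & from_files) - {EXPECTED_EXE})


if __name__ == "__main__":
    for line in userinit_findings(OBSERVED_USERINIT) + startup_findings():
        print(line)
    print("shared:", shared_basenames(OBSERVED_USERINIT))
```

On a live host the value would come from `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` rather than a constant; the parsing is the same. Splitting on commas and discarding empty entries is what makes the check robust to the `,,` the sample left behind and to the trailing comma present on clean systems.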

Network Details:

DNS: google.com (Type: A) ➝ 216.58.219.142
DNS: awrcaverybrstuktdybstr.com (Type: A) ➝ 109.74.196.143
DNS: awecerybtuitbyatr.com (Type: A) ➝ 109.74.196.143
DNS: qwevrbyitntbyjdtyhvsdtrhr.com (Type: A) ➝ 198.74.50.135
Flows TCP: 192.168.1.1:1033 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.142:80
Flows TCP: 192.168.1.1:1034 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1037 ➝ 198.74.50.135:443
Flows TCP: 192.168.1.1:1038 ➝ 198.74.50.135:443
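The network block gives three domains, two addresses and a set of TCP/443 flows; google.com is resolved and contacted on port 80 alongside them. The Python below is an added example of turning those values into a detection pass, not code from the sandbox or from any vendor. The indicator domains and addresses are copied from the report; the DNS query log (BIND-style format) and the flow records are constructed for illustration; the lexical scoring of domain names is a heuristic whose thresholds are assumptions of this example, and the report itself does not say how the domains were generated.

```python
"""Match the report's network indicators against DNS and flow logs (added example)."""
import re

# Indicators copied from Network Details.
IOC_DOMAINS = {
    "awrcaverybrstuktdybstr.com",
    "awecerybtuitbyatr.com",
    "qwevrbyitntbyjdtyhvsdtrhr.com",
}
IOC_IPS = {"109.74.196.143", "198.74.50.135"}

# Constructed DNS query log in a BIND-style format (not from the sandbox).
DNS_LOG = """\
27-Mar-2015 19:31:02 client 192.168.1.1#1033: query: awrcaverybrstuktdybstr.com IN A
27-Mar-2015 19:31:02 client 192.168.1.1#1032: query: google.com IN A
27-Mar-2015 19:31:05 client 192.168.1.7#1077: query: www.example.com IN A
27-Mar-2015 19:31:09 client 192.168.1.1#1037: query: QWEVRBYITNTBYJDTYHVSDTRHR.com. IN A
"""
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed flow records in the report's own "src ➝ dst" layout.
FLOWS = """\
192.168.1.1:1033 ➝ 109.74.196.143:443
192.168.1.1:1032 ➝ 216.58.219.142:80
192.168.1.9:2201 ➝ 93.184.216.34:443
192.168.1.1:1037 ➝ 198.74.50.135:443
"""
FLOW_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) ➝ (?P<dst>[\d.]+):(?P<dport>\d+)")

VOWELS = "aeiou"


def dns_hits(log=DNS_LOG, iocs=IOC_DOMAINS):
    """(source, qname) for each query naming an indicator domain.

    Names are lower-cased and the trailing dot stripped so case and FQDN
    notation in the log do not defeat the match.
    """
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in iocs:
            hits.append((m["src"], qname))
    return hits


def flow_hits(flows=FLOWS, iocs=IOC_IPS):
    """(source, dst:port) for each flow to an indicator address."""
    hits = []
    for line in flows.splitlines():
        m = FLOW_RE.search(line)
        if m and m["dst"] in iocs:
            hits.append((m["src"], f"{m['dst']}:{m['dport']}"))
    return hits


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonants in a label."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(domain, max_run=4, min_vowel_ratio=0.3):
    """Lexical triage hint: long consonant runs or few vowels in the leftmost label.

    Thresholds are assumptions; a hit is something to look at, not an indicator.
    """
    label = domain.lower().split(".")[0]
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    ratio = vowels / len(letters) if letters else 0.0
    return longest_consonant_run(label) > max_run or ratio < min_vowel_ratio


if __name__ == "__main__":
    print("dns:", dns_hits())
    print("flows:", flow_hits())
    for d in sorted(IOC_DOMAINS | {"google.com"}):
        print(f"{d}: {'suspicious' if looks_generated(d) else 'ok'}")
```

Against the constructed logs the exact-match functions find both indicator queries and both indicator flows from 192.168.1.1 and ignore the unrelated host. The lexical heuristic flags two of the three report domains and passes awecerybtuitbyatr.com, which has an ordinary vowel ratio; that miss is the point of including it: name-shape scoring is a way to surface candidates, and the indicator lists above remain the control that actually fires.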
