Analysis Date: 2015-11-02 15:39:32
MD5: 712002b13d597635a00544da60d5756b
SHA1: 98e0e8a2db1eadb7810d045f60f60cdb7b2aca2d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 474645ee45c4af7db2272ca8f2a9323c sha1: 8ce5944eb1acc169c681a591f922b3544026056d size: 849920
Section .rdata: md5: f8bacc4999a4824cc075ed9ad5b0c1e7 sha1: b93ef5a4486a8a6346a6b46a624ff7d91e6dc80d size: 327168
Section .data: md5: f929156a6fbe110acfe512d2dcb4ba63 sha1: 8311d1ac1ae4cd747dd696a0d8d011dc4e748a7c size: 7680
Timestamp: 2015-03-13 07:34:21
Packer: Microsoft Visual C++ ?.?
PEhash: ba5a13a9f9b343a50bd3937219454dab4e93228c
IMPhash: 3aa1aa8d63b28981ca7f9ada0a5c0b68
AV MalwareBytes: No Virus
AV Padvish: No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV Fortinet: W32/Kryptik.DDQD!tr
AV Grisoft (avg): Win32/Cryptor
AV K7: Trojan ( 004cd0081 )
AV Kaspersky: Trojan.Win32.Generic
AV Mcafee: No Virus
AV F-Secure: Gen:Variant.Zusy.133308
AV Eset (nod32): Win32/Kryptik.DDQD
AV Frisk (f-prot): No Virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV BullGuard: Gen:Variant.Zusy.133308
AV Alwil (avast): Win32:Malware-gen
AV Authentium: W32/Zusy.X.gen!Eldorado
AV CA (E-Trust Ino): No Virus
AV CAT (quickheal): No Virus
AV Avira (antivir): TR/Crypt.ZPACK.62214
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader17.36033
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV BitDefender: Gen:Variant.Zusy.133308
AV Emsisoft: Gen:Variant.Zusy.133308

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\efbfbdsnhqj\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\qbcdvbf1liqnzpf2unzm.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\qbcdvbf1liqnzpf2unzm.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\qbcdvbf1liqnzpf2unzm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Interactive Connections List Auto ➝ C:\WINDOWS\system32\seathvj.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\etc
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\lck
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\tst
Creates File: C:\WINDOWS\system32\seathvj.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\seathvj.exe
Creates Service: Audio Driver DHCP Fax Link-Layer - C:\WINDOWS\system32\seathvj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\seathvj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\run
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\rng
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\tst
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\efbfbdsnhqj\lck
Creates File: C:\WINDOWS\system32\vphxcvk.exe
Creates File: C:\WINDOWS\TEMP\qbcdvbf1swdnzp.exe
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\qbcdvbf1swdnzp.exe -r 39685 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\seathvj.exe"

Process
↳ C:\WINDOWS\system32\seathvj.exe

Creates File: C:\WINDOWS\system32\efbfbdsnhqj\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\seathvj.exe"

Creates File: C:\WINDOWS\system32\efbfbdsnhqj\tst

Process
↳ C:\WINDOWS\TEMP\qbcdvbf1swdnzp.exe -r 39685 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: melbourneit.hotkeysparking.com  Type: A  ➝ 8.5.1.16
DNS: muchhappy.net  Type: A  ➝ 208.91.197.241
DNS: callmile.net  Type: A  ➝ 208.91.197.241
DNS: nailthere.net  Type: A  ➝ 98.139.135.129
DNS: bothplain.net  Type: A  ➝ 208.91.197.241
DNS: walkword.net  Type: A  ➝ 208.91.197.241
DNS: naildeep.com  Type: A  ➝ 74.220.215.218
DNS: humanpast.net  Type: A  ➝ 216.92.44.196
DNS: humanfish.net  Type: A  ➝ 69.195.136.122
DNS: musiclady.net  Type: A  ➝ 181.224.136.119
DNS: frontfish.net  Type: A  ➝ 104.28.15.5
DNS: frontfish.net  Type: A  ➝ 104.28.14.5
DNS: hangfish.net  Type: A  ➝ 50.63.202.50
DNS: wishfish.net  Type: A  ➝ 50.63.202.55
DNS: deadwing.net  Type: A  ➝ 85.25.214.16
DNS: deadlady.net  Type: A  ➝ 195.22.26.254
DNS: deadlady.net  Type: A  ➝ 195.22.26.231
DNS: deadlady.net  Type: A  ➝ 195.22.26.252
DNS: deadlady.net  Type: A  ➝ 195.22.26.253
DNS: rocklady.net  Type: A  ➝ 64.61.199.44
DNS: deadfish.net  Type: A  ➝ 69.172.201.208
DNS: rockfish.net  Type: A  ➝ 96.45.83.235
DNS: rockfish.net  Type: A  ➝ 96.45.82.90
DNS: rockfish.net  Type: A  ➝ 96.45.82.194
DNS: rockfish.net  Type: A  ➝ 96.45.83.91
DNS: wronglady.net  Type: A  ➝ 208.100.26.234
DNS: southcity.net  Type: A  ➝ 207.148.248.143
DNS: muchhappy.net  Type: A  ➝ 208.91.197.241
DNS: ableread.net  Type: A  ➝ (no address recorded)
DNS: fearstate.net  Type: A  ➝ (no address recorded)
DNS: longcold.net  Type: A  ➝ (no address recorded)
DNS: monthnext.net  Type: A  ➝ (no address recorded)
DNS: storyocean.net  Type: A  ➝ (no address recorded)
DNS: decemberknew.net  Type: A  ➝ (no address recorded)
DNS: mouthgray.net  Type: A  ➝ (no address recorded)
DNS: fridayloss.net  Type: A  ➝ (no address recorded)
DNS: eggbraker.com  Type: A  ➝ (no address recorded)
DNS: madeguide.net  Type: A  ➝ (no address recorded)
DNS: wronglate.net  Type: A  ➝ (no address recorded)
DNS: madelate.net  Type: A  ➝ (no address recorded)
DNS: humanwing.net  Type: A  ➝ (no address recorded)
DNS: hairwing.net  Type: A  ➝ (no address recorded)
DNS: hairpast.net  Type: A  ➝ (no address recorded)
DNS: humanlady.net  Type: A  ➝ (no address recorded)
DNS: hairlady.net  Type: A  ➝ (no address recorded)
DNS: hairfish.net  Type: A  ➝ (no address recorded)
DNS: yardwing.net  Type: A  ➝ (no address recorded)
DNS: musicwing.net  Type: A  ➝ (no address recorded)
DNS: yardpast.net  Type: A  ➝ (no address recorded)
DNS: musicpast.net  Type: A  ➝ (no address recorded)
DNS: yardlady.net  Type: A  ➝ (no address recorded)
DNS: yardfish.net  Type: A  ➝ (no address recorded)
DNS: musicfish.net  Type: A  ➝ (no address recorded)
DNS: wentwing.net  Type: A  ➝ (no address recorded)
DNS: spendwing.net  Type: A  ➝ (no address recorded)
DNS: wentpast.net  Type: A  ➝ (no address recorded)
DNS: spendpast.net  Type: A  ➝ (no address recorded)
DNS: wentlady.net  Type: A  ➝ (no address recorded)
DNS: spendlady.net  Type: A  ➝ (no address recorded)
DNS: wentfish.net  Type: A  ➝ (no address recorded)
DNS: spendfish.net  Type: A  ➝ (no address recorded)
DNS: frontwing.net  Type: A  ➝ (no address recorded)
DNS: offerwing.net  Type: A  ➝ (no address recorded)
DNS: frontpast.net  Type: A  ➝ (no address recorded)
DNS: offerpast.net  Type: A  ➝ (no address recorded)
DNS: frontlady.net  Type: A  ➝ (no address recorded)
DNS: offerlady.net  Type: A  ➝ (no address recorded)
DNS: offerfish.net  Type: A  ➝ (no address recorded)
DNS: hangwing.net  Type: A  ➝ (no address recorded)
DNS: septemberwing.net  Type: A  ➝ (no address recorded)
DNS: hangpast.net  Type: A  ➝ (no address recorded)
DNS: septemberpast.net  Type: A  ➝ (no address recorded)
DNS: hanglady.net  Type: A  ➝ (no address recorded)
DNS: septemberlady.net  Type: A  ➝ (no address recorded)
DNS: septemberfish.net  Type: A  ➝ (no address recorded)
DNS: joinwing.net  Type: A  ➝ (no address recorded)
DNS: wishwing.net  Type: A  ➝ (no address recorded)
DNS: joinpast.net  Type: A  ➝ (no address recorded)
DNS: wishpast.net  Type: A  ➝ (no address recorded)
DNS: joinlady.net  Type: A  ➝ (no address recorded)
DNS: wishlady.net  Type: A  ➝ (no address recorded)
DNS: joinfish.net  Type: A  ➝ (no address recorded)
DNS: rockwing.net  Type: A  ➝ (no address recorded)
DNS: deadpast.net  Type: A  ➝ (no address recorded)
DNS: rockpast.net  Type: A  ➝ (no address recorded)
DNS: wrongwing.net  Type: A  ➝ (no address recorded)
DNS: madewing.net  Type: A  ➝ (no address recorded)
DNS: wrongpast.net  Type: A  ➝ (no address recorded)
DNS: madepast.net  Type: A  ➝ (no address recorded)
DNS: madelady.net  Type: A  ➝ (no address recorded)
DNS: wrongfish.net  Type: A  ➝ (no address recorded)
DNS: madefish.net  Type: A  ➝ (no address recorded)
DNS: arivegrow.net  Type: A  ➝ (no address recorded)
DNS: southgrow.net  Type: A  ➝ (no address recorded)
DNS: arivetear.net  Type: A  ➝ (no address recorded)
DNS: southtear.net  Type: A  ➝ (no address recorded)
DNS: arivethank.net  Type: A  ➝ (no address recorded)
DNS: souththank.net  Type: A  ➝ (no address recorded)
DNS: arivecity.net  Type: A  ➝ (no address recorded)
DNS: upongrow.net  Type: A  ➝ (no address recorded)
DNS: whichgrow.net  Type: A  ➝ (no address recorded)
DNS: upontear.net  Type: A  ➝ (no address recorded)
DNS: whichtear.net  Type: A  ➝ (no address recorded)
DNS: uponthank.net  Type: A  ➝ (no address recorded)
DNS: whichthank.net  Type: A  ➝ (no address recorded)
DNS: uponcity.net  Type: A  ➝ (no address recorded)
DNS: whichcity.net  Type: A  ➝ (no address recorded)
DNS: spotgrow.net  Type: A  ➝ (no address recorded)
DNS: saltgrow.net  Type: A  ➝ (no address recorded)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://callmile.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://bothplain.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://walkword.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://humanpast.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://humanfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://musiclady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://frontfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://hangfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://wishfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://deadwing.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://deadlady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://rocklady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://deadfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://rockfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://wronglady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://southcity.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://callmile.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://bothplain.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://walkword.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://humanpast.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://humanfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://musiclady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://frontfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://hangfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://wishfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://deadwing.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://deadlady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://rocklady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://deadfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://rockfish.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://wronglady.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
HTTP GET: http://southcity.net/index.php?method=validate&mode=sox&v=041&sox=3c18da00&lenhdr  User-Agent: (blank)
Flows TCP: 192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1032 ➝ 156.196.201.1:1177
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1044 ➝ 216.92.44.196:80
Flows TCP: 192.168.1.1:1045 ➝ 69.195.136.122:80
Flows TCP: 192.168.1.1:1046 ➝ 181.224.136.119:80
Flows TCP: 192.168.1.1:1047 ➝ 104.28.15.5:80
Flows TCP: 192.168.1.1:1048 ➝ 50.63.202.50:80
Flows TCP: 192.168.1.1:1049 ➝ 50.63.202.55:80
Flows TCP: 192.168.1.1:1050 ➝ 85.25.214.16:80
Flows TCP: 192.168.1.1:1051 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1052 ➝ 64.61.199.44:80
Flows TCP: 192.168.1.1:1053 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1054 ➝ 96.45.83.235:80
Flows TCP: 192.168.1.1:1055 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1056 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1057 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1060 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1063 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1064 ➝ 216.92.44.196:80
Flows TCP: 192.168.1.1:1065 ➝ 69.195.136.122:80
Flows TCP: 192.168.1.1:1066 ➝ 181.224.136.119:80
Flows TCP: 192.168.1.1:1067 ➝ 104.28.15.5:80
Flows TCP: 192.168.1.1:1068 ➝ 50.63.202.50:80
Flows TCP: 192.168.1.1:1069 ➝ 50.63.202.55:80
Flows TCP: 192.168.1.1:1070 ➝ 85.25.214.16:80
Flows TCP: 192.168.1.1:1071 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1072 ➝ 64.61.199.44:80
Flows TCP: 192.168.1.1:1073 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1074 ➝ 96.45.83.235:80
Flows TCP: 192.168.1.1:1075 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1076 ➝ 207.148.248.143:80
