Analysis Date: 2015-11-04 17:19:59
MD5: e8b731746c1ffd09501f9cd0f22ef22c
SHA1: 9e369f55b7ac712114d50df5d8631df46a086206

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 64ebb07a0d1bf61febd52dc5a8b3528c sha1: 3afee91e2cb167eac4d8efa50403d4ebb366575b size: 226816
Section .data md5: 2fe58ce364059137e4447fd7a07f3e64 sha1: 1da8103218427f507549d383b51bfc520bba79f5 size: 20992
Section .rdata md5: 015a644804f66c31695384201e49d030 sha1: 12327e1f57453012453a33aacf9826719737ee36 size: 40960
Section .eh_fram md5: 6bcfddbda1417c023347e2d010eb465c sha1: 88be45c373fe939e45bb88cde953982927676114 size: 40448
Section .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 8921133435c22212352aee9f33e684c3 sha1: 04eaf60ae6d712ffdc7feedfa7e119f15d21f8d4 size: 6144
Section .CRT md5: 79ba02b90919ba8e4f75cc1a116a5a87 sha1: f76e103cc1e2eae70769973790b61a31140b9e9e size: 512
Section .tls md5: b57a16ff719595a439546ce529dc168a sha1: 7fde70d610b6bf6cf3c3af66d780d60e5e89cb7b size: 512
Timestamp: 2015-03-05 06:26:45
PEhash: f7efebb5b65f2831e2e2597c2084f3f5cf94647f
IMPhash: 385e380ee83d94b87688c8874b8b47da
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV Authentium: W32/S-6a8c3109!Eldorado
AV F-Secure: Gen:Variant.Symmi.51758
AV K7: Trojan ( 004c988e1 )
AV MalwareBytes: No Virus
AV Dr. Web: Trojan.DownLoader17.41224
AV Ad-Aware: Gen:Variant.Symmi.51758
AV BitDefender: Gen:Variant.Symmi.51758
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Grisoft (avg): Win32/Cryptor
AV Emsisoft: Gen:Variant.Symmi.51758
AV Trend Micro: No Virus
AV Padvish: No Virus
AV ClamAV: No Virus
AV Rising: 0x5932d843
AV Twister: No Virus
AV Eset (nod32): Win32/Agent.XDQ
AV Fortinet: W32/Agent.XDQ!tr
AV Symantec: Downloader.Upatre!g16
AV Frisk (f-prot): No Virus
AV Alwil (avast): Evo-gen [Susp]
AV Mcafee: Trojan-FGOJ!E8B731746C1F
AV Ikarus: Trojan.Win32.Agent
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV CA (E-Trust Ino): No Virus
AV Avira (antivir): TR/ATRAPS.A.10576

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\hfrgwvm2fx\wgyctju
Creates File: C:\hfrgwvm2fx\blw23k1kk0zrhoujppyq.exe
Creates File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Deletes File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Creates Process: C:\hfrgwvm2fx\blw23k1kk0zrhoujppyq.exe

Process
↳ C:\hfrgwvm2fx\blw23k1kk0zrhoujppyq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tablet Name Panel Controls ➝ C:\hfrgwvm2fx\lnqptvumebhy4.exe
Creates File: C:\hfrgwvm2fx\lnqptvumebhy4.exe
Creates File: C:\hfrgwvm2fx\wgyctju
Creates File: C:\hfrgwvm2fx\qmbf7px
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Deletes File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Creates Process: C:\hfrgwvm2fx\lnqptvumebhy4.exe
Creates Service: Window WMI Bus Detection BitLocker - C:\hfrgwvm2fx\lnqptvumebhy4.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ C:\hfrgwvm2fx\lnqptvumebhy4.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\hfrgwvm2fx\hiefl6g
Creates File: C:\hfrgwvm2fx\wgyctju
Creates File: C:\hfrgwvm2fx\qmbf7px
Creates File: C:\hfrgwvm2fx\fxeebuhhmimok.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Deletes File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Creates Process: wxms1mwlllti "c:\hfrgwvm2fx\lnqptvumebhy4.exe"

Process
↳ C:\hfrgwvm2fx\lnqptvumebhy4.exe

Creates File: C:\hfrgwvm2fx\wgyctju
Creates File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Deletes File: C:\WINDOWS\hfrgwvm2fx\wgyctju

Process
↳ wxms1mwlllti "c:\hfrgwvm2fx\lnqptvumebhy4.exe"

Creates File: C:\hfrgwvm2fx\wgyctju
Creates File: C:\WINDOWS\hfrgwvm2fx\wgyctju
Deletes File: C:\WINDOWS\hfrgwvm2fx\wgyctju

Network Details:

DNS: earnestinesullivan.net
Type: A
195.22.26.231
DNS: earnestinesullivan.net
Type: A
195.22.26.252
DNS: earnestinesullivan.net
Type: A
195.22.26.253
DNS: earnestinesullivan.net
Type: A
195.22.26.254
HTTP GET: http://earnestinesullivan.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.231:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   61726e65 7374696e 6573756c 6c697661   arnestinesulliva
0x00000050 (00080)   6e2e6e65 740d0a0d 0a                  n.net....

Strings