Analysis Date: 2015-08-14 14:02:55
MD5: ba051b97c72e03829fb55d859f74ecda
SHA1: a25f9391639ad5732b8440286429908dc060cfb4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 18f6116df4f97b4d07f4a63512bcf556 sha1: 5754bcecc64f1912f9867d268ad8f51068b2afe9 size: 299520
Section .rdata: md5: 2d75f4dd549871674e821581e41a1a95 sha1: 714222b77ebd37a626ae14035325a93ccdc116ab size: 35840
Section .data: md5: f96271491cf5caf41d367b0f72d4611c sha1: 515c4caf845d0feca2416fc886891e9dde01b883 size: 96768
Timestamp: 2015-01-29 10:26:40
Packer: Microsoft Visual C++ ?.?
PEhash: 7eb4edb3b1d43b5b2173ee0243a636cdddf14462
IMPhash: 5a8c830caef0034c10a9443fecc2f3f0
AV Trend Micro: TSPY_NIVDORT.SMB
AV Eset (nod32): Win32/Agent.VNC
AV VirusBlokAda (vba32): no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV CAT (quickheal): Trojan.Dynamer.AC3
AV MalwareBytes: Trojan.Zbot.WHE
AV CA (E-Trust Ino): no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Twister: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Symantec: Downloader.Upatre!g15
AV Padvish: no_virus
AV Frisk (f-prot): no_virus
AV Zillya!: no_virus
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.Win32.Agent
AV Avira (antivir): TR/Crypt.ZPACK.Gen8
AV F-Secure: Gen:Variant.Symmi.22722
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Mcafee: Trojan-FEMT!BA051B97C72E
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: no_virus
AV Rising: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004938ec1 )
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Dr. Web: Trojan.DownLoader15.34467

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Resolution UserMode Networking AutoConfig ➝ C:\Documents and Settings\Administrator\Application Data\kmsiaeii\drlffjfqxmr.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\kmsiaeii\drlffjfqxmr.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\kmsiaeii\drlffjfqxmr.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\kmsiaeii\drlffjfqxmr.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\kmsiaeii\drlffjfqxmr.wid5f
Creates File: C:\Documents and Settings\Administrator\Application Data\kmsiaeii\czwdutiz.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\kmsiaeii\drlffjfqxmr.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\kmsiaeii\drlffjfqxmr.exe"

Network Details:

