Analysis Date: 2015-10-28 07:02:21
MD5: c459b5d6f63c0439733fd6ac7ba0d9fe
SHA1: b8f0231829b0188709eb309d252e2584ad41e49e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 63bfaccb895b7954f53d3ebd96756084 sha1: 04b99d9c1c0047b2658330097a757ecbf115444a size: 800768
Section .rdata md5: 2f472b03d997dceb0761b60e618da152 sha1: f13f9416ac17f868c0d29c8e781b412c2131e70a size: 59904
Section .data md5: 6e0e95983f2ba33f8cef275c98a8fcab sha1: b214a417cb838c47a53e04933477c7bb6e7187d8 size: 405504
Timestamp: 2014-11-28 23:00:09
Packer: Microsoft Visual C++ ?.?
PEhash: b03f4b8c8470cda04301896b6b2618e24123dac0
IMPhash: 8007cacdfdfe78f1dc1c316b6ea8267b
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/AD.Godatch.Y.6
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Kryptik-OOC [Trj]
AV Eset (nod32): Win32/Kryptik.CCLE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.FakePDF
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: Trojan.Kryptik.Win32.777728
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.3746
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\sew53is1lainywowecwki6r.exe
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\sew53is1lainywowecwki6r.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\sew53is1lainywowecwki6r.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Hardware COM Media Propagation ➝
C:\WINDOWS\system32\hanhwpbsjhas.exe
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\etc
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\hanhwpbsjhas.exe
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\lck
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\hanhwpbsjhas.exe
Creates Service: Web Policy Office Name Presentation Host - C:\WINDOWS\system32\hanhwpbsjhas.exe

Process
↳ Pid 796

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1124

Process
↳ C:\WINDOWS\system32\hanhwpbsjhas.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\sew53is1rnonywo.exe
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\cfg
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\lck
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\rng
Creates File: C:\WINDOWS\system32\ieyzixw.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\krvlvvdjydlu\tst
Creates Process: C:\WINDOWS\TEMP\sew53is1rnonywo.exe -r 49051 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\hanhwpbsjhas.exe"

Process
↳ C:\WINDOWS\system32\hanhwpbsjhas.exe

Creates File: C:\WINDOWS\system32\krvlvvdjydlu\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\hanhwpbsjhas.exe"

Creates File: C:\WINDOWS\system32\krvlvvdjydlu\tst

Process
↳ C:\WINDOWS\TEMP\sew53is1rnonywo.exe -r 49051 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS saltsecond.net (Type: A) ➝ 74.220.199.6
DNS pickgrave.net (Type: A) ➝ 208.91.197.241
DNS roomstock.net (Type: A) ➝ 208.91.197.241
DNS watcheasy.net (Type: A) ➝ 208.91.197.241
DNS uponmail.net (Type: A) ➝ 208.91.197.241
DNS takenhand.net (Type: A) ➝ 208.91.197.241
DNS watchsince.net (Type: A) ➝ 208.91.197.241
DNS spotdont.net (Type: A) ➝ 208.91.197.241
DNS offeraunt.net (Type: A) ➝ 208.91.197.241
DNS drinkwide.net (Type: A) ➝ 208.91.197.241
DNS pickmake.net (Type: A) ➝ 208.91.197.241
DNS southreach.net (Type: A) ➝ 208.109.181.233
DNS whichprice.net (Type: A) ➝ 173.193.105.242
DNS spotprice.net (Type: A) ➝ 207.148.248.143
DNS gladraise.net (Type: A) ➝ 208.100.26.234
DNS groupprice.net (Type: A) ➝ 5.22.149.135
DNS equalcroud.net (Type: A) ➝ 195.22.26.248
DNS equalraise.net (Type: A) ➝ 195.22.26.253
DNS equalraise.net (Type: A) ➝ 195.22.26.254
DNS equalraise.net (Type: A) ➝ 195.22.26.231
DNS equalraise.net (Type: A) ➝ 195.22.26.252
DNS groupraise.net (Type: A) ➝ 50.31.225.93
DNS watchprice.net (Type: A) ➝ 69.172.201.208
DNS fairprice.net (Type: A) ➝ 50.63.202.104
DNS dreamprice.net (Type: A) ➝ 89.31.143.1
DNS dreamraise.net (Type: A) ➝ 50.63.202.47
DNS dreamreach.net (Type: A) ➝ 141.8.226.15
DNS southblood.net (Type: A)
DNS ableread.net (Type: A)
DNS madethan.net (Type: A)
DNS whomfifth.net (Type: A)
DNS arivecroud.net (Type: A)
DNS southcroud.net (Type: A)
DNS ariveraise.net (Type: A)
DNS southraise.net (Type: A)
DNS arivereach.net (Type: A)
DNS uponprice.net (Type: A)
DNS uponcroud.net (Type: A)
DNS whichcroud.net (Type: A)
DNS uponraise.net (Type: A)
DNS whichraise.net (Type: A)
DNS uponreach.net (Type: A)
DNS whichreach.net (Type: A)
DNS saltprice.net (Type: A)
DNS spotcroud.net (Type: A)
DNS saltcroud.net (Type: A)
DNS spotraise.net (Type: A)
DNS saltraise.net (Type: A)
DNS spotreach.net (Type: A)
DNS saltreach.net (Type: A)
DNS gladprice.net (Type: A)
DNS takenprice.net (Type: A)
DNS gladcroud.net (Type: A)
DNS takencroud.net (Type: A)
DNS takenraise.net (Type: A)
DNS gladreach.net (Type: A)
DNS takenreach.net (Type: A)
DNS equalprice.net (Type: A)
DNS groupcroud.net (Type: A)
DNS equalreach.net (Type: A)
DNS groupreach.net (Type: A)
DNS spokeprice.net (Type: A)
DNS visitprice.net (Type: A)
DNS spokecroud.net (Type: A)
DNS visitcroud.net (Type: A)
DNS spokeraise.net (Type: A)
DNS visitraise.net (Type: A)
DNS spokereach.net (Type: A)
DNS visitreach.net (Type: A)
DNS watchcroud.net (Type: A)
DNS faircroud.net (Type: A)
DNS watchraise.net (Type: A)
DNS fairraise.net (Type: A)
DNS watchreach.net (Type: A)
DNS fairreach.net (Type: A)
DNS thisprice.net (Type: A)
DNS dreamcroud.net (Type: A)
DNS thiscroud.net (Type: A)
DNS thisraise.net (Type: A)
DNS thisreach.net (Type: A)
DNS ariveneck.net (Type: A)
DNS southneck.net (Type: A)
DNS ariveshown.net (Type: A)
DNS southshown.net (Type: A)
DNS arivefood.net (Type: A)
DNS southfood.net (Type: A)
DNS arivemeet.net (Type: A)
DNS southmeet.net (Type: A)
DNS uponneck.net (Type: A)
DNS whichneck.net (Type: A)
DNS uponshown.net (Type: A)
DNS whichshown.net (Type: A)
DNS uponfood.net (Type: A)
DNS whichfood.net (Type: A)
DNS uponmeet.net (Type: A)
DNS whichmeet.net (Type: A)
DNS spotneck.net (Type: A)
DNS saltneck.net (Type: A)
DNS spotshown.net (Type: A)
DNS saltshown.net (Type: A)
DNS spotfood.net (Type: A)
DNS saltfood.net (Type: A)
DNS spotmeet.net (Type: A)
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://pickgrave.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://roomstock.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://watcheasy.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://uponmail.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://takenhand.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://watchsince.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://spotdont.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://offeraunt.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://drinkwide.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://pickmake.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://southreach.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://whichprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://spotprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://gladraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://groupprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://equalcroud.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://equalraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://groupraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://watchprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://fairprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://dreamprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://dreamraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://dreamreach.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://pickgrave.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://roomstock.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://watcheasy.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://uponmail.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://takenhand.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://watchsince.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://spotdont.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://offeraunt.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://drinkwide.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://pickmake.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://southreach.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://whichprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://spotprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://gladraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://groupprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://equalcroud.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://equalraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://groupraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://watchprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://fairprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://dreamprice.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://dreamraise.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
HTTP GET http://dreamreach.net/index.php?method=validate&mode=sox&v=034&sox=48d49600&lenhdr
User-Agent:
Flows TCP 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1047 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1048 ➝ 208.109.181.233:80
Flows TCP 192.168.1.1:1049 ➝ 173.193.105.242:80
Flows TCP 192.168.1.1:1050 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1051 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1052 ➝ 5.22.149.135:80
Flows TCP 192.168.1.1:1053 ➝ 195.22.26.248:80
Flows TCP 192.168.1.1:1054 ➝ 195.22.26.253:80
Flows TCP 192.168.1.1:1055 ➝ 50.31.225.93:80
Flows TCP 192.168.1.1:1056 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1057 ➝ 50.63.202.104:80
Flows TCP 192.168.1.1:1058 ➝ 89.31.143.1:80
Flows TCP 192.168.1.1:1059 ➝ 50.63.202.47:80
Flows TCP 192.168.1.1:1060 ➝ 141.8.226.15:80
Flows TCP 192.168.1.1:1061 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1069 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1070 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1071 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1072 ➝ 208.109.181.233:80
Flows TCP 192.168.1.1:1073 ➝ 173.193.105.242:80
Flows TCP 192.168.1.1:1074 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1075 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1076 ➝ 5.22.149.135:80
Flows TCP 192.168.1.1:1077 ➝ 195.22.26.248:80
Flows TCP 192.168.1.1:1078 ➝ 195.22.26.253:80
Flows TCP 192.168.1.1:1079 ➝ 50.31.225.93:80
Flows TCP 192.168.1.1:1080 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1081 ➝ 50.63.202.104:80
Flows TCP 192.168.1.1:1082 ➝ 89.31.143.1:80
Flows TCP 192.168.1.1:1083 ➝ 50.63.202.47:80
Flows TCP 192.168.1.1:1084 ➝ 141.8.226.15:80
