Analysis Date: 2015-08-26 14:06:55
MD5: 56f547ee46fa0b9514c8a143ff626a19
SHA1: c1ac0bd4b8c2bb9de04e27ec2477f20edbe21452

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 66525efd63fcaf1961ea99347c86272a sha1: 66d26264973268cedc2305c23c0d107ec1979bbe size: 296960
Section .rdata: md5: 2eb90088a2d62a92d9cd6578efe45557 sha1: 360915643cc5223741cf74b2775c96a192e67b0a size: 33792
Section .data: md5: 00b936ec7a62717988742bd9325776b3 sha1: 5bb22e9a228d8b06bdcff4f401fc47906533db9e size: 109056
Timestamp: 2014-10-30 10:24:56
Packer: Microsoft Visual C++ ?.?
PEhash: 5ac673af4ebf79df6955005170d7d770a4c9b32f
IMPhash: e1d8652721407878a9d757215c13aec3
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader15.29681
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): TR/Crypt.Xpack.258699
AV Mcafee: Trojan-FEMT!56F547EE46FA
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Cache Thread Debugger AuthIP ➝ C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\yyuvfrmxxg.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\yyuvfrmxxg.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\yyuvfrmxxg.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\yyuvfrmxxg.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\yyuvfrmxxg.co
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\qfjuvueca.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\yyuvfrmxxg.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hwhqrkfaewzcqui\yyuvfrmxxg.exe"

Network Details:

DNS: mountainschool.net, Type: A ➝ 184.168.221.15
DNS: windowwhile.net, Type: A ➝ 95.211.230.75
DNS: winterschool.net, Type: A ➝ 82.98.134.9
DNS: finishschool.net, Type: A ➝ 208.73.211.70
DNS: possibletraining.net, Type: A ➝ 50.63.202.54
DNS: simplequestion.net, Type: A
DNS: motherquestion.net, Type: A
DNS: simpletherefore.net, Type: A
DNS: mothertherefore.net, Type: A
DNS: possibleschool.net, Type: A
DNS: mountainwhile.net, Type: A
DNS: possiblewhile.net, Type: A
DNS: mountainquestion.net, Type: A
DNS: possiblequestion.net, Type: A
DNS: mountaintherefore.net, Type: A
DNS: possibletherefore.net, Type: A
DNS: perhapsschool.net, Type: A
DNS: windowschool.net, Type: A
DNS: perhapswhile.net, Type: A
DNS: perhapsquestion.net, Type: A
DNS: windowquestion.net, Type: A
DNS: perhapstherefore.net, Type: A
DNS: windowtherefore.net, Type: A
DNS: subjectschool.net, Type: A
DNS: winterwhile.net, Type: A
DNS: subjectwhile.net, Type: A
DNS: winterquestion.net, Type: A
DNS: subjectquestion.net, Type: A
DNS: wintertherefore.net, Type: A
DNS: subjecttherefore.net, Type: A
DNS: leaveschool.net, Type: A
DNS: finishwhile.net, Type: A
DNS: leavewhile.net, Type: A
DNS: finishquestion.net, Type: A
DNS: leavequestion.net, Type: A
DNS: finishtherefore.net, Type: A
DNS: leavetherefore.net, Type: A
DNS: sweetschool.net, Type: A
DNS: probablyschool.net, Type: A
DNS: sweetwhile.net, Type: A
DNS: probablywhile.net, Type: A
DNS: sweetquestion.net, Type: A
DNS: probablyquestion.net, Type: A
DNS: sweettherefore.net, Type: A
DNS: probablytherefore.net, Type: A
DNS: severalschool.net, Type: A
DNS: materialschool.net, Type: A
DNS: severalwhile.net, Type: A
DNS: materialwhile.net, Type: A
DNS: severalquestion.net, Type: A
DNS: materialquestion.net, Type: A
DNS: severaltherefore.net, Type: A
DNS: materialtherefore.net, Type: A
DNS: severahunger.net, Type: A
DNS: laughhunger.net, Type: A
DNS: severatraining.net, Type: A
DNS: laughtraining.net, Type: A
DNS: severastorm.net, Type: A
DNS: laughstorm.net, Type: A
DNS: severathrown.net, Type: A
DNS: laughthrown.net, Type: A
DNS: simplehunger.net, Type: A
DNS: motherhunger.net, Type: A
DNS: simpletraining.net, Type: A
DNS: mothertraining.net, Type: A
DNS: simplestorm.net, Type: A
DNS: motherstorm.net, Type: A
DNS: simplethrown.net, Type: A
DNS: motherthrown.net, Type: A
DNS: mountainhunger.net, Type: A
DNS: possiblehunger.net, Type: A
DNS: mountaintraining.net, Type: A
DNS: mountainstorm.net, Type: A
DNS: possiblestorm.net, Type: A
DNS: mountainthrown.net, Type: A
DNS: possiblethrown.net, Type: A
DNS: perhapshunger.net, Type: A
DNS: windowhunger.net, Type: A
DNS: perhapstraining.net, Type: A
DNS: windowtraining.net, Type: A
DNS: perhapsstorm.net, Type: A
DNS: windowstorm.net, Type: A
DNS: perhapsthrown.net, Type: A
DNS: windowthrown.net, Type: A
DNS: winterhunger.net, Type: A
HTTP GET: http://mountainschool.net/index.php?email=mazhiling@ronglee.com&method=post&len
User-Agent:
HTTP GET: http://windowwhile.net/index.php?email=mazhiling@ronglee.com&method=post&len
User-Agent:
HTTP GET: http://winterschool.net/index.php?email=mazhiling@ronglee.com&method=post&len
User-Agent:
HTTP GET: http://finishschool.net/index.php?email=mazhiling@ronglee.com&method=post&len
User-Agent:
HTTP GET: http://possibletraining.net/index.php?email=mazhiling@ronglee.com&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.15:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1033 ➝ 82.98.134.9:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.54:80
