Analysis Date: 2018-05-19 17:17:51
MD5: 7145ba6c8483d5cb28183f713f0ef03f
SHA1: c32cfc123b6f227ac5292c93bff9e7519d0ae163

Static Details:

AV Arcabit (arcavir): Trojan.Agent.CWBV
AV Authentium: W32/S-7c2ff71d!Eldorado
AV Grisoft (avg): Error Scanning File
AV Avira (antivir): No Virus
AV Alwil (avast): Dropper-gen [Drp]
AV Ad-Aware: Trojan.Agent.CWBV
AV BitDefender: Trojan.Agent.CWBV
AV BullGuard: Trojan.Agent.CWBV
AV ClamAV: No Virus
AV Dr. Web: Trojan.Siggen7.41778
AV Emsisoft: Trojan.Agent.CWBV
AV MicroWorld (escan): Trojan.Agent.CWBV
AV CA (E-Trust Ino): No Virus
AV Fortinet: W32/Kryptik.GDQR!tr
AV Frisk (f-prot): W32/S-7c2ff71d!Eldorado
AV F-Secure: Trojan.Agent.CWBV
AV Ikarus: PUA.Win32.Prepscram
AV K7: Trojan ( 00526e411 )
AV Kaspersky: Hoax.Win32.ArchSMS.gen
AV MalwareBytes: Error Scanning File
AV Mcafee: No Virus
AV Microsoft Security Essentials: SoftwareBundler:Win32/Prepscram
AV NANO: Riskware.Win32.ArchSMS.eyvowo
AV NANO: Riskware.Win32.ArchSMS.eyvowy
AV NANO: Riskware.Win32.ArchSMS.eyvoxk
AV NANO: Riskware.Win32.ArchSMS.eyvpcy
AV NANO: Riskware.Win32.ArchSMS.eyvpgx
AV NANO: Riskware.Win32.ArchSMS.eyvpix
AV NANO: Riskware.Win32.ArchSMS.eyvpkz
AV NANO: Riskware.Win32.ArchSMS.eyvpnj
AV Eset (nod32): Win32/Kryptik.GEGC
AV Padvish: No Virus
AV CAT (quickheal): No Virus
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: No Virus
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): BScope.AdWare.StartSurf
AV Windows Defender: SoftwareBundler:Win32/Prepscram
AV Zillya!: No Virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\c32cfc123b6f227ac5292c93bff9e7519d0ae163.exe

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 68747470 3a2f2f62 7573682e   GET http://bush.
0x00000010 (00016)   62617369 6e616674 65727468 6f756768   basinafterthough
0x00000020 (00032)   742e6269 642f685f 72656469 722e7068   t.bid/h_redir.ph
0x00000030 (00048)   703f6f66 6665725f 69643d34 26616666   p?offer_id=4&aff
0x00000040 (00064)   5f69643d 35323430 26736f75 7263653d   _id=5240&source=
0x00000050 (00080)   36363236 26616666 5f737562 3d313026   6626&aff_sub=10&
0x00000060 (00096)   6166665f 73756232 3d353533 35383837   aff_sub2=5535887
0x00000070 (00112)   39362661 66665f73 7562333d 35353335   96&aff_sub3=5535
0x00000080 (00128)   38383739 36266166 665f7375 62343d35   88796&aff_sub4=5
0x00000090 (00144)   61613665 38326534 38663137 26616666   aa6e82e48f17&aff
0x000000a0 (00160)   5f737562 353d3134 30393038 39333030   _sub5=1409089300
0x000000b0 (00176)   2675726c 3d687474 70253341 25324625   &url=http%3A%2F%
0x000000c0 (00192)   32466275 73682e62 6173696e 61667465   2Fbush.basinafte
0x000000d0 (00208)   7274686f 75676874 2e626964 2f6f6666   rthought.bid/off
0x000000e0 (00224)   65722e70 68702533 46616666 49642533   er.php%3FaffId%3
0x000000f0 (00240)   447b6166 665f6964 7d253236 74726163   D{aff_id}%26trac
0x00000100 (00256)   6b696e67 49642533 44333236 33313435   kingId%3D3263145
0x00000110 (00272)   35372532 36696e73 74496425 33443636   57%26instId%3D66
0x00000120 (00288)   32362532 36686f5f 74726163 6b696e67   26%26ho_tracking
0x00000130 (00304)   69642533 447b7472 616e7361 6374696f   id%3D{transactio
0x00000140 (00320)   6e5f6964 7d253236 63632533 447b636f   n_id}%26cc%3D{co
0x00000150 (00336)   756e7472 795f636f 64657d25 32366363   untry_code}%26cc
0x00000160 (00352)   5f747970 25334468 6f253236 73622533   _typ%3Dho%26sb%3
0x00000170 (00368)   44783634 2532366e 65742533 44332e35   Dx64%26net%3D3.5
0x00000180 (00384)   2e333037 32392e34 39323625 32366965   .30729.4926%26ie
0x00000190 (00400)   25334438 25326530 25326537 36303025   %3D8%2e0%2e7600%
0x000001a0 (00416)   32653136 33383525 32367776 25334437   2e16385%26wv%3D7
0x000001b0 (00432)   25323664 62253344 496e7465 726e6574   %26db%3DInternet
0x000001c0 (00448)   4578706c 6f726572 25323675 61632533   Explorer%26uac%3
0x000001d0 (00464)   44312532 36636964 25334465 35366339   D1%26cid%3De56c9
0x000001e0 (00480)   33656234 38363631 37623162 63636438   3eb486617b1bccd8
0x000001f0 (00496)   37653134 38366336 37376425 32366f73   7e1486c677d%26os
0x00000200 (00512)   64253344 37342532 36726573 25334438   d%3D74%26res%3D8
0x00000210 (00528)   30307836 30302532 36762533 44332048   00x600%26v%3D3 H
0x00000220 (00544)   5454502f 312e310d 0a486f73 743a2062   TTP/1.1..Host: b
0x00000230 (00560)   7573682e 62617369 6e616674 65727468   ush.basinafterth
0x00000240 (00576)   6f756768 742e6269 640d0a43 6f6e6e65   ought.bid..Conne
0x00000250 (00592)   6374696f 6e3a2063 6c6f7365 0d0a4163   ction: close..Ac
0x00000260 (00608)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x00000270 (00624)   4167656e 743a2049 6e737461 6c6c4361   Agent: InstallCa
0x00000280 (00640)   70697461 6c0d0a0d 0a                  pital....

0x00000000 (00000)   47455420 68747470 3a2f2f62 7573682e   GET http://bush.
0x00000010 (00016)   62617369 6e616674 65727468 6f756768   basinafterthough
0x00000020 (00032)   742e6269 642f6f66 6665722e 7068703f   t.bid/offer.php?
0x00000030 (00048)   61666649 643d3532 34302674 7261636b   affId=5240&track
0x00000040 (00064)   696e6749 643d3332 36333134 35353726   ingId=326314557&
0x00000050 (00080)   696e7374 49643d36 36323626 686f5f74   instId=6626&ho_t
0x00000060 (00096)   7261636b 696e6769 643d484f 35623030   rackingid=HO5b00
0x00000070 (00112)   35633362 34613930 39266363 3d444526   5c3b4a909&cc=DE&
0x00000080 (00128)   63635f74 79703d68 6f267362 3d783634   cc_typ=ho&sb=x64
0x00000090 (00144)   266e6574 3d332e35 2e333037 32392e34   &net=3.5.30729.4
0x000000a0 (00160)   39323626 69653d38 2e302e37 3630302e   926&ie=8.0.7600.
0x000000b0 (00176)   31363338 35267776 3d372664 623d496e   16385&wv=7&db=In
0x000000c0 (00192)   7465726e 65744578 706c6f72 65722675   ternetExplorer&u
0x000000d0 (00208)   61633d31 26636964 3d653536 63393365   ac=1&cid=e56c93e
0x000000e0 (00224)   62343836 36313762 31626363 64383765   b486617b1bccd87e
0x000000f0 (00240)   31343836 63363737 64266f73 643d3734   1486c677d&osd=74
0x00000100 (00256)   26726573 3d383030 78363030 26763d33   &res=800x600&v=3
0x00000110 (00272)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000120 (00288)   20627573 682e6261 73696e61 66746572    bush.basinafter
0x00000130 (00304)   74686f75 6768742e 6269640d 0a436f6e   thought.bid..Con
0x00000140 (00320)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000150 (00336)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000160 (00352)   722d4167 656e743a 20496e73 74616c6c   r-Agent: Install
0x00000170 (00368)   43617069 74616c0d 0a0d0a33 44332e35   Capital....3D3.5
0x00000180 (00384)   2e333037 32392e34 39323625 32366965   .30729.4926%26ie
0x00000190 (00400)   25334438 25326530 25326537 36303025   %3D8%2e0%2e7600%
0x000001a0 (00416)   32653136 33383525 32367776 25334437   2e16385%26wv%3D7
0x000001b0 (00432)   25323664 62253344 496e7465 726e6574   %26db%3DInternet
0x000001c0 (00448)   4578706c 6f726572 25323675 61632533   Explorer%26uac%3
0x000001d0 (00464)   44312532 36636964 25334465 35366339   D1%26cid%3De56c9
0x000001e0 (00480)   33656234 38363631 37623162 63636438   3eb486617b1bccd8
0x000001f0 (00496)   37653134 38366336 37376425 32366f73   7e1486c677d%26os
0x00000200 (00512)   64253344 37342532 36726573 25334438   d%3D74%26res%3D8
0x00000210 (00528)   30307836 30302532 36762533 44332048   00x600%26v%3D3 H
0x00000220 (00544)   5454502f 312e310d 0a486f73 743a2062   TTP/1.1..Host: b
0x00000230 (00560)   7573682e 62617369 6e616674 65727468   ush.basinafterth
0x00000240 (00576)   6f756768 742e6269 640d0a43 6f6e6e65   ought.bid..Conne
0x00000250 (00592)   6374696f 6e3a2063 6c6f7365 0d0a4163   ction: close..Ac
0x00000260 (00608)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x00000270 (00624)   4167656e 743a2049 6e737461 6c6c4361   Agent: InstallCa
0x00000280 (00640)   70697461 6c0d0a0d 0a                  pital....


Strings