Analysis Date: 2015-08-31 08:29:50
MD5: 8bc5d16869e989b8ba8ba1e4bec3d5cf
SHA1: c68ce11e6c1d968d1cb9571728b76afe2b77d03e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section install: md5: e1f7693ff41e2a8911bf2ee5eebbc168 sha1: e45fa17dd4951b50726d532286f077503704e9f1 size: 512
Section .data: md5: 74ce47c26e784f85d10b4c83cec73e56 sha1: 4c51cc30a445a65184b9baa3f56d1188864061ad size: 78848
Section .rsrc: md5: 77291e044f72b3c4006624694015bceb sha1: 267724b6a9efcc3a4ab3553f724b7acd8058158f size: 9216
Timestamp: 2014-01-13 00:46:46
Version:
  LegalCopyright: Copyright © 1998-2011 Codejock Software, All Rights Reserved
  InternalName: Xtreme ToolkitPro
  FileVersion: 15.2.1.0
  CompanyName: Codejock Software
  PrivateBuild: 20120830.01
  LegalTrademarks:
  Comments:
  ProductName: Xtreme ToolkitPro v15.2.1
  SpecialBuild:
  ProductVersion: 15.2.1
  FileDescription: Xtreme ToolkitPro
  OriginalFilename: Xtreme ToolkitPro.EXE
Packer: Microsoft Visual C++ v6.0
PEhash: 6e4f8ea0764133c56b36e570fb78e80ba2d5954e
IMPhash: ee349f2838eb4a8578b72443c467a36e
AV (Emsisoft): Gen:Variant.Symmi.26451
AV (Mcafee): no_virus
AV (Symantec): Infostealer
AV (CA (E-Trust Ino)): no_virus
AV (Zillya!): Trojan.Staser.Win32.203
AV (VirusBlokAda (vba32)): BScope.P2P-Worm.Palevo
AV (Padvish): no_virus
AV (Grisoft (avg)): Generic_r.BZC
AV (Eset (nod32)): Win32/Farfli.ARD
AV (Frisk (f-prot)): W32/Downloader.J.gen!Eldorado
AV (Arcabit (arcavir)): Gen:Variant.Symmi.26451
AV (MalwareBytes): no_virus
AV (Trend Micro): no_virus
AV (F-Secure): Gen:Variant.Symmi.26451
AV (Ad-Aware): Gen:Variant.Symmi.26451
AV (Ikarus): Backdoor.Win32.Zegost
AV (Twister): Trojan.62101D35F8D34C28
AV (Microsoft Security Essentials): Backdoor:Win32/Zegost.BW
AV (BullGuard): Gen:Variant.Symmi.26451
AV (ClamAV): no_virus
AV (Authentium): W32/Downloader.J.gen!Eldorado
AV (BitDefender): Gen:Variant.Symmi.26451
AV (MicroWorld (escan)): Gen:Variant.Symmi.26451
AV (Fortinet): W32/Farfli.PZA!tr
AV (Alwil (avast)): Downloader-VIR [Trj]
AV (Kaspersky): Trojan.Win32.Generic
AV (CAT (quickheal)): Backdoor.Zegost.r3
AV (Rising): no_virus
AV (Dr. Web): BackDoor.Spy.422
AV (K7): Trojan ( 004957f21 )
AV (Avira (antivir)): TR/Zegost.A.29
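The vendor table above mixes specific family names (Zegost, Farfli, Staser, Palevo) with heuristic labels (Generic, Downloader, Infostealer), and several vendors return the byte-identical string Gen:Variant.Symmi.26451, which is what shared scanning engines produce. A raw "24 of 31 detected" count therefore overstates how much independent evidence there is for any one family. The following is an added example, not code from the sandbox or from any vendor: it parses the rows as transcribed from this report, strips platform and type prefixes, and ranks families by the number of distinct label strings rather than by vendor count. The STRUCTURAL and GENERIC token lists are analyst choices, not anything the page states.

```python
import re
from collections import Counter, defaultdict

# Vendor/verdict pairs transcribed from the AV table in this report.
AV_ROWS = [
    ("Emsisoft", "Gen:Variant.Symmi.26451"),
    ("Mcafee", "no_virus"),
    ("Symantec", "Infostealer"),
    ("CA (E-Trust Ino)", "no_virus"),
    ("Zillya!", "Trojan.Staser.Win32.203"),
    ("VirusBlokAda (vba32)", "BScope.P2P-Worm.Palevo"),
    ("Padvish", "no_virus"),
    ("Grisoft (avg)", "Generic_r.BZC"),
    ("Eset (nod32)", "Win32/Farfli.ARD"),
    ("Frisk (f-prot)", "W32/Downloader.J.gen!Eldorado"),
    ("Arcabit (arcavir)", "Gen:Variant.Symmi.26451"),
    ("MalwareBytes", "no_virus"),
    ("Trend Micro", "no_virus"),
    ("F-Secure", "Gen:Variant.Symmi.26451"),
    ("Ad-Aware", "Gen:Variant.Symmi.26451"),
    ("Ikarus", "Backdoor.Win32.Zegost"),
    ("Twister", "Trojan.62101D35F8D34C28"),
    ("Microsoft Security Essentials", "Backdoor:Win32/Zegost.BW"),
    ("BullGuard", "Gen:Variant.Symmi.26451"),
    ("ClamAV", "no_virus"),
    ("Authentium", "W32/Downloader.J.gen!Eldorado"),
    ("BitDefender", "Gen:Variant.Symmi.26451"),
    ("MicroWorld (escan)", "Gen:Variant.Symmi.26451"),
    ("Fortinet", "W32/Farfli.PZA!tr"),
    ("Alwil (avast)", "Downloader-VIR [Trj]"),
    ("Kaspersky", "Trojan.Win32.Generic"),
    ("CAT (quickheal)", "Backdoor.Zegost.r3"),
    ("Rising", "no_virus"),
    ("Dr. Web", "BackDoor.Spy.422"),
    ("K7", "Trojan ( 004957f21 )"),
    ("Avira (antivir)", "TR/Zegost.A.29"),
]

# Analyst-chosen lists. STRUCTURAL tokens carry platform or threat-type
# information, not a family; GENERIC tokens name a behaviour or heuristic.
STRUCTURAL = {"gen", "variant", "win32", "w32", "tr", "trojan", "backdoor",
              "bscope", "trj", "worm", "p2p", "spy"}
GENERIC = {"generic", "downloader", "infostealer", "vir"}


def family_of(verdict):
    """Family token of a verdict, "generic" for heuristic labels, None if clean."""
    if verdict == "no_virus":
        return None
    for tok in re.split(r"[/:.\s()\[\]!_-]+", verdict):
        if not tok or tok.lower() in STRUCTURAL:
            continue
        # Variant numbers and hash-like identifiers are not family names.
        if tok.isdigit() or re.fullmatch(r"[0-9a-f]{6,}", tok, re.I):
            continue
        return "generic" if tok.lower() in GENERIC else tok
    return "generic"


def summarize(rows):
    """Detection ratio plus, per family, vendor count and distinct label count.

    Identical label strings across vendors usually mean a shared engine, so the
    consensus family is the one with the most *distinct* labels, vendor count
    only breaking ties."""
    vendors = Counter()
    labels = defaultdict(set)
    detected = 0
    for vendor, verdict in rows:
        fam = family_of(verdict)
        if fam is None:
            continue
        detected += 1
        vendors[fam] += 1
        labels[fam].add(verdict)
    distinct = {fam: len(s) for fam, s in labels.items()}
    named = [f for f in distinct if f != "generic"]
    consensus = max(named, key=lambda f: (distinct[f], vendors[f])) if named else None
    return {"total": len(rows), "detected": detected, "by_vendor": dict(vendors),
            "distinct_labels": distinct, "consensus": consensus}


if __name__ == "__main__":
    print(summarize(AV_ROWS))
```

On this report the seven Symmi rows collapse to one independent label, while Zegost is named four different ways by four engines, which is the stronger signal for a family pivot.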

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mnopqr Tuvwxyab Def\Description ➝ Mnopqrst Vwxyabcde Ghijklm Opqrstuv Xya
Creates File: C:\WINDOWS\rebfec.exe
Creates Process: > nul
Creates Mutex: C:\malware.exe
Creates Service: Mnopqr Tuvwxyab Defghijk Mnop - C:\WINDOWS\rebfec.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\rebfec.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: C:\WINDOWS\rebfec.exe
Creates Mutex: 127.0.0.1:2014

Process
↳ > nul
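The persistence recorded above has two properties worth turning into a hunt: the service name "Mnopqr Tuvwxyab Defghijk Mnop" and its description "Mnopqrst Vwxyabcde Ghijklm Opqrstuv Xya" are made entirely of words that are runs of consecutive letters (wrapping from y back to a, never using z), and the service binary C:\WINDOWS\rebfec.exe lives directly in the Windows directory rather than in System32. The following is an added example, not code from the sandbox: it scores service-install records (the fields of a System log event 7045 or a Services registry key) against both traits. The three records are constructed; only the first mirrors this report, the other two are invented controls, and the trait lists are analyst assumptions.

```python
import ntpath
import re

# The names in this report wrap y -> a and never contain z, so a 25-letter
# alphabet is tried alongside the ordinary 26-letter one.
ALPHABETS = ("abcdefghijklmnopqrstuvwxyz", "abcdefghijklmnopqrstuvwxy")


def is_alphabet_run(word, min_len=3):
    """True if `word` is consecutive letters of one of ALPHABETS, cyclically."""
    w = word.lower()
    if len(w) < min_len:
        return False
    for alpha in ALPHABETS:
        if not all(c in alpha for c in w):
            continue
        idx = [alpha.index(c) for c in w]
        if all((b - a) % len(alpha) == 1 for a, b in zip(idx, idx[1:])):
            return True
    return False


def is_sequential_name(text):
    """True if every whitespace-separated word of `text` is an alphabet run."""
    words = text.split()
    return bool(words) and all(is_alphabet_run(w) for w in words)


def in_windows_root(image_path, windows_dir=r"C:\WINDOWS"):
    """True if the service executable sits directly in the Windows directory.

    ImagePath may be quoted and may carry arguments; the path is cut at the
    first .exe so both forms are handled."""
    m = re.match(r'"?(.*?\.exe)', image_path.strip(), re.I)
    if not m:
        return False
    return ntpath.dirname(m.group(1)).rstrip("\\").lower() == windows_dir.lower()


def triage_service(record):
    """Reasons a service-install record resembles this sample's persistence."""
    reasons = []
    if is_sequential_name(record.get("ServiceName", "")):
        reasons.append("service name is consecutive-letter words")
    if is_sequential_name(record.get("Description", "")):
        reasons.append("description is consecutive-letter words")
    if in_windows_root(record.get("ImagePath", "")):
        reasons.append("binary runs directly from the Windows directory")
    return reasons


def triage(records):
    """Map ServiceName -> reasons for every record that matched at least one trait."""
    hits = {}
    for r in records:
        reasons = triage_service(r)
        if reasons:
            hits[r["ServiceName"]] = reasons
    return hits


# Constructed records. The first is taken from this report; the other two are
# invented controls (Spooler is a real Windows service name, VendorAgent is not).
SAMPLE_RECORDS = [
    {"ServiceName": "Mnopqr Tuvwxyab Defghijk Mnop",
     "Description": "Mnopqrst Vwxyabcde Ghijklm Opqrstuv Xya",
     "ImagePath": r"C:\WINDOWS\rebfec.exe"},
    {"ServiceName": "Spooler", "Description": "Print Spooler",
     "ImagePath": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"ServiceName": "VendorAgent", "Description": "Vendor endpoint agent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" -service'},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RECORDS).items():
        print(name, "->", "; ".join(reasons))
```

The consecutive-letter test is specific to how this sample generates names and should be one signal among several; the Windows-root check alone fires on some legitimate installers, so treat a record that matches only that trait as a lead, not a verdict. Note also that the registry write above names the service key "Mnopqr Tuvwxyab Def" while the service creation line reports the longer "Mnopqr Tuvwxyab Defghijk Mnop"; both strings pass the same test.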

Network Details:

DNS: dnspod-free.mydnspod.net (Type: A) ➝ 119.28.48.229
DNS: server1.64838.com (Type: A) ➝ (no answer listed)
Flows TCP: 192.168.1.1:1032 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1034 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1036 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1038 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1040 ➝ 119.28.48.229:8000
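The five flows above all go to 119.28.48.229:8000 from strictly increasing source ports (1032, 1034, ... 1040), i.e. a new socket per attempt rather than one long-lived session, which is what a reconnect loop looks like when the controller does not answer in the sandbox. The only name that resolved to that address is dnspod-free.mydnspod.net; server1.64838.com was queried but no answer is listed. The following is an added example, not part of the report or the sandbox's tooling: it parses the Network Details lines as transcribed here and reduces them to a C2 endpoint, its attempt count, the hostnames that resolved to it, and the queries that went unanswered. The min_flows threshold is an analyst choice.

```python
import re
from collections import defaultdict

# Network Details lines transcribed from this report.
NETWORK_LINES = """\
DNS: dnspod-free.mydnspod.net (Type: A) ➝ 119.28.48.229
DNS: server1.64838.com (Type: A) ➝ (no answer listed)
Flows TCP: 192.168.1.1:1032 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1034 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1036 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1038 ➝ 119.28.48.229:8000
Flows TCP: 192.168.1.1:1040 ➝ 119.28.48.229:8000
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The answer group is optional so an unanswered query still parses.
DNS_RE = re.compile(rf"^DNS:\s+(\S+)\s+\(Type:\s+(\w+)\)\s+(?:➝|->)\s+({IPV4})?")
FLOW_RE = re.compile(rf"^Flows\s+(\w+):\s+({IPV4}):(\d+)\s+(?:➝|->)\s+({IPV4}):(\d+)")


def parse(text):
    """Split the report text into DNS records and flow records."""
    dns, flows = [], []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            dns.append({"name": m[1], "type": m[2], "answer": m[3]})
            continue
        m = FLOW_RE.match(line)
        if m:
            flows.append({"proto": m[1], "src": m[2], "sport": int(m[3]),
                          "dst": m[4], "dport": int(m[5])})
    return dns, flows


def reconnect_loops(flows, min_flows=3):
    """Destinations contacted at least min_flows times from strictly increasing
    source ports, in the order the flows were recorded."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[(f["dst"], f["dport"])].append(f["sport"])
    return {dst: len(ports) for dst, ports in by_dst.items()
            if len(ports) >= min_flows
            and all(b > a for a, b in zip(ports, ports[1:]))}


def names_for(dns, ip):
    """Hostnames whose recorded answer is `ip`."""
    return sorted(d["name"] for d in dns if d["answer"] == ip)


def unresolved(dns):
    """Queried names with no answer listed."""
    return sorted(d["name"] for d in dns if d["answer"] is None)


def iocs(text):
    dns, flows = parse(text)
    loops = reconnect_loops(flows)
    return {
        "c2": [{"ip": ip, "port": port, "attempts": n, "names": names_for(dns, ip)}
               for (ip, port), n in loops.items()],
        "unresolved": unresolved(dns),
    }


if __name__ == "__main__":
    print(iocs(NETWORK_LINES))
```

Block on the hostname as well as the address: the name is under a third-party DNS hosting domain, so the IP can be repointed at any time, and the unanswered query for server1.64838.com is a second name worth watching. The mutex 127.0.0.1:2014 created by rebfec.exe is shaped like a host:port string but does not match the observed endpoint, so it should not be used as a network indicator on its own.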
