Analysis Date: 2015-08-21 06:08:03
MD5: eefdc179ef184a698e216a3d60a3faa0
SHA1: c8df25b9400f02e71e0f60626dd1a9056f05ef99

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c7ba750a8f130ad4d41676d536b61c62 sha1: 42a9cd229054a83566716503fdadf474d35e2739 size: 1024
Section .rdata: md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024
Section .data: md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512
Section .rsrc: md5: f7ef86b274517230795bf4da5d81caba sha1: e7d6b5830eaaf92c877b30e29c762c806ec392ad size: 58368
Timestamp: 2014-06-26 11:37:02
PEhash: f13de80a8e0ee698bbf613cc72d0cfdb65aee45e
IMPhash: 4ca0a0adb97211d9334271ded971bdde
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.327123
AV Dr. Web: Trojan.MulDrop3.14959
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.327123
AV BullGuard: Gen:Variant.Kazy.327123
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail
AV CAT (quickheal): Trojan.Generic.r4
AV Trend Micro: TROJ_CUTWAIL.SM0
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Kryptik.Win32.767433
AV Emsisoft: Gen:Variant.Kazy.327123
AV Ikarus: Trojan.Win32.Cutwail
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: Trojan.Agent.US
AV MicroWorld (escan): Gen:Variant.Kazy.327123
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV K7: Trojan ( 0049c2dc1 )
AV BitDefender: Gen:Variant.Kazy.327123
AV Fortinet: W32/Generic.BG!tr
AV Symantec: Trojan.Zbot
AV Grisoft (avg): Agent
AV Eset (nod32): Win32/Kryptik.CFFF
AV Alwil (avast): Cutwail-CM [Trj]
AV Ad-Aware: Gen:Variant.Kazy.327123
AV Twister: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: Downloader-FAKU!EEFDC179EF18
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\goqgenimywos ➝ C:\Documents and Settings\Administrator\goqgenimywos.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\synergistic-technologies[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\public3.sta.net[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\keanstech[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\petshop-pinky[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fullbrookconsulting[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fvs-net.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[2].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\worklifesupport[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\office-gita[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hotel-otrada[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\goqgenimywos.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ingimex[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dt.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\porterwisconsin[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kin-sei[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\makrocorretora.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\owensound.library.on[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\synergistic-technologies[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\public3.sta.net[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\keanstech[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\petshop-pinky[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fullbrookconsulting[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fvs-net.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[2].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\worklifesupport[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\office-gita[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hotel-otrada[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ingimex[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\porterwisconsin[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dt.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\makrocorretora.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kin-sei[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\owensound.library.on[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: goqgenimywos
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: porterwisconsin.com
Winsock DNS: keitai-tengoku.com
Winsock DNS: office-gita.com
Winsock DNS: public3.sta.net.cn
Winsock DNS: hotel-otrada.com
Winsock DNS: ingimex.com
Winsock DNS: petshop-pinky.com
Winsock DNS: synergistic-technologies.com
Winsock DNS: keanstech.com
Winsock DNS: owensound.library.on.ca
Winsock DNS: dt.com.pl
Winsock DNS: wex-americas.com
Winsock DNS: imposible.com
Winsock DNS: fullbrookconsulting.com
Winsock DNS: tasteofcharlotte.com
Winsock DNS: shirleyatkinson.com
Winsock DNS: kin-sei.com
Winsock DNS: worklifesupport.com
Winsock DNS: makrocorretora.com.br
Winsock DNS: fvs-net.co.jp

Network Details:

DNS: smtp.glbdns2.microsoft.com (A) ➝ 65.55.163.152
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 98.139.211.125
DNS: smtp.mail.global.gm0.yahoodns.net (A) ➝ 63.250.193.228
DNS: keanstech.com (A) ➝ 58.185.235.178
DNS: owensound.library.on.ca (A) ➝ 64.50.166.194
DNS: synergistic-technologies.com (A) ➝ 66.49.192.239
DNS: ingimex.com (A) ➝ 94.229.164.169
DNS: worklifesupport.com (A) ➝ 104.28.0.81
DNS: worklifesupport.com (A) ➝ 104.28.1.81
DNS: fvs-net.co.jp (A) ➝ 157.112.158.27
DNS: fullbrookconsulting.com (A) ➝ 88.208.252.229
DNS: makrocorretora.com.br (A) ➝ 184.107.226.59
DNS: porterwisconsin.com (A) ➝ 50.116.77.1
DNS: shirleyatkinson.com (A) ➝ 80.94.193.27
DNS: keitai-tengoku.com (A) ➝ 219.94.200.18
DNS: imposible.com (A) ➝ 185.66.175.183
DNS: kin-sei.com (A) ➝ 59.106.61.119
DNS: office-gita.com (A) ➝ 219.94.192.25
DNS: hotel-otrada.com (A) ➝ 90.156.201.35
DNS: hotel-otrada.com (A) ➝ 90.156.201.65
DNS: hotel-otrada.com (A) ➝ 90.156.201.87
DNS: hotel-otrada.com (A) ➝ 90.156.201.97
DNS: tasteofcharlotte.com (A) ➝ 208.112.63.80
DNS: dt.com.pl (A) ➝ 213.189.53.79
DNS: public3.sta.net.cn (A) ➝ 218.1.66.90
DNS: petshop-pinky.com (A) ➝ 210.239.8.163
DNS: smtp.live.com (A)
DNS: smtp.mail.yahoo.com (A)
DNS: wex-americas.com (A)
HTTP POST: http://synergistic-technologies.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ingimex.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://keanstech.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://owensound.library.on.ca/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://fvs-net.co.jp/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://fullbrookconsulting.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://worklifesupport.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://makrocorretora.com.br/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://porterwisconsin.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://shirleyatkinson.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://keitai-tengoku.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://imposible.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://kin-sei.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://office-gita.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://hotel-otrada.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://tasteofcharlotte.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://tasteofcharlotte.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://dt.com.pl/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://public3.sta.net.cn/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
Flows TCP: 192.168.1.1:1041 ➝ 66.49.192.239:80
Flows TCP: 192.168.1.1:1042 ➝ 94.229.164.169:80
Flows TCP: 192.168.1.1:1044 ➝ 58.185.235.178:80
Flows TCP: 192.168.1.1:1045 ➝ 64.50.166.194:80
Flows TCP: 192.168.1.1:1046 ➝ 157.112.158.27:80
Flows TCP: 192.168.1.1:1048 ➝ 88.208.252.229:80
Flows TCP: 192.168.1.1:1047 ➝ 104.28.0.81:80
Flows TCP: 192.168.1.1:1049 ➝ 184.107.226.59:80
Flows TCP: 192.168.1.1:1053 ➝ 50.116.77.1:80
Flows TCP: 192.168.1.1:1055 ➝ 80.94.193.27:80
Flows TCP: 192.168.1.1:1056 ➝ 219.94.200.18:80
Flows TCP: 192.168.1.1:1057 ➝ 185.66.175.183:80
Flows TCP: 192.168.1.1:1058 ➝ 59.106.61.119:80
Flows TCP: 192.168.1.1:1059 ➝ 219.94.192.25:80
Flows TCP: 192.168.1.1:1060 ➝ 90.156.201.35:80
Flows TCP: 192.168.1.1:1061 ➝ 208.112.63.80:80
Flows TCP: 192.168.1.1:1062 ➝ 208.112.63.80:80
Flows TCP: 192.168.1.1:1063 ➝ 213.189.53.79:80
Flows TCP: 192.168.1.1:1064 ➝ 218.1.66.90:80