Analysis Date: 2016-03-26 18:29:53
MD5: f7cf205d5873841e2255b9324b8aeba0
SHA1: cde004de29a41971c0bc88543011c8ab9be815cd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ab6a4607487196d3ab7c6192ac2ac1f9 sha1: 3fe120349699c2a3425cf02c3c167a5b0cbef5fd size: 86016
Section .rdata: md5: cfa0d799ebbecf0b4cc8c1b3d3b85f72 sha1: 50676effd7577e64dae8dc0d4cbe38a524a084ea size: 14848
Section .data: md5: 5ed81ce785be786863af1257779f0d41 sha1: a7484b81e7ce1927ff0dde9e69746639c22f7843 size: 80896
Section .rsrc: md5: bb18881c5a6c9fd58d8d7efd0ae7e0ef sha1: 64b631a519a8a43ee2db73c486f9cba9aeef953a size: 170496
Timestamp: 2016-03-21 16:35:59
Packer: Microsoft Visual C++ ?.?
PEhash: 992b2fc53148b7883f55938df9d05e7a18ea4321
IMPhash: 4866a5dd32abc3e48ca108b747dcda79
AV CA (E-Trust Ino): Gen:Variant.Zusy.185855
AV Microsoft Security Essentials: Worm:Win32/Kasidet!rfn
AV Rising: No Virus
AV Mcafee: RDN/Generic.hbg
AV MicroWorld (escan): Gen:Variant.Midie.8447
AV MalwareBytes: No Virus
AV Avira (antivir): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): No Virus
AV Authentium: W32/Backdoor.VOQK-5279
AV Emsisoft: Gen:Variant.Zusy.185855
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.185855
AV Zillya!: No Virus
AV Kaspersky: No Virus
AV Trend Micro: No Virus
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ERXK
AV Grisoft (avg): Crypt_r.BOG
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Symantec: Trojan.Cryptlock.N!g6
AV BullGuard: Gen:Variant.Zusy.185855
AV Arcabit (arcavir): Gen:Variant.Zusy.185855
AV Fortinet: W32/Kryptik.ERUZ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Zusy.185855
AV Dr. Web: BackDoor.IRC.NgrBot.566
AV K7: Trojan ( 004e112e1 )
AV F-Secure: Gen:Variant.Zusy.185855

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\twunk_32.exe ➝
C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\alFSVWJB\
Creates File: C:\WINDOWS\kernel32.dll
Creates File: C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe
Creates Process: /a /c ping 127.0.0.1 -n 3&del "C:\malware.exe"
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\CDE004~1.EXE
Creates Process: C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe C:\CDE004~1.EXE
Creates Mutex: alFSVWJB

Process
↳ C:\WINDOWS\system32\cmd.exe

Process
↳ /a /c ping 127.0.0.1 -n 3&del "C:\malware.exe"

Creates Process: ping 127.0.0.1 -n 3

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\CDE004~1.EXE

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe C:\CDE004~1.EXE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\twunk_32.exe ➝
C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe (followed by a run of trailing \x00 padding bytes in the value data)
Creates File: C:\WINDOWS\kernel32.dll
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\alFSVWJB.job
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe
Creates Mutex: alFSVWJB

Process
↳ ping 127.0.0.1 -n 3

Winsock DNS: 127.0.0.1
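The runtime events above record a common persistence-and-cleanup sequence: a Run key pointing at a copy dropped under Application Data, a Task Scheduler job file under C:\WINDOWS\Tasks, a ping-delayed self-delete through cmd.exe, and a mutex whose name (alFSVWJB) is reused as the drop directory and job name. The Python below is an added triage helper written for this page; it is not part of the sandbox report or of any tool named on it. The event list is constructed from the report's own lines with the key/value separator restored, and the tag names, regexes and function names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the runtime events from the report above, as
# (kind, value) pairs with the key/value separator restored.
SAMPLE_EVENTS = [
    ("Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\twunk_32.exe"
     r" -> C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe"),
    ("Creates File", r"C:\Documents and Settings\Administrator\Application Data\alFSVWJB\twunk_32.exe"),
    ("Creates File", r"C:\WINDOWS\kernel32.dll"),
    ("Creates File", r"C:\WINDOWS\Tasks\alFSVWJB.job"),
    ("Creates File", r"PIPE\lsarpc"),
    ("Creates Process", r'/a /c ping 127.0.0.1 -n 3&del "C:\malware.exe"'),
    ("Creates Process", r"C:\WINDOWS\system32\cmd.exe /c del C:\CDE004~1.EXE"),
    ("Creates Mutex", "alFSVWJB"),
]

# Run / RunOnce value under any hive: "<key>\<value name> -> <target>"
RUN_KEY_RE = re.compile(r"^(.*\\CurrentVersion\\Run(?:Once)?)\\(\S+)\s*->\s*(.+)$", re.IGNORECASE)
# Classic self-delete: stall with N pings to localhost, then delete the original.
PING_DELETE_RE = re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*&+\s*del\s+"?([^"]+)"?', re.IGNORECASE)
# Plain "cmd.exe /c del <path>" without the ping stall.
CMD_DELETE_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(.+)$", re.IGNORECASE)
# Task Scheduler 1.0 job file under %SystemRoot%\Tasks.
TASK_JOB_RE = re.compile(r"\\Tasks\\[^\\]+\.job$", re.IGNORECASE)


def triage(events):
    """Map sandbox events to behaviour tags, each with its supporting indicators.

    Returns a plain dict so the result can go straight into a case note.
    """
    findings = defaultdict(list)
    created = set()  # lower-cased paths seen in "Creates File" events
    for kind, value in events:
        if kind == "Registry":
            m = RUN_KEY_RE.search(value)
            if m:
                findings["run_key_persistence"].append(
                    {"key": m.group(1), "value_name": m.group(2), "target": m.group(3).strip()})
        elif kind == "Creates File":
            created.add(value.lower())
            if TASK_JOB_RE.search(value):
                findings["scheduled_task_job"].append(value)
        elif kind == "Creates Process":
            m = PING_DELETE_RE.search(value)
            if m:
                findings["self_delete_after_ping_delay"].append(
                    {"delay_pings": int(m.group(1)), "target": m.group(2)})
                continue
            m = CMD_DELETE_RE.search(value)
            if m:
                findings["cmd_delete"].append(m.group(1).strip())
        elif kind == "Creates Mutex":
            findings["mutex"].append(value)

    # Correlations that say more than any single event does:
    # 1. the Run-key target is a file this run actually created, so persistence is live
    for f in findings.get("run_key_persistence", []):
        if f["target"].lower() in created:
            findings["persistence_target_dropped"].append(f["target"])
    # 2. the mutex name doubles as a directory / job name: a clustering pivot across samples
    for mutex in findings.get("mutex", []):
        if any(mutex.lower() in p for p in created):
            findings["mutex_name_reused_in_paths"].append(mutex)
    return dict(findings)


def host_artifacts(findings):
    """Flatten the findings into the (kind, artefact) pairs a responder checks on a live host."""
    items = []
    for f in findings.get("run_key_persistence", []):
        items.append(("registry", f["key"] + "\\" + f["value_name"]))
        items.append(("file", f["target"]))
    for job in findings.get("scheduled_task_job", []):
        items.append(("file", job))
    for mutex in findings.get("mutex", []):
        items.append(("mutex", mutex))
    return items


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for tag, hits in result.items():
        print(tag, hits)
    for kind, artefact in host_artifacts(result):
        print("check %-8s %s" % (kind, artefact))
```

Two caveats when reading this kind of report. "Creates File" entries such as PIPE\lsarpc and C:\WINDOWS\kernel32.dll read like handles being opened rather than files being written, so the helper never treats a "Creates File" line as a confirmed drop on its own; it only uses those paths to corroborate the Run-key target and the mutex name. And C:\CDE004~1.EXE is an 8.3 short name for a file whose long name begins with cde004, which matches the first characters of the sample's SHA1 above; when carving a sandbox trace into indicators, keep the 8.3 form as recorded rather than guessing the long name.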

Network Details:

