Analysis Date: 2015-11-10 19:28:48
MD5: 45e4469e7466a0c43adcab397a720932
SHA1: d1975029dead0f47999a2f1b67424961e8805573

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 57ec7665f18f41a20619277035c654a8  sha1: eea2f4c2a843ad3d93d791413c8c8481717aaf17  size: 297472
Section .rdata  md5: 6622e3fec7ac0e7be65f3fc693bda63a  sha1: deb93f64adcf15636fb56cbd9f59599c577ca1f4  size: 36352
Section .data   md5: d2bc4b92e7fb5d8977db1ac8315db20c  sha1: 300188cc6fdad98c33390b3d7f12e41486d03046  size: 94720
Timestamp: 2015-01-29 09:45:25
Packer: Microsoft Visual C++ ?.? (a compiler signature, not a packer; the sections above are standard MSVC layout)
PEhash: 38e749f7e10532130ada10f143bbadfc7c5ba784
IMPhash: a4f73e6023c2f4c82bbcad97a779572e
AV Rising: No Virus
AV Mcafee: Trojan-FEMT!45E4469E7466
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Rodecap.BE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Trojan.Gen
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Agent
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): No Virus
AV Padvish: No Virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader17.40716
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Reporting Background Portable Information ➝ C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\duxcsucjf\jntwnlxla.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.ce
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.exe"
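
The runtime behaviour above gives two host-side indicators worth turning into detection logic: an HKCU Run value that points at a freshly dropped, random-named executable under Application Data, and the dropped binary relaunching itself with the literal WATCHDOGPROC token as its first argument. The following is an added example, not part of the sandbox report; the event field names, the 6-16 letter bounds in the path pattern, the two-reason threshold and the two benign control events are assumptions made for the example.

```python
import re

# Run key under which the report shows the persistence value being written.
RUN_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.+",
    re.IGNORECASE,
)
# Drop location seen here: <profile>\Application Data\<lowercase dir>\<lowercase name>.exe
# Assumption: the 6-16 letter bounds are a guess from the two names in the report.
APPDATA_DROP_RE = re.compile(r"\\Application Data\\[a-z]{6,16}\\[a-z]{6,16}\.exe$")
# Child command line of the form: WATCHDOGPROC "<path to the same exe>"
WATCHDOG_RE = re.compile(r'^\s*WATCHDOGPROC\s+"(?P<target>[^"]+)"\s*$', re.IGNORECASE)


def score_registry_event(key: str, value: str) -> list:
    """Reasons a Run-key write resembles this sample's persistence, if any."""
    reasons = []
    if RUN_KEY_RE.match(key):
        reasons.append("HKCU Run autostart value written")
        if APPDATA_DROP_RE.search(value):
            reasons.append("autostart target is a random-named exe under Application Data")
    return reasons


def score_process_event(image: str, command_line: str, parent_image: str) -> list:
    """Reasons a process-create event resembles the watchdog relaunch seen here, if any."""
    reasons = []
    if APPDATA_DROP_RE.search(image):
        reasons.append("image is a random-named exe under Application Data")
    m = WATCHDOG_RE.match(command_line)
    if m:
        reasons.append("WATCHDOGPROC marker on the command line")
        same = image.lower()
        if m["target"].lower() == same and parent_image.lower() == same:
            reasons.append("self-relaunch: parent, image and argument are the same binary")
    return reasons


def triage(events) -> dict:
    """Score each event; an event is reported when it collects two or more reasons."""
    hits = []
    for ev in events:
        if ev["type"] == "registry":
            reasons = score_registry_event(ev["key"], ev["value"])
        else:
            reasons = score_process_event(ev["image"], ev["command_line"], ev["parent_image"])
        if len(reasons) >= 2:
            hits.append((ev, reasons))
    return {"suspicious": bool(hits), "hits": hits}


DROPPED = r"C:\Documents and Settings\Administrator\Application Data\duxcsucjf\vzwkyyvaqj.exe"

# Constructed events modelled on the runtime section of this report. Field names
# are the example's own, not those of any EDR product; the last two are benign controls.
SAMPLE_EVENTS = [
    {"type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Reporting Background Portable Information",
     "value": DROPPED},
    {"type": "process", "image": DROPPED,
     "command_line": f'WATCHDOGPROC "{DROPPED}"', "parent_image": DROPPED},
    {"type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
     "value": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"type": "process", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
     "parent_image": r"C:\WINDOWS\explorer.exe"},
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS)["hits"]:
        print(ev["type"], "->", "; ".join(reasons))
```

The path pattern is deliberately case-sensitive on the directory and file name, because the two names in this report are all-lowercase and mixed-case vendor paths such as Mozilla or Google should not match. It encodes the XP-era profile layout (Application Data) that the sandbox used; on Vista and later the equivalent location is AppData\Roaming, so the pattern needs that alternative before it is deployed. A Run value alone is not a verdict, which is why a single reason is not reported.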

Network Details:

DNS: twelveappear.net  A  208.100.26.234
DNS: historyanother.net  A  195.22.28.198
DNS: historyanother.net  A  195.22.28.199
DNS: historyanother.net  A  195.22.28.196
DNS: historyanother.net  A  195.22.28.197
DNS: historybusiness.net  A  91.195.240.101
DNS: classbusiness.net  A  66.55.83.0
DNS: thinkbright.net  A  160.153.92.162
DNS: oftenappear.net  A  (no answer recorded)
DNS: aloneappear.net  A  (no answer recorded)
DNS: middlemanner.net  A  (no answer recorded)
DNS: twelvemanner.net  A  (no answer recorded)
DNS: middleanother.net  A  (no answer recorded)
DNS: twelveanother.net  A  (no answer recorded)
DNS: middlebusiness.net  A  (no answer recorded)
DNS: twelvebusiness.net  A  (no answer recorded)
DNS: middleappear.net  A  (no answer recorded)
DNS: rathermanner.net  A  (no answer recorded)
DNS: morningmanner.net  A  (no answer recorded)
DNS: ratheranother.net  A  (no answer recorded)
DNS: morninganother.net  A  (no answer recorded)
DNS: ratherbusiness.net  A  (no answer recorded)
DNS: morningbusiness.net  A  (no answer recorded)
DNS: ratherappear.net  A  (no answer recorded)
DNS: morningappear.net  A  (no answer recorded)
DNS: strangemanner.net  A  (no answer recorded)
DNS: historymanner.net  A  (no answer recorded)
DNS: strangeanother.net  A  (no answer recorded)
DNS: strangebusiness.net  A  (no answer recorded)
DNS: strangeappear.net  A  (no answer recorded)
DNS: historyappear.net  A  (no answer recorded)
DNS: amountmanner.net  A  (no answer recorded)
DNS: weathermanner.net  A  (no answer recorded)
DNS: amountanother.net  A  (no answer recorded)
DNS: weatheranother.net  A  (no answer recorded)
DNS: amountbusiness.net  A  (no answer recorded)
DNS: weatherbusiness.net  A  (no answer recorded)
DNS: amountappear.net  A  (no answer recorded)
DNS: weatherappear.net  A  (no answer recorded)
DNS: thickmanner.net  A  (no answer recorded)
DNS: classmanner.net  A  (no answer recorded)
DNS: thickanother.net  A  (no answer recorded)
DNS: classanother.net  A  (no answer recorded)
DNS: thickbusiness.net  A  (no answer recorded)
DNS: thickappear.net  A  (no answer recorded)
DNS: classappear.net  A  (no answer recorded)
DNS: thinkinstead.net  A  (no answer recorded)
DNS: presentinstead.net  A  (no answer recorded)
DNS: thinkexplain.net  A  (no answer recorded)
DNS: presentexplain.net  A  (no answer recorded)
DNS: presentbright.net  A  (no answer recorded)
DNS: thinkinside.net  A  (no answer recorded)
DNS: presentinside.net  A  (no answer recorded)
DNS: chiefinstead.net  A  (no answer recorded)
DNS: collegeinstead.net  A  (no answer recorded)
DNS: chiefexplain.net  A  (no answer recorded)
DNS: collegeexplain.net  A  (no answer recorded)
DNS: chiefbright.net  A  (no answer recorded)
DNS: collegebright.net  A  (no answer recorded)
DNS: chiefinside.net  A  (no answer recorded)
DNS: collegeinside.net  A  (no answer recorded)
DNS: ofteninstead.net  A  (no answer recorded)
DNS: aloneinstead.net  A  (no answer recorded)
DNS: oftenexplain.net  A  (no answer recorded)
DNS: aloneexplain.net  A  (no answer recorded)
DNS: oftenbright.net  A  (no answer recorded)
DNS: alonebright.net  A  (no answer recorded)
DNS: ofteninside.net  A  (no answer recorded)
DNS: aloneinside.net  A  (no answer recorded)
DNS: middleinstead.net  A  (no answer recorded)
DNS: twelveinstead.net  A  (no answer recorded)
DNS: middleexplain.net  A  (no answer recorded)
DNS: twelveexplain.net  A  (no answer recorded)
DNS: middlebright.net  A  (no answer recorded)
DNS: twelvebright.net  A  (no answer recorded)
DNS: middleinside.net  A  (no answer recorded)
DNS: twelveinside.net  A  (no answer recorded)
DNS: ratherinstead.net  A  (no answer recorded)
DNS: morninginstead.net  A  (no answer recorded)
DNS: ratherexplain.net  A  (no answer recorded)
DNS: morningexplain.net  A  (no answer recorded)
DNS: ratherbright.net  A  (no answer recorded)
DNS: morningbright.net  A  (no answer recorded)
DNS: ratherinside.net  A  (no answer recorded)
DNS: morninginside.net  A  (no answer recorded)
DNS: strangeinstead.net  A  (no answer recorded)
DNS: historyinstead.net  A  (no answer recorded)
DNS: strangeexplain.net  A  (no answer recorded)
HTTP GET: http://twelveappear.net/index.php?email=cameliastoica@rogers.com&method=post&len  (User-Agent: empty)
HTTP GET: http://historyanother.net/index.php?email=cameliastoica@rogers.com&method=post&len  (User-Agent: empty)
HTTP GET: http://historybusiness.net/index.php?email=cameliastoica@rogers.com&method=post&len  (User-Agent: empty)
HTTP GET: http://classbusiness.net/index.php?email=cameliastoica@rogers.com&method=post&len  (User-Agent: empty)
HTTP GET: http://thinkbright.net/index.php?email=cameliastoica@rogers.com&method=post&len  (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1033 ➝ 91.195.240.101:80
Flows TCP: 192.168.1.1:1034 ➝ 66.55.83.0:80
Flows TCP: 192.168.1.1:1035 ➝ 160.153.92.162:80
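
Two things in the network section are usable as detection logic: every name the sample looks up is two dictionary words joined directly under .net, and each GET to a name that did resolve has the same shape, /index.php with an email= parameter, method=post and a len parameter, all sent with an empty User-Agent. The following is an added example, not part of the sandbox report. The two word lists are derived only from the 88 names this sandbox saw; the log line format, the timestamps, the NXDOMAIN marker and the replacement e-mail address are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Vocabulary taken from the domains listed in this report's DNS section.
# Assumption: the generator's real dictionary is larger than this subset, so a
# miss here is not evidence that a name is benign.
FIRST_WORDS = {
    "twelve", "history", "class", "think", "often", "alone", "middle", "rather",
    "morning", "strange", "amount", "weather", "thick", "present", "chief", "college",
}
SECOND_WORDS = {"appear", "another", "business", "manner", "bright", "instead", "explain", "inside"}


def split_two_words(label: str):
    """Return (first, second) if label is exactly one word from each list, else None."""
    for i in range(1, len(label)):
        head, tail = label[:i], label[i:]
        if head in FIRST_WORDS and tail in SECOND_WORDS:
            return head, tail
    return None


def is_wordlist_dga(domain: str) -> bool:
    """True for <word1><word2>.net names built from the observed vocabulary."""
    parts = domain.lower().rstrip(".").split(".")
    return len(parts) == 2 and parts[1] == "net" and split_two_words(parts[0]) is not None


def is_beacon_url(url: str) -> bool:
    """Match the GET shape seen here: /index.php?email=<addr>&method=post&len..."""
    u = urlsplit(url)
    if u.path != "/index.php":
        return False
    q = parse_qs(u.query, keep_blank_values=True)   # keep the value-less len parameter
    return "email" in q and q.get("method") == ["post"] and "len" in q


# Constructed log shapes: "<ts> DNS <qname> <qtype> <answer|NXDOMAIN>" and "<ts> HTTP GET <url>".
DNS_LINE = re.compile(r"^\S+ DNS (?P<qname>\S+) (?P<qtype>\S+) (?P<answer>\S+)$")
HTTP_LINE = re.compile(r"^\S+ HTTP GET (?P<url>\S+)$")


def triage_log(lines) -> dict:
    """Collect DGA lookups, the subset that resolved, beacon URLs and everything else."""
    out = {"dga_domains": [], "resolved": {}, "beacon_urls": [], "benign": []}
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            qname = m["qname"].lower()
            if is_wordlist_dga(qname):
                out["dga_domains"].append(qname)
                if m["answer"] != "NXDOMAIN":
                    out["resolved"][qname] = m["answer"]
            else:
                out["benign"].append(qname)
            continue
        m = HTTP_LINE.match(line)
        if m and is_beacon_url(m["url"]):
            out["beacon_urls"].append(m["url"])
    return out


# Constructed sample modelled on this report's network section: domains and IPs
# are copied from the report, the e-mail address is replaced, and the timestamps
# and NXDOMAIN marker are invented for the example.
SAMPLE_LOG = [
    "2015-11-10T19:29:01 DNS twelveappear.net A 208.100.26.234",
    "2015-11-10T19:29:01 DNS historyanother.net A 195.22.28.198",
    "2015-11-10T19:29:02 DNS oftenappear.net A NXDOMAIN",
    "2015-11-10T19:29:02 DNS collegeinside.net A NXDOMAIN",
    "2015-11-10T19:29:03 DNS www.example.com A 93.184.216.34",
    "2015-11-10T19:29:03 HTTP GET http://twelveappear.net/index.php?email=user@example.com&method=post&len",
    "2015-11-10T19:29:04 HTTP GET http://www.example.com/index.php?page=1",
]

if __name__ == "__main__":
    for key, value in triage_log(SAMPLE_LOG).items():
        print(key, value)
```

A single vocabulary hit is a weak signal; what makes this sample stand out is the volume of two-word .net lookups in a few seconds, most of them unanswered, followed by the identical beacon to each name that did resolve. The handful of resolved addresses should be confirmed before being treated as live C2, since names from a dictionary generator are routinely registered by sinkhole and parking operators as well as by the operator.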