Analysis Date: 2013-08-24 10:00:56
MD5: 4198f9f18d87ec333d7ae61f427b8584
SHA1: d66cdad1c5e79e7f0f0bb52101e9fe84b7c160e5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 b7a001af312520406836822745dfe4a8, sha1 ca80a8c57a97b75ce93d74505ba1cf8f445f5100, size 229888 bytes
Section .rdata: md5 31b8405d6347a40c2051e648e46bda35, sha1 29608e1fd57d25bf1d9e4adf3bb43cb50ec3c079, size 29184 bytes
Section .data: md5 6816b8ffcba0c7e7c53a332143379718, sha1 214abac14741a30c140dbdc6689cee2ca1bac4e4, size 9216 bytes
Timestamp (PE header): 2011-12-07 00:45:28
Packer: Microsoft Visual C++ ?.?
PEhash: 7b1dafef118c993dbd8958d45697551940a87f06
AV (avg): Agent_r.AVD

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Grouping Notification TCP/IP IPsec Initiator ➝ C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\caeqgtx.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.csile
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.exe"
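The persistence recorded above is the classic user-level pattern: an HKEY_CURRENT_USER Run value (no administrative rights needed), named to imitate a Windows component, pointing at an executable with a generated name inside a generated directory under Local Settings\Application Data, plus a second copy started with a WATCHDOGPROC argument so the pair can respawn each other. The Python below is an added triage example, not code from this sandbox report or from the sample; it scores Run values the way an analyst would when reviewing an autoruns export. The sample input is constructed (the entry from this report next to two benign entries), and the scoring weights are this example's own assumption.

```python
import re

# Constructed sample input: the Run value from this report plus two benign
# entries (OneDrive, ctfmon), so the scoring can be seen to discriminate.
SAMPLE_RUN_VALUES = {
    "Grouping Notification TCP/IP IPsec Initiator":
        r"C:\Documents and Settings\Administrator\Local Settings\Application Data\wiycsmvnfbupnjs\ocoubdnqr.exe",
    "OneDrive":
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "ctfmon.exe":
        r"C:\WINDOWS\system32\ctfmon.exe",
}

# Per-user, user-writable data directories (XP-era and Vista+ layouts).
PROFILE_DATA_DIR = re.compile(
    r"\\(Local Settings\\Application Data|Application Data|AppData\\(Local|Roaming|LocalLow))\\",
    re.IGNORECASE,
)
VOWELS = frozenset("aeiou")


def extract_image_path(command):
    """Return the executable path from a Run value's command string.

    Handles a quoted path and a trailing argument list; anything more exotic
    (rundll32 indirection and the like) is returned as the first token.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: cut at the first ".exe" boundary so spaces in the path survive.
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", command)
    return m.group(1) if m else command.split()[0]


def looks_generated(token):
    """Heuristic for machine-generated names (assumption of this example):
    an alphabetic token of 6+ characters with a low vowel ratio or a run of
    four or more consonants, e.g. 'wiycsmvnfbupnjs' or 'ocoubdnqr'."""
    token = token.lower()
    if not token.isalpha() or len(token) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in token) / len(token)
    return vowel_ratio < 0.25 or re.search(r"[^aeiou]{4,}", token) is not None


def score_run_value(name, command):
    """Score one Run value; higher means more persistence-like.
    Returns (score, reasons). Weights are this example's own choice."""
    path = extract_image_path(command)
    parts = path.split("\\")
    exe = parts[-1]
    parent = parts[-2] if len(parts) >= 2 else ""
    score, reasons = 0, []

    if PROFILE_DATA_DIR.search(path):
        score += 2
        reasons.append("image lives in a user-writable profile data directory")
        # Judge name randomness only outside system locations, so system32
        # names such as ctfmon never trip the consonant-run test.
        if looks_generated(parent):
            score += 2
            reasons.append(f"parent directory name looks generated: {parent}")
        if looks_generated(exe.rsplit(".", 1)[0]):
            score += 1
            reasons.append(f"executable name looks generated: {exe}")

    # A value name whose words have nothing in common with the binary it
    # launches (here a fake service-style description) is a common disguise.
    name_tokens = {t for t in re.findall(r"[a-z0-9]+", name.lower()) if len(t) > 2}
    if name_tokens and not any(t in path.lower() for t in name_tokens):
        score += 1
        reasons.append("value name shares no token with the image path")
    return score, reasons


def triage(run_values):
    """Return {value_name: (score, reasons)} for every Run entry."""
    return {name: score_run_value(name, cmd) for name, cmd in run_values.items()}


if __name__ == "__main__":
    for name, (score, reasons) in triage(SAMPLE_RUN_VALUES).items():
        print(f"[{score}] {name}")
        for reason in reasons:
            print("      -", reason)
```

With these weights the report's entry scores 6, OneDrive 2 (it does live under AppData\Local, but its names are words and match the value name) and ctfmon 0; a threshold of 4 separates them here, but the threshold, like the weights, should be tuned against a baseline of known-good hosts before use.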

Network Details:

DNS: oppored.com (A) ➝ 69.43.161.169
DNS: buritosasrl.com (A) ➝ 69.43.161.170
DNS: rebalt.com (A) ➝ 184.168.221.2
DNS: papadov.com (A) ➝ 208.73.210.202
DNS: badero.com (A) ➝ 50.63.202.67
DNS: iberan.com (A) ➝ 208.73.210.203
DNS: buritoriso.com (A) ➝ 208.73.210.204
DNS: bilode.com (A) ➝ 209.99.40.226
DNS: mogohet.com (A) ➝ 208.73.210.202
DNS: macandpa.com (A) ➝ 208.73.210.203
DNS: nerlestitops.com (A) ➝ 208.73.210.202
DNS: jondiret.com (A) ➝ 208.73.210.203
DNS: binerat.com (A) ➝ 208.73.210.155
DNS: fontored.com (A) ➝ 64.15.71.22
DNS: aderino.com (A) ➝ 209.99.40.223
DNS: klestar.com (A) ➝ 72.10.147.5
DNS: klestar.com (A) ➝ 72.10.147.6
DNS: bezedete.com (A) ➝ 209.99.40.227
DNS: haselopricezat.com (A) ➝ (no answer recorded)
DNS: pulaminacee.com (A) ➝ (no answer recorded)
DNS: gonotar.com (A) ➝ (no answer recorded)
DNS: elverot.com (A) ➝ (no answer recorded)
DNS: falaterest.com (A) ➝ (no answer recorded)
DNS: jimberolipop.com (A) ➝ (no answer recorded)
DNS: glostmec.com (A) ➝ (no answer recorded)
DNS: poleric.com (A) ➝ (no answer recorded)
DNS: vadelt.com (A) ➝ (no answer recorded)
DNS: gehereiroplop.com (A) ➝ (no answer recorded)
DNS: electow.com (A) ➝ (no answer recorded)
DNS: ekendar.com (A) ➝ (no answer recorded)
DNS: swcopilserits.com (A) ➝ (no answer recorded)
DNS: melixe.com (A) ➝ (no answer recorded)
DNS: marjepolirst.com (A) ➝ (no answer recorded)
DNS: hartend.com (A) ➝ (no answer recorded)
DNS: feretolopazerns.com (A) ➝ (no answer recorded)
DNS: locoand.com (A) ➝ (no answer recorded)
DNS: herolopcazers.com (A) ➝ (no answer recorded)
DNS: vadaxer.com (A) ➝ (no answer recorded)
DNS: gesqwaserops.com (A) ➝ (no answer recorded)
DNS: fiatelox.com (A) ➝ (no answer recorded)
DNS: dafatan.com (A) ➝ (no answer recorded)
DNS: mianaf.com (A) ➝ (no answer recorded)
DNS: naimied.com (A) ➝ (no answer recorded)
DNS: dengodar.com (A) ➝ (no answer recorded)
HTTP GET: http://oppored.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://buritosasrl.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://rebalt.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://papadov.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://badero.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://iberan.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://buritoriso.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://bilode.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://mogohet.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://macandpa.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://nerlestitops.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://jondiret.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://binerat.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://fontored.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://aderino.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://klestar.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
HTTP GET: http://bezedete.com/forum/search.php?email=vgarnto@hotmail.com (no User-Agent header)
Flows TCP: 192.168.1.1:1031 ➝ 69.43.161.169:80
Flows TCP: 192.168.1.1:1032 ➝ 69.43.161.170:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.2:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.210.202:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.67:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.210.203:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.210.204:80
Flows TCP: 192.168.1.1:1038 ➝ 209.99.40.226:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.210.202:80
Flows TCP: 192.168.1.1:1040 ➝ 208.73.210.203:80
Flows TCP: 192.168.1.1:1041 ➝ 208.73.210.202:80
Flows TCP: 192.168.1.1:1042 ➝ 208.73.210.203:80
Flows TCP: 192.168.1.1:1043 ➝ 208.73.210.155:80
Flows TCP: 192.168.1.1:1044 ➝ 64.15.71.22:80
Flows TCP: 192.168.1.1:1045 ➝ 209.99.40.223:80
Flows TCP: 192.168.1.1:1046 ➝ 72.10.147.5:80
Flows TCP: 192.168.1.1:1047 ➝ 209.99.40.227:80

Raw Pcap
0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   6f70706f 7265642e 636f6d0d 0a0d0a     oppored.com....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   62757269 746f7361 73726c2e 636f6d0d   buritosasrl.com.
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   72656261 6c742e63 6f6d0d0a 0d0a6d0d   rebalt.com....m.
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   70617061 646f762e 636f6d0d 0a0d0a0d   papadov.com.....
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   62616465 726f2e63 6f6d0d0a 0d0a0a0d   badero.com......
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   69626572 616e2e63 6f6d0d0a 0d0a0a0d   iberan.com......
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   62757269 746f7269 736f2e63 6f6d0d0a   buritoriso.com..
0x00000070 (00112)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   62696c6f 64652e63 6f6d0d0a 0d0a0d0a   bilode.com......
0x00000070 (00112)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   6d6f676f 6865742e 636f6d0d 0a0d0a0a   mogohet.com.....
0x00000070 (00112)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   6d616361 6e647061 2e636f6d 0d0a0d0a   macandpa.com....
0x00000070 (00112)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   6e65726c 65737469 746f7073 2e636f6d   nerlestitops.com
0x00000070 (00112)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   6a6f6e64 69726574 2e636f6d 0d0a0d0a   jondiret.com....
0x00000070 (00112)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   62696e65 7261742e 636f6d0d 0a0d0a0a   binerat.com.....
0x00000070 (00112)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   666f6e74 6f726564 2e636f6d 0d0a0d0a   fontored.com....
0x00000070 (00112)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   61646572 696e6f2e 636f6d0d 0a0d0a     aderino.com....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   6b6c6573 7461722e 636f6d0d 0a0d0a     klestar.com....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   62657a65 64657465 2e636f6d 0d0a0d0a   bezedete.com....
0x00000070 (00112)   0d0a0d0a                              ....
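The dumps above show that every beacon is byte-identical apart from the Host header: an HTTP/1.0 request line, a fixed /forum/search.php?email= target, only Accept, Connection and Host headers, no User-Agent, and in some captures a few stray bytes after the blank line that ends the request. That combination is trivial to pick out of proxy logs or a pcap. The Python below is an added example, not code from the sandbox or the sample; it decodes the sandbox's hex-dump format back into bytes (the two dumps embedded are copied from this report), parses the request head and lists those traits per request. The indicator list is this example's own reading of the captures, not a signature published with the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: two "Raw Pcap" dumps from this report, pasted as the
# sandbox printed them (offset, hex words, ASCII column). The second dump
# carries five stray bytes after the CRLFCRLF that ends the request.
RAW_DUMPS = """\
0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host:
0x00000060 (00096)   6f70706f 7265642e 636f6d0d 0a0d0a     oppored.com....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f656d 61696c3d 76676172   h.php?email=vgar
0x00000020 (00032)   6e746f40 686f746d 61696c2e 636f6d20   nto@hotmail.com
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host:
0x00000060 (00096)   72656261 6c742e63 6f6d0d0a 0d0a6d0d   rebalt.com....m.
0x00000070 (00112)   0a0d0a                                ...
"""

# Offset, decimal offset in parentheses, then hex words separated by single
# spaces; the ASCII column begins after two or more spaces and is ignored,
# because it replaces non-printable bytes with dots.
DUMP_LINE = re.compile(
    r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8} )*[0-9a-fA-F]{2,8})(?:\s{2,}|$)"
)


def decode_dumps(text):
    """Return one bytes object per blank-line-separated dump block."""
    blocks, current = [], []
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            current.append(bytes.fromhex(m.group(1).replace(" ", "")))
        elif not line.strip() and current:
            blocks.append(b"".join(current))
            current = []
    if current:
        blocks.append(b"".join(current))
    return blocks


def parse_request(raw):
    """Parse an HTTP/1.x request head: request line, lower-cased header map,
    and whatever bytes trail the terminating CRLFCRLF."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "trailing": rest if sep else b""}


def beacon_indicators(req):
    """List the traits, taken from this report's captures, that set the
    request apart from browser traffic."""
    url = urlsplit(req["target"])
    hits = []
    if req["version"] == "HTTP/1.0":
        hits.append("HTTP/1.0 request line")
    if "user-agent" not in req["headers"]:
        hits.append("no User-Agent header")
    if (set(req["headers"]) == {"accept", "connection", "host"}
            and req["headers"]["accept"] == "*/*"
            and req["headers"]["connection"].lower() == "close"):
        hits.append("only Accept: */*, Connection: close and Host headers")
    if url.path == "/forum/search.php" and "email" in parse_qs(url.query):
        hits.append("GET /forum/search.php?email=<address>")
    if req["trailing"]:
        hits.append(f"{len(req['trailing'])} stray byte(s) after the request head")
    return hits


def summarize(text):
    """Decode every dump in `text`; return (host, email parameter, indicators)
    per request, which is the shape an IOC export or a log search needs."""
    out = []
    for raw in decode_dumps(text):
        req = parse_request(raw)
        email = parse_qs(urlsplit(req["target"]).query).get("email", [""])[0]
        out.append((req["headers"].get("host", ""), email, beacon_indicators(req)))
    return out


if __name__ == "__main__":
    for host, email, hits in summarize(RAW_DUMPS):
        print(f"{host}\temail={email}")
        for hit in hits:
            print("   -", hit)
```

The same email address is sent to every host, so in a real incident it is the value to pivot on: it identifies the infected account rather than the host, and it will recur across whichever of the domains above happen to resolve on a given day.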


Strings