Analysis | #totalhash

Analysis Date	2015-09-16 02:15:32
MD5	b10d29d48f3a241ca6ad4d7debecbfc7
SHA1	da0684e051713dac993fa906bb6558465f865c09

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: e046fe5d1b7e61a2d6752194523f132c sha1: c46bfff70559d086f07505599506a51009738037 size: 835072
Section	.rdata md5: c4305036007ffc4fcd412e4a123a1642 sha1: 2523211db1075a23fcd5e8f13f8b0d98d9ed55c2 size: 315392
Section	.data md5: 34f66e01ab067c82f469711484aa2b5d sha1: 7bda02679dabe558fe7501b673d6c4b4f2c8570e size: 7680
Timestamp	2015-04-12 19:54:23
Packer	Microsoft Visual C++ ?.?
PEhash	a55f8860c3c6e1d7dadfa4aa15fd336be1ad142d
IMPhash	6903b7878273ddf02664c2ed611caf2f
AV	CA (E-Trust Ino)	no_virus
AV	Rising	0x590623c9
AV	Mcafee	no_virus
AV	Avira (antivir)	TR/Crypt.Xpack.251612
AV	Twister	no_virus
AV	Ad-Aware	Gen:Variant.Zusy.133308
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Eset (nod32)	Win32/Kryptik.DDQD
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Kryptik.DDQD!tr
AV	BitDefender	Gen:Variant.Zusy.133308
AV	K7	Trojan ( 004bb8ba1 )
AV	Microsoft Security Essentials	Trojan:Win32/Dynamer!ac
AV	MicroWorld (escan)	Gen:Variant.Zusy.133308
AV	MalwareBytes	no_virus
AV	Authentium	W32/Zusy.X.gen!Eldorado
AV	Frisk (f-prot)	no_virus
AV	Ikarus	Trojan.Win32.Crypt
AV	Emsisoft	Gen:Variant.Zusy.133308
AV	Zillya!	no_virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	no_virus
AV	CAT (quickheal)	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	Padvish	no_virus
AV	BullGuard	Gen:Variant.Zusy.133308
AV	Arcabit (arcavir)	Gen:Variant.Zusy.133308
AV	ClamAV	no_virus
AV	Dr. Web	Trojan.DownLoader16.22421
AV	F-Secure	Gen:Variant.Zusy.133308

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\dfzzhsbv1kiqwrq5tnvjvhjub.exe
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\dfzzhsbv1kiqwrq5tnvjvhjub.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dfzzhsbv1kiqwrq5tnvjvhjub.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Presentation Resource IPsec Plug Collector ➝ C:\WINDOWS\system32\aquzbmn.exe
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\etc
Creates File	C:\WINDOWS\system32\aquzbmn.exe
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\lck
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\tst
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\aquzbmn.exe
Creates Service	Provider Acquisition Bluetooth - C:\WINDOWS\system32\aquzbmn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\aquzbmn.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\cfg
Creates File	C:\WINDOWS\system32\fgfpilmqrkc.exe
Creates File	C:\WINDOWS\TEMP\dfzzhsbv1rpuwrq5t.exe
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\rng
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\tst
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\lck
Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\run
Creates Process	WATCHDOGPROC "c:\windows\system32\aquzbmn.exe"
Creates Process	C:\WINDOWS\TEMP\dfzzhsbv1rpuwrq5t.exe -r 48316 tcp

Process
↳ C:\WINDOWS\system32\aquzbmn.exe

Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\aquzbmn.exe"

Creates File	C:\WINDOWS\system32\vzzhzppuhrigk\tst

Process
↳ C:\WINDOWS\TEMP\dfzzhsbv1rpuwrq5t.exe -r 48316 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	nailthere.net Type: A 98.139.135.129
DNS	groupgrain.net Type: A 208.91.197.241
DNS	threeonly.net Type: A 208.91.197.241
DNS	naildeep.com Type: A 74.220.215.218
DNS	lifeclock.net Type: A 198.46.51.193
DNS	lifeclock.net Type: A 162.212.2.137
DNS	lifemake.net Type: A 192.64.119.44
DNS	enemyrush.net Type: A 95.211.230.75
DNS	deeprush.net Type: A 184.168.221.26
DNS	pushhard.net Type: A 66.96.147.159
DNS	pushclock.net Type: A 217.70.184.38
DNS	pushmake.net Type: A 37.59.4.217
DNS	longshine.net Type: A 218.107.207.37
DNS	ableread.net Type: A
DNS	fearstate.net Type: A
DNS	longcold.net Type: A
DNS	fridayloss.net Type: A
DNS	wrongbelow.net Type: A
DNS	hilldance.net Type: A
DNS	eggbraker.com Type: A
DNS	ithouneed.com Type: A
DNS	longrush.net Type: A
DNS	soilrush.net Type: A
DNS	wheelhard.net Type: A
DNS	saidhard.net Type: A
DNS	wheelclock.net Type: A
DNS	saidclock.net Type: A
DNS	wheelmake.net Type: A
DNS	saidmake.net Type: A
DNS	wheelrush.net Type: A
DNS	saidrush.net Type: A
DNS	stickhard.net Type: A
DNS	ballhard.net Type: A
DNS	stickclock.net Type: A
DNS	ballclock.net Type: A
DNS	stickmake.net Type: A
DNS	ballmake.net Type: A
DNS	stickrush.net Type: A
DNS	ballrush.net Type: A
DNS	enemyhard.net Type: A
DNS	lifehard.net Type: A
DNS	enemyclock.net Type: A
DNS	enemymake.net Type: A
DNS	liferush.net Type: A
DNS	mouthhard.net Type: A
DNS	tillhard.net Type: A
DNS	mouthclock.net Type: A
DNS	tillclock.net Type: A
DNS	mouthmake.net Type: A
DNS	tillmake.net Type: A
DNS	mouthrush.net Type: A
DNS	tillrush.net Type: A
DNS	shallhard.net Type: A
DNS	deephard.net Type: A
DNS	shallclock.net Type: A
DNS	deepclock.net Type: A
DNS	shallmake.net Type: A
DNS	deepmake.net Type: A
DNS	shallrush.net Type: A
DNS	fridayhard.net Type: A
DNS	fridayclock.net Type: A
DNS	fridaymake.net Type: A
DNS	pushrush.net Type: A
DNS	fridayrush.net Type: A
DNS	alonghard.net Type: A
DNS	decemberhard.net Type: A
DNS	alongclock.net Type: A
DNS	decemberclock.net Type: A
DNS	alongmake.net Type: A
DNS	decembermake.net Type: A
DNS	alongrush.net Type: A
DNS	decemberrush.net Type: A
DNS	longfifth.net Type: A
DNS	soilfifth.net Type: A
DNS	soilshine.net Type: A
DNS	longdone.net Type: A
DNS	soildone.net Type: A
DNS	longknew.net Type: A
DNS	soilknew.net Type: A
DNS	wheelfifth.net Type: A
DNS	saidfifth.net Type: A
DNS	wheelshine.net Type: A
DNS	saidshine.net Type: A
DNS	wheeldone.net Type: A
DNS	saiddone.net Type: A
DNS	wheelknew.net Type: A
DNS	saidknew.net Type: A
DNS	stickfifth.net Type: A
DNS	ballfifth.net Type: A
DNS	stickshine.net Type: A
DNS	ballshine.net Type: A
DNS	stickdone.net Type: A
DNS	balldone.net Type: A
DNS	stickknew.net Type: A
DNS	ballknew.net Type: A
DNS	enemyfifth.net Type: A
DNS	lifefifth.net Type: A
DNS	enemyshine.net Type: A
HTTP GET	http://nailthere.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://groupgrain.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://threeonly.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://lifeclock.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://lifemake.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://enemyrush.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://deeprush.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://pushhard.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://pushclock.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://pushmake.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
HTTP GET	http://longshine.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent:
Flows TCP	192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1040 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1041 ➝ 198.46.51.193:80
Flows TCP	192.168.1.1:1042 ➝ 192.64.119.44:80
Flows TCP	192.168.1.1:1043 ➝ 95.211.230.75:80
Flows TCP	192.168.1.1:1044 ➝ 184.168.221.26:80
Flows TCP	192.168.1.1:1045 ➝ 66.96.147.159:80
Flows TCP	192.168.1.1:1046 ➝ 217.70.184.38:80
Flows TCP	192.168.1.1:1047 ➝ 37.59.4.217:80
Flows TCP	192.168.1.1:1048 ➝ 218.107.207.37:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206e61 696c7468 6572652e 6e65740d   : nailthere.net.
0x00000080 (00128)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206772 6f757067 7261696e 2e6e6574   : groupgrain.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 7265656f 6e6c792e 6e65740d   : threeonly.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206e61 696c6465 65702e63 6f6d0d0a   : naildeep.com..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 6665636c 6f636b2e 6e65740d   : lifeclock.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 66656d61 6b652e6e 65740d0a   : lifemake.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20656e 656d7972 7573682e 6e65740d   : enemyrush.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206465 65707275 73682e6e 65740d0a   : deeprush.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207075 73686861 72642e6e 65740d0a   : pushhard.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207075 7368636c 6f636b2e 6e65740d   : pushclock.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207075 73686d61 6b652e6e 65740d0a   : pushmake.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3726736f   ode=sox&v=047&so
0x00000030 (00048)   783d3462 34653638 3030266c 656e6864   x=4b4e6800&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c6f 6e677368 696e652e 6e65740d   : longshine.net.
0x00000080 (00128)   0a0d0a0a                              ....

Strings