Analysis Date: 2015-11-03 23:25:57
MD5: edd4d8c6d97b510d1292727140491b81
SHA1: db2b682f53931c40b63371c6b6c9f578474af8bd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text     md5: db0a85d4018be273b5372b1ab2958d3b  sha1: 227032ac8f2bfbe8655f269518f9270b16f99251  size: 227328
Section .data     md5: a500009e69d7a62cf67e4f45e93105f0  sha1: 8a9a8e88a6df5c502fff6df8443b44b867cc3630  size: 20480
Section .rdata    md5: fee24d15560b76e28afa606c28310f60  sha1: dcfd1a5358279abc8051d9063b7aa451a1a71924  size: 39424
Section .eh_fram  md5: 4c65f2ea4c634f80ae9d1d8c261f0848  sha1: bfe940c8fc5124668d0df1521788d32247e1676d  size: 40448
Section .bss      md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .idata    md5: 4a349ea78520286d4679b8934fe46c5d  sha1: 98fac54998220058a7a8e2674fd21ef0978bbead  size: 7168
Section .CRT      md5: 63391dc539598dad77ee0dbc3fece4b2  sha1: eb5da8f8c2ee53d915de581d68ef4054d7134049  size: 512
Section .tls      md5: bb26d9c5aefc6c61ade45477c4a18756  sha1: a12bdb7979d4d623e99c865ceac89938b586550d  size: 512
Timestamp: 2015-03-05 06:22:41
PEhash: 73174e3f1940b60de0f352f5cbe8e278d905e8f9
IMPhash: b149552da3930135e5801d5087ee60fb
AV Dr. Web: Trojan.DownLoader17.30854
AV Authentium: W32/S-6a8c3109!Eldorado
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV Emsisoft: Gen:Variant.Symmi.51758
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Symantec: Downloader.Upatre!g16
AV Eset (nod32): Win32/Agent.XDQ
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Agent.XDQ!tr
AV Avira (antivir): TR/ATRAPS.A.10250
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV Alwil (avast): Agent-AZPC [Trj]
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Symmi.51758
AV McAfee: Trojan-FGOJ!EDD4D8C6D97B
AV Twister: no_virus
AV Grisoft (avg): Win32/Cryptor
AV BitDefender: Gen:Variant.Symmi.51758
AV Rising: no_virus
AV Ikarus: Trojan.Win32.Agent
AV Ad-Aware: Gen:Variant.Symmi.51758
AV CAT (quickheal): no_virus
AV K7: Trojan ( 004c988e1 )
AV VirusBlokAda (vba32): no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Kaspersky: Trojan.Win32.Generic
AV BullGuard: Gen:Variant.Symmi.51758
AV MalwareBytes: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ddbkedtk\focdqiy
Creates File: C:\WINDOWS\ddbkedtk\focdqiy
Creates File: C:\ddbkedtk\el4uoro1mfah3rfnudxaa.exe
Deletes File: C:\WINDOWS\ddbkedtk\focdqiy
Creates Process: C:\ddbkedtk\el4uoro1mfah3rfnudxaa.exe

Process
↳ C:\ddbkedtk\el4uoro1mfah3rfnudxaa.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Wired Application Smart Themes Locator ➝ C:\ddbkedtk\vllfhxlo6kinc.exe
Creates File: C:\ddbkedtk\focdqiy
Creates File: C:\WINDOWS\ddbkedtk\focdqiy
Creates File: C:\ddbkedtk\kgzgyybyr
Creates File: PIPE\lsarpc
Creates File: C:\ddbkedtk\vllfhxlo6kinc.exe
Deletes File: C:\WINDOWS\ddbkedtk\focdqiy
Creates Process: C:\ddbkedtk\vllfhxlo6kinc.exe
Creates Service: PnP-X Propagation Storage Protocol Transfer - C:\ddbkedtk\vllfhxlo6kinc.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1140

Process
↳ C:\ddbkedtk\vllfhxlo6kinc.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ddbkedtk\fmssxrcsvr
Creates File: C:\ddbkedtk\focdqiy
Creates File: C:\WINDOWS\ddbkedtk\focdqiy
Creates File: C:\ddbkedtk\fublpilu.exe
Creates File: C:\ddbkedtk\kgzgyybyr
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\ddbkedtk\focdqiy
Creates Process: bseirnsm8uaj "c:\ddbkedtk\vllfhxlo6kinc.exe"

Process
↳ C:\ddbkedtk\vllfhxlo6kinc.exe

Creates File: C:\ddbkedtk\focdqiy
Creates File: C:\WINDOWS\ddbkedtk\focdqiy
Deletes File: C:\WINDOWS\ddbkedtk\focdqiy

Process
↳ bseirnsm8uaj "c:\ddbkedtk\vllfhxlo6kinc.exe"

Creates File: C:\ddbkedtk\focdqiy
Creates File: C:\WINDOWS\ddbkedtk\focdqiy
Deletes File: C:\WINDOWS\ddbkedtk\focdqiy

Network Details:

DNS: bartholomewcristians.net  Type: A  ➝ 195.22.26.252
DNS: bartholomewcristians.net  Type: A  ➝ 195.22.26.253
DNS: bartholomewcristians.net  Type: A  ➝ 195.22.26.254
DNS: bartholomewcristians.net  Type: A  ➝ 195.22.26.231
HTTP GET: http://bartholomewcristians.net/index.php
User-Agent: (none sent)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.252:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   61727468 6f6c6f6d 65776372 69737469   artholomewcristi
0x00000050 (00080)   616e732e 6e65740d 0a0d0a              ans.net....
