| Analysis Date | 2015-10-13 00:23:21 |
|---|---|
| MD5 | e1f39752177c7bec82785badafae6276 |
| SHA1 | dfe9d554c0960dc8d332b0c1369e339a74d3cc2c |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
|---|---|

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | b1010aebe0f56727cb5d03d05f65fbf0 | d690827b6969bef5022dbfe315fa178b81d44ca1 | 222720 |
| .data | 585a2dda31f9d1dfce3c865d215bcbd0 | 450830f885fdfcf72fde0b3662440d7d53b8917f | 20992 |
| .rdata | f3ab13df2e58d6a51f4bc0df70800010 | 2624d392a4c06c1ac7ec37a82350978aa3b62b47 | 37376 |
| .eh_fram | eacc38bd4a1594c469f57eac1dd79fc7 | 4be7af2d5a5aa49085882635c2a525f79d207db8 | 40448 |
| .bss | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | 0 |
| .idata | 7d9c2f895fc0590cbbfcc6fdb38088d7 | 8007a4265807bc3ad6e4a46f057e1c5e150aaf5b | 6144 |
| .CRT | 5b8b32c18e66f844d8a37c1e338b23a5 | a98ead742275de3b8507410c1980d1c8834be13b | 512 |
| .tls | bb26d9c5aefc6c61ade45477c4a18756 | a12bdb7979d4d623e99c865ceac89938b586550d | 512 |

| Timestamp | 2015-03-05 06:24:55 |
|---|---|
| PEhash | df499a0bf72ee52fa6d040e9b6535225d26e4650 |
| IMPhash | 89d4022ce593009dd51fb0b0f6617bbd |

| AV | Vendor | Result |
|---|---|---|
| AV | CA (E-Trust Ino) | no_virus |
| AV | F-Secure | Gen:Variant.Symmi.51758 |
| AV | Dr. Web | no_virus |
| AV | ClamAV | no_virus |
| AV | Arcabit (arcavir) | Gen:Variant.Symmi.51758 |
| AV | BullGuard | Gen:Variant.Symmi.51758 |
| AV | Padvish | no_virus |
| AV | VirusBlokAda (vba32) | no_virus |
| AV | CAT (quickheal) | no_virus |
| AV | Trend Micro | no_virus |
| AV | Kaspersky | Trojan.Win32.Scar.llsn |
| AV | Zillya! | no_virus |
| AV | Emsisoft | Gen:Variant.Symmi.51758 |
| AV | Ikarus | Trojan.Win32.Agent |
| AV | Frisk (f-prot) | no_virus |
| AV | Authentium | W32/S-6a8c3109!Eldorado |
| AV | MalwareBytes | no_virus |
| AV | MicroWorld (escan) | Gen:Variant.Symmi.51758 |
| AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!rfn |
| AV | K7 | Trojan ( 004c988e1 ) |
| AV | BitDefender | Gen:Variant.Symmi.51758 |
| AV | Fortinet | W32/Agent.XDQ!tr |
| AV | Symantec | Downloader.Upatre!g16 |
| AV | Grisoft (avg) | Win32/Cryptor |
| AV | Eset (nod32) | Win32/Agent.XDQ |
| AV | Alwil (avast) | Agent-AZPC [Trj] |
| AV | Ad-Aware | Gen:Variant.Symmi.51758 |
| AV | Rising | no_virus |
| AV | Twister | no_virus |
| AV | Avira (antivir) | TR/ATRAPS.A.9098 |
| AV | Mcafee | Trojan-FGOJ!E1F39752177C |
Runtime Details:
Process
↳ C:\malware.exe

| Action | Target |
|---|---|
| Creates File | C:\xbl6ynwo\eahfoufriwd |
| Creates File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Creates File | C:\xbl6ynwo\brl4nbg81m0jr1oqjvd2wzi.exe |
| Deletes File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Creates Process | C:\xbl6ynwo\brl4nbg81m0jr1oqjvd2wzi.exe |

Process
↳ C:\xbl6ynwo\brl4nbg81m0jr1oqjvd2wzi.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Brightness Driver Transfer Tunneling ➝ C:\xbl6ynwo\rfsfoqqlmn.exe |
| Creates File | C:\xbl6ynwo\rfsfoqqlmn.exe |
| Creates File | C:\xbl6ynwo\eahfoufriwd |
| Creates File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Creates File | PIPE\lsarpc |
| Creates File | C:\xbl6ynwo\tarz3oj |
| Deletes File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Creates Process | C:\xbl6ynwo\rfsfoqqlmn.exe |
| Creates Service | Solutions Agent Publication HomeGroup - C:\xbl6ynwo\rfsfoqqlmn.exe |

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |

Process
↳ Pid 1868

Process
↳ Pid 1140

Process
↳ C:\xbl6ynwo\rfsfoqqlmn.exe

| Action | Target |
|---|---|
| Creates File | C:\xbl6ynwo\eahfoufriwd |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Creates File | C:\xbl6ynwo\vchiqn4epyvm |
| Creates File | C:\xbl6ynwo\afoj9kuhdqqw.exe |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\xbl6ynwo\tarz3oj |
| Deletes File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Creates Process | lxinkkgzmlqf "c:\xbl6ynwo\rfsfoqqlmn.exe" |

Process
↳ C:\xbl6ynwo\rfsfoqqlmn.exe

| Action | Target |
|---|---|
| Creates File | C:\xbl6ynwo\eahfoufriwd |
| Creates File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Deletes File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |

Process
↳ lxinkkgzmlqf "c:\xbl6ynwo\rfsfoqqlmn.exe"

| Action | Target |
|---|---|
| Creates File | C:\xbl6ynwo\eahfoufriwd |
| Creates File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
| Deletes File | C:\WINDOWS\xbl6ynwo\eahfoufriwd |
Network Details:
Raw Pcap
Four HTTP/1.0 requests were captured, each `GET /index.php` with `Accept: */*` and `Connection: close`; decoded from the hex dump below, the Host headers are catherineanderson.net, charlotteanastacia.net, charlotteanderson.net and kimberleechamberlain.net.

```
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063  : close..Host: c
0x00000040 (00064) 61746865 72696e65 616e6465 72736f6e  atherineanderson
0x00000050 (00080) 2e6e6574 0d0a0d0a                    .net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063  : close..Host: c
0x00000040 (00064) 6861726c 6f747465 616e6173 74616369  harlotteanastaci
0x00000050 (00080) 612e6e65 740d0a0d 0a                 a.net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063  : close..Host: c
0x00000040 (00064) 6861726c 6f747465 616e6465 72736f6e  harlotteanderson
0x00000050 (00080) 2e6e6574 0d0a0d0a 0a                 .net.....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206b  : close..Host: k
0x00000040 (00064) 696d6265 726c6565 6368616d 6265726c  imberleechamberl
0x00000050 (00080) 61696e2e 6e65740d 0a0d0a             ain.net....
```
Strings