Analysis Date: 2015-10-13 00:23:21
MD5: e1f39752177c7bec82785badafae6276
SHA1: dfe9d554c0960dc8d332b0c1369e339a74d3cc2c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text     md5: b1010aebe0f56727cb5d03d05f65fbf0  sha1: d690827b6969bef5022dbfe315fa178b81d44ca1  size: 222720
Section .data     md5: 585a2dda31f9d1dfce3c865d215bcbd0  sha1: 450830f885fdfcf72fde0b3662440d7d53b8917f  size: 20992
Section .rdata    md5: f3ab13df2e58d6a51f4bc0df70800010  sha1: 2624d392a4c06c1ac7ec37a82350978aa3b62b47  size: 37376
Section .eh_fram  md5: eacc38bd4a1594c469f57eac1dd79fc7  sha1: 4be7af2d5a5aa49085882635c2a525f79d207db8  size: 40448
Section .bss      md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .idata    md5: 7d9c2f895fc0590cbbfcc6fdb38088d7  sha1: 8007a4265807bc3ad6e4a46f057e1c5e150aaf5b  size: 6144
Section .CRT      md5: 5b8b32c18e66f844d8a37c1e338b23a5  sha1: a98ead742275de3b8507410c1980d1c8834be13b  size: 512
Section .tls      md5: bb26d9c5aefc6c61ade45477c4a18756  sha1: a12bdb7979d4d623e99c865ceac89938b586550d  size: 512
Timestamp: 2015-03-05 06:24:55
PEhash: df499a0bf72ee52fa6d040e9b6535225d26e4650
IMPhash: 89d4022ce593009dd51fb0b0f6617bbd
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.51758
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV BullGuard: Gen:Variant.Symmi.51758
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.llsn
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.51758
AV Ikarus: Trojan.Win32.Agent
AV Frisk (f-prot): no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004c988e1 )
AV BitDefender: Gen:Variant.Symmi.51758
AV Fortinet: W32/Agent.XDQ!tr
AV Symantec: Downloader.Upatre!g16
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.XDQ
AV Alwil (avast): Agent-AZPC [Trj]
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Rising: no_virus
AV Twister: no_virus
AV Avira (antivir): TR/ATRAPS.A.9098
AV Mcafee: Trojan-FGOJ!E1F39752177C

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\xbl6ynwo\eahfoufriwd
Creates File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Creates File: C:\xbl6ynwo\brl4nbg81m0jr1oqjvd2wzi.exe
Deletes File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Creates Process: C:\xbl6ynwo\brl4nbg81m0jr1oqjvd2wzi.exe

Process
↳ C:\xbl6ynwo\brl4nbg81m0jr1oqjvd2wzi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Brightness Driver Transfer Tunneling ➝ C:\xbl6ynwo\rfsfoqqlmn.exe
Creates File: C:\xbl6ynwo\rfsfoqqlmn.exe
Creates File: C:\xbl6ynwo\eahfoufriwd
Creates File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Creates File: PIPE\lsarpc
Creates File: C:\xbl6ynwo\tarz3oj
Deletes File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Creates Process: C:\xbl6ynwo\rfsfoqqlmn.exe
Creates Service: Solutions Agent Publication HomeGroup - C:\xbl6ynwo\rfsfoqqlmn.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1140

Process
↳ C:\xbl6ynwo\rfsfoqqlmn.exe

Creates File: C:\xbl6ynwo\eahfoufriwd
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Creates File: C:\xbl6ynwo\vchiqn4epyvm
Creates File: C:\xbl6ynwo\afoj9kuhdqqw.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\xbl6ynwo\tarz3oj
Deletes File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Creates Process: lxinkkgzmlqf "c:\xbl6ynwo\rfsfoqqlmn.exe"

Process
↳ C:\xbl6ynwo\rfsfoqqlmn.exe

Creates File: C:\xbl6ynwo\eahfoufriwd
Creates File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Deletes File: C:\WINDOWS\xbl6ynwo\eahfoufriwd

Process
↳ lxinkkgzmlqf "c:\xbl6ynwo\rfsfoqqlmn.exe"

Creates File: C:\xbl6ynwo\eahfoufriwd
Creates File: C:\WINDOWS\xbl6ynwo\eahfoufriwd
Deletes File: C:\WINDOWS\xbl6ynwo\eahfoufriwd

Network Details:

DNS catherineanderson.net (Type: A) ➝ 181.224.147.220
DNS charlotteanastacia.net (Type: A) ➝ 195.22.26.252
DNS charlotteanastacia.net (Type: A) ➝ 195.22.26.253
DNS charlotteanastacia.net (Type: A) ➝ 195.22.26.254
DNS charlotteanastacia.net (Type: A) ➝ 195.22.26.231
DNS charlotteanderson.net (Type: A) ➝ 46.30.212.212
DNS kimberleechamberlain.net (Type: A) ➝ 217.160.165.207
HTTP GET http://catherineanderson.net/index.php
User-Agent:
HTTP GET http://charlotteanastacia.net/index.php
User-Agent:
HTTP GET http://charlotteanderson.net/index.php
User-Agent:
HTTP GET http://kimberleechamberlain.net/index.php
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 181.224.147.220:80
Flows TCP 192.168.1.1:1032 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1033 ➝ 46.30.212.212:80
Flows TCP 192.168.1.1:1034 ➝ 217.160.165.207:80

Raw Pcap
Strings