Analysis Date: 2015-10-13 11:16:26
MD5: ffcf159e9baacf314171be55859b6049
SHA1: e23ddd2d7f730ba9c0b8612c6b4db77a4489edf5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 62b366fca67b8d9bc65ea9beee5ec627 sha1: 063ccbc02739665057aa055235f0ad830d3074ca size: 298496
Section .rdata: md5: f6299b06c2c9e989323a204b10057486 sha1: ba9aca97ae219394622c8b8195184049f0b31b8a size: 33280
Section .data: md5: e0c955f92d63ba43533eb46cb9b1e47a sha1: d5c1d5db768cabe66595bc1601e345aae07e91ca size: 100864
Timestamp: 2015-01-29 10:12:32
Packer: Microsoft Visual C++ ?.?
PEhash: 6f487877ca9e6f53a4f361373dff1bc4d805fa87
IMPhash: c41a2174479d5107e11c08dbeaa94f0a
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!FFCF159E9BAA
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Agent.Gen
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.16873
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Secure Extender Detection Remote ➝ C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\yneppjwxdzui.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\yneppjwxdzui.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\yneppjwxdzui.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\yneppjwxdzui.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\yneppjwxdzui.pa0b
Creates File: C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\aiwcwasr.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\yneppjwxdzui.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ddumpuiurhhwwx\yneppjwxdzui.exe"

Network Details:

HTTP GET: http://historyadvance.net/index.php?email=contabilitate@unifilter.ro&method=post&len
User-Agent:
HTTP GET: http://strangestranger.net/index.php?email=contabilitate@unifilter.ro&method=post&len
User-Agent:
HTTP GET: http://collegeproblem.net/index.php?email=contabilitate@unifilter.ro&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1032 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80