Analysis Date: 2015-11-27 03:49:58
MD5: 54ecc0b83e79a7214fb1db32d06425d7
SHA1: e32c94b7c64cb48206f7d0f0b05e11e8956bbc67

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: b68fa3176a01d991906b8abe9a914de0 sha1: e11e349f7bb38cbf46ed5217d23332ed85bb42f4 size: 283136
Section UPX2: md5: 19e4a615bdc98fa2aff6eecdc1eafc6f sha1: 4a6e8d55956c7e93a7bd61981ef4f97e194022e3 size: 512
Timestamp: 2015-04-16 11:47:36
Packer: UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]
PEhash: e9aa926021ca5c9ac19e56e6204b966f0d71384e
IMPhash: bed3c7d181d7392e49af1596ad4bcb6e
AV Avira (antivir): TR/Proxy.Gen
AV Authentium: W32/Heuristic-317!Eldorado
AV Padvish: no_virus
AV Mcafee: no_virus
AV Grisoft (avg): Win32/DH{Ow?}
AV MalwareBytes: no_virus
AV Kaspersky: Trojan.Win32.Invader
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: BackDoor.Bulknet.739:Trojan.DownLoad.64914
AV Rising: no_virus
AV Twister: no_virus
AV Eset (nod32): Win32/Wigon.PH
AV BitDefender: Gen:Trojan.Heur.RP.rmGfaiMMxw
AV MicroWorld (escan): Gen:Trojan.Heur.RP.rmGfaiMMxw
AV Frisk (f-prot): W32/SecRisk-ProcessPatcher-base
AV Zillya!: no_virus
AV Sophos: Mal/Behav-010:Mal/Emogen-Y
AV CAT (quickheal): no_virus
AV BullGuard: Gen:Trojan.Heur.RP.rmGfaiMMxw
AV ClamAV: no_virus
AV F-Secure: Gen:Trojan.Heur.RP.rmGfaiMMxw
AV CA (E-Trust Ino): no_virus
AV Microsoft Security Essentials: TrojanDropper:Win32/Cutwail.gen!K
AV Ad-Aware: Gen:Trojan.Heur.RP.rmGfaiMMxw
AV Alwil (avast): Cutwail-CW [Trj]
AV Symantec: Trojan.Pandex!gm
AV Fortinet: W32/Wigon.PH!tr
AV K7: Trojan ( 0040c0821 )
AV Ikarus: Gen.Trojan
AV Emsisoft: Gen:Trojan.Heur.RP.rmGfaiMMxw
AV Trend Micro: Mal_Xed-24
AV Arcabit (arcavir): Gen:Trojan.Heur.RP.rmGfaiMMxw

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process: C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OSVersion ➝ 79625
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Regedit32 ➝ C:\WINDOWS\system32\regedit.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort ➝ 65534
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\btsi.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\rkengg[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\captlfix[1].htm
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cpwpb[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\xult[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\wolffkran[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\ifesnet[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: paovaq92324
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: n23china.com
Winsock DNS: rkengg.com
Winsock DNS: xult.org
Winsock DNS: btsi.com.ph
Winsock DNS: webavant.com
Winsock DNS: skgm.ru
Winsock DNS: araax.com
Winsock DNS: plaske.ua
Winsock DNS: cpwpb.com
Winsock DNS: cqdgroup.com
Winsock DNS: ifesnet.com
Winsock DNS: captlfix.com
Winsock DNS: stopllc.com
Winsock DNS: atis-sk.ca
Winsock DNS: slower.it
Winsock DNS: skypearl.com
Winsock DNS: wolffkran.de

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OSVersion ➝ 79625
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Regedit32 ➝ C:\WINDOWS\system32\regedit.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort ➝ 65534
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\hbfuels[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: gaebc26461
Winsock DNS: deckoviny.cz
Winsock DNS: snf.it
Winsock DNS: nels.co.uk
Winsock DNS: 603888.com
Winsock DNS: mondopp.net
Winsock DNS: hbfuels.com
Winsock DNS: from30ty.com

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OSVersion ➝ 79625
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Regedit32 ➝ C:\WINDOWS\system32\regedit.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort ➝ 65534
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: rpqvhk24368
Winsock DNS: midap.com
Winsock DNS: kustnara.com
Winsock DNS: ifesnet.com
Winsock DNS: alexpope.biz
Winsock DNS: e-kami.net
Winsock DNS: willsub.com
Winsock DNS: revoldia.net
Winsock DNS: leapc.com

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OSVersion ➝ 79625
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Regedit32 ➝ C:\WINDOWS\system32\regedit.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort ➝ 65534
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: ujzzqh2279
Winsock DNS: vfcindia.com
Winsock DNS: alexpope.biz
Winsock DNS: avse.hu
Winsock DNS: oh28ya.com
Winsock DNS: mondopp.net
Winsock DNS: a-domani.com
Winsock DNS: slower.it
Winsock DNS: atbauk.org
Winsock DNS: okashimo.com
Winsock DNS: oaith.ca

Network Details:

DNS: redgiga.com (Type: A) ➝ 104.31.89.129
DNS: redgiga.com (Type: A) ➝ 104.31.88.129
DNS: esmoke.net (Type: A) ➝ 204.15.134.44
DNS: floopis.com (Type: A) ➝ 99.192.128.29
DNS: pertex.com (Type: A) ➝ 46.227.200.51
DNS: pertex.com (Type: A) ➝ 46.227.200.50
DNS: thiessen.net (Type: A) ➝ 62.75.161.184
DNS: infotech.pl (Type: A) ➝ 62.129.220.170
DNS: pccj.net (Type: A) ➝ 219.94.162.11
DNS: kewlmail.com (Type: A) ➝ 69.163.201.178
DNS: notis.ru (Type: A) ➝ 91.109.201.127
DNS: mxs.mail.ru (Type: A) ➝ 94.100.180.150
DNS: mxs.mail.ru (Type: A) ➝ 217.69.139.150
DNS: alt4.gmail-smtp-in.l.google.com (Type: A) ➝ 64.233.166.26
DNS: gmail-smtp-in.l.google.com (Type: A) ➝ 64.233.177.26
DNS: in1.smtp.messagingengine.com (Type: A) ➝ 66.111.4.74
DNS: in1.smtp.messagingengine.com (Type: A) ➝ 66.111.4.75
DNS: in1.smtp.messagingengine.com (Type: A) ➝ 66.111.4.70
DNS: in1.smtp.messagingengine.com (Type: A) ➝ 66.111.4.71
DNS: in1.smtp.messagingengine.com (Type: A) ➝ 66.111.4.72
DNS: in1.smtp.messagingengine.com (Type: A) ➝ 66.111.4.73
DNS: xult.org (Type: A) ➝ 65.52.128.33
DNS: captlfix.com (Type: A) ➝ 192.230.74.38
DNS: captlfix.com (Type: A) ➝ 199.83.135.38
DNS: cpwpb.com (Type: A) ➝ 69.20.11.153
DNS: slower.it (Type: A) ➝ 127.0.0.11
DNS: ifesnet.com (Type: A) ➝ 78.35.0.251
DNS: wolffkran.de (Type: A) ➝ 148.251.127.29
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com (Type: A) ➝ 54.208.74.215
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com (Type: A) ➝ 54.174.31.254
DNS: btsi.com.ph (Type: A) ➝ 107.190.141.194
DNS: ccrsi.org (Type: A) ➝ 104.237.98.62
DNS: xinhui.net (Type: A) ➝ 103.15.192.173
DNS: popbook.com (Type: A) ➝ 120.24.238.21
DNS: jsaps.com (Type: A) ➝ 49.212.235.59
DNS: nme.co.jp (Type: A) ➝ 203.0.113.0
DNS: skypearl.com (Type: A) ➝ 114.179.231.55
DNS: hbfuels.com (Type: A) ➝ 104.28.29.57
DNS: hbfuels.com (Type: A) ➝ 104.28.28.57
DNS: mondopp.net (Type: A) ➝ 72.52.4.91
DNS: deckoviny.cz (Type: A) ➝ 88.86.118.82
DNS: nels.co.uk (Type: A) ➝ 193.34.148.209
DNS: from30ty.com (Type: A) ➝ 210.172.144.247
DNS: 603888.com (Type: A) ➝ 122.152.128.138
DNS: ftchat.com (Type: A) ➝ 104.28.0.44
DNS: ftchat.com (Type: A) ➝ 104.28.1.44
DNS: gujarat.com (Type: A) ➝ 104.28.20.183
DNS: gujarat.com (Type: A) ➝ 104.28.21.183
DNS: bible.org (Type: A) ➝ 67.210.231.230
DNS: haigh-me.com (Type: A) ➝ 79.170.44.118
DNS: avse.hu (Type: A) ➝ 87.229.26.84
DNS: usadig.com (Type: A) ➝ 24.223.107.10
DNS: mxs.mail.ru (Type: A) ➝ 217.69.139.150
DNS: mxs.mail.ru (Type: A) ➝ 94.100.180.150
DNS: e-kami.net (Type: A) ➝ 157.7.184.16
DNS: leapc.com (Type: A) ➝ 76.12.115.26
DNS: kustnara.com (Type: A) ➝ 46.30.212.197
DNS: midap.com (Type: A) ➝ 104.28.7.114
DNS: midap.com (Type: A) ➝ 104.28.6.114
DNS: willsub.com (Type: A) ➝ 69.89.107.122
DNS: alexpope.biz (Type: A) ➝ 76.74.184.61
DNS: revoldia.net (Type: A) ➝ 182.48.9.239
DNS: bggs.com (Type: A) ➝ 127.0.0.1
DNS: cjborden.com (Type: A) ➝ 50.63.202.16
DNS: shteeble.com (Type: A) ➝ 91.202.171.113
DNS: portoccd.org (Type: A) ➝ 217.118.19.169
DNS: mcseurope.nl (Type: A) ➝ 93.186.182.76
DNS: fifa-ews.com (Type: A) ➝ 94.126.17.113
DNS: johnlyon.org (Type: A) ➝ 66.29.210.245
DNS: websy.com (Type: A) ➝ 94.23.37.199
DNS: oh28ya.com (Type: A) ➝ 54.178.140.67
DNS: atbauk.org (Type: A) ➝ 104.27.181.120
DNS: atbauk.org (Type: A) ➝ 104.27.180.120
DNS: slower.it (Type: A) ➝ 127.0.0.11
DNS: oaith.ca (Type: A) ➝ 192.124.249.12
DNS: vfcindia.com (Type: A) ➝ 64.27.53.122
DNS: a-domani.com (Type: A) ➝ 183.90.232.24
DNS: okashimo.com (Type: A) ➝ 210.170.99.92
DNS: doggybag.org (Type: A) ➝ 213.186.33.16
DNS: simetar.com (Type: A) ➝ 70.34.36.206
DNS: dyag-eng.com (Type: A) ➝ 74.220.215.227
DNS: sledsport.ru (Type: A) ➝ 185.22.232.175
DNS: webavant.com (Type: A) ➝ 69.64.39.130
DNS: tozzhin.com (Type: A) ➝ 27.254.142.204
DNS: cqdgroup.com (Type: A) ➝ 221.132.33.88
DNS: siongann.com (Type: A) ➝ 101.100.204.43
DNS: kursavto.ru (Type: A) ➝ 82.208.109.253
DNS: araax.com (Type: A) ➝ 188.136.220.23
DNS: kumaden.com (Type: A) ➝ 49.212.180.178
DNS: sanfotek.net (Type: A) ➝ 97.74.42.79
DNS: sidepath.com (Type: A) ➝ 74.124.215.108
DNS: shesfit.com (Type: A) ➝ 45.56.67.57
DNS: atb-lit.com (Type: A) ➝ 93.125.30.150
DNS: atis-sk.ca (Type: A) ➝ 104.25.48.26
DNS: atis-sk.ca (Type: A) ➝ 104.25.49.26
DNS: stopllc.com (Type: A) ➝ 75.101.162.107
DNS: sledsport.ru (Type: A) ➝ 185.22.232.175
DNS: unicus.jp (Type: A) ➝ 49.212.232.113
DNS: likangds.com (Type: A) ➝ 121.42.7.19
DNS: skgm.ru (Type: A) ➝ 178.210.70.140
DNS: someikan.com (Type: A) ➝ 202.189.180.2
DNS: cyclad.pl (Type: A) ➝ 185.38.249.12
DNS: t-mould.com (Type: A) ➝ 94.102.211.24
DNS: plaske.ua (Type: A) ➝ 5.254.103.105
DNS: snf.it (Type: A) ➝ 95.174.22.233
DNS: vvsteknik.dk (Type: A)
DNS: mail7.digitalwaves.co.nz (Type: A)
DNS: rkengg.com (Type: A)
DNS: arowines.com (Type: A)
DNS: n23china.com (Type: A)
HTTP POST: http://captlfix.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://xult.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://cpwpb.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ifesnet.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://wolffkran.de/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://rkengg.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://btsi.com.ph/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://hbfuels.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1039 ➝ 219.94.162.11:25
Flows TCP: 192.168.1.1:1040 ➝ 62.129.220.170:25
Flows TCP: 192.168.1.1:1041 ➝ 62.75.161.184:25
Flows TCP: 192.168.1.1:1042 ➝ 46.227.200.51:25
Flows TCP: 192.168.1.1:1043 ➝ 99.192.128.29:25
Flows TCP: 192.168.1.1:1044 ➝ 104.31.89.129:25
Flows TCP: 192.168.1.1:1045 ➝ 204.15.134.44:25
Flows TCP: 192.168.1.1:1046 ➝ 69.163.201.178:25
Flows TCP: 192.168.1.1:1047 ➝ 91.109.201.127:25
Flows TCP: 192.168.1.1:1048 ➝ 94.100.180.150:25
Flows TCP: 192.168.1.1:1088 ➝ 66.29.210.245:25
Flows TCP: 192.168.1.1:1049 ➝ 65.52.128.33:80
Flows TCP: 192.168.1.1:1057 ➝ 91.109.201.127:25
Flows TCP: 192.168.1.1:1071 ➝ 87.229.26.84:25
Flows TCP: 192.168.1.1:1089 ➝ 94.126.17.113:25
Flows TCP: 192.168.1.1:1050 ➝ 192.230.74.38:80
Flows TCP: 192.168.1.1:1058 ➝ 104.237.98.62:25
Flows TCP: 192.168.1.1:1072 ➝ 79.170.44.118:25
Flows TCP: 192.168.1.1:1091 ➝ 104.28.7.114:25
Flows TCP: 192.168.1.1:1051 ➝ 69.20.11.153:80
Flows TCP: 192.168.1.1:1059 ➝ 103.15.192.173:25
Flows TCP: 192.168.1.1:1073 ➝ 114.179.231.55:25
Flows TCP: 192.168.1.1:1090 ➝ 91.202.171.113:25
Flows TCP: 192.168.1.1:1060 ➝ 120.24.238.21:25
Flows TCP: 192.168.1.1:1075 ➝ 104.28.20.183:25
Flows TCP: 192.168.1.1:1053 ➝ 78.35.0.251:80
Flows TCP: 192.168.1.1:1061 ➝ 49.212.235.59:25
Flows TCP: 192.168.1.1:1074 ➝ 203.0.113.0:25
Flows TCP: 192.168.1.1:1093 ➝ 204.15.134.44:25
Flows TCP: 192.168.1.1:1054 ➝ 148.251.127.29:80
Flows TCP: 192.168.1.1:1062 ➝ 203.0.113.0:25
Flows TCP: 192.168.1.1:1076 ➝ 104.28.0.44:25
Flows TCP: 192.168.1.1:1094 ➝ 50.63.202.16:25
Flows TCP: 192.168.1.1:1055 ➝ 54.208.74.215:80
Flows TCP: 192.168.1.1:1064 ➝ 94.100.180.150:25
Flows TCP: 192.168.1.1:1077 ➝ 67.210.231.230:25
Flows TCP: 192.168.1.1:1095 ➝ 114.179.231.55:25
Flows TCP: 192.168.1.1:1056 ➝ 107.190.141.194:80
Flows TCP: 192.168.1.1:1065 ➝ 104.28.29.57:80
Flows TCP: 192.168.1.1:1078 ➝ 24.223.107.10:25
