Analysis Date: 2015-10-12 07:35:59
MD5: 365e4c1f86e2cbd168073b7e1068b239
SHA1: e97de8de18c49d72621acf71034c284ed298a3f3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 03c75af232c7f8bcbd40a84ec69fd531 sha1: dc8c1fcb944000f7a99820c0be441402261975a8 size: 231424
Section .data: md5: ebf88bf1e73cdf78cd5b86bafbc20f13 sha1: 2fdb460f662cfffb7b946d116ce5756b7557ca4c size: 20480
Section .rdata: md5: 7d9be1dc4c723a86d8465803e13feb97 sha1: fd72724c5646f546254be05ddc971ad5fc5288b8 size: 38912
Section .eh_fram: md5: 179434f54d6e373ca008ef815174444e sha1: 5452a6a913acf662c32518184baed9c7ba37944f size: 40448
Section .bss: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata: md5: b7f46307f2501e9cf0cd7ba1dd08a645 sha1: ed24a117b29862721ac3e2b5fabc112914965158 size: 7168
Section .CRT: md5: b0587ce1fda151d1f161a2d29d23a193 sha1: a27fe47c1762dc0fc9fccf5a50b9610a8b048693 size: 512
Section .tls: md5: 255674fadd8cc7bc6ab4eb4e269c5241 sha1: 2b846edad7a64d2f5b163ac5c63f40a7564a16e8 size: 512
Timestamp: 2015-03-05 06:29:35
PEhash: 3572b07c93bcf519ceeb451453827dcbb0fe596e
IMPhash: eb9267d7aa9e7f91a90b297852480bb6
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!acf
AV Emsisoft: Gen:Variant.Symmi.51758
AV Fortinet: W32/Agent.XDQ!tr
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV Avira (antivir): TR/ATRAPS.A.8657
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Symmi.51758
AV CA (E-Trust Ino): no_virus
AV Kaspersky: Trojan.Win32.Scar.lhzg
AV BitDefender: Gen:Variant.Symmi.51758
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV Dr. Web: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Trend Micro: no_virus
AV Zillya!: no_virus
AV Mcafee: Trojan-FGOJ!365E4C1F86E2
AV Rising: no_virus
AV Ikarus: Trojan.Win32.Agent
AV VirusBlokAda (vba32): no_virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Ad-Aware: Gen:Variant.Symmi.51758
AV K7: Trojan ( 004c988e1 )
AV Symantec: Downloader.Upatre!g16
AV Frisk (f-prot): no_virus
AV Grisoft (avg): Win32/Cryptor
AV Authentium: W32/S-6a8c3109!Eldorado
AV Alwil (avast): no_virus
AV Twister: no_virus
AV MalwareBytes: no_virus
AV Eset (nod32): Win32/Agent.XDQ

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates File: C:\bgl3pghvhxh\vps3xoqj
Creates File: C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe
Deletes File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates Process: C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe

Process
↳ C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Endpoint Color TPM Compatibility Defragmenter ➝ C:\bgl3pghvhxh\dv1ffgkjasl.exe
Creates File: C:\bgl3pghvhxh\aswpuoeh
Creates File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates File: C:\bgl3pghvhxh\vps3xoqj
Creates File: PIPE\lsarpc
Creates File: C:\bgl3pghvhxh\dv1ffgkjasl.exe
Deletes File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates Process: C:\bgl3pghvhxh\dv1ffgkjasl.exe
Creates Service: Server Files Logs PC WLAN WWAN Tunneling - C:\bgl3pghvhxh\dv1ffgkjasl.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1140

Process
↳ C:\bgl3pghvhxh\dv1ffgkjasl.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\bgl3pghvhxh\aswpuoeh
Creates File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates File: C:\bgl3pghvhxh\vps3xoqj
Creates File: C:\bgl3pghvhxh\xqwxlneo
Creates File: C:\bgl3pghvhxh\bzcspckazq.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates Process: zgaashmnkwuz "c:\bgl3pghvhxh\dv1ffgkjasl.exe"

Process
↳ C:\bgl3pghvhxh\dv1ffgkjasl.exe

Creates File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates File: C:\bgl3pghvhxh\vps3xoqj
Deletes File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj

Process
↳ zgaashmnkwuz "c:\bgl3pghvhxh\dv1ffgkjasl.exe"

Creates File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj
Creates File: C:\bgl3pghvhxh\vps3xoqj
Deletes File: C:\WINDOWS\bgl3pghvhxh\vps3xoqj

Network Details:

DNS: kristopherernestine.net (Type: A) ➝ 217.160.165.207
DNS: earnestinepatrickson.net (Type: A)
DNS: washingtonrichardson.net (Type: A)
DNS: earnestinerichardson.net (Type: A)
DNS: washingtonatterberry.net (Type: A)
DNS: earnestineatterberry.net (Type: A)
DNS: washingtonunderwood.net (Type: A)
DNS: earnestineunderwood.net (Type: A)
DNS: sacheverellpatrickson.net (Type: A)
DNS: wilhelminapatrickson.net (Type: A)
DNS: sacheverellrichardson.net (Type: A)
DNS: wilhelminarichardson.net (Type: A)
DNS: sacheverellatterberry.net (Type: A)
DNS: wilhelminaatterberry.net (Type: A)
DNS: sacheverellunderwood.net (Type: A)
DNS: wilhelminaunderwood.net (Type: A)
DNS: maximillianpatrickson.net (Type: A)
DNS: gwendolinepatrickson.net (Type: A)
DNS: maximillianrichardson.net (Type: A)
DNS: gwendolinerichardson.net (Type: A)
DNS: maximillianatterberry.net (Type: A)
DNS: gwendolineatterberry.net (Type: A)
DNS: maximillianunderwood.net (Type: A)
DNS: gwendolineunderwood.net (Type: A)
DNS: beauregardpatrickson.net (Type: A)
DNS: evangelinapatrickson.net (Type: A)
DNS: beauregardrichardson.net (Type: A)
DNS: evangelinarichardson.net (Type: A)
DNS: beauregardatterberry.net (Type: A)
DNS: evangelinaatterberry.net (Type: A)
DNS: beauregardunderwood.net (Type: A)
DNS: evangelinaunderwood.net (Type: A)
DNS: richardinepatrickson.net (Type: A)
DNS: evangelinepatrickson.net (Type: A)
DNS: richardinerichardson.net (Type: A)
DNS: evangelinerichardson.net (Type: A)
DNS: richardineatterberry.net (Type: A)
DNS: evangelineatterberry.net (Type: A)
DNS: richardineunderwood.net (Type: A)
DNS: evangelineunderwood.net (Type: A)
DNS: cassandraernestine.net (Type: A)
DNS: kristopherchastity.net (Type: A)
DNS: cassandrachastity.net (Type: A)
DNS: kristophermillicent.net (Type: A)
DNS: cassandramillicent.net (Type: A)
DNS: kristophertennyson.net (Type: A)
DNS: cassandratennyson.net (Type: A)
DNS: maximilianernestine.net (Type: A)
DNS: kimberleeernestine.net (Type: A)
DNS: maximilianchastity.net (Type: A)
DNS: kimberleechastity.net (Type: A)
DNS: maximilianmillicent.net (Type: A)
DNS: kimberleemillicent.net (Type: A)
DNS: maximiliantennyson.net (Type: A)
DNS: kimberleetennyson.net (Type: A)
DNS: catherinaernestine.net (Type: A)
DNS: catherineernestine.net (Type: A)
DNS: catherinachastity.net (Type: A)
DNS: catherinechastity.net (Type: A)
DNS: catherinamillicent.net (Type: A)
DNS: catherinemillicent.net (Type: A)
DNS: catherinatennyson.net (Type: A)
DNS: catherinetennyson.net (Type: A)
DNS: antonetteernestine.net (Type: A)
DNS: madeleineernestine.net (Type: A)
DNS: antonettechastity.net (Type: A)
DNS: madeleinechastity.net (Type: A)
DNS: antonettemillicent.net (Type: A)
DNS: madeleinemillicent.net (Type: A)
DNS: antonettetennyson.net (Type: A)
DNS: madeleinetennyson.net (Type: A)
DNS: charlotteernestine.net (Type: A)
DNS: stephanieernestine.net (Type: A)
DNS: charlottechastity.net (Type: A)
DNS: stephaniechastity.net (Type: A)
DNS: charlottemillicent.net (Type: A)
DNS: stephaniemillicent.net (Type: A)
DNS: charlottetennyson.net (Type: A)
DNS: stephanietennyson.net (Type: A)
DNS: kimberlynernestine.net (Type: A)
DNS: glanvilleernestine.net (Type: A)
DNS: kimberlynchastity.net (Type: A)
DNS: glanvillechastity.net (Type: A)
DNS: kimberlynmillicent.net (Type: A)
DNS: glanvillemillicent.net (Type: A)
HTTP GET: http://kristopherernestine.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 217.160.165.207:80
