| Analysis Date | 2015-10-12 07:35:59 |
|---|---|
| MD5 | 365e4c1f86e2cbd168073b7e1068b239 |
| SHA1 | e97de8de18c49d72621acf71034c284ed298a3f3 |
Static Details:
| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Timestamp | 2015-03-05 06:29:35 |
| PEhash | 3572b07c93bcf519ceeb451453827dcbb0fe596e |
| IMPhash | eb9267d7aa9e7f91a90b297852480bb6 |

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | 03c75af232c7f8bcbd40a84ec69fd531 | dc8c1fcb944000f7a99820c0be441402261975a8 | 231424 |
| .data | ebf88bf1e73cdf78cd5b86bafbc20f13 | 2fdb460f662cfffb7b946d116ce5756b7557ca4c | 20480 |
| .rdata | 7d9be1dc4c723a86d8465803e13feb97 | fd72724c5646f546254be05ddc971ad5fc5288b8 | 38912 |
| .eh_fram | 179434f54d6e373ca008ef815174444e | 5452a6a913acf662c32518184baed9c7ba37944f | 40448 |
| .bss | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | 0 |
| .idata | b7f46307f2501e9cf0cd7ba1dd08a645 | ed24a117b29862721ac3e2b5fabc112914965158 | 7168 |
| .CRT | b0587ce1fda151d1f161a2d29d23a193 | a27fe47c1762dc0fc9fccf5a50b9610a8b048693 | 512 |
| .tls | 255674fadd8cc7bc6ab4eb4e269c5241 | 2b846edad7a64d2f5b163ac5c63f40a7564a16e8 | 512 |

Notes: the Timestamp is the PE header's compile-time stamp, about seven months before this analysis; it is set by the build tool and is trivially forgeable, so treat it as a hint, not evidence. `.eh_fram` is `.eh_frame` cut to the 8-byte PE section-name limit. `.bss` has no raw data on disk (size 0), so its MD5 and SHA1 are simply the hashes of empty input and say nothing about the sample.
| Engine | Detection |
|---|---|
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!acf |
| Emsisoft | Gen:Variant.Symmi.51758 |
| Fortinet | W32/Agent.XDQ!tr |
| Arcabit (arcavir) | Gen:Variant.Symmi.51758 |
| Avira (antivir) | TR/ATRAPS.A.8657 |
| ClamAV | no_virus |
| F-Secure | Gen:Variant.Symmi.51758 |
| CA (E-Trust Ino) | no_virus |
| Kaspersky | Trojan.Win32.Scar.lhzg |
| BitDefender | Gen:Variant.Symmi.51758 |
| CAT (quickheal) | no_virus |
| Padvish | no_virus |
| Dr. Web | no_virus |
| MicroWorld (escan) | Gen:Variant.Symmi.51758 |
| Trend Micro | no_virus |
| Zillya! | no_virus |
| McAfee | Trojan-FGOJ!365E4C1F86E2 |
| Rising | no_virus |
| Ikarus | Trojan.Win32.Agent |
| VirusBlokAda (vba32) | no_virus |
| BullGuard | Gen:Variant.Symmi.51758 |
| Ad-Aware | Gen:Variant.Symmi.51758 |
| K7 | Trojan ( 004c988e1 ) |
| Symantec | Downloader.Upatre!g16 |
| Frisk (f-prot) | no_virus |
| Grisoft (avg) | Win32/Cryptor |
| Authentium | W32/S-6a8c3109!Eldorado |
| Alwil (avast) | no_virus |
| Twister | no_virus |
| MalwareBytes | no_virus |
| Eset (nod32) | Win32/Agent.XDQ |

18 of the 31 engines detect the sample; the other 13 report `no_virus`. Seven vendors share the generic Gen:Variant.Symmi.51758 name and Fortinet and Eset agree on Agent.XDQ, while the family-style labels (Microsoft's Nivdort, Kaspersky's Scar, Symantec's Upatre downloader) do not agree with one another, so the AV column identifies the file as malicious but does not settle what family it belongs to.
Runtime Details:
Process
↳ C:\malware.exe

| Event | Detail |
|---|---|
| Creates File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe |
| Deletes File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates Process | C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe |
Process
↳ C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe

| Event | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Endpoint Color TPM Compatibility Defragmenter ➝ C:\bgl3pghvhxh\dv1ffgkjasl.exe |
| Creates File | C:\bgl3pghvhxh\aswpuoeh |
| Creates File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\vps3xoqj |
| Creates File | PIPE\lsarpc |
| Creates File | C:\bgl3pghvhxh\dv1ffgkjasl.exe |
| Deletes File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates Process | C:\bgl3pghvhxh\dv1ffgkjasl.exe |
| Creates Service | Server Files Logs PC WLAN WWAN Tunneling - C:\bgl3pghvhxh\dv1ffgkjasl.exe |

This stage installs two independent persistence mechanisms for the same dropped binary: a HKLM Run value (which requires that key to be writable, i.e. the sample is running with administrative rights) and a service, both pointing at C:\bgl3pghvhxh\dv1ffgkjasl.exe. Removing only one of them leaves the implant in place. Both the value name and the service name are strings of unrelated Windows-sounding words, so they should be matched on the image path rather than on the name.
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe

| Event | Detail |
|---|---|
| Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |

Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe

| Event | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |

Process
↳ Pid 1856
Process
↳ Pid 1140

The svchost.exe and spoolsv.exe entries (a WMI event-subsystem log write and the print spooler's normal start-up reads of its own settings) are background activity captured while the sample ran; nothing in the report ties them to the malware, and they should not be turned into indicators.
Process
↳ C:\bgl3pghvhxh\dv1ffgkjasl.exe

| Event | Detail |
|---|---|
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\bgl3pghvhxh\aswpuoeh |
| Creates File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\xqwxlneo |
| Creates File | C:\bgl3pghvhxh\bzcspckazq.exe |
| Creates File | \Device\Afd\Endpoint |
| Deletes File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates Process | zgaashmnkwuz "c:\bgl3pghvhxh\dv1ffgkjasl.exe" |

Two details here matter for triage. The NtControlPipe10 open is the Service Control Manager's control pipe, which shows this instance was started as the service registered in the previous stage rather than as a plain child process. The \Device\Afd\Endpoint open is a socket being created, so the binary attempts network activity even though this report's Network Details section is empty. The final row re-launches the same executable with a random first token ("zgaashmnkwuz") in front of the real path, so any command-line based detection has to key on the quoted image path, not on argv[0].
Process
↳ C:\bgl3pghvhxh\dv1ffgkjasl.exe

| Event | Detail |
|---|---|
| Creates File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\vps3xoqj |
| Deletes File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |

Process
↳ zgaashmnkwuz "c:\bgl3pghvhxh\dv1ffgkjasl.exe"

| Event | Detail |
|---|---|
| Creates File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\vps3xoqj |
| Deletes File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
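The runtime rows above describe a three-stage drop-and-persist chain: malware.exe drops gw1ucgq1kgzttcsbzzp8.exe, which drops dv1ffgkjasl.exe and registers it both as a Run value and as a service, after which dv1ffgkjasl.exe respawns itself with a junk first token. The Python below is an added example, not part of the original report or of the sandbox that produced it: it parses a constructed excerpt of these rows (copied from the page in its table layout) and extracts the Run value, the service, the dropped executables, the staging directory and the marker file that every stage creates and deletes again. The parser, regular expressions and function names are assumptions about this page's layout, not any sandbox's API.

```python
"""Added triage example (not from the original report): parse the flattened
"Process / ↳ image" blocks and "| Event | Detail |" rows above into per-process
event lists, then extract the indicators a responder would keep. The row
layout, regexes and function names are assumptions about this page's format."""
import re

# Constructed excerpt of the runtime rows above, kept in the page's own layout.
SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe
| Event | Detail |
|---|---|
| Creates File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe |
| Deletes File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates Process | C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe |
Process
↳ C:\bgl3pghvhxh\gw1ucgq1kgzttcsbzzp8.exe
| Event | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Endpoint Color TPM Compatibility Defragmenter ➝ C:\bgl3pghvhxh\dv1ffgkjasl.exe |
| Creates File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates File | C:\bgl3pghvhxh\dv1ffgkjasl.exe |
| Deletes File | C:\WINDOWS\bgl3pghvhxh\vps3xoqj |
| Creates Process | C:\bgl3pghvhxh\dv1ffgkjasl.exe |
| Creates Service | Server Files Logs PC WLAN WWAN Tunneling - C:\bgl3pghvhxh\dv1ffgkjasl.exe |
Process
↳ C:\bgl3pghvhxh\dv1ffgkjasl.exe
| Event | Detail |
|---|---|
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\bgl3pghvhxh\bzcspckazq.exe |
| Creates File | \Device\Afd\Endpoint |
| Creates Process | zgaashmnkwuz "c:\bgl3pghvhxh\dv1ffgkjasl.exe" |
"""

ROW_RE = re.compile(r"^(?P<event>[^|]+?)\s*\|\s*(?P<detail>.*?)\s*\|?\s*$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>.+?)\s*➝\s*(?P<target>.+)$", re.I)
SERVICE_RE = re.compile(r"^(?P<name>.+?)\s+-\s+(?P<image>[A-Za-z]:\\.+)$")
WIN_EXE_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

def parse_events(report):
    """Map each process image to its ordered (event, detail) rows; header,
    '---' separator and blank lines are table layout and are skipped."""
    events, current = {}, None
    for raw in report.splitlines():
        line = raw.strip().lstrip("|").strip()
        if not line or line.startswith("---") or line == "Process":
            continue
        if line.startswith("↳"):
            current = line[1:].strip()
            events.setdefault(current, [])
            continue
        m = ROW_RE.match(line)
        if m and current is not None and m.group("event") != "Event":
            events[current].append((m.group("event"), m.group("detail")))
    return events

def image_from_cmdline(cmdline):
    r"""The sample respawns itself as zgaashmnkwuz "c:\...\dv1ffgkjasl.exe", so
    argv[0] is junk: take the first quoted, else bare, drive-letter path."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]+)"', cmdline)
    if quoted:
        return quoted.group(1)
    bare = re.search(r"[A-Za-z]:\\\S+", cmdline)
    return bare.group(0) if bare else cmdline

def extract_indicators(events):
    """Persistence (Run value, service), dropped executables, spawned images
    and marker files that the same process creates and then deletes."""
    run_keys, services, dropped, transient, spawned = [], [], [], [], []
    for proc, rows in events.items():
        created = set()
        for event, detail in rows:
            if event == "Registry" and (m := RUN_KEY_RE.search(detail)):
                run_keys.append((m.group("name").strip(), m.group("target").strip()))
            elif event == "Creates Service" and (m := SERVICE_RE.match(detail)):
                services.append((m.group("name"), m.group("image")))
            elif event == "Creates File":
                created.add(detail)
                if WIN_EXE_RE.match(detail):
                    dropped.append(detail)
            elif event == "Deletes File" and detail in created:
                transient.append(detail)  # written and removed by the same process
            elif event == "Creates Process":
                spawned.append((proc, image_from_cmdline(detail)))
    uniq = lambda seq: list(dict.fromkeys(seq))  # de-duplicate, keep order
    return {"run_keys": uniq(run_keys), "services": uniq(services),
            "dropped_exes": uniq(dropped), "transient_files": uniq(transient),
            "spawned": uniq(spawned)}

def staging_directories(indicators):
    """Parent folders of every dropped or persisted binary; for this report
    they collapse to the one randomly named directory the sample creates."""
    paths = list(indicators["dropped_exes"])
    paths += [t for _, t in indicators["run_keys"]]
    paths += [i for _, i in indicators["services"]]
    return {p.rsplit("\\", 1)[0] for p in paths}

if __name__ == "__main__":
    ind = extract_indicators(parse_events(SAMPLE_REPORT))
    print(ind, staging_directories(ind), sep="\n")
```

The Run value name and the service name come out verbatim and are the two persistence entries to check on a host; the staging directory gives the path prefix to sweep for the remaining dropped files. The create-then-delete check is there because C:\WINDOWS\bgl3pghvhxh\vps3xoqj is touched and removed by every stage, so it will not be on disk afterwards and is only visible in file-creation telemetry.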
Network Details:
Raw Pcap
Strings