Analysis Date2015-11-02 16:04:53
MD5546b3c9f3d028dd19d24c5a72d5347eb
SHA1ea068ed2e734a3c725f2e525558eca705184b982

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 6f2669abb5f970b303b864ecc2300129 sha1: 70f29a41e2e460a1bc24abd78fb0d33695acacec size: 795136
Section.rdata md5: 51aefb23060a3658061f7194719d4962 sha1: f6e8888e0cf606e3b248b0588a6b1980d619e105 size: 57344
Section.data md5: a3473c75e28088ab38871bdca4a5d6fd sha1: 07c1945938c03eb054e50b4f64c3cb58ea01c7fb size: 398848
Timestamp2014-09-05 10:45:05
PackerMicrosoft Visual C++ ?.?
PEhashf55cd038eac273f50d54d167105ee189ca0342b1
IMPhash3572e80c027d3996c08819969b9e26af
AVAd-AwareGen:Variant.Symmi.22722
AVGrisoft (avg)Win32/Cryptor
AVCAT (quickheal)no_virus
AVIkarusno_virus
AVAvira (antivir)TR/Crypt.ZPACK.62933
AVK7Trojan ( 004cd0081 )
AVClamAVno_virus
AVKasperskyTrojan.Win32.Generic
AVArcabit (arcavir)Gen:Variant.Symmi.22722
AVMalwareBytesno_virus
AVDr. Webno_virus
AVMcafeeno_virus
AVBitDefenderGen:Variant.Symmi.22722
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.AE
AVEmsisoftGen:Variant.Symmi.22722
AVMicroWorld (escan)Gen:Variant.Symmi.22722
AVAlwil (avast)Kryptik-OSY [Trj]
AVPadvishno_virus
AVEset (nod32)Win32/Kryptik.CCLE
AVRisingno_virus
AVBullGuardGen:Variant.Symmi.22722
AVFortinetW32/Kryptik.DDQD!tr
AVSymantecDownloader.Upatre!g15
AVAuthentiumW32/Nivdort.A.gen!Eldorado
AVTrend MicroTROJ_WONTON.SMJ1
AVFrisk (f-prot)no_virus
AVTwisterno_virus
AVCA (E-Trust Ino)no_virus
AVVirusBlokAda (vba32)no_virus
AVF-SecureGen:Variant.Symmi.22722
AVZillya!no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\WINDOWS\system32\efbfbdsnhqj\tst
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qijvi61lsqjzmtpqpk.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\qijvi61lsqjzmtpqpk.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\qijvi61lsqjzmtpqpk.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Interactive Connections List Auto ➝
C:\WINDOWS\system32\seathvj.exe
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\etc
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\lck
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\tst
Creates FileC:\WINDOWS\system32\seathvj.exe
Deletes FileC:\WINDOWS\system32\\drivers\etc\hosts
Creates ProcessC:\WINDOWS\system32\seathvj.exe
Creates ServiceAudio Driver DHCP Fax Link-Layer - C:\WINDOWS\system32\seathvj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\seathvj.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\TEMP\qijvi61rvhjz.exe
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\run
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\rng
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\tst
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\cfg
Creates Filepipe\net\NtControlPipe10
Creates FileC:\WINDOWS\system32\efbfbdsnhqj\lck
Creates FileC:\WINDOWS\system32\vphxcvk.exe
Creates File\Device\Afd\Endpoint
Creates ProcessC:\WINDOWS\TEMP\qijvi61rvhjz.exe -r 46414 tcp
Creates ProcessWATCHDOGPROC "c:\windows\system32\seathvj.exe"

Process
↳ C:\WINDOWS\system32\seathvj.exe

Creates FileC:\WINDOWS\system32\efbfbdsnhqj\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\seathvj.exe"

Creates FileC:\WINDOWS\system32\efbfbdsnhqj\tst

Process
↳ C:\WINDOWS\TEMP\qijvi61rvhjz.exe -r 46414 tcp

Creates File\Device\Afd\Endpoint
Winsock DNS239.255.255.250

Network Details:

DNSsaltsecond.net
Type: A
74.220.199.6
DNSwishfish.net
Type: A
50.63.202.55
DNSdeadwing.net
Type: A
85.25.214.16
DNSdeadlady.net
Type: A
195.22.26.253
DNSdeadlady.net
Type: A
195.22.26.254
DNSdeadlady.net
Type: A
195.22.26.231
DNSdeadlady.net
Type: A
195.22.26.252
DNSrocklady.net
Type: A
64.61.199.44
DNSdeadfish.net
Type: A
69.172.201.208
DNSrockfish.net
Type: A
96.45.82.90
DNSrockfish.net
Type: A
96.45.82.194
DNSrockfish.net
Type: A
96.45.83.91
DNSrockfish.net
Type: A
96.45.83.235
DNSwronglady.net
Type: A
208.100.26.234
DNSsouthcity.net
Type: A
207.148.248.143
DNSspotcity.net
Type: A
91.195.240.101
DNSsaltcity.net
Type: A
184.168.221.55
DNSgladcity.net
Type: A
65.254.248.183
DNSvisitcity.net
Type: A
104.193.110.28
DNSwatchcity.net
Type: A
207.148.248.143
DNSfaircity.net
Type: A
80.77.120.47
DNSdreamgrow.net
Type: A
213.180.31.141
DNSdreamcity.net
Type: A
72.52.4.119
DNSthiscity.net
Type: A
121.42.126.34
DNSsouthblood.net
Type: A
DNSenemydont.net
Type: A
DNSsellsmall.net
Type: A
DNSwheelreply.net
Type: A
DNSjoinfish.net
Type: A
DNSrockwing.net
Type: A
DNSdeadpast.net
Type: A
DNSrockpast.net
Type: A
DNSwrongwing.net
Type: A
DNSmadewing.net
Type: A
DNSwrongpast.net
Type: A
DNSmadepast.net
Type: A
DNSmadelady.net
Type: A
DNSwrongfish.net
Type: A
DNSmadefish.net
Type: A
DNSarivegrow.net
Type: A
DNSsouthgrow.net
Type: A
DNSarivetear.net
Type: A
DNSsouthtear.net
Type: A
DNSarivethank.net
Type: A
DNSsouththank.net
Type: A
DNSarivecity.net
Type: A
DNSupongrow.net
Type: A
DNSwhichgrow.net
Type: A
DNSupontear.net
Type: A
DNSwhichtear.net
Type: A
DNSuponthank.net
Type: A
DNSwhichthank.net
Type: A
DNSuponcity.net
Type: A
DNSwhichcity.net
Type: A
DNSspotgrow.net
Type: A
DNSsaltgrow.net
Type: A
DNSspottear.net
Type: A
DNSsalttear.net
Type: A
DNSspotthank.net
Type: A
DNSsaltthank.net
Type: A
DNSgladgrow.net
Type: A
DNStakengrow.net
Type: A
DNSgladtear.net
Type: A
DNStakentear.net
Type: A
DNSgladthank.net
Type: A
DNStakenthank.net
Type: A
DNStakencity.net
Type: A
DNSequalgrow.net
Type: A
DNSgroupgrow.net
Type: A
DNSequaltear.net
Type: A
DNSgrouptear.net
Type: A
DNSequalthank.net
Type: A
DNSgroupthank.net
Type: A
DNSequalcity.net
Type: A
DNSgroupcity.net
Type: A
DNSspokegrow.net
Type: A
DNSvisitgrow.net
Type: A
DNSspoketear.net
Type: A
DNSvisittear.net
Type: A
DNSspokethank.net
Type: A
DNSvisitthank.net
Type: A
DNSspokecity.net
Type: A
DNSwatchgrow.net
Type: A
DNSfairgrow.net
Type: A
DNSwatchtear.net
Type: A
DNSfairtear.net
Type: A
DNSwatchthank.net
Type: A
DNSfairthank.net
Type: A
DNSthisgrow.net
Type: A
DNSdreamtear.net
Type: A
DNSthistear.net
Type: A
DNSdreamthank.net
Type: A
DNSthisthank.net
Type: A
DNSarivepure.net
Type: A
DNSsouthpure.net
Type: A
DNSarivemarch.net
Type: A
HTTP GEThttp://saltsecond.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://wishfish.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://deadwing.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://deadlady.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://rocklady.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://deadfish.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://rockfish.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://wronglady.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://southcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://spotcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://saltcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://gladcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://visitcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://watchcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://faircity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://dreamgrow.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://dreamcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://thiscity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://saltsecond.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://wishfish.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://deadwing.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://deadlady.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://rocklady.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://deadfish.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://rockfish.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://wronglady.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://southcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://spotcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://saltcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://gladcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://visitcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://watchcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://faircity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://dreamgrow.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://dreamcity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
HTTP GEThttp://thiscity.net/index.php?method=validate&mode=sox&v=031&sox=3c18da00
User-Agent:
Flows TCP192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP192.168.1.1:1037 ➝ 50.63.202.55:80
Flows TCP192.168.1.1:1038 ➝ 85.25.214.16:80
Flows TCP192.168.1.1:1040 ➝ 195.22.26.253:80
Flows TCP192.168.1.1:1041 ➝ 64.61.199.44:80
Flows TCP192.168.1.1:1042 ➝ 69.172.201.208:80
Flows TCP192.168.1.1:1043 ➝ 96.45.82.90:80
Flows TCP192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1045 ➝ 207.148.248.143:80
Flows TCP192.168.1.1:1046 ➝ 91.195.240.101:80
Flows TCP192.168.1.1:1047 ➝ 184.168.221.55:80
Flows TCP192.168.1.1:1048 ➝ 65.254.248.183:80
Flows TCP192.168.1.1:1049 ➝ 104.193.110.28:80
Flows TCP192.168.1.1:1050 ➝ 207.148.248.143:80
Flows TCP192.168.1.1:1051 ➝ 80.77.120.47:80
Flows TCP192.168.1.1:1052 ➝ 213.180.31.141:80
Flows TCP192.168.1.1:1053 ➝ 72.52.4.119:80
Flows TCP192.168.1.1:1054 ➝ 121.42.126.34:80
Flows TCP192.168.1.1:1055 ➝ 74.220.199.6:80
Flows TCP192.168.1.1:1056 ➝ 50.63.202.55:80
Flows TCP192.168.1.1:1057 ➝ 85.25.214.16:80
Flows TCP192.168.1.1:1058 ➝ 195.22.26.253:80
Flows TCP192.168.1.1:1059 ➝ 64.61.199.44:80
Flows TCP192.168.1.1:1060 ➝ 69.172.201.208:80
Flows TCP192.168.1.1:1061 ➝ 96.45.82.90:80
Flows TCP192.168.1.1:1062 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1063 ➝ 207.148.248.143:80
Flows TCP192.168.1.1:1064 ➝ 91.195.240.101:80
Flows TCP192.168.1.1:1065 ➝ 184.168.221.55:80
Flows TCP192.168.1.1:1066 ➝ 65.254.248.183:80
Flows TCP192.168.1.1:1067 ➝ 104.193.110.28:80
Flows TCP192.168.1.1:1068 ➝ 207.148.248.143:80
Flows TCP192.168.1.1:1069 ➝ 80.77.120.47:80
Flows TCP192.168.1.1:1070 ➝ 213.180.31.141:80
Flows TCP192.168.1.1:1071 ➝ 72.52.4.119:80
Flows TCP192.168.1.1:1072 ➝ 121.42.126.34:80

Raw Pcap



Strings