Analysis Date: 2015-11-05 04:58:32
MD5: 630b9c7d3b5c209cbc5940cc2e95b227
SHA1: f2112e4411e563d9cb9ef41357573a134951c214

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cbd040c5e941b1c136d3a73b40ea9014 sha1: 850c94af4c521d690b1c6c7b5e0308fb3efdcda0 size: 794112
Section .rdata: md5: ff74e87cc31e8b38cc3fd21395146b7a sha1: 8f4693320479ad821db8e799f128bc966551d6db size: 59904
Section .data: md5: a75f1608cb45efc225d904b36446cc15 sha1: fc23a9d91e5430fcdf452de1a358842d235fe11c size: 414720
Timestamp: 2014-09-05 11:44:58
Packer: Microsoft Visual C++ ?.?
PEhash: bb2a189959f488375b6e731c4995e433386e7956
IMPhash: 6ab931ec1076ec611527d6f05aae66bd
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.Xpack.309644
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.CCLE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: Win.Trojan.Agent-953308
AV Dr. Web: Trojan.KillFiles.30587
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vjluirge1l3zsbuzbkqbg.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\vjluirge1l3zsbuzbkqbg.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\vjluirge1l3zsbuzbkqbg.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Workstation Panel Logon Locator Now ➝ C:\WINDOWS\system32\lmszrzlgmf.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\lck
Creates File: C:\WINDOWS\system32\lmszrzlgmf.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\etc
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\lmszrzlgmf.exe
Creates Service: Storage Audio Identity Interface Tools Portable - C:\WINDOWS\system32\lmszrzlgmf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\cfg
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\rng
Creates File: C:\WINDOWS\system32\dklnpjj.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\lck
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\run
Creates File: C:\WINDOWS\TEMP\vjluirge1rojsbu.exe
Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\vjluirge1rojsbu.exe -r 46311 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe"

Process
↳ C:\WINDOWS\system32\lmszrzlgmf.exe

Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\lmszrzlgmf.exe"

Creates File: C:\WINDOWS\system32\gtfixvkttwfel\tst

Process
↳ C:\WINDOWS\TEMP\vjluirge1rojsbu.exe -r 46311 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

HTTP GET: http://saltsecond.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://saltwear.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://equalfind.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://watchfind.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://watchwear.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://fairwear.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://dreamwear.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://spothelp.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
HTTP GET: http://grouphelp.net/index.php?method=validate&mode=sox&v=031&sox=430a4a01
User-Agent:
