Analysis Date: 2016-02-02 07:18:13
MD5: 491121fc20114786af7c30fb0851ffd1
SHA1: 01f90e280f9cc593f96d591b65b8d10450db4f06

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 c0cf0c486dd7dd414b275f1621c8a051, sha1 67d1dfb72b0508d0b01070cf1b62ed7338870b2b, size 198144
Section .rdata: md5 ef4ee6df2b476a521e87b2fe6c0a0627, sha1 1faf9e495a7c4393a8d06e414787cd45d6f8f527, size 2560
Section .data: md5 a1730d02c050516ea78179edd5a54741, sha1 1964a4b9b3208ff3e06ffa55b5c7894bbdaf64f0, size 16896
Section .reloc: md5 d0e5068eb2de6d5349d66cb79f4c3d3b, sha1 21af95522665da261027b0960c4eb0038fb5d85e, size 30720
Timestamp: 2014-08-20 05:29:52
PEhash: 34156043b3368864f202271c5e0ca5a31e11dce3
IMPhash: 53755e8c9d2e8ee1057093e50aa51d3f
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV McAfee: Trojan-FHRG!491121FC2011
AV Avira (antivir): TR/Nivdort.A.33102
AV Twister: No Virus
AV Ad-Aware: Trojan.Generic.15803911
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Generic37.AHKC
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Trojan.Generic.15803911
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): Trojan.Generic.15803911
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.H.gen!Eldorado
AV Emsisoft: Trojan.Generic.15803911
AV Frisk (f-prot): W32/Nivdort.H.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Trojan.Generic.15803911
AV Arcabit (arcavir): Trojan.Generic.15803911
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.13743
AV F-Secure: Trojan.Generic.15803911

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\iwwshryim\j7sptt0yiu
Creates File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Creates File: C:\iwwshryim\p0ieg1mh1bpuwtlefd.exe
Deletes File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Creates Process: C:\iwwshryim\p0ieg1mh1bpuwtlefd.exe

Process
↳ C:\iwwshryim\p0ieg1mh1bpuwtlefd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secondary Quality Locator Topology Media ➝ C:\iwwshryim\syotgbft.exe
Creates File: C:\iwwshryim\fuokel74wm
Creates File: C:\iwwshryim\j7sptt0yiu
Creates File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Creates File: PIPE\lsarpc
Creates File: C:\iwwshryim\syotgbft.exe
Deletes File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Creates Process: C:\iwwshryim\syotgbft.exe
Creates Service: Quality System WMI Information PNRP - C:\iwwshryim\syotgbft.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1184

Process
↳ C:\iwwshryim\syotgbft.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\iwwshryim\eyriiyryzj.exe
Creates File: C:\iwwshryim\fuokel74wm
Creates File: C:\iwwshryim\j7sptt0yiu
Creates File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Creates File: \Device\Afd\Endpoint
Creates File: C:\iwwshryim\xkb7kxtfx
Deletes File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Creates Process: uyjsk6qz2ig0 "c:\iwwshryim\syotgbft.exe"

Process
↳ C:\iwwshryim\syotgbft.exe

Creates File: C:\iwwshryim\j7sptt0yiu
Creates File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Deletes File: C:\WINDOWS\iwwshryim\j7sptt0yiu

Process
↳ uyjsk6qz2ig0 "c:\iwwshryim\syotgbft.exe"

Creates File: C:\iwwshryim\j7sptt0yiu
Creates File: C:\WINDOWS\iwwshryim\j7sptt0yiu
Deletes File: C:\WINDOWS\iwwshryim\j7sptt0yiu

Network Details:

