Analysis Date: 2015-07-29 10:38:18
MD5: fa7f8f894a4d6bf950775d2ee9849555
SHA1: 0f48bd2d74e1bff3868ccc32575b4603a5efea03

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ad78e672e262e5de490be147cad8875a sha1: 026f8396f1478f1fca680fd50547afb9957ab705 size: 300032
Section .rdata md5: 1a8e50ce0bc2b0f3c8f6f2d5a861165b sha1: c3ad8566fe9b49895768fb299315dcf645a0ebdd size: 58368
Section .data md5: 741eed1a12e3f47441cd6391a3f5759f sha1: 0f91594a78220dfde6a96e3f993389572a198655 size: 7168
Section .reloc md5: d650f7fe59c9a832857a59dd7529bf62 sha1: 4ecacf2b7c0963cc885d0eae179c13b72e12d915 size: 22528
Timestamp: 2015-05-11 06:52:21
Packer: Microsoft Visual C++ 8
PEhash: f82a7589c3ffc0ad96c97291254eaac3b9ed76a6
IMPhash: 5c2857f9b40d5f618ecb8c52c544ffdb
AV Fortinet: W32/Bayrob.T!tr
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Symantec: Downloader.Upatre!g15
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV Ikarus: Trojan.Win32.Bayrob
AV BitDefender: Gen:Variant.Kazy.611009
AV Twister: Trojan.Scar.jlea.eqal
AV Rising: Trojan.Win32.Bayrod.b
AV Eset (nod32): Win32/Bayrob.W
AV Frisk (f-prot): no_virus
AV Padvish: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Emsisoft: Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent
AV K7: Trojan ( 004c3a4d1 )
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Kazy.611009
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Mcafee: PWS-FCCE!FA7F8F894A4D
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: Trojan.Bayrob.1
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Kaspersky: Trojan.Win32.Scar.jlea
AV Zillya!: no_virus
AV CA (E-Trust Ino): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\bmklnol\vtl1n36w1gdurnkx.exe
Creates File: C:\bmklnol\ar9xkgctzx
Creates File: C:\WINDOWS\bmklnol\ar9xkgctzx
Deletes File: C:\WINDOWS\bmklnol\ar9xkgctzx
Creates Process: C:\bmklnol\vtl1n36w1gdurnkx.exe

Process
↳ C:\bmklnol\vtl1n36w1gdurnkx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Proxy Assistant Link List Protected ➝ C:\bmklnol\bnkklhsj.exe
Creates File: C:\bmklnol\bnkklhsj.exe
Creates File: C:\bmklnol\utcebwkfe
Creates File: C:\bmklnol\ar9xkgctzx
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\bmklnol\ar9xkgctzx
Deletes File: C:\WINDOWS\bmklnol\ar9xkgctzx
Creates Process: C:\bmklnol\bnkklhsj.exe
Creates Service: Encrypting Volume Routing Remote - C:\bmklnol\bnkklhsj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1148

Process
↳ C:\bmklnol\bnkklhsj.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\bmklnol\utcebwkfe
Creates File: C:\bmklnol\ar9xkgctzx
Creates File: C:\bmklnol\qrborzkx
Creates File: C:\bmklnol\crcdcfsefion.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\bmklnol\ar9xkgctzx
Deletes File: C:\WINDOWS\bmklnol\ar9xkgctzx
Creates Process: x3nhqgbuca7y "c:\bmklnol\bnkklhsj.exe"

Process
↳ C:\bmklnol\bnkklhsj.exe

Creates File: C:\bmklnol\ar9xkgctzx
Creates File: C:\WINDOWS\bmklnol\ar9xkgctzx
Deletes File: C:\WINDOWS\bmklnol\ar9xkgctzx

Process
↳ x3nhqgbuca7y "c:\bmklnol\bnkklhsj.exe"

Creates File: C:\bmklnol\ar9xkgctzx
Creates File: C:\WINDOWS\bmklnol\ar9xkgctzx
Deletes File: C:\WINDOWS\bmklnol\ar9xkgctzx

Network Details:

DNS partybottle.net (Type: A) ➝ 91.215.216.53
DNS freshbusiness.net (Type: A) ➝ 72.52.4.120
DNS experiencebusiness.net (Type: A) ➝ 188.40.135.139
DNS summerbusiness.net (Type: A) ➝ 129.119.80.195
DNS crowdbusiness.net (Type: A) ➝ 184.168.221.104
DNS summerappear.net (Type: A) ➝ 95.211.230.75
DNS waterbusiness.net (Type: A) ➝ 192.185.77.17
DNS womanbusiness.net (Type: A) ➝ 184.168.221.52
DNS partybusiness.net (Type: A) ➝ 50.62.253.1
DNS partyappear.net (Type: A) ➝ 208.91.197.241
DNS fightnothing.net (Type: A)
DNS fightbottle.net (Type: A)
DNS partydivide.net (Type: A)
DNS fightdivide.net (Type: A)
DNS freshmanner.net (Type: A)
DNS experiencemanner.net (Type: A)
DNS freshanother.net (Type: A)
DNS experienceanother.net (Type: A)
DNS freshappear.net (Type: A)
DNS experienceappear.net (Type: A)
DNS gentlemanmanner.net (Type: A)
DNS alreadymanner.net (Type: A)
DNS gentlemananother.net (Type: A)
DNS alreadyanother.net (Type: A)
DNS gentlemanbusiness.net (Type: A)
DNS alreadybusiness.net (Type: A)
DNS gentlemanappear.net (Type: A)
DNS alreadyappear.net (Type: A)
DNS followmanner.net (Type: A)
DNS membermanner.net (Type: A)
DNS followanother.net (Type: A)
DNS memberanother.net (Type: A)
DNS followbusiness.net (Type: A)
DNS memberbusiness.net (Type: A)
DNS followappear.net (Type: A)
DNS memberappear.net (Type: A)
DNS beginmanner.net (Type: A)
DNS knownmanner.net (Type: A)
DNS beginanother.net (Type: A)
DNS knownanother.net (Type: A)
DNS beginbusiness.net (Type: A)
DNS knownbusiness.net (Type: A)
DNS beginappear.net (Type: A)
DNS knownappear.net (Type: A)
DNS summermanner.net (Type: A)
DNS crowdmanner.net (Type: A)
DNS summeranother.net (Type: A)
DNS crowdanother.net (Type: A)
DNS crowdappear.net (Type: A)
DNS thoughtmanner.net (Type: A)
DNS watermanner.net (Type: A)
DNS thoughtanother.net (Type: A)
DNS wateranother.net (Type: A)
DNS thoughtbusiness.net (Type: A)
DNS thoughtappear.net (Type: A)
DNS waterappear.net (Type: A)
DNS womanmanner.net (Type: A)
DNS smokemanner.net (Type: A)
DNS womananother.net (Type: A)
DNS smokeanother.net (Type: A)
DNS smokebusiness.net (Type: A)
DNS womanappear.net (Type: A)
DNS smokeappear.net (Type: A)
DNS partymanner.net (Type: A)
DNS fightmanner.net (Type: A)
DNS partyanother.net (Type: A)
DNS fightanother.net (Type: A)
DNS fightbusiness.net (Type: A)
DNS fightappear.net (Type: A)
DNS freshinstead.net (Type: A)
DNS experienceinstead.net (Type: A)
DNS freshexplain.net (Type: A)
DNS experienceexplain.net (Type: A)
DNS freshbright.net (Type: A)
DNS experiencebright.net (Type: A)
DNS freshinside.net (Type: A)
DNS experienceinside.net (Type: A)
DNS gentlemaninstead.net (Type: A)
DNS alreadyinstead.net (Type: A)
DNS gentlemanexplain.net (Type: A)
DNS alreadyexplain.net (Type: A)
DNS gentlemanbright.net (Type: A)
DNS alreadybright.net (Type: A)
DNS gentlemaninside.net (Type: A)
DNS alreadyinside.net (Type: A)
HTTP GET: http://partybottle.net/index.php
User-Agent:
HTTP GET: http://freshbusiness.net/index.php
User-Agent:
HTTP GET: http://experiencebusiness.net/index.php
User-Agent:
HTTP GET: http://summerbusiness.net/index.php
User-Agent:
HTTP GET: http://crowdbusiness.net/index.php
User-Agent:
HTTP GET: http://summerappear.net/index.php
User-Agent:
HTTP GET: http://waterbusiness.net/index.php
User-Agent:
HTTP GET: http://womanbusiness.net/index.php
User-Agent:
HTTP GET: http://partybusiness.net/index.php
User-Agent:
HTTP GET: http://partyappear.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 91.215.216.53:80
Flows TCP: 192.168.1.1:1032 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1033 ➝ 188.40.135.139:80
Flows TCP: 192.168.1.1:1034 ➝ 129.119.80.195:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 192.185.77.17:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.52:80
Flows TCP: 192.168.1.1:1039 ➝ 50.62.253.1:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 626f7474 6c652e6e 65740d0a   artybottle.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 62757369 6e657373 2e6e6574   reshbusiness.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706572 69656e63 65627573 696e6573   xperiencebusines
0x00000050 (00080)   732e6e65 740d0a0d 0a                  s.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   756d6d65 72627573 696e6573 732e6e65   ummerbusiness.ne
0x00000050 (00080)   740d0a0d 0a0d0a0d 0a                  t........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 62757369 6e657373 2e6e6574   rowdbusiness.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   756d6d65 72617070 6561722e 6e65740d   ummerappear.net.
0x00000050 (00080)   0a0d0a0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 62757369 6e657373 2e6e6574   aterbusiness.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   6f6d616e 62757369 6e657373 2e6e6574   omanbusiness.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 62757369 6e657373 2e6e6574   artybusiness.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 61707065 61722e6e 65740d0a   artyappear.net..
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........


Strings