Analysis Date | 2015-07-29 10:38:18 |
---|---|
MD5 | fa7f8f894a4d6bf950775d2ee9849555 |
SHA1 | 0f48bd2d74e1bff3868ccc32575b4603a5efea03 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: ad78e672e262e5de490be147cad8875a sha1: 026f8396f1478f1fca680fd50547afb9957ab705 size: 300032 | |
Section | .rdata md5: 1a8e50ce0bc2b0f3c8f6f2d5a861165b sha1: c3ad8566fe9b49895768fb299315dcf645a0ebdd size: 58368 | |
Section | .data md5: 741eed1a12e3f47441cd6391a3f5759f sha1: 0f91594a78220dfde6a96e3f993389572a198655 size: 7168 | |
Section | .reloc md5: d650f7fe59c9a832857a59dd7529bf62 sha1: 4ecacf2b7c0963cc885d0eae179c13b72e12d915 size: 22528 | |
Timestamp | 2015-05-11 06:52:21 | |
Packer | Microsoft Visual C++ 8 | |
PEhash | f82a7589c3ffc0ad96c97291254eaac3b9ed76a6 | |
IMPhash | 5c2857f9b40d5f618ecb8c52c544ffdb | |
AV | Fortinet | W32/Bayrob.T!tr |
AV | MicroWorld (escan) | Gen:Variant.Kazy.611009 |
AV | Avira (antivir) | TR/Spy.ZBot.xbbeomq |
AV | Symantec | Downloader.Upatre!g15 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AL |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | BitDefender | Gen:Variant.Kazy.611009 |
AV | Twister | Trojan.Scar.jlea.eqal |
AV | Rising | Trojan.Win32.Bayrod.b |
AV | Eset (nod32) | Win32/Bayrob.W |
AV | Frisk (f-prot) | no_virus |
AV | Padvish | no_virus |
AV | Trend Micro | TROJ_BAYROB.SM0 |
AV | Emsisoft | Gen:Variant.Kazy.611009 |
AV | MalwareBytes | Trojan.Agent |
AV | K7 | Trojan ( 004c3a4d1 ) |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Ad-Aware | Gen:Variant.Kazy.611009 |
AV | ClamAV | no_virus |
AV | F-Secure | Gen:Variant.Kazy.611009 |
AV | Mcafee | PWS-FCCE!FA7F8F894A4D |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | VirusBlokAda (vba32) | no_virus |
AV | Dr. Web | Trojan.Bayrob.1 |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.611009 |
AV | BullGuard | Gen:Variant.Kazy.611009 |
AV | CAT (quickheal) | TrojanSpy.Nivdort.OD4 |
AV | Kaspersky | Trojan.Win32.Scar.jlea |
AV | Zillya! | no_virus |
AV | CA (E-Trust Ino) | no_virus |
AV | Authentium | W32/Nivdort.B.gen!Eldorado |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\bmklnol\vtl1n36w1gdurnkx.exe |
---|---|
Creates File | C:\bmklnol\ar9xkgctzx |
Creates File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Deletes File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Creates Process | C:\bmklnol\vtl1n36w1gdurnkx.exe |
Process
↳ C:\bmklnol\vtl1n36w1gdurnkx.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Proxy Assistant Link List Protected ➝ C:\bmklnol\bnkklhsj.exe |
---|---|
Creates File | C:\bmklnol\bnkklhsj.exe |
Creates File | C:\bmklnol\utcebwkfe |
Creates File | C:\bmklnol\ar9xkgctzx |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Deletes File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Creates Process | C:\bmklnol\bnkklhsj.exe |
Creates Service | Encrypting Volume Routing Remote - C:\bmklnol\bnkklhsj.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 812
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|---|
Process
↳ Pid 1212
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1848
Process
↳ Pid 1148
Process
↳ C:\bmklnol\bnkklhsj.exe
Creates File | pipe\net\NtControlPipe10 |
---|---|
Creates File | C:\bmklnol\utcebwkfe |
Creates File | C:\bmklnol\ar9xkgctzx |
Creates File | C:\bmklnol\qrborzkx |
Creates File | C:\bmklnol\crcdcfsefion.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Deletes File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Creates Process | x3nhqgbuca7y "c:\bmklnol\bnkklhsj.exe" |
Process
↳ C:\bmklnol\bnkklhsj.exe
Creates File | C:\bmklnol\ar9xkgctzx |
---|---|
Creates File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Deletes File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Process
↳ x3nhqgbuca7y "c:\bmklnol\bnkklhsj.exe"
Creates File | C:\bmklnol\ar9xkgctzx |
---|---|
Creates File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Deletes File | C:\WINDOWS\bmklnol\ar9xkgctzx |
Network Details:
Raw Pcap
```text
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 61727479 626f7474 6c652e6e 65740d0a artybottle.net..
0x00000050 (00080) 0d0a                                ..

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 72657368 62757369 6e657373 2e6e6574 reshbusiness.net
0x00000050 (00080) 0d0a0d0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2065 : close..Host: e
0x00000040 (00064) 78706572 69656e63 65627573 696e6573 xperiencebusines
0x00000050 (00080) 732e6e65 740d0a0d 0a                s.net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 756d6d65 72627573 696e6573 732e6e65 ummerbusiness.ne
0x00000050 (00080) 740d0a0d 0a0d0a0d 0a                t........

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 726f7764 62757369 6e657373 2e6e6574 rowdbusiness.net
0x00000050 (00080) 0d0a0d0a 0a0d0a0d 0a                .........

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 756d6d65 72617070 6561722e 6e65740d ummerappear.net.
0x00000050 (00080) 0a0d0a0a 0a0d0a0d 0a                .........

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w
0x00000040 (00064) 61746572 62757369 6e657373 2e6e6574 aterbusiness.net
0x00000050 (00080) 0d0a0d0a 0a0d0a0d 0a                .........

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w
0x00000040 (00064) 6f6d616e 62757369 6e657373 2e6e6574 omanbusiness.net
0x00000050 (00080) 0d0a0d0a 0a0d0a0d 0a                .........

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 61727479 62757369 6e657373 2e6e6574 artybusiness.net
0x00000050 (00080) 0d0a0d0a 0a0d0a0d 0a                .........

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 61727479 61707065 61722e6e 65740d0a artyappear.net..
0x00000050 (00080) 0d0a0d0a 0a0d0a0d 0a                .........
```
Strings