Analysis Date: 2016-03-04 17:31:39
MD5: 73f7a9a70fd67bbdf53386e452a29626
SHA1: 1117b5b61ecba5069349c51c75bc31760900be53

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 6793cda61dc5d2c05c84b3c5fb8ae351, sha1: eac6cace4db21c3056fe2801dee402ce6497b086, size: 192512
Section .rdata: md5: e6c325d231e60f6ca3d55e5d1a647f2b, sha1: 64e7a021439da56e27a148d52f9991047db0baa7, size: 18432
Section .data: md5: 07b5472d347d42780469fb2654b7fc54, sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d, size: 512
Section .reloc: md5: 8eddc130707e8a70c2c73fa3892f5e0b, sha1: a09905211461f96942cbc4fab9046533d42f9c6c, size: 30720
Timestamp: 2016-01-06 16:47:05
PEhash: 4fd19144f377b642bbad2d34a6746ce8c65a7bda
IMPhash: 831084ee62db3e6134840ce8332178f3

AV detections (vendor: verdict):
VirusBlokAda (vba32): No Virus
CA (E-Trust Ino): Gen:Variant.Razy.12226
Twister: No Virus
Avira (antivir): TR/Nivdort.A.36351
CAT (quickheal): TrojanSpy.Nivdort.WR4
MicroWorld (escan): Gen:Variant.Razy.12226
Rising: No Virus
Trend Micro: No Virus
Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
Fortinet: W32/Bayrob.AQ!tr
Alwil (avast): Win32:Malware-gen
Alwil (avast): Malware-gen
Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
Authentium: W32/Nivdort.G.gen!Eldorado
Kaspersky: Trojan.Win32.Generic
Emsisoft: Gen:Variant.Razy.12226
Symantec: Trojan.Bayrob!gen6
Ikarus: Trojan.Win32.Bayrob
Zillya!: No Virus
K7: Trojan ( 004db0c61 )
Dr. Web: Trojan.DownLoader19.37772
ClamAV: No Virus
Grisoft (avg): Win32/Heur
BitDefender: Gen:Variant.Razy.12226
MalwareBytes: No Virus
Arcabit (arcavir): Gen:Variant.Razy.12226
Mcafee: Trojan-FHPX!73F7A9A70FD6
BullGuard: Gen:Variant.Razy.12226
F-Secure: Gen:Variant.Razy.12226
Ad-Aware: Gen:Variant.Razy.12226
Eset (nod32): Win32/Bayrob.AT.gen

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\rfshhhdjh\fteul7s1
Creates File: C:\rfshhhdjh\cql1lposd3fsarwi6t.exe
Creates File: C:\WINDOWS\rfshhhdjh\fteul7s1
Deletes File: C:\WINDOWS\rfshhhdjh\fteul7s1
Creates Process: C:\rfshhhdjh\cql1lposd3fsarwi6t.exe

Process
↳ C:\rfshhhdjh\cql1lposd3fsarwi6t.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Biometric Provider Profile Now UserMode ➝ C:\rfshhhdjh\qkwxbzekdk.exe
Creates File: C:\rfshhhdjh\fteul7s1
Creates File: C:\rfshhhdjh\igxmha2phr6
Creates File: PIPE\lsarpc
Creates File: C:\rfshhhdjh\qkwxbzekdk.exe
Creates File: C:\WINDOWS\rfshhhdjh\fteul7s1
Deletes File: C:\WINDOWS\rfshhhdjh\fteul7s1
Creates Process: C:\rfshhhdjh\qkwxbzekdk.exe
Creates Service: Notification Intelligent Location - C:\rfshhhdjh\qkwxbzekdk.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1120

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1884

Process
↳ Pid 1176

Process
↳ C:\rfshhhdjh\qkwxbzekdk.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\rfshhhdjh\n5knzjnrm
Creates File: C:\rfshhhdjh\fteul7s1
Creates File: C:\rfshhhdjh\igxmha2phr6
Creates File: C:\rfshhhdjh\qimzvbbd.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\rfshhhdjh\fteul7s1
Deletes File: C:\WINDOWS\rfshhhdjh\fteul7s1
Creates Process: jgpjgkpzfdtn "c:\rfshhhdjh\qkwxbzekdk.exe"

Process
↳ C:\rfshhhdjh\qkwxbzekdk.exe

Creates File: C:\rfshhhdjh\fteul7s1
Creates File: C:\WINDOWS\rfshhhdjh\fteul7s1
Deletes File: C:\WINDOWS\rfshhhdjh\fteul7s1

Process
↳ jgpjgkpzfdtn "c:\rfshhhdjh\qkwxbzekdk.exe"

Creates File: C:\rfshhhdjh\fteul7s1
Creates File: C:\WINDOWS\rfshhhdjh\fteul7s1
Deletes File: C:\WINDOWS\rfshhhdjh\fteul7s1

Network Details:

