Analysis Date: 2015-11-06 06:18:38
MD5: 248d6f919dd4bfa137c839d2a2892ee8
SHA1: 167aa87f43b5f192d8d8c093d5a861e249a7e08b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4afed6a03b7c82b9762551598530162e sha1: 8c59093cd7b09f98c24b66932241772cb5a7f3d0 size: 288768
Section .rdata: md5: aacaafcbec9162c96205e312f3672c1c sha1: 66b29752136e7efa7d796ab5bde62e13a44dcb6d size: 43520
Section .data: md5: 4bf1af46ae469789e80b0e96ade3af89 sha1: 009f3e70689f99adba1ae08cd2713ed930db65a2 size: 6656
Section .reloc: md5: 8c8daf217a8e06efc31b1d46c07057a4 sha1: 90658d9161cfca17699cfa23747f425eeb1c94ef size: 24064
Timestamp: 2015-05-21 04:43:35
Packer: Microsoft Visual C++ ?.?
PEhash: 1328875407d0a29c5231db6c96ffd25586c05c7d
IMPhash: dd4098a0ca58d7dbe4127738949dd32a
AV Rising: No Virus
AV Mcafee: Trojan-FGIJ!248D6F919DD4
AV Avira (antivir): TR/Crypt.ZPACK.201689
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.Z
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Babrob.Y!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV Authentium: W32/Scar.V.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Scar.jvbv
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.J4
AV VirusBlokAda (vba32): No Virus
AV Padvish: No Virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: No Virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Diley.1
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\edmhbkhutkpylqp\umb3r1kkwxnnotcqeksn4l.exe
Creates File: C:\edmhbkhutkpylqp\jys6tck0o
Creates File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Deletes File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Creates Process: C:\edmhbkhutkpylqp\umb3r1kkwxnnotcqeksn4l.exe

Process
↳ C:\edmhbkhutkpylqp\umb3r1kkwxnnotcqeksn4l.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Acquisition Provider Manager Collector UPnP ➝ C:\edmhbkhutkpylqp\icufbaqmuja.exe
Creates File: C:\edmhbkhutkpylqp\jys6tck0o
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Creates File: C:\edmhbkhutkpylqp\icufbaqmuja.exe
Creates File: C:\edmhbkhutkpylqp\irptoz
Deletes File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Creates Process: C:\edmhbkhutkpylqp\icufbaqmuja.exe
Creates Service: Offline Trap Class Awareness Session Filtering - C:\edmhbkhutkpylqp\icufbaqmuja.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1136

Process
↳ C:\edmhbkhutkpylqp\icufbaqmuja.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\edmhbkhutkpylqp\mya77uc
Creates File: C:\edmhbkhutkpylqp\jys6tck0o
Creates File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Creates File: \Device\Afd\Endpoint
Creates File: C:\edmhbkhutkpylqp\njcyiilyfq.exe
Creates File: C:\edmhbkhutkpylqp\irptoz
Deletes File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Creates Process: nbkwa2kvxao1 "c:\edmhbkhutkpylqp\icufbaqmuja.exe"

Process
↳ C:\edmhbkhutkpylqp\icufbaqmuja.exe

Creates File: C:\edmhbkhutkpylqp\jys6tck0o
Creates File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Deletes File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o

Process
↳ nbkwa2kvxao1 "c:\edmhbkhutkpylqp\icufbaqmuja.exe"

Creates File: C:\edmhbkhutkpylqp\jys6tck0o
Creates File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o
Deletes File: C:\WINDOWS\edmhbkhutkpylqp\jys6tck0o

Network Details:

DNS: thinkstream.net (Type: A) ➝ 207.150.212.30
DNS: presentnothing.net (Type: A) ➝ 184.168.221.33
DNS: collegenothing.net (Type: A) ➝ 208.100.26.234
DNS: alonebottle.net (Type: A) ➝ 195.22.26.254
DNS: alonebottle.net (Type: A) ➝ 195.22.26.231
DNS: alonebottle.net (Type: A) ➝ 195.22.26.252
DNS: alonebottle.net (Type: A) ➝ 195.22.26.253
DNS: weatherstream.net (Type: A) ➝ 184.168.221.48
DNS: thinkbusiness.net (Type: A) ➝ 41.76.215.222
DNS: chiefbusiness.net (Type: A) ➝ 50.63.202.49
DNS: presentstream.net (Type: A)
DNS: thinknothing.net (Type: A)
DNS: thinkbottle.net (Type: A)
DNS: presentbottle.net (Type: A)
DNS: thinkdivide.net (Type: A)
DNS: presentdivide.net (Type: A)
DNS: chiefstream.net (Type: A)
DNS: collegestream.net (Type: A)
DNS: chiefnothing.net (Type: A)
DNS: chiefbottle.net (Type: A)
DNS: collegebottle.net (Type: A)
DNS: chiefdivide.net (Type: A)
DNS: collegedivide.net (Type: A)
DNS: oftenstream.net (Type: A)
DNS: alonestream.net (Type: A)
DNS: oftennothing.net (Type: A)
DNS: alonenothing.net (Type: A)
DNS: oftenbottle.net (Type: A)
DNS: oftendivide.net (Type: A)
DNS: alonedivide.net (Type: A)
DNS: middlestream.net (Type: A)
DNS: twelvestream.net (Type: A)
DNS: middlenothing.net (Type: A)
DNS: twelvenothing.net (Type: A)
DNS: middlebottle.net (Type: A)
DNS: twelvebottle.net (Type: A)
DNS: middledivide.net (Type: A)
DNS: twelvedivide.net (Type: A)
DNS: ratherstream.net (Type: A)
DNS: morningstream.net (Type: A)
DNS: rathernothing.net (Type: A)
DNS: morningnothing.net (Type: A)
DNS: ratherbottle.net (Type: A)
DNS: morningbottle.net (Type: A)
DNS: ratherdivide.net (Type: A)
DNS: morningdivide.net (Type: A)
DNS: strangestream.net (Type: A)
DNS: historystream.net (Type: A)
DNS: strangenothing.net (Type: A)
DNS: historynothing.net (Type: A)
DNS: strangebottle.net (Type: A)
DNS: historybottle.net (Type: A)
DNS: strangedivide.net (Type: A)
DNS: historydivide.net (Type: A)
DNS: amountstream.net (Type: A)
DNS: amountnothing.net (Type: A)
DNS: weathernothing.net (Type: A)
DNS: amountbottle.net (Type: A)
DNS: weatherbottle.net (Type: A)
DNS: amountdivide.net (Type: A)
DNS: weatherdivide.net (Type: A)
DNS: thickstream.net (Type: A)
DNS: classstream.net (Type: A)
DNS: thicknothing.net (Type: A)
DNS: classnothing.net (Type: A)
DNS: thickbottle.net (Type: A)
DNS: classbottle.net (Type: A)
DNS: thickdivide.net (Type: A)
DNS: classdivide.net (Type: A)
DNS: thinkmanner.net (Type: A)
DNS: presentmanner.net (Type: A)
DNS: thinkanother.net (Type: A)
DNS: presentanother.net (Type: A)
DNS: presentbusiness.net (Type: A)
DNS: thinkappear.net (Type: A)
DNS: presentappear.net (Type: A)
DNS: chiefmanner.net (Type: A)
DNS: collegemanner.net (Type: A)
DNS: chiefanother.net (Type: A)
DNS: collegeanother.net (Type: A)
DNS: collegebusiness.net (Type: A)
DNS: chiefappear.net (Type: A)
DNS: collegeappear.net (Type: A)
DNS: oftenmanner.net (Type: A)
DNS: alonemanner.net (Type: A)
DNS: oftenanother.net (Type: A)
DNS: aloneanother.net (Type: A)
DNS: oftenbusiness.net (Type: A)
HTTP GET: http://thinkstream.net/index.php
User-Agent:
HTTP GET: http://presentnothing.net/index.php
User-Agent:
HTTP GET: http://collegenothing.net/index.php
User-Agent:
HTTP GET: http://alonebottle.net/index.php
User-Agent:
HTTP GET: http://weatherstream.net/index.php
User-Agent:
HTTP GET: http://thinkbusiness.net/index.php
User-Agent:
HTTP GET: http://chiefbusiness.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 207.150.212.30:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.33:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.48:80
Flows TCP: 192.168.1.1:1036 ➝ 41.76.215.222:80
Flows TCP: 192.168.1.1:1037 ➝ 50.63.202.49:80
