Analysis Date: 2015-07-24 17:34:20
MD5: 7776959931deea57aee8d32be0e593d1
SHA1: 16a10ea7c10da5312821c1749af3767e02ed8213

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b501af3c0c3ff44a784be11d84c0ca0b sha1: 661ac247079a2b167cf7910492fbb7c894f85f99 size: 300544
Section .rdata md5: d33b582ac2394c53c0653b3bd32a7c2b sha1: 6b9e7f24aa878a6d6a9264715d6d3775782dc73d size: 58368
Section .data  md5: d3fa86dc8c8e1b0e78212eb6961dff41 sha1: 2dc68d13e327fe8c4362fe47aba73f265292bf2a size: 7680
Section .reloc md5: ba704eef4c4d21f6bdee62aafdbea98a sha1: e37615079a7414f1714d69dfe5da6600c56efeba size: 22528
Timestamp: 2015-05-11 06:09:29
Packer: Microsoft Visual C++ 8
PEhash: b53a1e41e81cd585f8e852bd82666fea420b7573
IMPhash: 764b3e02d1c4a11868e8fd6bd961d786
AV Emsisoft: Gen:Variant.Diley.1
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Ikarus: Trojan.Win32.Bayrob
AV F-Secure: Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV BitDefender: Gen:Variant.Diley.1
AV Twister: Trojan.Scar.jobv.kunw
AV Mcafee: PWS-FCCE!7776959931DE
AV Rising: Trojan.Win32.Bayrod.b
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: Trojan.Bayrob.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Bayrob.T!tr
AV MalwareBytes: Trojan.Agent.KVTGen
AV K7: Trojan ( 004c3a4d1 )
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Diley.1
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Frisk (f-prot): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus
AV Eset (nod32): Win32/Bayrob.V.gen
AV Symantec: Downloader.Upatre!g15
AV Zillya!: Trojan.Bayrob.Win32.1179
AV Authentium: W32/Nivdort.B.gen!Eldorado
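The per-section digests and the compile timestamp in the static details come straight from the PE headers, so they can be recomputed and cross-checked against what the report prints. The script below is an added example, not part of the original report and not code from any tool it used: a minimal header walker (DOS header, then the PE signature, the COFF header and the section table) that hashes each section's raw bytes and decodes the COFF timestamp. It runs against a deliberately tiny PE32 image constructed inside the script, not the analysed sample; the section names, bytes and the embedded string are assumptions chosen for the demo, while the timestamp value is the one the report shows.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed minimal PE32 image for the demo; it is NOT the analysed sample.
# Layout: DOS header, "PE\0\0", COFF header, optional header, section table,
# then two 512-byte raw sections. The COFF timestamp is the one in the report.
SAMPLE_TIMESTAMP = 1431324569  # 2015-05-11 06:09:29 UTC
TEXT_RAW = b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(512, b"\0")        # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
RDATA_RAW = b"Upgrade Keying Shadow Offline\0".ljust(512, b"\0")   # string seen in the report's Run value name


def build_sample_pe():
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header directly after the DOS header
    # Machine 0x14c (i386), 2 sections, timestamp, no symbols, 224-byte optional header,
    # characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 2, SAMPLE_TIMESTAMP, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(222)       # PE32 magic, remaining fields zeroed

    def section(name, virt_addr, raw_size, raw_ptr, flags):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumber fields (zero), Characteristics.
        return struct.pack("<8sIIIIIIHHI", name, raw_size, virt_addr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    header = (bytes(dos) + b"PE\0\0" + coff + optional
              + section(b".text", 0x1000, len(TEXT_RAW), 512, 0x60000020)     # CODE | EXECUTE | READ
              + section(b".rdata", 0x2000, len(RDATA_RAW), 1024, 0x40000040))  # INITIALIZED_DATA | READ
    return header.ljust(512, b"\0") + TEXT_RAW + RDATA_RAW


def digests(blob):
    return hashlib.md5(blob).hexdigest(), hashlib.sha1(blob).hexdigest()


def coff_timestamp(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe(data):
    """Return whole-file digests, the COFF timestamp and per-section raw-data digests."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size                  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        md5, sha1 = digests(raw)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,                              # SizeOfRawData, as the report lists it
            "md5": md5,
            "sha1": sha1,
            # Raw extent past EOF means a truncated or malformed file; the digest of
            # such a section will not agree with another tool's, so say so explicitly.
            "truncated": raw_ptr + raw_size > len(data),
        })
    md5, sha1 = digests(data)
    return {"md5": md5, "sha1": sha1, "machine": hex(machine),
            "timestamp": coff_timestamp(ts), "sections": sections}


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"MD5 {info['md5']}  SHA1 {info['sha1']}  machine {info['machine']}  timestamp {info['timestamp']}")
    for s in info["sections"]:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}"
              + ("  (truncated)" if s["truncated"] else ""))
```

The sizes the report prints (300544, 58368, 7680, 22528) are all multiples of 512, the usual file alignment, which is consistent with SizeOfRawData rather than VirtualSize; hash the raw extent, as above, when comparing against these values. The timestamp is a self-reported header field and is trivially forged, so treat it as a pivot for clustering builds, not as evidence of when the binary was produced.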

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates File: C:\qoufgsycq\prib1ktkqjgphpefqaf.exe
Creates File: C:\qoufgsycq\t8u88xz
Deletes File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates Process: C:\qoufgsycq\prib1ktkqjgphpefqaf.exe

Process
↳ C:\qoufgsycq\prib1ktkqjgphpefqaf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Upgrade Keying Shadow Offline ➝ C:\qoufgsycq\iuhcmfocstdr.exe
Creates File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates File: C:\qoufgsycq\iuhcmfocstdr.exe
Creates File: PIPE\lsarpc
Creates File: C:\qoufgsycq\hkyosppdbxh
Creates File: C:\qoufgsycq\t8u88xz
Deletes File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates Process: C:\qoufgsycq\iuhcmfocstdr.exe
Creates Service: DNS WMI Certificate Update IP Procedure Collector - C:\qoufgsycq\iuhcmfocstdr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1140

Process
↳ C:\qoufgsycq\iuhcmfocstdr.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates File: C:\qoufgsycq\hkyosppdbxh
Creates File: \Device\Afd\Endpoint
Creates File: C:\qoufgsycq\ca3pg0szriqc
Creates File: C:\qoufgsycq\dtdlwguy.exe
Creates File: C:\qoufgsycq\t8u88xz
Deletes File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates Process: u7wfnvddvniu "c:\qoufgsycq\iuhcmfocstdr.exe"

Process
↳ C:\qoufgsycq\iuhcmfocstdr.exe

Creates File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates File: C:\qoufgsycq\t8u88xz
Deletes File: C:\WINDOWS\qoufgsycq\t8u88xz

Process
↳ u7wfnvddvniu "c:\qoufgsycq\iuhcmfocstdr.exe"

Creates File: C:\WINDOWS\qoufgsycq\t8u88xz
Creates File: C:\qoufgsycq\t8u88xz
Deletes File: C:\WINDOWS\qoufgsycq\t8u88xz
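Read as a chain, the process entries above show the dropper writing a second executable into a newly created directory directly under the drive root, that executable registering both a Run value and a service that point at a third binary in the same directory, and that binary relaunching its own image behind a random-looking first argument. The script below is an added example, not code from the report or from the sandbox that produced it: a small Python triage pass over event tuples transcribed from the entries above (a constructed subset, using the page's own paths and names) that pulls those behaviours out and groups the persistence mechanisms by the image they anchor. The set of expected top-level directories is an assumption to tune per environment.

```python
import re

# Event tuples (process, action, detail) transcribed from the report's process
# entries; a constructed subset, with the page's own paths and names.
EVENTS = [
    ("C:\\malware.exe", "Creates File", "C:\\qoufgsycq\\prib1ktkqjgphpefqaf.exe"),
    ("C:\\malware.exe", "Creates File", "C:\\qoufgsycq\\t8u88xz"),
    ("C:\\malware.exe", "Creates Process", "C:\\qoufgsycq\\prib1ktkqjgphpefqaf.exe"),
    ("C:\\qoufgsycq\\prib1ktkqjgphpefqaf.exe", "Registry",
     "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
     "Upgrade Keying Shadow Offline ➝ C:\\qoufgsycq\\iuhcmfocstdr.exe"),
    ("C:\\qoufgsycq\\prib1ktkqjgphpefqaf.exe", "Creates File", "C:\\qoufgsycq\\iuhcmfocstdr.exe"),
    ("C:\\qoufgsycq\\prib1ktkqjgphpefqaf.exe", "Creates Service",
     "DNS WMI Certificate Update IP Procedure Collector - C:\\qoufgsycq\\iuhcmfocstdr.exe"),
    ("C:\\qoufgsycq\\iuhcmfocstdr.exe", "Creates File", "C:\\qoufgsycq\\dtdlwguy.exe"),
    ("C:\\qoufgsycq\\iuhcmfocstdr.exe", "Creates Process",
     'u7wfnvddvniu "c:\\qoufgsycq\\iuhcmfocstdr.exe"'),
    ("C:\\WINDOWS\\System32\\svchost.exe", "Creates File",
     "C:\\WINDOWS\\system32\\WBEM\\Logs\\wbemess.log"),
]

# Top-level directories where program images normally live. This set is an
# assumption for the demo; tune it per environment.
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "users",
                  "documents and settings", "programdata"}
PE_EXT = (".exe", ".dll", ".sys", ".scr")
# Run / RunOnce value written as "<key>\<value name> ➝ <target>", as the sandbox prints it.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\(?P<name>[^➝]+?)\s*➝\s*(?P<target>.+)$", re.I)
# "<argv0> "<image>"": a command line whose first token is not the image itself.
RELAUNCH_RE = re.compile(r'^(?P<argv0>\S+)\s+"?(?P<image>[^"]+)"?$')


def norm(path):
    return path.strip().strip('"').lower().replace("/", "\\")


def in_unexpected_root(path):
    """True for <drive>:\\<dir>\\... where <dir> is not a standard program location.

    A file directly in the drive root (the sandbox's own C:\\malware.exe) is not flagged.
    """
    parts = norm(path).split("\\")
    return (len(parts) >= 3 and re.fullmatch(r"[a-z]:", parts[0]) is not None
            and parts[1] not in EXPECTED_ROOTS)


def analyze(events):
    findings, persistence = [], {}
    for proc, action, detail in events:
        if action == "Creates File":
            if norm(detail).endswith(PE_EXT) and in_unexpected_root(detail):
                findings.append({"kind": "dropped_executable", "by": proc, "path": norm(detail)})
        elif action == "Registry":
            m = RUN_KEY_RE.search(detail)
            if m:
                target = norm(m.group("target"))
                persistence.setdefault(target, set()).add("run_key")
                findings.append({"kind": "run_key_persistence", "by": proc,
                                 "name": m.group("name").strip(), "path": target})
        elif action == "Creates Service":
            name, sep, image = detail.rpartition(" - ")
            if sep:
                target = norm(image)
                persistence.setdefault(target, set()).add("service")
                findings.append({"kind": "service_persistence", "by": proc,
                                 "name": name.strip(), "path": target})
        elif action == "Creates Process":
            m = RELAUNCH_RE.match(detail)
            if m and norm(m.group("image")) == norm(proc) and norm(m.group("argv0")) != norm(proc):
                # Own image relaunched behind a random-looking argv[0], as in the report.
                findings.append({"kind": "self_relaunch", "by": proc,
                                 "argv0": m.group("argv0"), "path": norm(proc)})
            elif in_unexpected_root(detail):
                findings.append({"kind": "exec_from_unexpected_root", "by": proc, "path": norm(detail)})
    # Strongest signal: one image outside the expected roots held by more than one mechanism.
    for target, mechs in persistence.items():
        if len(mechs) > 1 and in_unexpected_root(target):
            findings.append({"kind": "multi_mechanism_persistence", "path": target,
                             "mechanisms": sorted(mechs)})
    return {"findings": findings, "persistence": persistence}


if __name__ == "__main__":
    for finding in analyze(EVENTS)["findings"]:
        print(finding)
```

The Run value name and the service display name are ordinary English words strung together, so matching on those names is fragile across builds; the durable signal is an image path outside the expected roots anchored by two mechanisms at once. Note also that the same randomly named directory is created under C:\WINDOWS\ as well as under C:\, and that every stage writes and then deletes the t8u88xz file there, which is worth recording as a marker for this build even though it is not a generic rule.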

Network Details:

DNS: crowdfuture.net  Type: A  ➝ 5.9.118.41
DNS: watersafety.net  Type: A  ➝ 217.160.52.166
DNS: waterfuture.net  Type: A  ➝ 184.168.221.9
DNS: womansafety.net  Type: A  ➝ 64.99.64.32
DNS: freshhealth.net  Type: A  ➝ 208.91.197.27
DNS: experiencehealth.net  Type: A  ➝ 198.1.89.4
DNS: freshclothes.net  Type: A  ➝ 188.93.150.107
DNS: crowdhealth.net  Type: A  ➝ 64.99.80.30
DNS: summerclothes.net  Type: A  ➝ 104.192.7.70
DNS: waterhealth.net  Type: A  ➝ 72.52.4.120
DNS: waterdistant.net  Type: A  ➝ 95.211.230.75
DNS: womanhealth.net  Type: A  ➝ 69.89.22.137
DNS: summerearly.net  Type: A  (no address returned)
DNS: crowdearly.net  Type: A  (no address returned)
DNS: summersafety.net  Type: A  (no address returned)
DNS: crowdsafety.net  Type: A  (no address returned)
DNS: summerfuture.net  Type: A  (no address returned)
DNS: thoughtsmell.net  Type: A  (no address returned)
DNS: watersmell.net  Type: A  (no address returned)
DNS: thoughtearly.net  Type: A  (no address returned)
DNS: waterearly.net  Type: A  (no address returned)
DNS: thoughtsafety.net  Type: A  (no address returned)
DNS: thoughtfuture.net  Type: A  (no address returned)
DNS: womansmell.net  Type: A  (no address returned)
DNS: smokesmell.net  Type: A  (no address returned)
DNS: womanearly.net  Type: A  (no address returned)
DNS: smokeearly.net  Type: A  (no address returned)
DNS: smokesafety.net  Type: A  (no address returned)
DNS: womanfuture.net  Type: A  (no address returned)
DNS: smokefuture.net  Type: A  (no address returned)
DNS: partysmell.net  Type: A  (no address returned)
DNS: fightsmell.net  Type: A  (no address returned)
DNS: partyearly.net  Type: A  (no address returned)
DNS: fightearly.net  Type: A  (no address returned)
DNS: partysafety.net  Type: A  (no address returned)
DNS: fightsafety.net  Type: A  (no address returned)
DNS: partyfuture.net  Type: A  (no address returned)
DNS: fightfuture.net  Type: A  (no address returned)
DNS: freshseparate.net  Type: A  (no address returned)
DNS: experienceseparate.net  Type: A  (no address returned)
DNS: experienceclothes.net  Type: A  (no address returned)
DNS: freshdistant.net  Type: A  (no address returned)
DNS: experiencedistant.net  Type: A  (no address returned)
DNS: gentlemanseparate.net  Type: A  (no address returned)
DNS: alreadyseparate.net  Type: A  (no address returned)
DNS: gentlemanhealth.net  Type: A  (no address returned)
DNS: alreadyhealth.net  Type: A  (no address returned)
DNS: gentlemanclothes.net  Type: A  (no address returned)
DNS: alreadyclothes.net  Type: A  (no address returned)
DNS: gentlemandistant.net  Type: A  (no address returned)
DNS: alreadydistant.net  Type: A  (no address returned)
DNS: followseparate.net  Type: A  (no address returned)
DNS: memberseparate.net  Type: A  (no address returned)
DNS: followhealth.net  Type: A  (no address returned)
DNS: memberhealth.net  Type: A  (no address returned)
DNS: followclothes.net  Type: A  (no address returned)
DNS: memberclothes.net  Type: A  (no address returned)
DNS: followdistant.net  Type: A  (no address returned)
DNS: memberdistant.net  Type: A  (no address returned)
DNS: beginseparate.net  Type: A  (no address returned)
DNS: knownseparate.net  Type: A  (no address returned)
DNS: beginhealth.net  Type: A  (no address returned)
DNS: knownhealth.net  Type: A  (no address returned)
DNS: beginclothes.net  Type: A  (no address returned)
DNS: knownclothes.net  Type: A  (no address returned)
DNS: begindistant.net  Type: A  (no address returned)
DNS: knowndistant.net  Type: A  (no address returned)
DNS: summerseparate.net  Type: A  (no address returned)
DNS: crowdseparate.net  Type: A  (no address returned)
DNS: summerhealth.net  Type: A  (no address returned)
DNS: crowdclothes.net  Type: A  (no address returned)
DNS: summerdistant.net  Type: A  (no address returned)
DNS: crowddistant.net  Type: A  (no address returned)
DNS: thoughtseparate.net  Type: A  (no address returned)
DNS: waterseparate.net  Type: A  (no address returned)
DNS: thoughthealth.net  Type: A  (no address returned)
DNS: thoughtclothes.net  Type: A  (no address returned)
DNS: waterclothes.net  Type: A  (no address returned)
DNS: thoughtdistant.net  Type: A  (no address returned)
DNS: womanseparate.net  Type: A  (no address returned)
DNS: smokeseparate.net  Type: A  (no address returned)
DNS: smokehealth.net  Type: A  (no address returned)
DNS: womanclothes.net  Type: A  (no address returned)
DNS: smokeclothes.net  Type: A  (no address returned)
DNS: womandistant.net  Type: A  (no address returned)
HTTP GET: http://crowdfuture.net/index.php  User-Agent: (empty)
HTTP GET: http://watersafety.net/index.php  User-Agent: (empty)
HTTP GET: http://waterfuture.net/index.php  User-Agent: (empty)
HTTP GET: http://womansafety.net/index.php  User-Agent: (empty)
HTTP GET: http://freshhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://experiencehealth.net/index.php  User-Agent: (empty)
HTTP GET: http://freshclothes.net/index.php  User-Agent: (empty)
HTTP GET: http://crowdhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://summerclothes.net/index.php  User-Agent: (empty)
HTTP GET: http://waterhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://waterdistant.net/index.php  User-Agent: (empty)
HTTP GET: http://womanhealth.net/index.php  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 5.9.118.41:80
Flows TCP: 192.168.1.1:1032 ➝ 217.160.52.166:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.9:80
Flows TCP: 192.168.1.1:1034 ➝ 64.99.64.32:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1036 ➝ 198.1.89.4:80
Flows TCP: 192.168.1.1:1037 ➝ 188.93.150.107:80
Flows TCP: 192.168.1.1:1038 ➝ 64.99.80.30:80
Flows TCP: 192.168.1.1:1039 ➝ 104.192.7.70:80
Flows TCP: 192.168.1.1:1040 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1041 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1042 ➝ 69.89.22.137:80
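Every name queried above is two English words run together under .net (crowd+future, water+safety, gentleman+health, ...), drawn from a small vocabulary, and only 12 of the 85 resolved; each of those 12 then received a GET for /index.php with an empty User-Agent header. The script below is an added example, not from the report or from the sandbox: it takes the observed names (the 12 that resolved plus 28 of the 73 that did not, copied from the DNS entries above), recovers the two word lists purely from how the names overlap, and compiles them into a matcher that also catches word combinations that did not appear in this run. The minimum word length of three letters and the assumption that every word occurs in at least two observed names are the script's, not the report's.

```python
import re
from collections import Counter

# Names copied from the report's DNS section (a constructed subset): the 12 that
# resolved, with their A records, and 28 of the 73 that returned no address (None).
OBSERVED = {
    "crowdfuture.net": "5.9.118.41", "watersafety.net": "217.160.52.166",
    "waterfuture.net": "184.168.221.9", "womansafety.net": "64.99.64.32",
    "freshhealth.net": "208.91.197.27", "experiencehealth.net": "198.1.89.4",
    "freshclothes.net": "188.93.150.107", "crowdhealth.net": "64.99.80.30",
    "summerclothes.net": "104.192.7.70", "waterhealth.net": "72.52.4.120",
    "waterdistant.net": "95.211.230.75", "womanhealth.net": "69.89.22.137",
}
OBSERVED.update({d: None for d in (
    "summerearly.net", "crowdearly.net", "summersafety.net", "crowdsafety.net",
    "summerfuture.net", "thoughtsmell.net", "watersmell.net", "thoughtearly.net",
    "waterearly.net", "thoughtsafety.net", "thoughtfuture.net", "womansmell.net",
    "smokesmell.net", "womanearly.net", "smokeearly.net", "smokesafety.net",
    "womanfuture.net", "smokefuture.net", "partysmell.net", "fightsmell.net",
    "freshseparate.net", "experienceseparate.net", "gentlemanhealth.net",
    "alreadyclothes.net", "followdistant.net", "memberhealth.net",
    "beginclothes.net", "knowndistant.net",
)})

MIN_PART = 3  # assumption: no vocabulary word is shorter than this


def infer_vocab(labels):
    """Split each label into <word1><word2> using only the labels themselves.

    Every label is two dictionary words glued together, so the right split is
    the one whose halves recur most often across the set. Counts include the
    label itself; a half seen in only one label counts as unshared.
    """
    pre_counts, suf_counts = Counter(), Counter()
    for lab in labels:
        for i in range(MIN_PART, len(lab) - MIN_PART + 1):
            pre_counts[lab[:i]] += 1
            suf_counts[lab[i:]] += 1
    prefixes, suffixes = set(), set()
    for lab in labels:
        best = None
        for i in range(MIN_PART, len(lab) - MIN_PART + 1):
            pre, suf = lab[:i], lab[i:]
            pc, sc = pre_counts[pre], suf_counts[suf]
            # The product rewards splits where both halves recur; the tie-break
            # keeps the longest half that is actually shared (count > 1).
            shared_len = max(len(pre) if pc > 1 else 0, len(suf) if sc > 1 else 0)
            key = (pc * sc, shared_len)
            if best is None or key > best[0]:
                best = (key, pre, suf)
        prefixes.add(best[1])
        suffixes.add(best[2])
    return sorted(prefixes), sorted(suffixes)


def build_matcher(prefixes, suffixes, tld="net"):
    """Anchored regex for any <prefix><suffix>.<tld> built from the two vocabularies."""
    def alt(words):
        return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))
    return re.compile(rf"^(?:{alt(prefixes)})(?:{alt(suffixes)})\.{re.escape(tld)}$", re.I)


def analyze(observed):
    labels = [d.rsplit(".", 1)[0] for d in observed]
    prefixes, suffixes = infer_vocab(labels)
    matcher = build_matcher(prefixes, suffixes)
    return {
        "prefixes": prefixes,
        "suffixes": suffixes,
        "matcher": matcher,
        "resolved": {d: ip for d, ip in observed.items() if ip},
        "unresolved": sorted(d for d, ip in observed.items() if not ip),
        # fraction of the observed names the inferred vocabularies explain
        "coverage": sum(1 for d in observed if matcher.match(d)) / len(observed),
    }


if __name__ == "__main__":
    r = analyze(OBSERVED)
    print("first words:", r["prefixes"])
    print("second words:", r["suffixes"])
    print(f"{len(r['resolved'])} resolved, {len(r['unresolved'])} unresolved, coverage {r['coverage']:.0%}")
    for d, ip in r["resolved"].items():
        print(f"  {d:24} -> {ip}")
```

Whether the twelve addresses are live infrastructure, parking pages or sinkholes is not something this report can tell you, so for detection prefer the name pattern (and the empty User-Agent on GET /index.php) over the IP list; the word lists recovered here are the ones this capture exposes, and the next run of the same sample may draw on words it never queried this time.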
