Analysis Date2016-04-17 09:48:02
MD5087f244f754b8596cc08505fef660bff
SHA116e2c2ecaee3e6ecc016e3204588409fe01543ad

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: fcb5b5ac2b5c7443c2c641c66cc88e5b sha1: 8c8ad59621e81b0e725c47eda2d3d68e9368dd48 size: 182272
Section.rdata md5: 96b95e1966ea7232697241bf4f4e7cb5 sha1: ebebb9cfced0307e318fcfe6f064a5b68029e02f size: 2560
Section.data md5: 1915874d337e9a38a7bdbb4ebf701a1e sha1: f4332d5f2e627e9d8353335d3fec04441a2fe01e size: 14848
Section.reloc md5: a5e450e77f062d16ea806cc7255bfe44 sha1: 11e4a4578e96afb399ed79adca898658eccd241f size: 30208
Timestamp2014-09-12 21:37:20
PEhash4f004977dddf61c5326329bb46f3257998be0f53
IMPhasha5e26dcd801ea923ca4f0a39f16ddbc5
AVCA (E-Trust Ino)Gen:Variant.Razy.18137
AVF-SecureGen:Variant.Razy.18137
AVDr. WebNo Virus
AVClamAVNo Virus
AVArcabit (arcavir)Gen:Variant.Razy.18137
AVBullGuardGen:Variant.Razy.18137
AVVirusBlokAda (vba32)No Virus
AVCAT (quickheal)TrojanSpy.Nivdort.WR4
AVTrend MicroNo Virus
AVKasperskyTrojan.Win32.Generic
AVZillya!No Virus
AVEmsisoftGen:Variant.Razy.18137
AVIkarusTrojan.Win32.Bayrob
AVFrisk (f-prot)W32/Nivdort.G.gen!Eldorado
AVAuthentiumW32/Nivdort.G.gen!Eldorado
AVMalwareBytesNo Virus
AVMicroWorld (escan)Gen:Variant.Razy.18137
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.DO
AVK7Trojan ( 004dc2a31 )
AVBitDefenderGen:Variant.Razy.18137
AVFortinetW32/Bayrob.AQ!tr
AVSymantecTrojan.Bayrob!gen6
AVGrisoft (avg)Generic_r.GTB
AVEset (nod32)Win32/Bayrob.BA
AVAlwil (avast)Vupa [Cryp]
AVAd-AwareGen:Variant.Razy.18137
AVTwisterNo Virus
AVAvira (antivir)No Virus
AVMcafeeTrojan-FHQT!087F244F754B
AVRisingNo Virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\rzyxebfwgij\u8a1leusoakqrkbquc.exe
Creates FileC:\rzyxebfwgij\gevvocfq
Creates FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Deletes FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Creates ProcessC:\rzyxebfwgij\u8a1leusoakqrkbquc.exe

Process
↳ C:\rzyxebfwgij\u8a1leusoakqrkbquc.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\User Client Proxy Upgrade DLL Manager ➝
C:\rzyxebfwgij\lbeptlgtsulv.exe
Creates FileC:\rzyxebfwgij\gevvocfq
Creates FilePIPE\lsarpc
Creates FileC:\rzyxebfwgij\nvzegdyl8v
Creates FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Creates FileC:\rzyxebfwgij\lbeptlgtsulv.exe
Deletes FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Creates ProcessC:\rzyxebfwgij\lbeptlgtsulv.exe
Creates ServiceWindows Launcher Color Shadow Support - C:\rzyxebfwgij\lbeptlgtsulv.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1136

Process
↳ C:\rzyxebfwgij\lbeptlgtsulv.exe

Creates FileC:\rzyxebfwgij\na2kvmdlbrb
Creates Filepipe\net\NtControlPipe10
Creates FileC:\rzyxebfwgij\gevvocfq
Creates FileC:\rzyxebfwgij\aacqqumyttk.exe
Creates FileC:\rzyxebfwgij\nvzegdyl8v
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Deletes FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Creates Processoqyagqdjmrhn "c:\rzyxebfwgij\lbeptlgtsulv.exe"

Process
↳ C:\rzyxebfwgij\lbeptlgtsulv.exe

Creates FileC:\rzyxebfwgij\gevvocfq
Creates FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Deletes FileC:\WINDOWS\rzyxebfwgij\gevvocfq

Process
↳ oqyagqdjmrhn "c:\rzyxebfwgij\lbeptlgtsulv.exe"

Creates FileC:\rzyxebfwgij\gevvocfq
Creates FileC:\WINDOWS\rzyxebfwgij\gevvocfq
Deletes FileC:\WINDOWS\rzyxebfwgij\gevvocfq

Network Details:

DNSbreadabove.net
Type: A
195.22.28.198
DNSbreadabove.net
Type: A
195.22.28.199
DNSbreadabove.net
Type: A
195.22.28.196
DNSbreadabove.net
Type: A
195.22.28.197
DNSchiefshore.net
Type: A
192.64.119.9
DNScollegewritten.net
Type: A
192.64.119.10
DNScollegedollar.net
Type: A
192.64.119.11
DNSaloneshore.net
Type: A
208.100.26.234
DNSalonedollar.net
Type: A
208.100.26.234
DNSmorningdollar.net
Type: A
50.63.202.48
DNSthinkboard.net
Type: A
69.195.124.144
DNSchiefcharacter.net
Type: A
195.22.28.197
DNSchiefcharacter.net
Type: A
195.22.28.198
DNSchiefcharacter.net
Type: A
195.22.28.199
DNSchiefcharacter.net
Type: A
195.22.28.196
DNSchiefboard.net
Type: A
192.240.170.144
DNScollegeboard.net
Type: A
199.167.200.62
DNSaloneladder.net
Type: A
208.100.26.234
DNShistoryboard.net
Type: A
87.98.254.183
DNShistoryboard.net
Type: A
94.23.154.108
DNShistoryboard.net
Type: A
94.23.154.120
DNShistoryboard.net
Type: A
87.98.188.44
DNShistoryboard.net
Type: A
87.98.250.104
DNSclassboard.net
Type: A
64.85.171.16
DNScaptainshoulder.net
Type: A
DNSlargefinger.net
Type: A
DNScaptainfinger.net
Type: A
DNSrecorduntil.net
Type: A
DNSelectricuntil.net
Type: A
DNSrecordabove.net
Type: A
DNSelectricabove.net
Type: A
DNSrecordshoulder.net
Type: A
DNSelectricshoulder.net
Type: A
DNSrecordfinger.net
Type: A
DNSelectricfinger.net
Type: A
DNSstreetuntil.net
Type: A
DNStradeuntil.net
Type: A
DNSstreetabove.net
Type: A
DNStradeabove.net
Type: A
DNSstreetshoulder.net
Type: A
DNStradeshoulder.net
Type: A
DNSstreetfinger.net
Type: A
DNStradefinger.net
Type: A
DNSbetteruntil.net
Type: A
DNSgatheruntil.net
Type: A
DNSbetterabove.net
Type: A
DNSgatherabove.net
Type: A
DNSbettershoulder.net
Type: A
DNSgathershoulder.net
Type: A
DNSbetterfinger.net
Type: A
DNSgatherfinger.net
Type: A
DNSflieruntil.net
Type: A
DNSbreaduntil.net
Type: A
DNSflierabove.net
Type: A
DNSfliershoulder.net
Type: A
DNSbreadshoulder.net
Type: A
DNSflierfinger.net
Type: A
DNSbreadfinger.net
Type: A
DNSquietuntil.net
Type: A
DNSseasonuntil.net
Type: A
DNSquietabove.net
Type: A
DNSseasonabove.net
Type: A
DNSquietshoulder.net
Type: A
DNSseasonshoulder.net
Type: A
DNSquietfinger.net
Type: A
DNSseasonfinger.net
Type: A
DNSthinkshore.net
Type: A
DNSpresentshore.net
Type: A
DNSthinkwritten.net
Type: A
DNSpresentwritten.net
Type: A
DNSthinkdollar.net
Type: A
DNSpresentdollar.net
Type: A
DNSthinkrealize.net
Type: A
DNSpresentrealize.net
Type: A
DNScollegeshore.net
Type: A
DNSchiefwritten.net
Type: A
DNSchiefdollar.net
Type: A
DNSchiefrealize.net
Type: A
DNScollegerealize.net
Type: A
DNSoftenshore.net
Type: A
DNSoftenwritten.net
Type: A
DNSalonewritten.net
Type: A
DNSoftendollar.net
Type: A
DNSoftenrealize.net
Type: A
DNSalonerealize.net
Type: A
DNSmiddleshore.net
Type: A
DNStwelveshore.net
Type: A
DNSmiddlewritten.net
Type: A
DNStwelvewritten.net
Type: A
DNSmiddledollar.net
Type: A
DNStwelvedollar.net
Type: A
DNSmiddlerealize.net
Type: A
DNStwelverealize.net
Type: A
DNSrathershore.net
Type: A
DNSmorningshore.net
Type: A
DNSratherwritten.net
Type: A
DNSmorningwritten.net
Type: A
DNSratherdollar.net
Type: A
DNSratherrealize.net
Type: A
DNSmorningrealize.net
Type: A
DNSstrangeshore.net
Type: A
DNShistoryshore.net
Type: A
DNSstrangewritten.net
Type: A
DNShistorywritten.net
Type: A
DNSstrangedollar.net
Type: A
DNShistorydollar.net
Type: A
DNSstrangerealize.net
Type: A
DNShistoryrealize.net
Type: A
DNSamountshore.net
Type: A
DNSweathershore.net
Type: A
DNSamountwritten.net
Type: A
DNSweatherwritten.net
Type: A
DNSamountdollar.net
Type: A
DNSweatherdollar.net
Type: A
DNSamountrealize.net
Type: A
DNSweatherrealize.net
Type: A
DNSthickshore.net
Type: A
DNSclassshore.net
Type: A
DNSthickwritten.net
Type: A
DNSclasswritten.net
Type: A
DNSthickdollar.net
Type: A
DNSclassdollar.net
Type: A
DNSthickrealize.net
Type: A
DNSclassrealize.net
Type: A
DNSthinkcharacter.net
Type: A
DNSpresentcharacter.net
Type: A
DNSthinkladder.net
Type: A
DNSpresentladder.net
Type: A
DNSpresentboard.net
Type: A
DNSthinkenter.net
Type: A
DNSpresententer.net
Type: A
DNScollegecharacter.net
Type: A
DNSchiefladder.net
Type: A
DNScollegeladder.net
Type: A
DNSchiefenter.net
Type: A
DNScollegeenter.net
Type: A
DNSoftencharacter.net
Type: A
DNSalonecharacter.net
Type: A
DNSoftenladder.net
Type: A
DNSoftenboard.net
Type: A
DNSaloneboard.net
Type: A
DNSoftenenter.net
Type: A
DNSaloneenter.net
Type: A
DNSmiddlecharacter.net
Type: A
DNStwelvecharacter.net
Type: A
DNSmiddleladder.net
Type: A
DNStwelveladder.net
Type: A
DNSmiddleboard.net
Type: A
DNStwelveboard.net
Type: A
DNSmiddleenter.net
Type: A
DNStwelveenter.net
Type: A
DNSrathercharacter.net
Type: A
DNSmorningcharacter.net
Type: A
DNSratherladder.net
Type: A
DNSmorningladder.net
Type: A
DNSratherboard.net
Type: A
DNSmorningboard.net
Type: A
DNSratherenter.net
Type: A
DNSmorningenter.net
Type: A
DNSstrangecharacter.net
Type: A
DNShistorycharacter.net
Type: A
DNSstrangeladder.net
Type: A
DNShistoryladder.net
Type: A
DNSstrangeboard.net
Type: A
DNSstrangeenter.net
Type: A
DNShistoryenter.net
Type: A
DNSamountcharacter.net
Type: A
DNSweathercharacter.net
Type: A
DNSamountladder.net
Type: A
DNSweatherladder.net
Type: A
DNSamountboard.net
Type: A
DNSweatherboard.net
Type: A
DNSamountenter.net
Type: A
DNSweatherenter.net
Type: A
DNSthickcharacter.net
Type: A
DNSclasscharacter.net
Type: A
DNSthickladder.net
Type: A
DNSclassladder.net
Type: A
DNSthickboard.net
Type: A
DNSthickenter.net
Type: A
HTTP GEThttp://breadabove.net/index.php
User-Agent:
HTTP GEThttp://chiefshore.net/index.php
User-Agent:
HTTP GEThttp://collegewritten.net/index.php
User-Agent:
HTTP GEThttp://collegedollar.net/index.php
User-Agent:
HTTP GEThttp://aloneshore.net/index.php
User-Agent:
HTTP GEThttp://alonedollar.net/index.php
User-Agent:
HTTP GEThttp://morningdollar.net/index.php
User-Agent:
HTTP GEThttp://thinkboard.net/index.php
User-Agent:
HTTP GEThttp://chiefcharacter.net/index.php
User-Agent:
HTTP GEThttp://chiefboard.net/index.php
User-Agent:
HTTP GEThttp://collegeboard.net/index.php
User-Agent:
HTTP GEThttp://aloneladder.net/index.php
User-Agent:
HTTP GEThttp://historyboard.net/index.php
User-Agent:
HTTP GEThttp://classboard.net/index.php
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 195.22.28.198:80
Flows TCP192.168.1.1:1032 ➝ 192.64.119.9:80
Flows TCP192.168.1.1:1033 ➝ 192.64.119.10:80
Flows TCP192.168.1.1:1034 ➝ 192.64.119.11:80
Flows TCP192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1037 ➝ 50.63.202.48:80
Flows TCP192.168.1.1:1038 ➝ 69.195.124.144:80
Flows TCP192.168.1.1:1039 ➝ 195.22.28.197:80
Flows TCP192.168.1.1:1040 ➝ 192.240.170.144:80
Flows TCP192.168.1.1:1041 ➝ 199.167.200.62:80
Flows TCP192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1043 ➝ 87.98.254.183:80
Flows TCP192.168.1.1:1044 ➝ 64.85.171.16:80

Raw Pcap



Strings