Analysis Date: 2016-03-15 19:47:43
MD5: 29e29d38219aa33583789af7f214fb0e
SHA1: 17a7dd629657756750addf609d4a45778f989a75

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b5596acbd9671ee4baa5395c06577ff0  sha1: 5ec81a0cce4848df4120b73193361394285d8311  size: 200704
Section .rdata md5: 4ad95335be17f2e2d4d49424ca55f250  sha1: 989e38101609b7b2ebc898cce6dc5477f12a8f8e  size: 3072
Section .data  md5: 71886ce6d3b61fce9ba17abb2b277ea6  sha1: 7e7ed24456d7dd910f0560e1956c40b0faa6b804  size: 15872
Section .reloc md5: 22a376b73433d0215647212eac231ac8  sha1: feac137e7e66faabf245c6f2a96e1236af4fa99c  size: 31232
Timestamp: 2014-02-19 16:00:42
PEhash: 1b5715def762df796a73b9386b688bbfd86c6ef3
IMPhash: ecd1c8c5a27592eacd7bfe3bbb100707
AV CA (E-Trust Ino): Gen:Variant.Razy.18137
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV Rising: No Virus
AV McAfee: Trojan-FHRG!29E29D38219A
AV MicroWorld (escan): Gen:Variant.Razy.18137
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Nivdort.A.38079
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.H.gen!Eldorado
AV Authentium: W32/Nivdort.H.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.18137
AV Twister: Virus.558BEC#0056@2FF000.mg
AV Ad-Aware: Gen:Variant.Razy.18137
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: Trojan.Bayrob!gen6
AV BullGuard: Gen:Variant.Razy.18137
AV Arcabit (arcavir): Gen:Variant.Razy.18137
AV Fortinet: W32/Bayrob.AQ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Razy.18137
AV Dr. Web: No Virus
AV K7: Trojan ( 004dc2a31 )
AV F-Secure: Gen:Variant.Razy.18137

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\rpwsqsqocpva\zign1kw6lxcchiv62fu.exe
Creates File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates File: C:\rpwsqsqocpva\prajvhluoubh
Deletes File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates Process: C:\rpwsqsqocpva\zign1kw6lxcchiv62fu.exe

Process
↳ C:\rpwsqsqocpva\zign1kw6lxcchiv62fu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Transaction Fax Protection Web Store ➝ C:\rpwsqsqocpva\kfhxskoegpvt.exe
Creates File: C:\rpwsqsqocpva\jidn9bw
Creates File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates File: C:\rpwsqsqocpva\kfhxskoegpvt.exe
Creates File: PIPE\lsarpc
Creates File: C:\rpwsqsqocpva\prajvhluoubh
Deletes File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates Process: C:\rpwsqsqocpva\kfhxskoegpvt.exe
Creates Service: Software Superfetch Acquisition Trap Color - C:\rpwsqsqocpva\kfhxskoegpvt.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1140

Process
↳ C:\rpwsqsqocpva\kfhxskoegpvt.exe

Creates File: C:\rpwsqsqocpva\jidn9bw
Creates File: pipe\net\NtControlPipe10
Creates File: C:\rpwsqsqocpva\clq8ieo
Creates File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates File: \Device\Afd\Endpoint
Creates File: C:\rpwsqsqocpva\xmzjvypfkzb.exe
Creates File: C:\rpwsqsqocpva\prajvhluoubh
Deletes File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates Process: pf8lmrypscau "c:\rpwsqsqocpva\kfhxskoegpvt.exe"

Process
↳ C:\rpwsqsqocpva\kfhxskoegpvt.exe

Creates File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates File: C:\rpwsqsqocpva\prajvhluoubh
Deletes File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh

Process
↳ pf8lmrypscau "c:\rpwsqsqocpva\kfhxskoegpvt.exe"

Creates File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh
Creates File: C:\rpwsqsqocpva\prajvhluoubh
Deletes File: C:\WINDOWS\rpwsqsqocpva\prajvhluoubh

Network Details:

DNS: mightdried.net (Type: A) ➝ 208.100.26.234
DNS: desirearticle.net (Type: A) ➝ 195.22.28.198
DNS: desirearticle.net (Type: A) ➝ 195.22.28.197
DNS: desirearticle.net (Type: A) ➝ 195.22.28.196
DNS: desirearticle.net (Type: A) ➝ 195.22.28.199
DNS: buildingservice.net (Type: A) ➝ 207.148.248.143
DNS: prettyriver.net (Type: A) ➝ 141.8.225.226
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com (Type: A) ➝ 52.0.96.24
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com (Type: A) ➝ 52.71.117.99
DNS: fellowriver.net (Type: A) ➝ 208.100.26.234
DNS: stillriver.net (Type: A) ➝ 74.208.26.57
DNS: buildinghappen.net (Type: A) ➝ 195.22.28.196
DNS: buildinghappen.net (Type: A) ➝ 195.22.28.199
DNS: buildinghappen.net (Type: A) ➝ 195.22.28.198
DNS: buildinghappen.net (Type: A) ➝ 195.22.28.197
DNS: buildingshare.net (Type: A) ➝ 65.254.248.178
DNS: doctorshake.net (Type: A) ➝ 66.198.240.4
DNS: doctorshare.net (Type: A) ➝ 82.98.134.234
DNS: fellowshake.net (Type: A) ➝ 5.2.189.251
DNS: doubleshare.net (Type: A) ➝ 8.5.1.51
DNS: buildingangry.net (Type: A)
DNS: eveningangry.net (Type: A)
DNS: buildingarticle.net (Type: A)
DNS: eveningarticle.net (Type: A)
DNS: storedried.net (Type: A)
DNS: storefifteen.net (Type: A)
DNS: mightfifteen.net (Type: A)
DNS: storeangry.net (Type: A)
DNS: mightangry.net (Type: A)
DNS: storearticle.net (Type: A)
DNS: mightarticle.net (Type: A)
DNS: doctordried.net (Type: A)
DNS: prettydried.net (Type: A)
DNS: doctorfifteen.net (Type: A)
DNS: prettyfifteen.net (Type: A)
DNS: doctorangry.net (Type: A)
DNS: prettyangry.net (Type: A)
DNS: doctorarticle.net (Type: A)
DNS: prettyarticle.net (Type: A)
DNS: fellowdried.net (Type: A)
DNS: doubledried.net (Type: A)
DNS: fellowfifteen.net (Type: A)
DNS: doublefifteen.net (Type: A)
DNS: fellowangry.net (Type: A)
DNS: doubleangry.net (Type: A)
DNS: fellowarticle.net (Type: A)
DNS: doublearticle.net (Type: A)
DNS: brokendried.net (Type: A)
DNS: resultdried.net (Type: A)
DNS: brokenfifteen.net (Type: A)
DNS: resultfifteen.net (Type: A)
DNS: brokenangry.net (Type: A)
DNS: resultangry.net (Type: A)
DNS: brokenarticle.net (Type: A)
DNS: resultarticle.net (Type: A)
DNS: preparedried.net (Type: A)
DNS: desiredried.net (Type: A)
DNS: preparefifteen.net (Type: A)
DNS: desirefifteen.net (Type: A)
DNS: prepareangry.net (Type: A)
DNS: desireangry.net (Type: A)
DNS: preparearticle.net (Type: A)
DNS: strengthdried.net (Type: A)
DNS: stilldried.net (Type: A)
DNS: strengthfifteen.net (Type: A)
DNS: stillfifteen.net (Type: A)
DNS: strengthangry.net (Type: A)
DNS: stillangry.net (Type: A)
DNS: strengtharticle.net (Type: A)
DNS: stillarticle.net (Type: A)
DNS: movementmister.net (Type: A)
DNS: outsidemister.net (Type: A)
DNS: movementsuppose.net (Type: A)
DNS: outsidesuppose.net (Type: A)
DNS: movementservice.net (Type: A)
DNS: outsideservice.net (Type: A)
DNS: movementriver.net (Type: A)
DNS: outsideriver.net (Type: A)
DNS: buildingmister.net (Type: A)
DNS: eveningmister.net (Type: A)
DNS: buildingsuppose.net (Type: A)
DNS: eveningsuppose.net (Type: A)
DNS: eveningservice.net (Type: A)
DNS: buildingriver.net (Type: A)
DNS: eveningriver.net (Type: A)
DNS: storemister.net (Type: A)
DNS: mightmister.net (Type: A)
DNS: storesuppose.net (Type: A)
DNS: mightsuppose.net (Type: A)
DNS: storeservice.net (Type: A)
DNS: mightservice.net (Type: A)
DNS: storeriver.net (Type: A)
DNS: mightriver.net (Type: A)
DNS: doctormister.net (Type: A)
DNS: prettymister.net (Type: A)
DNS: doctorsuppose.net (Type: A)
DNS: prettysuppose.net (Type: A)
DNS: doctorservice.net (Type: A)
DNS: prettyservice.net (Type: A)
DNS: doctorriver.net (Type: A)
DNS: fellowmister.net (Type: A)
DNS: doublemister.net (Type: A)
DNS: fellowsuppose.net (Type: A)
DNS: doublesuppose.net (Type: A)
DNS: fellowservice.net (Type: A)
DNS: doubleservice.net (Type: A)
DNS: doubleriver.net (Type: A)
DNS: brokenmister.net (Type: A)
DNS: resultmister.net (Type: A)
DNS: brokensuppose.net (Type: A)
DNS: resultsuppose.net (Type: A)
DNS: brokenservice.net (Type: A)
DNS: resultservice.net (Type: A)
DNS: brokenriver.net (Type: A)
DNS: resultriver.net (Type: A)
DNS: preparemister.net (Type: A)
DNS: desiremister.net (Type: A)
DNS: preparesuppose.net (Type: A)
DNS: desiresuppose.net (Type: A)
DNS: prepareservice.net (Type: A)
DNS: desireservice.net (Type: A)
DNS: prepareriver.net (Type: A)
DNS: desireriver.net (Type: A)
DNS: strengthmister.net (Type: A)
DNS: stillmister.net (Type: A)
DNS: strengthsuppose.net (Type: A)
DNS: stillsuppose.net (Type: A)
DNS: strengthservice.net (Type: A)
DNS: stillservice.net (Type: A)
DNS: strengthriver.net (Type: A)
DNS: movementnearly.net (Type: A)
DNS: outsidenearly.net (Type: A)
DNS: movementhappen.net (Type: A)
DNS: outsidehappen.net (Type: A)
DNS: movementshake.net (Type: A)
DNS: outsideshake.net (Type: A)
DNS: movementshare.net (Type: A)
DNS: outsideshare.net (Type: A)
DNS: buildingnearly.net (Type: A)
DNS: eveningnearly.net (Type: A)
DNS: eveninghappen.net (Type: A)
DNS: buildingshake.net (Type: A)
DNS: eveningshake.net (Type: A)
DNS: eveningshare.net (Type: A)
DNS: storenearly.net (Type: A)
DNS: mightnearly.net (Type: A)
DNS: storehappen.net (Type: A)
DNS: mighthappen.net (Type: A)
DNS: storeshake.net (Type: A)
DNS: mightshake.net (Type: A)
DNS: storeshare.net (Type: A)
DNS: mightshare.net (Type: A)
DNS: doctornearly.net (Type: A)
DNS: prettynearly.net (Type: A)
DNS: doctorhappen.net (Type: A)
DNS: prettyhappen.net (Type: A)
DNS: prettyshake.net (Type: A)
DNS: prettyshare.net (Type: A)
DNS: fellownearly.net (Type: A)
DNS: doublenearly.net (Type: A)
DNS: fellowhappen.net (Type: A)
DNS: doublehappen.net (Type: A)
DNS: doubleshake.net (Type: A)
DNS: fellowshare.net (Type: A)
DNS: brokennearly.net (Type: A)
DNS: resultnearly.net (Type: A)
DNS: brokenhappen.net (Type: A)
DNS: resulthappen.net (Type: A)
DNS: brokenshake.net (Type: A)
DNS: resultshake.net (Type: A)
DNS: brokenshare.net (Type: A)
DNS: resultshare.net (Type: A)
DNS: preparenearly.net (Type: A)
DNS: desirenearly.net (Type: A)
DNS: preparehappen.net (Type: A)
DNS: desirehappen.net (Type: A)
DNS: prepareshake.net (Type: A)
DNS: desireshake.net (Type: A)
HTTP GET: http://mightdried.net/index.php
User-Agent:
HTTP GET: http://desirearticle.net/index.php
User-Agent:
HTTP GET: http://buildingservice.net/index.php
User-Agent:
HTTP GET: http://prettyriver.net/index.php
User-Agent:
HTTP GET: http://doubleservice.net/index.php
User-Agent:
HTTP GET: http://fellowriver.net/index.php
User-Agent:
HTTP GET: http://stillriver.net/index.php
User-Agent:
HTTP GET: http://buildinghappen.net/index.php
User-Agent:
HTTP GET: http://buildingshare.net/index.php
User-Agent:
HTTP GET: http://doctorshake.net/index.php
User-Agent:
HTTP GET: http://doctorshare.net/index.php
User-Agent:
HTTP GET: http://fellowshake.net/index.php
User-Agent:
HTTP GET: http://doubleshare.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1033 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.226:80
Flows TCP: 192.168.1.1:1035 ➝ 52.0.96.24:80
Flows TCP: 192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1037 ➝ 74.208.26.57:80
Flows TCP: 192.168.1.1:1038 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1039 ➝ 65.254.248.178:80
Flows TCP: 192.168.1.1:1040 ➝ 66.198.240.4:80
Flows TCP: 192.168.1.1:1041 ➝ 82.98.134.234:80
Flows TCP: 192.168.1.1:1042 ➝ 5.2.189.251:80
Flows TCP: 192.168.1.1:1043 ➝ 8.5.1.51:80
