Analysis Date: 2015-07-24 06:37:57
MD5: 73b212d0dcc000145c7f45212f6a6025
SHA1: 1c6dbf315a5f0abccd907374f7d857112c973d36

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: faeb6cc2305f08efe553bac78e705fa9 sha1: 41260d77406d83228d96589de196a4de1ac7a864 size: 299520
Section .rdata: md5: 9b3247279d8bdbfe7d419b5e59edcc70 sha1: 960f522c4714c13cfa36979f5a14c8d6c6c21396 size: 43520
Section .data: md5: 7a35d2fed747a5be659ca5bc52f91909 sha1: 0986ad913f09436858daf8b463e8e1b243bb5845 size: 6656
Section .reloc: md5: ffbcbffbcce432f3234218b10e2e8598 sha1: 7cd618c5e60a3d6dba64907df19049b45de24100 size: 26112
Timestamp: 2015-05-21 03:46:59
Packer: Microsoft Visual C++ ?.?
PEhash: 0c60af93a4ce043d2208c7adb8f1e4873021bfe4
IMPhash: 52658cf4a45f0088a3ca253e06d901e1
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: Trojan.Bayrob.5
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Z
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): TR/Dynamer.ac.862
AV Mcafee: Trojan-FGIJ!73B212D0DCC0
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\gqtloqo\hkw1ic5dfqtifsykeu.exe
Creates File: C:\gqtloqo\zzudhlezgq23
Creates File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Deletes File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Creates Process: C:\gqtloqo\hkw1ic5dfqtifsykeu.exe

Process
↳ C:\gqtloqo\hkw1ic5dfqtifsykeu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Counter Alerts Reports Grouping AutoConnect ➝ C:\gqtloqo\dbyrhjxjxgym.exe
Creates File: C:\gqtloqo\dbyrhjxjxgym.exe
Creates File: PIPE\lsarpc
Creates File: C:\gqtloqo\zzudhlezgq23
Creates File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Creates File: C:\gqtloqo\isrh09mi
Deletes File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Creates Process: C:\gqtloqo\dbyrhjxjxgym.exe
Creates Service: Protected Defender Intelligent Link Copy - C:\gqtloqo\dbyrhjxjxgym.exe

Process
↳ Pid 796

Process
↳ Pid 844

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1112

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1088

Process
↳ C:\gqtloqo\dbyrhjxjxgym.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\gqtloqo\qjomtmgbwze
Creates File: C:\gqtloqo\zzudhlezgq23
Creates File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Creates File: C:\gqtloqo\trlxttiucnx.exe
Creates File: C:\gqtloqo\isrh09mi
Deletes File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Creates Process: lqck3lp0rvxy "c:\gqtloqo\dbyrhjxjxgym.exe"

Process
↳ C:\gqtloqo\dbyrhjxjxgym.exe

Creates File: C:\gqtloqo\zzudhlezgq23
Creates File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Deletes File: C:\WINDOWS\gqtloqo\zzudhlezgq23

Process
↳ lqck3lp0rvxy "c:\gqtloqo\dbyrhjxjxgym.exe"

Creates File: C:\gqtloqo\zzudhlezgq23
Creates File: C:\WINDOWS\gqtloqo\zzudhlezgq23
Deletes File: C:\WINDOWS\gqtloqo\zzudhlezgq23

Network Details:

Raw Pcap

Strings