Analysis Date | 2015-07-24 06:37:57 |
---|---|
MD5 | 73b212d0dcc000145c7f45212f6a6025 |
SHA1 | 1c6dbf315a5f0abccd907374f7d857112c973d36 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: faeb6cc2305f08efe553bac78e705fa9 sha1: 41260d77406d83228d96589de196a4de1ac7a864 size: 299520 | |
Section | .rdata md5: 9b3247279d8bdbfe7d419b5e59edcc70 sha1: 960f522c4714c13cfa36979f5a14c8d6c6c21396 size: 43520 | |
Section | .data md5: 7a35d2fed747a5be659ca5bc52f91909 sha1: 0986ad913f09436858daf8b463e8e1b243bb5845 size: 6656 | |
Section | .reloc md5: ffbcbffbcce432f3234218b10e2e8598 sha1: 7cd618c5e60a3d6dba64907df19049b45de24100 size: 26112 | |
Timestamp | 2015-05-21 03:46:59 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | 0c60af93a4ce043d2208c7adb8f1e4873021bfe4 | |
IMPhash | 52658cf4a45f0088a3ca253e06d901e1 | |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Diley.1 |
AV | Dr. Web | Trojan.Bayrob.5 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Diley.1 |
AV | BullGuard | Gen:Variant.Diley.1 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | no_virus |
AV | Trend Micro | TROJ_BAYROB.SM0 |
AV | Kaspersky | no_virus |
AV | Zillya! | no_virus |
AV | Emsisoft | Gen:Variant.Diley.1 |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | no_virus |
AV | MalwareBytes | Trojan.Agent.KVTGen |
AV | MicroWorld (escan) | Gen:Variant.Diley.1 |
AV | Microsoft Security Essentials | Trojan:Win32/Dynamer!ac |
AV | K7 | Trojan ( 004c77f41 ) |
AV | BitDefender | Gen:Variant.Diley.1 |
AV | Fortinet | W32/Babrob.Y!tr |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Bayrob.Z |
AV | Alwil (avast) | Trojan-gen:Win32:Trojan-gen |
AV | Ad-Aware | Gen:Variant.Diley.1 |
AV | Twister | no_virus |
AV | Avira (antivir) | TR/Dynamer.ac.862 |
AV | Mcafee | Trojan-FGIJ!73B212D0DCC0 |
AV | Rising | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\gqtloqo\hkw1ic5dfqtifsykeu.exe |
---|---|
Creates File | C:\gqtloqo\zzudhlezgq23 |
Creates File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Deletes File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Creates Process | C:\gqtloqo\hkw1ic5dfqtifsykeu.exe |
Process
↳ C:\gqtloqo\hkw1ic5dfqtifsykeu.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Counter Alerts Reports Grouping AutoConnect ➝ C:\gqtloqo\dbyrhjxjxgym.exe |
---|---|
Creates File | C:\gqtloqo\dbyrhjxjxgym.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\gqtloqo\zzudhlezgq23 |
Creates File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Creates File | C:\gqtloqo\isrh09mi |
Deletes File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Creates Process | C:\gqtloqo\dbyrhjxjxgym.exe |
Creates Service | Protected Defender Intelligent Link Copy - C:\gqtloqo\dbyrhjxjxgym.exe |
Process
↳ Pid 796
Process
↳ Pid 844
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | pipe\PCHFaultRepExecPipe |
---|
Process
↳ Pid 1112
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1868
Process
↳ Pid 1088
Process
↳ C:\gqtloqo\dbyrhjxjxgym.exe
Creates File | pipe\net\NtControlPipe10 |
---|---|
Creates File | \Device\Afd\Endpoint |
Creates File | C:\gqtloqo\qjomtmgbwze |
Creates File | C:\gqtloqo\zzudhlezgq23 |
Creates File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Creates File | C:\gqtloqo\trlxttiucnx.exe |
Creates File | C:\gqtloqo\isrh09mi |
Deletes File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Creates Process | lqck3lp0rvxy "c:\gqtloqo\dbyrhjxjxgym.exe" |
Process
↳ C:\gqtloqo\dbyrhjxjxgym.exe
Creates File | C:\gqtloqo\zzudhlezgq23 |
---|---|
Creates File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Deletes File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Process
↳ lqck3lp0rvxy "c:\gqtloqo\dbyrhjxjxgym.exe"
Creates File | C:\gqtloqo\zzudhlezgq23 |
---|---|
Creates File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Deletes File | C:\WINDOWS\gqtloqo\zzudhlezgq23 |
Network Details:
DNS | crowdfriend.net Type: A 50.63.202.48 |
---|---|
DNS | waterfriend.net Type: A 69.64.147.242 |
DNS | womanfriend.net Type: A 218.30.21.59 |
DNS | partyfriend.net Type: A 89.31.143.7 |
DNS | experiencesafety.net Type: A 72.21.91.60 |
DNS | freshfuture.net Type: A 66.39.68.24 |
DNS | beginearly.net Type: A 95.211.230.75 |
DNS | knownfuture.net Type: A 94.127.112.92 |
DNS | knownfuture.net Type: A 94.127.112.93 |
DNS | crowdfuture.net Type: A 5.9.118.41 |
DNS | memberconsider.net Type: A |
DNS | followfriend.net Type: A |
DNS | memberfriend.net Type: A |
DNS | beginlaughter.net Type: A |
DNS | knownlaughter.net Type: A |
DNS | beginfancy.net Type: A |
DNS | knownfancy.net Type: A |
DNS | beginconsider.net Type: A |
DNS | knownconsider.net Type: A |
DNS | beginfriend.net Type: A |
DNS | knownfriend.net Type: A |
DNS | summerlaughter.net Type: A |
DNS | crowdlaughter.net Type: A |
DNS | summerfancy.net Type: A |
DNS | crowdfancy.net Type: A |
DNS | summerconsider.net Type: A |
DNS | crowdconsider.net Type: A |
DNS | summerfriend.net Type: A |
DNS | thoughtlaughter.net Type: A |
DNS | waterlaughter.net Type: A |
DNS | thoughtfancy.net Type: A |
DNS | waterfancy.net Type: A |
DNS | thoughtconsider.net Type: A |
DNS | waterconsider.net Type: A |
DNS | thoughtfriend.net Type: A |
DNS | womanlaughter.net Type: A |
DNS | smokelaughter.net Type: A |
DNS | womanfancy.net Type: A |
DNS | smokefancy.net Type: A |
DNS | womanconsider.net Type: A |
DNS | smokeconsider.net Type: A |
DNS | smokefriend.net Type: A |
DNS | partylaughter.net Type: A |
DNS | fightlaughter.net Type: A |
DNS | partyfancy.net Type: A |
DNS | fightfancy.net Type: A |
DNS | partyconsider.net Type: A |
DNS | fightconsider.net Type: A |
DNS | fightfriend.net Type: A |
DNS | freshsmell.net Type: A |
DNS | experiencesmell.net Type: A |
DNS | freshearly.net Type: A |
DNS | experienceearly.net Type: A |
DNS | freshsafety.net Type: A |
DNS | experiencefuture.net Type: A |
DNS | gentlemansmell.net Type: A |
DNS | alreadysmell.net Type: A |
DNS | gentlemanearly.net Type: A |
DNS | alreadyearly.net Type: A |
DNS | gentlemansafety.net Type: A |
DNS | alreadysafety.net Type: A |
DNS | gentlemanfuture.net Type: A |
DNS | alreadyfuture.net Type: A |
DNS | followsmell.net Type: A |
DNS | membersmell.net Type: A |
DNS | followearly.net Type: A |
DNS | memberearly.net Type: A |
DNS | followsafety.net Type: A |
DNS | membersafety.net Type: A |
DNS | followfuture.net Type: A |
DNS | memberfuture.net Type: A |
DNS | beginsmell.net Type: A |
DNS | knownsmell.net Type: A |
DNS | knownearly.net Type: A |
DNS | beginsafety.net Type: A |
DNS | knownsafety.net Type: A |
DNS | beginfuture.net Type: A |
DNS | summersmell.net Type: A |
DNS | crowdsmell.net Type: A |
DNS | summerearly.net Type: A |
DNS | crowdearly.net Type: A |
DNS | summersafety.net Type: A |
DNS | crowdsafety.net Type: A |
DNS | summerfuture.net Type: A |
DNS | thoughtsmell.net Type: A |
DNS | watersmell.net Type: A |
HTTP GET | http://crowdfriend.net/index.php User-Agent: |
HTTP GET | http://waterfriend.net/index.php User-Agent: |
HTTP GET | http://womanfriend.net/index.php User-Agent: |
HTTP GET | http://partyfriend.net/index.php User-Agent: |
HTTP GET | http://experiencesafety.net/index.php User-Agent: |
HTTP GET | http://freshfuture.net/index.php User-Agent: |
HTTP GET | http://beginearly.net/index.php User-Agent: |
HTTP GET | http://knownfuture.net/index.php User-Agent: |
HTTP GET | http://crowdfuture.net/index.php User-Agent: |
Flows TCP | 192.168.1.1:1031 ➝ 50.63.202.48:80 |
Flows TCP | 192.168.1.1:1032 ➝ 69.64.147.242:80 |
Flows TCP | 192.168.1.1:1033 ➝ 218.30.21.59:80 |
Flows TCP | 192.168.1.1:1034 ➝ 89.31.143.7:80 |
Flows TCP | 192.168.1.1:1035 ➝ 72.21.91.60:80 |
Flows TCP | 192.168.1.1:1036 ➝ 66.39.68.24:80 |
Flows TCP | 192.168.1.1:1037 ➝ 95.211.230.75:80 |
Flows TCP | 192.168.1.1:1038 ➝ 94.127.112.92:80 |
Flows TCP | 192.168.1.1:1039 ➝ 5.9.118.41:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 726f7764 66726965 6e642e6e 65740d0a rowdfriend.net..
0x00000050 (00080) 0d0a ..

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w
0x00000040 (00064) 61746572 66726965 6e642e6e 65740d0a aterfriend.net..
0x00000050 (00080) 0d0a ..

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w
0x00000040 (00064) 6f6d616e 66726965 6e642e6e 65740d0a omanfriend.net..
0x00000050 (00080) 0d0a ..

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 61727479 66726965 6e642e6e 65740d0a artyfriend.net..
0x00000050 (00080) 0d0a ..

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2065 : close..Host: e
0x00000040 (00064) 78706572 69656e63 65736166 6574792e xperiencesafety.
0x00000050 (00080) 6e65740d 0a0d0a net....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 72657368 66757475 72652e6e 65740d0a reshfuture.net..
0x00000050 (00080) 0d0a740d 0a0d0a ..t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b
0x00000040 (00064) 6567696e 6561726c 792e6e65 740d0a0d eginearly.net...
0x00000050 (00080) 0a0a740d 0a0d0a ..t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206b : close..Host: k
0x00000040 (00064) 6e6f776e 66757475 72652e6e 65740d0a nownfuture.net..
0x00000050 (00080) 0d0a740d 0a0d0a ..t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 726f7764 66757475 72652e6e 65740d0a rowdfuture.net..
0x00000050 (00080) 0d0a740d 0a0d0a ..t....
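The dumps above are the report's rendering of the nine captured requests: each record is "0x<hex offset> (<decimal offset>) <up to four 4-byte hex groups> <ASCII column>", and the extraction ran several dumps together on one line. The Python below is an added example, not part of the report. It decodes that record format back into bytes, trusting only the hex groups and using the offset resetting to zero to find dump boundaries, then parses each dump as an HTTP/1.0 request. It reports any bytes that follow the blank line ending the headers (visible as "..t...." in the last four dumps) and lets you confirm that no User-Agent header is sent, consistent with the empty User-Agent column in the HTTP GET rows. RAW holds two of the nine dumps, copied from the report.

```python
"""Decode the report's "Raw Pcap" hex dumps and check the HTTP requests.

Added example, not part of the sandbox report.  RAW is two of the nine dumps
copied verbatim from the report; everything else here is this example's own.
"""
import re

RAW = (
    "0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H "
    "0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: "
    "0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection "
    "0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c "
    "0x00000040 (00064) 726f7764 66726965 6e642e6e 65740d0a rowdfriend.net.. "
    "0x00000050 (00080) 0d0a .. "
    "0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H "
    "0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: "
    "0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection "
    "0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f "
    "0x00000040 (00064) 72657368 66757475 72652e6e 65740d0a reshfuture.net.. "
    "0x00000050 (00080) 0d0a740d 0a0d0a ..t...."
)

# One record: hex offset, decimal offset, then everything up to the next record.
RECORD = re.compile(r"0x([0-9a-f]{8}) \((\d+)\) (.*?)(?= 0x[0-9a-f]{8} \(|$)")
HEX_GROUP = re.compile(r"(?:[0-9a-f]{2})+")


def decode_dumps(text):
    """Return one bytes object per dump found in the record stream."""
    dumps, cur = [], bytearray()
    for m in RECORD.finditer(text):
        offset = int(m.group(1), 16)
        if offset != int(m.group(2)):
            raise ValueError(f"hex/decimal offset disagree at {m.group(0)[:18]}")
        if offset == 0 and cur:            # offset reset: a new dump begins
            dumps.append(bytes(cur))
            cur = bytearray()
        if offset != len(cur):
            raise ValueError(f"gap in dump before offset {offset:#x}")
        line = bytearray()
        for tok in m.group(3).split(" "):
            # Stop at the first token that is not a whole number of hex bytes,
            # or once the 16 bytes a record holds are in.  The ASCII column is
            # ambiguous in general, so it is never used as data.
            if not HEX_GROUP.fullmatch(tok) or len(line) + len(tok) // 2 > 16:
                break
            line += bytes.fromhex(tok)
        cur += line
    if cur:
        dumps.append(bytes(cur))
    return dumps


def parse_request(raw):
    """Parse one HTTP request; 'trailing' is whatever follows the headers."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("ascii").split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for hl in lines[1:]:
        name, _, value = hl.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "host": headers.get("host"), "headers": headers,
            "trailing": trailing}


def analyse(text=RAW):
    return [parse_request(d) for d in decode_dumps(text)]


if __name__ == "__main__":
    for r in analyse():
        ua = r["headers"].get("user-agent", "<absent>")
        print(f"{r['method']} http://{r['host']}{r['path']} {r['version']} "
              f"UA={ua} trailing={r['trailing']!r}")
```

Feeding the full Raw Pcap text to analyse() yields nine requests whose Host values match the HTTP GET rows; the absence of a User-Agent header and the HTTP/1.0 "Connection: close" request line are the kind of fixed client fingerprint worth carrying into a proxy or IDS rule alongside the Host names.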
Strings