Analysis Date: 2016-02-25 16:27:05
MD5: 644cf9f4cbfbe5baf8b14ce144832e07
SHA1: 1d23386cec6a0ca6fdc894266bc78144a9ab1f20

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c7090a1bc64691e18b6677ef6515342e sha1: 1d2e3ad29ed6c08d2aa53524bb225d1f74260fe7 size: 189952
Section .rdata: md5: 5074a56425d976dcf9511ef98638e422 sha1: fa9685caf63437f05248cb0d8e923bcc8b1e98ec size: 18432
Section .data: md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc: md5: 4fcb0a33a8c7af6c8ffc8a3304a152c9 sha1: 1ab4ff164de70d0582c4e51093da062262e1d513 size: 30720
Timestamp: 2016-01-06 16:39:31
PEhash: e94ad506376402ae724ffa8616e1488cec44317d
IMPhash: 20e226f5c2bb732b17746c137bee9a5e
AV CA (E-Trust Ino): Gen:Variant.Razy.12226
AV F-Secure: Gen:Variant.Razy.12226
AV Dr. Web: Trojan.DownLoader19.34184
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV BullGuard: Gen:Variant.Razy.12226
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Downloader.Waski.Win32.5939
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.12226
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV K7: Trojan ( 004db0c61 )
AV BitDefender: Gen:Variant.Razy.12226
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Generic_r.GRU
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Razy.12226
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.A.35845
AV Mcafee: Trojan-FHPX!644CF9F4CBFB

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\smjlztnrqnkqnr\okq1l65ugexfxxqumzo.exe
Creates File: C:\smjlztnrqnkqnr\sevaztsih
Creates File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Deletes File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Creates Process: C:\smjlztnrqnkqnr\okq1l65ugexfxxqumzo.exe

Process
↳ C:\smjlztnrqnkqnr\okq1l65ugexfxxqumzo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Routing Assistant Biometric Profile Task ➝ C:\smjlztnrqnkqnr\wmaxvciyu.exe
Creates File: C:\smjlztnrqnkqnr\sevaztsih
Creates File: C:\smjlztnrqnkqnr\wmaxvciyu.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Creates File: C:\smjlztnrqnkqnr\zl6krq
Deletes File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Creates Process: C:\smjlztnrqnkqnr\wmaxvciyu.exe
Creates Service: Panel Parental IPsec Microsoft Window Support - C:\smjlztnrqnkqnr\wmaxvciyu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1172

Process
↳ C:\smjlztnrqnkqnr\wmaxvciyu.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\smjlztnrqnkqnr\sevaztsih
Creates File: C:\smjlztnrqnkqnr\wicidtbj4
Creates File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Creates File: \Device\Afd\Endpoint
Creates File: C:\smjlztnrqnkqnr\hgoojduvg.exe
Creates File: C:\smjlztnrqnkqnr\zl6krq
Deletes File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Creates Process: pppuyzeeytqn "c:\smjlztnrqnkqnr\wmaxvciyu.exe"

Process
↳ C:\smjlztnrqnkqnr\wmaxvciyu.exe

Creates File: C:\smjlztnrqnkqnr\sevaztsih
Creates File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Deletes File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih

Process
↳ pppuyzeeytqn "c:\smjlztnrqnkqnr\wmaxvciyu.exe"

Creates File: C:\smjlztnrqnkqnr\sevaztsih
Creates File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih
Deletes File: C:\WINDOWS\smjlztnrqnkqnr\sevaztsih

Network Details:

HTTP GET: http://childrenalthough.net/index.php
User-Agent:
HTTP GET: http://becausecharge.net/index.php
User-Agent:
HTTP GET: http://personcharge.net/index.php
User-Agent:
HTTP GET: http://rightdifference.net/index.php
User-Agent:
HTTP GET: http://alreadyshort.net/index.php
User-Agent:
HTTP GET: http://knownpromise.net/index.php
User-Agent:
HTTP GET: http://womanshort.net/index.php
User-Agent:
HTTP GET: http://freshoffice.net/index.php
User-Agent:
HTTP GET: http://memberoffice.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1037 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1038 ➝ 82.165.89.154:80
Flows TCP: 192.168.1.1:1039 ➝ 50.63.202.52:80
