Analysis Date: 2015-08-14 10:02:43
MD5: a9d24329a9a0afc81ad989c5e489598d
SHA1: 1d5081086e3ab2448450903971f7a361e85437a1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0bca88f44282ce63cb7e24e8b698fdc0 sha1: 3cf69aee00cefa205b41aff321038effa65ffccd size: 197632
Section .rdata: md5: 5d300d511afb3e2d30403f40de7b2d9a sha1: b67738b270307d49c1879f12a917397b6a1fb8ba size: 53760
Section .data: md5: f47c6a40c1c1249d0716ce8acf5771a0 sha1: e383d5d9770a065fcf4480f76fcf4eb94f032d8b size: 7168
Section .reloc: md5: c51a267da7a97547092eced7e7159788 sha1: 4bc7dadfd41364280697548bf075586a9c78458b size: 14336
Timestamp: 2015-04-29 19:22:04
Packer: Microsoft Visual C++ 8
PEhash: ab491d2ccafdf83678cf7a6537956f4ed028416b
IMPhash: 9c5e6cd735944ac00313550d5b307b18
AV ClamAV: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Grisoft (avg): PSW.Generic12.BSCD
AV Emsisoft: Gen:Variant.Kazy.604861
AV BitDefender: Gen:Variant.Kazy.604861
AV MalwareBytes: Trojan.Agent.KVTGen
AV K7: Trojan ( 004c12491 )
AV BullGuard: Gen:Variant.Kazy.604861
AV Symantec: Downloader.Upatre!g15
AV Padvish: no_virus
AV Avira (antivir): TR/Crypt.Xpack.195988
AV Rising: Trojan.Win32.Bayrod.a
AV Twister: Trojan.0000E9000000006A1.mg
AV Zillya!: no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): no_virus
AV Mcafee: Trojan-FGIJ!A9D24329A9A0
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV Authentium: W32/Scar.R.gen!Eldorado
AV Fortinet: W32/Generic.AC.215362
AV Kaspersky: Trojan.Win32.Scar.jckp
AV Eset (nod32): Win32/Bayrob.Q
AV Trend Micro: TROJ_BAYROB.SM0
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV Alwil (avast): VB-AJEW [Trj]
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV Ad-Aware: Gen:Variant.Kazy.604861
AV VirusBlokAda (vba32): no_virus
AV F-Secure: Gen:Variant.Kazy.604861

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates File: C:\deausuyhhiwhge\ey98udm8yhz0ebzj.exe
Creates File: C:\deausuyhhiwhge\k1nu6fvmuv3x
Deletes File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates Process: C:\deausuyhhiwhge\ey98udm8yhz0ebzj.exe

Process
↳ C:\deausuyhhiwhge\ey98udm8yhz0ebzj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bus Themes Name Publication Cryptographic ➝ C:\deausuyhhiwhge\xikjfbn.exe
Creates File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates File: C:\deausuyhhiwhge\r7xat1
Creates File: PIPE\lsarpc
Creates File: C:\deausuyhhiwhge\xikjfbn.exe
Creates File: C:\deausuyhhiwhge\k1nu6fvmuv3x
Deletes File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates Process: C:\deausuyhhiwhge\xikjfbn.exe
Creates Service: System Client Windows Peer Networking - C:\deausuyhhiwhge\xikjfbn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\1D5081086E3AB2448450903971F7A-2812FEFD.pf
Creates File: C:\WINDOWS\Prefetch\XIKJFBN.EXE-1F1AD71E.pf
Creates File: C:\WINDOWS\Prefetch\EY98UDM8YHZ0EBZJ.EXE-1F2E8FC3.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\ZVSAPLQBDE.EXE-076336F5.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1316

Process
↳ Pid 1864

Process
↳ Pid 1092

Process
↳ C:\deausuyhhiwhge\xikjfbn.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates File: C:\deausuyhhiwhge\r7xat1
Creates File: C:\deausuyhhiwhge\zvsaplqbde.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\deausuyhhiwhge\sojhqc
Creates File: C:\deausuyhhiwhge\k1nu6fvmuv3x
Deletes File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates Process: tuqramrbtnpy "c:\deausuyhhiwhge\xikjfbn.exe"

Process
↳ C:\deausuyhhiwhge\xikjfbn.exe

Creates File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates File: C:\deausuyhhiwhge\k1nu6fvmuv3x
Deletes File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x

Process
↳ tuqramrbtnpy "c:\deausuyhhiwhge\xikjfbn.exe"

Creates File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x
Creates File: C:\deausuyhhiwhge\k1nu6fvmuv3x
Deletes File: C:\WINDOWS\deausuyhhiwhge\k1nu6fvmuv3x

Network Details:

DNS: englishforest.net, Type: A, 59.188.232.88
DNS: personschool.net, Type: A, 165.160.13.20
DNS: personschool.net, Type: A, 165.160.15.20
DNS: foreignquestion.net, Type: A, 195.22.26.252
DNS: foreignquestion.net, Type: A, 195.22.26.231
DNS: foreignquestion.net, Type: A, 195.22.26.254
DNS: foreignquestion.net, Type: A, 195.22.26.253
DNS: rightschool.net, Type: A, 82.144.197.54
DNS: rightquestion.net, Type: A, 208.91.197.27
DNS: familyschool.net, Type: A, 50.63.202.104
DNS: childrenwhile.net, Type: A, 95.211.230.75
DNS: figurealways.net, Type: A
DNS: thoughalways.net, Type: A
DNS: figureforest.net, Type: A
DNS: thoughforest.net, Type: A
DNS: picturewheat.net, Type: A
DNS: cigarettewheat.net, Type: A
DNS: pictureanger.net, Type: A
DNS: cigaretteanger.net, Type: A
DNS: picturealways.net, Type: A
DNS: cigarettealways.net, Type: A
DNS: pictureforest.net, Type: A
DNS: cigaretteforest.net, Type: A
DNS: childrenwheat.net, Type: A
DNS: familywheat.net, Type: A
DNS: childrenanger.net, Type: A
DNS: familyanger.net, Type: A
DNS: childrenalways.net, Type: A
DNS: familyalways.net, Type: A
DNS: childrenforest.net, Type: A
DNS: familyforest.net, Type: A
DNS: eitherwheat.net, Type: A
DNS: englishwheat.net, Type: A
DNS: eitheranger.net, Type: A
DNS: englishanger.net, Type: A
DNS: eitheralways.net, Type: A
DNS: englishalways.net, Type: A
DNS: eitherforest.net, Type: A
DNS: expectschool.net, Type: A
DNS: becauseschool.net, Type: A
DNS: expectwhile.net, Type: A
DNS: becausewhile.net, Type: A
DNS: expectquestion.net, Type: A
DNS: becausequestion.net, Type: A
DNS: expecttherefore.net, Type: A
DNS: becausetherefore.net, Type: A
DNS: machineschool.net, Type: A
DNS: personwhile.net, Type: A
DNS: machinewhile.net, Type: A
DNS: personquestion.net, Type: A
DNS: machinequestion.net, Type: A
DNS: persontherefore.net, Type: A
DNS: machinetherefore.net, Type: A
DNS: suddenschool.net, Type: A
DNS: foreignschool.net, Type: A
DNS: suddenwhile.net, Type: A
DNS: foreignwhile.net, Type: A
DNS: suddenquestion.net, Type: A
DNS: suddentherefore.net, Type: A
DNS: foreigntherefore.net, Type: A
DNS: whetherschool.net, Type: A
DNS: whetherwhile.net, Type: A
DNS: rightwhile.net, Type: A
DNS: whetherquestion.net, Type: A
DNS: whethertherefore.net, Type: A
DNS: righttherefore.net, Type: A
DNS: figureschool.net, Type: A
DNS: thoughschool.net, Type: A
DNS: figurewhile.net, Type: A
DNS: thoughwhile.net, Type: A
DNS: figurequestion.net, Type: A
DNS: thoughquestion.net, Type: A
DNS: figuretherefore.net, Type: A
DNS: thoughtherefore.net, Type: A
DNS: pictureschool.net, Type: A
DNS: cigaretteschool.net, Type: A
DNS: picturewhile.net, Type: A
DNS: cigarettewhile.net, Type: A
DNS: picturequestion.net, Type: A
DNS: cigarettequestion.net, Type: A
DNS: picturetherefore.net, Type: A
DNS: cigarettetherefore.net, Type: A
DNS: childrenschool.net, Type: A
DNS: familywhile.net, Type: A
DNS: childrenquestion.net, Type: A
DNS: familyquestion.net, Type: A
DNS: childrentherefore.net, Type: A
DNS: familytherefore.net, Type: A
DNS: eitherschool.net, Type: A
HTTP GET: http://englishforest.net/index.php
User-Agent:
HTTP GET: http://personschool.net/index.php
User-Agent:
HTTP GET: http://foreignquestion.net/index.php
User-Agent:
HTTP GET: http://rightschool.net/index.php
User-Agent:
HTTP GET: http://rightquestion.net/index.php
User-Agent:
HTTP GET: http://familyschool.net/index.php
User-Agent:
HTTP GET: http://childrenwhile.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 59.188.232.88:80
Flows TCP: 192.168.1.1:1032 ➝ 165.160.13.20:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1034 ➝ 82.144.197.54:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.104:80
Flows TCP: 192.168.1.1:1037 ➝ 95.211.230.75:80
