Field | Value
---|---
Analysis Date | 2015-07-24 09:06:12
MD5 | 13acf76bb8996b7bf70d0f4d37b28162
SHA1 | 1e3a2c935b2411eeb2c5c0d8e71c9db362bb9b06
Static Details:
Field | Value
---|---
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Timestamp | 2015-05-11 06:51:08
Packer | Microsoft Visual C++ 8
PEhash | 9b665f8de04273f0785925e21a87ca422a3f6613
IMPhash | c1d806b69fb8edae866407d13953eef9

Section | MD5 | SHA1 | Size
---|---|---|---
.text | ab7704257be7f6a84da3c45c04a24ace | 7215ae2b477619b24a81499c7a09cf2059add0ab | 324608
.rdata | 524a252cba00d7802cc134d8d4a2cc24 | a76242d681be3d90de264a77bf6a8ebea22d8dcb | 60416
.data | e119f336c187efd784bfaeaf675547d4 | 330596bf97660382266458732172d91672f53a74 | 7680
.reloc | 15fcfdeb3990871ed9f8b9dc5b9ddb7c | 9aaa4f0934d2b60fd97442f37d24dc54ae5a867b | 27136

AV Vendor | Detection
---|---
Alwil (avast) | Malware-gen:Win32:Malware-gen
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AL
Mcafee | PWS-FCCE!13ACF76BB899
Ad-Aware | Gen:Variant.Kazy.611009
K7 | Trojan ( 004c3a4d1 )
Frisk (f-prot) | no_virus
Fortinet | W32/Bayrob.T!tr
Avira (antivir) | TR/Spy.ZBot.xbbeomq
Dr. Web | Trojan.Bayrob.1
CA (E-Trust Ino) | no_virus
Symantec | Downloader.Upatre!g15
VirusBlokAda (vba32) | no_virus
Kaspersky | Trojan.Win32.Generic
Ikarus | Trojan.Win32.Bayrob
MicroWorld (escan) | Gen:Variant.Kazy.611009
BitDefender | Gen:Variant.Kazy.611009
Eset (nod32) | Win32/Bayrob.V.gen
Twister | Trojan.Scar.jhtp.aceu
Authentium | W32/Nivdort.B.gen!Eldorado
ClamAV | no_virus
Arcabit (arcavir) | Gen:Variant.Kazy.611009
Rising | Trojan.Win32.Bayrod.b
CAT (quickheal) | TrojanSpy.Nivdort.OD4
Grisoft (avg) | Win32/Cryptor
BullGuard | Gen:Variant.Kazy.611009
Padvish | no_virus
Trend Micro | TROJ_BAYROB.SM0
Zillya! | Trojan.Scar.Win32.92017
Emsisoft | Gen:Variant.Kazy.611009
F-Secure | Gen:Variant.Kazy.611009
MalwareBytes | Trojan.Agent.KVTGen
Runtime Details:
Process
↳ C:\malware.exe
Action | Target
---|---
Creates File | C:\yihhfguel\fxx3votra
Creates File | C:\WINDOWS\yihhfguel\fxx3votra
Creates File | C:\yihhfguel\skibd1k02tacem5smaxx.exe
Deletes File | C:\WINDOWS\yihhfguel\fxx3votra
Creates Process | C:\yihhfguel\skibd1k02tacem5smaxx.exe
Process
↳ C:\yihhfguel\skibd1k02tacem5smaxx.exe
Action | Target
---|---
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adaptive Locator Color File Upgrade ➝ C:\yihhfguel\ozkzbak.exe
Creates File | C:\yihhfguel\ozkzbak.exe
Creates File | PIPE\lsarpc
Creates File | C:\yihhfguel\fxx3votra
Creates File | C:\WINDOWS\yihhfguel\fxx3votra
Creates File | C:\yihhfguel\qiyydyo
Deletes File | C:\WINDOWS\yihhfguel\fxx3votra
Creates Process | C:\yihhfguel\ozkzbak.exe
Creates Service | UPnP Config Experience Microsoft - C:\yihhfguel\ozkzbak.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Action | Target
---|---
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1852
Process
↳ Pid 1128
Process
↳ C:\yihhfguel\ozkzbak.exe
Action | Target
---|---
Creates File | pipe\net\NtControlPipe10
Creates File | C:\yihhfguel\wvmdmhixxb
Creates File | C:\yihhfguel\whirmqmovnu.exe
Creates File | C:\yihhfguel\fxx3votra
Creates File | C:\WINDOWS\yihhfguel\fxx3votra
Creates File | \Device\Afd\Endpoint
Creates File | C:\yihhfguel\qiyydyo
Deletes File | C:\WINDOWS\yihhfguel\fxx3votra
Creates Process | tdvrhecdbpb3 "c:\yihhfguel\ozkzbak.exe"
Process
↳ C:\yihhfguel\ozkzbak.exe
Action | Target
---|---
Creates File | C:\yihhfguel\fxx3votra
Creates File | C:\WINDOWS\yihhfguel\fxx3votra
Deletes File | C:\WINDOWS\yihhfguel\fxx3votra
Process
↳ tdvrhecdbpb3 "c:\yihhfguel\ozkzbak.exe"
Action | Target
---|---
Creates File | C:\yihhfguel\fxx3votra
Creates File | C:\WINDOWS\yihhfguel\fxx3votra
Deletes File | C:\WINDOWS\yihhfguel\fxx3votra
Network Details:
DNS Query | Type | Answer
---|---|---
crowdfriend.net | A | 50.63.202.48
waterfriend.net | A | 69.64.147.242
womanfriend.net | A | 218.30.21.59
partyfriend.net | A | 89.31.143.7
experiencesafety.net | A | 72.21.91.60
freshfuture.net | A | 66.39.68.24
beginearly.net | A | 95.211.230.75
knownfuture.net | A | 94.127.112.92
knownfuture.net | A | 94.127.112.93
crowdfuture.net | A | 5.9.118.41
watersafety.net | A | 217.160.52.166
waterfuture.net | A | 184.168.221.9
knownconsider.net | A |
beginfriend.net | A |
knownfriend.net | A |
summerlaughter.net | A |
crowdlaughter.net | A |
summerfancy.net | A |
crowdfancy.net | A |
summerconsider.net | A |
crowdconsider.net | A |
summerfriend.net | A |
thoughtlaughter.net | A |
waterlaughter.net | A |
thoughtfancy.net | A |
waterfancy.net | A |
thoughtconsider.net | A |
waterconsider.net | A |
thoughtfriend.net | A |
womanlaughter.net | A |
smokelaughter.net | A |
womanfancy.net | A |
smokefancy.net | A |
womanconsider.net | A |
smokeconsider.net | A |
smokefriend.net | A |
partylaughter.net | A |
fightlaughter.net | A |
partyfancy.net | A |
fightfancy.net | A |
partyconsider.net | A |
fightconsider.net | A |
fightfriend.net | A |
freshsmell.net | A |
experiencesmell.net | A |
freshearly.net | A |
experienceearly.net | A |
freshsafety.net | A |
experiencefuture.net | A |
gentlemansmell.net | A |
alreadysmell.net | A |
gentlemanearly.net | A |
alreadyearly.net | A |
gentlemansafety.net | A |
alreadysafety.net | A |
gentlemanfuture.net | A |
alreadyfuture.net | A |
followsmell.net | A |
membersmell.net | A |
followearly.net | A |
memberearly.net | A |
followsafety.net | A |
membersafety.net | A |
followfuture.net | A |
memberfuture.net | A |
beginsmell.net | A |
knownsmell.net | A |
knownearly.net | A |
beginsafety.net | A |
knownsafety.net | A |
beginfuture.net | A |
summersmell.net | A |
crowdsmell.net | A |
summerearly.net | A |
crowdearly.net | A |
summersafety.net | A |
crowdsafety.net | A |
summerfuture.net | A |
thoughtsmell.net | A |
watersmell.net | A |
thoughtearly.net | A |
waterearly.net | A |
thoughtsafety.net | A |
thoughtfuture.net | A |
womansmell.net | A |
smokesmell.net | A |

HTTP Request | URL | User-Agent
---|---|---
GET | http://crowdfriend.net/index.php |
GET | http://waterfriend.net/index.php |
GET | http://womanfriend.net/index.php |
GET | http://partyfriend.net/index.php |
GET | http://experiencesafety.net/index.php |
GET | http://freshfuture.net/index.php |
GET | http://beginearly.net/index.php |
GET | http://knownfuture.net/index.php |
GET | http://crowdfuture.net/index.php |
GET | http://watersafety.net/index.php |
GET | http://waterfuture.net/index.php |

Flow | Source | Destination
---|---|---
TCP | 192.168.1.1:1031 | 50.63.202.48:80
TCP | 192.168.1.1:1032 | 69.64.147.242:80
TCP | 192.168.1.1:1033 | 218.30.21.59:80
TCP | 192.168.1.1:1034 | 89.31.143.7:80
TCP | 192.168.1.1:1035 | 72.21.91.60:80
TCP | 192.168.1.1:1036 | 66.39.68.24:80
TCP | 192.168.1.1:1037 | 95.211.230.75:80
TCP | 192.168.1.1:1038 | 94.127.112.92:80
TCP | 192.168.1.1:1039 | 5.9.118.41:80
TCP | 192.168.1.1:1040 | 217.160.52.166:80
TCP | 192.168.1.1:1041 | 184.168.221.9:80
Raw Pcap
Strings