Analysis Date: 2016-04-16 04:30:58
MD5: 9926f9b503117a1d83ea0ceaeb407310
SHA1: 1f869a7027bc8086b96b5caa68c44db18f4da369

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b67fd93af40fba1b82cb3c8e11b72e43 sha1: d81868a9075be9a3cf354b7163e8356cf6eca272 size: 197632
Section .rdata: md5: 8d19daa1ac2dc56a78b411cfe38422c1 sha1: aa0df2f9fbbeab52f84b56a2cdd8f3c2900de314 size: 2560
Section .data: md5: 8a9bd6e1534df9f2776497c55f3d72ed sha1: 9acb7cebda4666ce86343b1cff8a7056213904e5 size: 15872
Section .reloc: md5: b104f7b2653ec2a12fbc53fdacf95fa0 sha1: abab6c586338ef0c94c3c431701fb6ceef9e4050 size: 30720
Timestamp: 2014-03-10 08:25:15
PEhash: b550ef03b50f525ece81bc8b1a89e78a32385b5d
IMPhash: 3246a4034ca28378b5b16192ce1e6290
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.18137
AV F-Secure: Gen:Variant.Razy.18137
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.18137
AV BullGuard: Gen:Variant.Razy.18137
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.18137
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.H.gen!Eldorado
AV Authentium: W32/Nivdort.H.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.18137
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.18137
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Generic37.AUDS
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Vupa [Cryp]
AV Ad-Aware: Gen:Variant.Razy.18137
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.kzrc
AV Mcafee: Trojan-FHRG!9926F9B50311

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates File: C:\fsbfenqp\tgsyjhw
Creates File: C:\fsbfenqp\nu1kzngiyvas9sz.exe
Deletes File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates Process: C:\fsbfenqp\nu1kzngiyvas9sz.exe

Process
↳ C:\fsbfenqp\nu1kzngiyvas9sz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reports Machine Authentication ➝ C:\fsbfenqp\zzubltrgrml.exe
Creates File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates File: C:\fsbfenqp\buhc6nvw
Creates File: C:\fsbfenqp\tgsyjhw
Creates File: C:\fsbfenqp\zzubltrgrml.exe
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates Process: C:\fsbfenqp\zzubltrgrml.exe
Creates Service: Office Transaction Profile Initiator - C:\fsbfenqp\zzubltrgrml.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: PIPE\lsarpc

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1132

Process
↳ C:\fsbfenqp\zzubltrgrml.exe

Creates File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates File: pipe\net\NtControlPipe10
Creates File: C:\fsbfenqp\buhc6nvw
Creates File: C:\fsbfenqp\tgsyjhw
Creates File: C:\fsbfenqp\aux4lzi8raoa
Creates File: C:\fsbfenqp\flciewth.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates Process: lgsta3cpaths "c:\fsbfenqp\zzubltrgrml.exe"

Process
↳ C:\fsbfenqp\zzubltrgrml.exe

Creates File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates File: C:\fsbfenqp\tgsyjhw
Deletes File: C:\WINDOWS\fsbfenqp\tgsyjhw

Process
↳ lgsta3cpaths "c:\fsbfenqp\zzubltrgrml.exe"

Creates File: C:\WINDOWS\fsbfenqp\tgsyjhw
Creates File: C:\fsbfenqp\tgsyjhw
Deletes File: C:\WINDOWS\fsbfenqp\tgsyjhw

Network Details:

