Analysis Date: 2016-03-02 12:30:49
MD5: 699c3f8448731eb08ea7fc73ad20ef1a
SHA1: 20fa3ede74520be493a4d006e0c2533ba358f1c9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 4587d6d556b3e251bb6fcdc734cb9430 sha1: 429ab21afad728795b2469e847d3e6bc6f357834 size: 160768
Section .rdata md5: 2fb5d76e6b9f6d3d5e1838cc2a84a8fd sha1: 9a304297213bf20ac19e26cf77b1631da536f818 size: 38400
Section .data  md5: 8c65ba6bb94c869ed8c1e3e1e15d96b0 sha1: ad9e259374fd27353baa8e268a14c016e0967959 size: 6656
Timestamp: 2015-03-13 09:08:50
Packer: Microsoft Visual C++ ?.?
PEhash: 9da19ed97f6810e19b499308199ee5c21d1a2dfc
IMPhash: f1b69b5d2e3b445273f2a76acbfabba7
AV CA (E-Trust Ino): Gen:Variant.Rodecap.1
AV Rising: No Virus
AV Mcafee: Trojan-FEVX!699C3F844873
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Alwil (avast): Kryptik-PDK [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Rodecap.BJ!tr
AV BitDefender: Gen:Variant.Rodecap.1
AV K7: No Virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BI
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Emsisoft: Gen:Variant.Rodecap.1
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.OL4
AV BullGuard: Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.40638
AV F-Secure: Gen:Variant.Rodecap.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\sudpcohvo\mkpvfuuf
Creates File: C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe
Creates File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Deletes File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Creates Process: C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe

Process
↳ C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tools Files Workstation Window List ➝ C:\sudpcohvo\mrqczxdlbg.exe
Creates File: C:\sudpcohvo\mrqczxdlbg.exe
Creates File: C:\sudpcohvo\sydslovn
Creates File: C:\sudpcohvo\mkpvfuuf
Creates File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Deletes File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Creates Process: C:\sudpcohvo\mrqczxdlbg.exe
Creates Service: Wired PC Modules Panel iSCSI - C:\sudpcohvo\mrqczxdlbg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1132

Process
↳ C:\sudpcohvo\mrqczxdlbg.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\sudpcohvo\pfdmrfm.exe
Creates File: C:\sudpcohvo\sydslovn
Creates File: \Device\Afd\Endpoint
Creates File: C:\sudpcohvo\izojpz0
Creates File: C:\sudpcohvo\mkpvfuuf
Creates File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Deletes File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Creates Process: uynwnkhgvyjo "c:\sudpcohvo\mrqczxdlbg.exe"

Process
↳ C:\sudpcohvo\mrqczxdlbg.exe

Creates File: C:\sudpcohvo\mkpvfuuf
Creates File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Deletes File: C:\WINDOWS\sudpcohvo\mkpvfuuf

Process
↳ uynwnkhgvyjo "c:\sudpcohvo\mrqczxdlbg.exe"

Creates File: C:\sudpcohvo\mkpvfuuf
Creates File: C:\WINDOWS\sudpcohvo\mkpvfuuf
Deletes File: C:\WINDOWS\sudpcohvo\mkpvfuuf
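
The runtime events above show a single dropped binary, C:\sudpcohvo\mrqczxdlbg.exe, registered twice for persistence, once as an HKLM Run value ("Tools Files Workstation Window List") and once as a service ("Wired PC Modules Panel iSCSI"), and then relaunched with a random first token (uynwnkhgvyjo) ahead of its quoted path. The Python below is an added example and not part of the sandbox output: it transcribes the persistence-relevant events into a list, links each autostart entry to the process that dropped and launched its image, and collects the host indicators worth hunting for elsewhere. The drop-site heuristic (a binary one level below the drive root, outside the standard Windows trees) and the "->" separator used for the report's arrow are this example's own choices.

```python
import re
from collections import defaultdict

# Runtime events transcribed by hand from the report above as (actor image, event, detail).
# Only the persistence-relevant events are kept; " -> " stands in for the report's arrow.
EVENTS = [
    (r"C:\malware.exe", "CreatesFile", r"C:\sudpcohvo\mkpvfuuf"),
    (r"C:\malware.exe", "CreatesFile", r"C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe"),
    (r"C:\malware.exe", "CreatesProcess", r"C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe"),
    (r"C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tools Files Workstation Window List"
     r" -> C:\sudpcohvo\mrqczxdlbg.exe"),
    (r"C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe", "CreatesFile", r"C:\sudpcohvo\mrqczxdlbg.exe"),
    (r"C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe", "CreatesProcess", r"C:\sudpcohvo\mrqczxdlbg.exe"),
    (r"C:\sudpcohvo\npftm1kgzkmaixjfa8vzc.exe", "CreatesService",
     r"Wired PC Modules Panel iSCSI - C:\sudpcohvo\mrqczxdlbg.exe"),
    (r"C:\sudpcohvo\mrqczxdlbg.exe", "CreatesFile", r"C:\sudpcohvo\pfdmrfm.exe"),
    (r"C:\sudpcohvo\mrqczxdlbg.exe", "CreatesProcess", r'uynwnkhgvyjo "c:\sudpcohvo\mrqczxdlbg.exe"'),
]

# Standard top-level directories; any other directory directly under the drive root is treated as a drop site.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def is_drop_site_path(path):
    """Heuristic (this example's own): the binary sits in exactly one directory below the drive root,
    e.g. C:\\sudpcohvo\\x.exe, and that directory is not one of the standard Windows trees."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+$", path, re.IGNORECASE)
    return bool(m) and m.group(1).lower() not in KNOWN_ROOT_DIRS


def parse_autostart(event, detail):
    """Return (kind, name, image_path) for Run-key and service registrations, else None."""
    if event == "Registry" and "\\CurrentVersion\\Run\\" in detail:
        key, _, target = detail.partition(" -> ")
        return ("run", key.rsplit("\\", 1)[1], target.strip())
    if event == "CreatesService":
        m = re.match(r"^(.*?) - ([a-z]:\\.*)$", detail, re.IGNORECASE)
        if m:
            return ("service", m.group(1), m.group(2))
    return None


def image_from_cmdline(cmdline):
    """Pull the real executable path out of a command line; the report shows the service binary
    relaunched with a random first token before its quoted path."""
    m = re.search(r'([a-z]:\\[^"]+?\.exe)', cmdline, re.IGNORECASE)
    return m.group(1).lower() if m else None


def persistence_chain(events):
    """Link every autostart entry to the processes that dropped and launched its image."""
    dropped_by, launched_by = defaultdict(set), defaultdict(set)
    for actor, ev, detail in events:
        if ev == "CreatesFile" and detail.lower().endswith(".exe"):
            dropped_by[detail.lower()].add(actor)
        elif ev == "CreatesProcess":
            image = image_from_cmdline(detail)
            if image:
                launched_by[image].add(actor)
    findings = []
    for actor, ev, detail in events:
        parsed = parse_autostart(ev, detail)
        if parsed:
            kind, name, image = parsed
            findings.append({
                "kind": kind, "name": name, "image": image, "registered_by": actor,
                "dropped_by": sorted(dropped_by[image.lower()]),
                "launched_by": sorted(launched_by[image.lower()]),
                "drop_site": is_drop_site_path(image),
            })
    return findings


def host_iocs(events):
    """Indicators to hunt for on other hosts: dropped files, their directories, autostart names."""
    iocs = {"files": set(), "dirs": set(), "run_values": set(), "services": set()}
    for _, ev, detail in events:
        if ev == "CreatesFile" and re.match(r"^[a-z]:\\", detail, re.IGNORECASE):
            iocs["files"].add(detail)
            iocs["dirs"].add(detail.rsplit("\\", 1)[0])
        parsed = parse_autostart(ev, detail)
        if parsed:
            iocs["run_values" if parsed[0] == "run" else "services"].add(parsed[1])
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for finding in persistence_chain(EVENTS):
        print(finding)
    print(host_iocs(EVENTS))
```

Both findings resolve to the same image, dropped by the first-stage binary and launched both by it and by itself, which is the relaunch under the random token. The Run value name, service name and directory name are the ones this sandbox run recorded; when hunting on other hosts, the drop-site path check is the part that is likely to carry over, since the names themselves may differ per sample.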

Network Details:

DNS mountainspring.net (A): 81.21.76.62
DNS winterspring.net (A): 199.7.108.140
DNS finishfound.net (A): 195.22.28.198, 195.22.28.199, 195.22.28.196, 195.22.28.197
DNS sweetspring.net (A): 50.63.202.45
DNS sweetsuccess.net (A): 207.148.248.143
DNS materialbanker.net (A): 208.100.26.234
DNS motherairplane.net (A): 195.22.28.198, 195.22.28.199, 195.22.28.196, 195.22.28.197
DNS simpleguard.net (A): 50.63.202.52
DNS mountainguard.net (A): 121.254.178.252
DNS mountainfence.net (A): 97.74.144.6
DNS windowguard.net (A): 207.148.248.143
DNS winterguard.net (A): 146.148.34.125, 54.210.47.225
DNS possiblespring.net (A): no address returned
DNS mountainsuccess.net (A): no address returned
DNS possiblesuccess.net (A): no address returned
DNS mountainbanker.net (A): no address returned
DNS possiblebanker.net (A): no address returned
DNS perhapsfound.net (A): no address returned
DNS windowfound.net (A): no address returned
DNS perhapsspring.net (A): no address returned
DNS windowspring.net (A): no address returned
DNS perhapssuccess.net (A): no address returned
DNS windowsuccess.net (A): no address returned
DNS perhapsbanker.net (A): no address returned
DNS windowbanker.net (A): no address returned
DNS winterfound.net (A): no address returned
DNS subjectfound.net (A): no address returned
DNS subjectspring.net (A): no address returned
DNS wintersuccess.net (A): no address returned
DNS subjectsuccess.net (A): no address returned
DNS winterbanker.net (A): no address returned
DNS subjectbanker.net (A): no address returned
DNS leavefound.net (A): no address returned
DNS finishspring.net (A): no address returned
DNS leavespring.net (A): no address returned
DNS finishsuccess.net (A): no address returned
DNS leavesuccess.net (A): no address returned
DNS finishbanker.net (A): no address returned
DNS leavebanker.net (A): no address returned
DNS sweetfound.net (A): no address returned
DNS probablyfound.net (A): no address returned
DNS probablyspring.net (A): no address returned
DNS probablysuccess.net (A): no address returned
DNS sweetbanker.net (A): no address returned
DNS probablybanker.net (A): no address returned
DNS severalfound.net (A): no address returned
DNS materialfound.net (A): no address returned
DNS severalspring.net (A): no address returned
DNS materialspring.net (A): no address returned
DNS severalsuccess.net (A): no address returned
DNS materialsuccess.net (A): no address returned
DNS severalbanker.net (A): no address returned
DNS severaairplane.net (A): no address returned
DNS laughairplane.net (A): no address returned
DNS severastraight.net (A): no address returned
DNS laughstraight.net (A): no address returned
DNS severaguard.net (A): no address returned
DNS laughguard.net (A): no address returned
DNS severafence.net (A): no address returned
DNS laughfence.net (A): no address returned
DNS simpleairplane.net (A): no address returned
DNS simplestraight.net (A): no address returned
DNS motherstraight.net (A): no address returned
DNS motherguard.net (A): no address returned
DNS simplefence.net (A): no address returned
DNS motherfence.net (A): no address returned
DNS mountainairplane.net (A): no address returned
DNS possibleairplane.net (A): no address returned
DNS mountainstraight.net (A): no address returned
DNS possiblestraight.net (A): no address returned
DNS possibleguard.net (A): no address returned
DNS possiblefence.net (A): no address returned
DNS perhapsairplane.net (A): no address returned
DNS windowairplane.net (A): no address returned
DNS perhapsstraight.net (A): no address returned
DNS windowstraight.net (A): no address returned
DNS perhapsguard.net (A): no address returned
DNS perhapsfence.net (A): no address returned
DNS windowfence.net (A): no address returned
DNS winterairplane.net (A): no address returned
DNS subjectairplane.net (A): no address returned
DNS winterstraight.net (A): no address returned
DNS subjectstraight.net (A): no address returned
DNS subjectguard.net (A): no address returned
DNS winterfence.net (A): no address returned
HTTP GET http://mountainspring.net/index.php?method&len (User-Agent: empty)
HTTP GET http://winterspring.net/index.php?method&len (User-Agent: empty)
HTTP GET http://finishfound.net/index.php?method&len (User-Agent: empty)
HTTP GET http://sweetspring.net/index.php?method&len (User-Agent: empty)
HTTP GET http://sweetsuccess.net/index.php?method&len (User-Agent: empty)
HTTP GET http://materialbanker.net/index.php?method&len (User-Agent: empty)
HTTP GET http://motherairplane.net/index.php?method&len (User-Agent: empty)
HTTP GET http://simpleguard.net/index.php?method&len (User-Agent: empty)
HTTP GET http://mountainguard.net/index.php?method&len (User-Agent: empty)
HTTP GET http://mountainfence.net/index.php?method&len (User-Agent: empty)
HTTP GET http://windowguard.net/index.php?method&len (User-Agent: empty)
HTTP GET http://winterguard.net/index.php?method&len (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 81.21.76.62:80
Flows TCP: 192.168.1.1:1032 ➝ 199.7.108.140:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.45:80
Flows TCP: 192.168.1.1:1035 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1037 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1038 ➝ 50.63.202.52:80
Flows TCP: 192.168.1.1:1039 ➝ 121.254.178.252:80
Flows TCP: 192.168.1.1:1040 ➝ 97.74.144.6:80
Flows TCP: 192.168.1.1:1041 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1042 ➝ 146.148.34.125:80
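
The lookups above have the shape of a dictionary-based domain generation algorithm: every name is two English words glued together under .net, most return no address, and each of the twelve that did resolve was immediately fetched with GET /index.php?method&len and an empty User-Agent. The Python below is an added example, not part of the sandbox report, that detects that combination in resolver and proxy logs: a burst of distinct word-pair domains from one client with mostly negative answers, correlated with GETs whose query string is only bare parameter names and whose User-Agent is empty. The log lines, client addresses, timestamps and NXDOMAIN codes are constructed for the example (the report records only absent answers, not response codes), and the word list is built from the words in this report's domains; a real deployment would use a full dictionary and tuned thresholds.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed resolver log ("ts client qname qtype rcode answer") modelled on the report's lookups.
# Domains and addresses are the report's; timestamps, clients, rcodes and the benign lines are assumed.
DNS_LOG = """\
1456921849 10.0.0.7 mountainspring.net A NOERROR 81.21.76.62
1456921849 10.0.0.7 winterspring.net A NOERROR 199.7.108.140
1456921850 10.0.0.7 finishfound.net A NOERROR 195.22.28.198
1456921850 10.0.0.7 sweetspring.net A NOERROR 50.63.202.45
1456921851 10.0.0.7 possiblespring.net A NXDOMAIN -
1456921851 10.0.0.7 mountainsuccess.net A NXDOMAIN -
1456921852 10.0.0.7 possiblesuccess.net A NXDOMAIN -
1456921852 10.0.0.7 mountainbanker.net A NXDOMAIN -
1456921853 10.0.0.7 possiblebanker.net A NXDOMAIN -
1456921853 10.0.0.7 perhapsfound.net A NXDOMAIN -
1456921854 10.0.0.7 windowfound.net A NXDOMAIN -
1456921854 10.0.0.7 perhapsspring.net A NXDOMAIN -
1456921855 10.0.0.9 www.example.com A NOERROR 192.0.2.10
1456921856 10.0.0.9 sweetsuccess.net A NOERROR 207.148.248.143
"""

# Constructed proxy log ("client method url ua=...") with the report's request shape on the first two lines.
HTTP_LOG = """\
10.0.0.7 GET http://mountainspring.net/index.php?method&len ua=""
10.0.0.7 GET http://winterspring.net/index.php?method&len ua=""
10.0.0.9 GET http://www.example.com/index.php?page=1 ua=""
10.0.0.9 GET http://sweetsuccess.net/index.php?method&len ua="Mozilla/5.0"
"""

# Small dictionary built from the words in this report's domains; a real detector needs a full word list.
WORDS = {"mountain", "winter", "finish", "sweet", "material", "mother", "simple", "window",
         "possible", "perhaps", "subject", "leave", "probably", "several", "laugh",
         "spring", "found", "success", "banker", "airplane", "guard", "fence", "straight"}


def split_two_words(label):
    """Return (w1, w2) if the label is exactly two dictionary words concatenated, else None."""
    for i in range(1, len(label)):
        if label[:i] in WORDS and label[i:] in WORDS:
            return label[:i], label[i:]
    return None


def parse_dns(log):
    """Parse the constructed log into (ts, client, qname, qtype, rcode, answer) tuples."""
    rows = []
    for line in log.splitlines():
        ts, client, qname, qtype, rcode, answer = line.split()
        rows.append((int(ts), client, qname.lower().rstrip("."), qtype, rcode, answer))
    return rows


def dga_clients(rows, window=60, min_domains=8, min_nx_ratio=0.5):
    """Flag clients that, within a sliding window of `window` seconds, query at least `min_domains`
    distinct word-pair domains and get NXDOMAIN for at least `min_nx_ratio` of those queries.
    The thresholds are example values, not tuned numbers."""
    per_client = defaultdict(list)
    for ts, client, qname, qtype, rcode, _ in rows:
        labels = qname.split(".")
        if qtype == "A" and len(labels) == 2 and split_two_words(labels[0]):
            per_client[client].append((ts, qname, rcode))
    alerts = {}
    for client, queries in per_client.items():
        queries.sort()
        start = 0
        for end in range(len(queries)):
            while queries[end][0] - queries[start][0] > window:
                start += 1
            span = queries[start:end + 1]
            domains = {q for _, q, _ in span}
            nx = sum(r == "NXDOMAIN" for _, _, r in span)
            if len(domains) >= min_domains and nx / len(span) >= min_nx_ratio:
                alerts[client] = {"distinct_domains": len(domains), "nxdomain": nx, "queries": len(span)}
    return alerts


def beacon_requests(log):
    """GETs whose query string is only bare parameter names (no '=') sent with an empty User-Agent,
    the shape of the index.php?method&len requests in the report."""
    hits = []
    for line in log.splitlines():
        m = re.match(r'^(\S+) (\S+) (\S+) ua="([^"]*)"$', line)
        if not m:
            continue
        client, method, url, ua = m.groups()
        parts = urlsplit(url)
        bare_query = bool(parts.query) and all("=" not in p for p in parts.query.split("&"))
        if method == "GET" and bare_query and ua == "":
            hits.append((client, parts.hostname, parts.path + "?" + parts.query))
    return hits


def correlate(dns_alerts, http_hits):
    """Clients showing both the lookup burst and the empty-UA beacon, with the hosts they reached."""
    out = defaultdict(set)
    for client, host, _ in http_hits:
        if client in dns_alerts:
            out[client].add(host)
    return {c: sorted(h) for c, h in out.items()}


if __name__ == "__main__":
    alerts = dga_clients(parse_dns(DNS_LOG))
    print(alerts)
    print(correlate(alerts, beacon_requests(HTTP_LOG)))
```

The two signals are deliberately kept separate before correlation: a word-pair lookup burst alone also matches some CDNs and ad networks, and an empty User-Agent alone matches plenty of scripted tooling, but a client that does both within a minute is a strong lead. The hosts returned by `correlate` are the ones to block or sinkhole first, since they are the generated names that actually resolved during the run.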
