Analysis Date: 2016-04-19 07:20:38
MD5: ecf54a869539fa237c090552d087bc36
SHA1: 25da84334d7f7c36c3868b01fc32fd8c634f1e5e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2ce13bf835438c7dfb4a2193bed126ef sha1: f3009b94991ed04bce9e8c7b9cf8688a16dc38ec size: 264704
Section .rdata: md5: a8093dcfbdc30afc4ff4ec828ea16002 sha1: 4cd7b047906beed6595a4a4cc58c7a81be7b45d9 size: 40448
Section .data: md5: 2f5f496cae9a7ff2ce283e5d240451f7 sha1: 18d6aff8092a7a6b18bbd180e057e81fd44cbfc4 size: 1536
Section .reloc: md5: 9bdac731fce41ef28d1e9e3ff1e3dde3 sha1: 33a660fe00745dd54f9bd7bda4a4e4df2d720b4a size: 51712
Timestamp: 2015-12-23 05:01:32
Packer: Borland Delphi 3.0 (???)
PEhash: 0220cbc8ee3eedd62ad8fadaf28f0efa1432cf5e
IMPhash: 3c6a0d85360f2f668c2d2beb26fd5bf6
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV F-Secure: Gen:Variant.Razy.11545
AV Dr. Web: Trojan.DownLoader18.21478
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV BullGuard: Gen:Variant.Razy.11545
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Msgfake
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.11545
AV Ikarus: PUA.ConvertAd
AV Frisk (f-prot): W32/Nivdort.F.gen!Eldorado
AV Authentium: W32/Nivdort.F.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV K7: Trojan ( 004db0c61 )
AV BitDefender: Gen:Variant.Razy.11545
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Win32/Heur
AV Eset (nod32): Win32/Bayrob.AQ
AV Alwil (avast): Win32:Malware-gen
AV Alwil (avast): Malware-gen
AV Ad-Aware: Gen:Variant.Razy.11545
AV Twister: No Virus
AV Avira (antivir): No Virus
AV Mcafee: Trojan-FHPD!ECF54A869539
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ytkznrncgmrooe\tuktu12oqgclpjnqtofjff.exe
Creates File: C:\ytkznrncgmrooe\b2poz35
Creates File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Deletes File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Creates Process: C:\ytkznrncgmrooe\tuktu12oqgclpjnqtofjff.exe

Process
↳ C:\ytkznrncgmrooe\tuktu12oqgclpjnqtofjff.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Isolation Redirector Group Color Resolution ➝ C:\ytkznrncgmrooe\wuopzgnatc.exe
Creates File: C:\ytkznrncgmrooe\wuopzgnatc.exe
Creates File: C:\ytkznrncgmrooe\b2poz35
Creates File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Creates File: PIPE\lsarpc
Creates File: C:\ytkznrncgmrooe\dox5wwndbp
Deletes File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Creates Process: C:\ytkznrncgmrooe\wuopzgnatc.exe
Creates Service: Notification COM Protected Call - C:\ytkznrncgmrooe\wuopzgnatc.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝ 192.168.254.254\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝ 192.168.254.254\\x00
Creates File: NDIS
Creates File: C:\WINDOWS\Prefetch\WUOPZGNATC.EXE-01053EAF.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\TDFDDONRVOEL.EXE-12D79A4A.pf
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1120

Process
↳ Pid 1204

Process
↳ Pid 1312

Process
↳ Pid 1856

Process
↳ Pid 1616

Process
↳ C:\ytkznrncgmrooe\wuopzgnatc.exe

Creates File: C:\ytkznrncgmrooe\duk1u0vg5nq
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ytkznrncgmrooe\b2poz35
Creates File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Creates File: C:\ytkznrncgmrooe\tdfddonrvoel.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\ytkznrncgmrooe\dox5wwndbp
Deletes File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Creates Process: tgbbyujc4qs3 "c:\ytkznrncgmrooe\wuopzgnatc.exe"

Process
↳ C:\ytkznrncgmrooe\wuopzgnatc.exe

Creates File: C:\ytkznrncgmrooe\b2poz35
Creates File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Deletes File: C:\WINDOWS\ytkznrncgmrooe\b2poz35

Process
↳ tgbbyujc4qs3 "c:\ytkznrncgmrooe\wuopzgnatc.exe"

Creates File: C:\ytkznrncgmrooe\b2poz35
Creates File: C:\WINDOWS\ytkznrncgmrooe\b2poz35
Deletes File: C:\WINDOWS\ytkznrncgmrooe\b2poz35

Network Details:
