Analysis Date: 2016-02-02 15:06:57
MD5: a57e8e1b64a41aaa1da33313e6333c3f
SHA1: 2864a733a564e90b680c9b4df7845f8e92500f9e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3e3462713c619c55ad96eff3a2d1cba7 sha1: 6bd29a2ebc2e2e356033ab2212a01803cdf31491 size: 532480
Section .rdata: md5: c312b8a7467ad1e7922c04d203410e3b sha1: baa7932ca11c33398a191c81d1af411ce593f043 size: 26112
Section .data: md5: cacc39957bae5cca1a7ccb73b090c9ec sha1: c00c2b0e1788d9d306d3dc1ae10d1b2c84fcada2 size: 20992
Section .reloc: md5: 609654e5c66a1b895c665eaba67d53ef sha1: 6b5b2cb23eda5ba81b98a275e41e2c8e2de3c7ee size: 39424
Timestamp: 2014-05-27 09:32:18
Packer: Microsoft Visual C++ 8
PEhash: 97d453828354c7b4e8f82b367691d780fb6d0a34
IMPhash: 8b8339b7719dc84085d338077e6fe88e
AV Rising: No Virus
AV McAfee: Trojan-FHSQ!A57E8E1B64A4
AV Avira (antivir): TR/Taranis.2125
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.AHQG
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: No Virus
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\tfwusxpnn\ssc1jq2aqjlnujfsni.exe
Creates File: C:\tfwusxpnn\cbmxv5
Creates File: C:\WINDOWS\tfwusxpnn\cbmxv5
Deletes File: C:\WINDOWS\tfwusxpnn\cbmxv5
Creates Process: C:\tfwusxpnn\ssc1jq2aqjlnujfsni.exe

Process
↳ C:\tfwusxpnn\ssc1jq2aqjlnujfsni.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Function Class Disk Play Mapper ➝ C:\tfwusxpnn\gbxxuxapdnw.exe
Creates File: C:\tfwusxpnn\gbxxuxapdnw.exe
Creates File: PIPE\lsarpc
Creates File: C:\tfwusxpnn\slm3zlz
Creates File: C:\tfwusxpnn\cbmxv5
Creates File: C:\WINDOWS\tfwusxpnn\cbmxv5
Deletes File: C:\WINDOWS\tfwusxpnn\cbmxv5
Creates Process: C:\tfwusxpnn\gbxxuxapdnw.exe
Creates Service: Upgrade Management WinHTTP Connections Human - C:\tfwusxpnn\gbxxuxapdnw.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1840

Process
↳ Pid 1092

Process
↳ C:\tfwusxpnn\gbxxuxapdnw.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\tfwusxpnn\slm3zlz
Creates File: C:\tfwusxpnn\cbmxv5
Creates File: C:\WINDOWS\tfwusxpnn\cbmxv5
Creates File: \Device\Afd\Endpoint
Creates File: C:\tfwusxpnn\cu5lwbe0s
Creates File: C:\tfwusxpnn\xkhihuvcydlv.exe
Deletes File: C:\WINDOWS\tfwusxpnn\cbmxv5
Creates Process: drlpzyvxlh0h "c:\tfwusxpnn\gbxxuxapdnw.exe"

Process
↳ C:\tfwusxpnn\gbxxuxapdnw.exe

Creates File: C:\tfwusxpnn\cbmxv5
Creates File: C:\WINDOWS\tfwusxpnn\cbmxv5
Deletes File: C:\WINDOWS\tfwusxpnn\cbmxv5

Process
↳ drlpzyvxlh0h "c:\tfwusxpnn\gbxxuxapdnw.exe"

Creates File: C:\tfwusxpnn\cbmxv5
Creates File: C:\WINDOWS\tfwusxpnn\cbmxv5
Deletes File: C:\WINDOWS\tfwusxpnn\cbmxv5

Network Details:

DNS: beginbelieve.net (Type: A) ➝ 195.22.28.198
DNS: beginbelieve.net (Type: A) ➝ 195.22.28.199
DNS: beginbelieve.net (Type: A) ➝ 195.22.28.196
DNS: beginbelieve.net (Type: A) ➝ 195.22.28.197
DNS: crowdbranch.net (Type: A) ➝ 98.139.135.129
DNS: summerbelieve.net (Type: A) ➝ 208.100.26.234
DNS: summerquarter.net (Type: A) ➝ 46.30.212.27
DNS: membersystem.net (Type: A) ➝ 85.13.128.193
DNS: followtrust.net (Type: A) ➝ 68.178.232.100
DNS: thoughtsystem.net (Type: A) ➝ 213.171.195.105
DNS: watersystem.net (Type: A) ➝ 199.59.243.120
DNS: watertrust.net (Type: A) ➝ 208.91.197.27
DNS: smokesystem.net (Type: A) ➝ 208.100.26.234
DNS: smoketrust.net (Type: A) ➝ 98.139.135.129
DNS: partysystem.net (Type: A) ➝ 82.165.73.79
DNS: crowdfriend.net (Type: A) ➝ 50.63.202.48
DNS: waterfriend.net (Type: A) ➝ 69.64.147.242
DNS: alreadyreceive.net (Type: A)
DNS: gentlemanquarter.net (Type: A)
DNS: alreadyquarter.net (Type: A)
DNS: followbranch.net (Type: A)
DNS: memberbranch.net (Type: A)
DNS: followbelieve.net (Type: A)
DNS: memberbelieve.net (Type: A)
DNS: followreceive.net (Type: A)
DNS: memberreceive.net (Type: A)
DNS: followquarter.net (Type: A)
DNS: memberquarter.net (Type: A)
DNS: beginbranch.net (Type: A)
DNS: knownbranch.net (Type: A)
DNS: knownbelieve.net (Type: A)
DNS: beginreceive.net (Type: A)
DNS: knownreceive.net (Type: A)
DNS: beginquarter.net (Type: A)
DNS: knownquarter.net (Type: A)
DNS: summerbranch.net (Type: A)
DNS: crowdbelieve.net (Type: A)
DNS: summerreceive.net (Type: A)
DNS: crowdreceive.net (Type: A)
DNS: crowdquarter.net (Type: A)
DNS: thoughtbranch.net (Type: A)
DNS: waterbranch.net (Type: A)
DNS: thoughtbelieve.net (Type: A)
DNS: waterbelieve.net (Type: A)
DNS: thoughtreceive.net (Type: A)
DNS: waterreceive.net (Type: A)
DNS: thoughtquarter.net (Type: A)
DNS: waterquarter.net (Type: A)
DNS: womanbranch.net (Type: A)
DNS: smokebranch.net (Type: A)
DNS: womanbelieve.net (Type: A)
DNS: smokebelieve.net (Type: A)
DNS: womanreceive.net (Type: A)
DNS: smokereceive.net (Type: A)
DNS: womanquarter.net (Type: A)
DNS: smokequarter.net (Type: A)
DNS: partybranch.net (Type: A)
DNS: fightbranch.net (Type: A)
DNS: partybelieve.net (Type: A)
DNS: fightbelieve.net (Type: A)
DNS: partyreceive.net (Type: A)
DNS: fightreceive.net (Type: A)
DNS: partyquarter.net (Type: A)
DNS: fightquarter.net (Type: A)
DNS: freshhonor.net (Type: A)
DNS: experiencehonor.net (Type: A)
DNS: freshneither.net (Type: A)
DNS: experienceneither.net (Type: A)
DNS: freshsystem.net (Type: A)
DNS: experiencesystem.net (Type: A)
DNS: freshtrust.net (Type: A)
DNS: experiencetrust.net (Type: A)
DNS: gentlemanhonor.net (Type: A)
DNS: alreadyhonor.net (Type: A)
DNS: gentlemanneither.net (Type: A)
DNS: alreadyneither.net (Type: A)
DNS: gentlemansystem.net (Type: A)
DNS: alreadysystem.net (Type: A)
DNS: gentlemantrust.net (Type: A)
DNS: alreadytrust.net (Type: A)
DNS: followhonor.net (Type: A)
DNS: memberhonor.net (Type: A)
DNS: followneither.net (Type: A)
DNS: memberneither.net (Type: A)
DNS: followsystem.net (Type: A)
DNS: membertrust.net (Type: A)
DNS: beginhonor.net (Type: A)
DNS: knownhonor.net (Type: A)
DNS: beginneither.net (Type: A)
DNS: knownneither.net (Type: A)
DNS: beginsystem.net (Type: A)
DNS: knownsystem.net (Type: A)
DNS: begintrust.net (Type: A)
DNS: knowntrust.net (Type: A)
DNS: summerhonor.net (Type: A)
DNS: crowdhonor.net (Type: A)
DNS: summerneither.net (Type: A)
DNS: crowdneither.net (Type: A)
DNS: summersystem.net (Type: A)
DNS: crowdsystem.net (Type: A)
DNS: summertrust.net (Type: A)
DNS: crowdtrust.net (Type: A)
DNS: thoughthonor.net (Type: A)
DNS: waterhonor.net (Type: A)
DNS: thoughtneither.net (Type: A)
DNS: waterneither.net (Type: A)
DNS: thoughttrust.net (Type: A)
DNS: womanhonor.net (Type: A)
DNS: smokehonor.net (Type: A)
DNS: womanneither.net (Type: A)
DNS: smokeneither.net (Type: A)
DNS: womansystem.net (Type: A)
DNS: womantrust.net (Type: A)
DNS: partyhonor.net (Type: A)
DNS: fighthonor.net (Type: A)
DNS: partyneither.net (Type: A)
DNS: fightneither.net (Type: A)
DNS: fightsystem.net (Type: A)
DNS: partytrust.net (Type: A)
DNS: fighttrust.net (Type: A)
DNS: freshlaughter.net (Type: A)
DNS: experiencelaughter.net (Type: A)
DNS: freshfancy.net (Type: A)
DNS: experiencefancy.net (Type: A)
DNS: freshconsider.net (Type: A)
DNS: experienceconsider.net (Type: A)
DNS: freshfriend.net (Type: A)
DNS: experiencefriend.net (Type: A)
DNS: gentlemanlaughter.net (Type: A)
DNS: alreadylaughter.net (Type: A)
DNS: gentlemanfancy.net (Type: A)
DNS: alreadyfancy.net (Type: A)
DNS: gentlemanconsider.net (Type: A)
DNS: alreadyconsider.net (Type: A)
DNS: gentlemanfriend.net (Type: A)
DNS: alreadyfriend.net (Type: A)
DNS: followlaughter.net (Type: A)
DNS: memberlaughter.net (Type: A)
DNS: followfancy.net (Type: A)
DNS: memberfancy.net (Type: A)
DNS: followconsider.net (Type: A)
DNS: memberconsider.net (Type: A)
DNS: followfriend.net (Type: A)
DNS: memberfriend.net (Type: A)
DNS: beginlaughter.net (Type: A)
DNS: knownlaughter.net (Type: A)
DNS: beginfancy.net (Type: A)
DNS: knownfancy.net (Type: A)
DNS: beginconsider.net (Type: A)
DNS: knownconsider.net (Type: A)
DNS: beginfriend.net (Type: A)
DNS: knownfriend.net (Type: A)
DNS: summerlaughter.net (Type: A)
DNS: crowdlaughter.net (Type: A)
DNS: summerfancy.net (Type: A)
DNS: crowdfancy.net (Type: A)
DNS: summerconsider.net (Type: A)
DNS: crowdconsider.net (Type: A)
DNS: summerfriend.net (Type: A)
DNS: thoughtlaughter.net (Type: A)
DNS: waterlaughter.net (Type: A)
DNS: thoughtfancy.net (Type: A)
DNS: waterfancy.net (Type: A)
DNS: thoughtconsider.net (Type: A)
DNS: waterconsider.net (Type: A)
DNS: thoughtfriend.net (Type: A)
DNS: womanlaughter.net (Type: A)
DNS: smokelaughter.net (Type: A)
DNS: womanfancy.net (Type: A)
DNS: smokefancy.net (Type: A)
DNS: womanconsider.net (Type: A)
DNS: smokeconsider.net (Type: A)
DNS: womanfriend.net (Type: A)
HTTP GET: http://beginbelieve.net/index.php
User-Agent:
HTTP GET: http://crowdbranch.net/index.php
User-Agent:
HTTP GET: http://summerbelieve.net/index.php
User-Agent:
HTTP GET: http://summerquarter.net/index.php
User-Agent:
HTTP GET: http://membersystem.net/index.php
User-Agent:
HTTP GET: http://followtrust.net/index.php
User-Agent:
HTTP GET: http://thoughtsystem.net/index.php
User-Agent:
HTTP GET: http://watersystem.net/index.php
User-Agent:
HTTP GET: http://watertrust.net/index.php
User-Agent:
HTTP GET: http://smokesystem.net/index.php
User-Agent:
HTTP GET: http://smoketrust.net/index.php
User-Agent:
HTTP GET: http://partysystem.net/index.php
User-Agent:
HTTP GET: http://crowdfriend.net/index.php
User-Agent:
HTTP GET: http://waterfriend.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1032 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 46.30.212.27:80
Flows TCP: 192.168.1.1:1035 ➝ 85.13.128.193:80
Flows TCP: 192.168.1.1:1036 ➝ 68.178.232.100:80
Flows TCP: 192.168.1.1:1037 ➝ 213.171.195.105:80
Flows TCP: 192.168.1.1:1038 ➝ 199.59.243.120:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 82.165.73.79:80
Flows TCP: 192.168.1.1:1043 ➝ 50.63.202.48:80
Flows TCP: 192.168.1.1:1044 ➝ 69.64.147.242:80