Analysis Date: 2015-07-28 23:14:40
MD5: e16b5f6f24f0d9f7f71aa959d533956b
SHA1: 2a0575da5bffdc55ff1ccdf3af38c837bbced342

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 670a4ee2dfe3047680c01b8f44ae3f80  sha1: 86daa2be38f617d469d179e5d8a5cf0e08e8ab51  size: 200192
Section .rdata  md5: 0a8d0c5adaf3819be0f0a3fa40fba304  sha1: 27647e16d1a2f017f44039b1bcb6edc6566ded90  size: 53248
Section .data   md5: 6564a90dc0e9a4f5578a105dd112c6f8  sha1: 2dd870285275fd997d64ff085d9baf9682c2e8c3  size: 7168
Section .reloc  md5: f43c5e9533edcf56f24ec60d660f32a5  sha1: e1c8929dc3f8eabb45c7d050a09e9c80fb7c6d60  size: 14848
Timestamp: 2015-04-29 19:04:12
Packer: Microsoft Visual C++ 8 (a compiler signature, not a packer)
PEhash: 7ecb20e912faed36b0e76ead4a90708e06691e15
IMPhash: 7b6f63d280c342e9bf48f09d4698c9c1
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: Trojan.Win32.Scar.jcjz
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!E16B5F6F24F0

25 of the 31 engines flag the file. Rising (as "Bayrod"), Dr. Web, Quick Heal, Trend Micro, Ikarus, Microsoft and ESET name it Bayrob/Nivdort; the remaining hits are generic or heuristic labels (Kazy, Scar, Kryptik, Cryptor), with Symantec alone naming a different family (Upatre).

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\vjwvrunlb\vija6cmfbnmw
Creates File: C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe
Creates File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
Deletes File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
Creates Process: C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe

Process
↳ C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Peer Fax Location Launcher Identity ➝ C:\vjwvrunlb\gbghrofdvln.exe
Creates File: C:\vjwvrunlb\vjkgsxisa
Creates File: PIPE\lsarpc
Creates File: C:\vjwvrunlb\vija6cmfbnmw
Creates File: C:\vjwvrunlb\gbghrofdvln.exe
Creates File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
Deletes File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
Creates Process: C:\vjwvrunlb\gbghrofdvln.exe

Process
↳ C:\vjwvrunlb\gbghrofdvln.exe

Creates File: C:\vjwvrunlb\laqppys
Creates File: C:\vjwvrunlb\vjkgsxisa
Creates File: C:\vjwvrunlb\cofwivjmnh.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\vjwvrunlb\vija6cmfbnmw
Creates File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
Deletes File: C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe
Deletes File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
Creates Process: tb8dgaflzhda "c:\vjwvrunlb\gbghrofdvln.exe"

Process
↳ tb8dgaflzhda "c:\vjwvrunlb\gbghrofdvln.exe"

Creates File: C:\vjwvrunlb\vija6cmfbnmw
Creates File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
Deletes File: C:\WINDOWS\vjwvrunlb\vija6cmfbnmw
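The process tree above is a three-stage drop-and-execute chain: each stage writes the next binary into C:\vjwvrunlb\, runs it, and the last stage deletes the one that spawned it while a Run value points at the survivor. The triage below is an added example, not part of the original report and not the sandbox's own logic: the event triples are copied from the four process blocks above, while the rule names, the TRUSTED_DIRS list and the helper names (image_of, triage) are assumptions made for illustration.

```python
"""Triage rules run over the sandbox process events listed above (added example)."""
from collections import defaultdict

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption for this example: where a legitimate autorun target normally lives.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
AFD_ENDPOINT = r"\device\afd\endpoint"   # Winsock socket handle, as the sandbox logs it

# (process, action, target) triples copied from the report's Runtime Details.
# The Run-key event is written as one "key -> value" string.
EVENTS = [
    (r"C:\malware.exe", "Creates File", r"C:\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\malware.exe", "Creates File", r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe"),
    (r"C:\malware.exe", "Creates File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\malware.exe", "Deletes File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\malware.exe", "Creates Process", r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Peer Fax Location Launcher Identity"
     r" -> C:\vjwvrunlb\gbghrofdvln.exe"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Creates File", r"C:\vjwvrunlb\vjkgsxisa"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Creates File", r"PIPE\lsarpc"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Creates File", r"C:\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Creates File", r"C:\vjwvrunlb\gbghrofdvln.exe"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Creates File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Deletes File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe", "Creates Process", r"C:\vjwvrunlb\gbghrofdvln.exe"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates File", r"C:\vjwvrunlb\laqppys"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates File", r"C:\vjwvrunlb\vjkgsxisa"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates File", r"C:\vjwvrunlb\cofwivjmnh.exe"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates File", r"PIPE\lsarpc"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates File", r"\Device\Afd\Endpoint"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates File", r"C:\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Deletes File", r"C:\vjwvrunlb\bhckz1md4ohmtzqjkvoy.exe"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Deletes File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
    (r"C:\vjwvrunlb\gbghrofdvln.exe", "Creates Process", r'tb8dgaflzhda "c:\vjwvrunlb\gbghrofdvln.exe"'),
    (r'tb8dgaflzhda "c:\vjwvrunlb\gbghrofdvln.exe"', "Creates File", r"C:\vjwvrunlb\vija6cmfbnmw"),
    (r'tb8dgaflzhda "c:\vjwvrunlb\gbghrofdvln.exe"', "Creates File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
    (r'tb8dgaflzhda "c:\vjwvrunlb\gbghrofdvln.exe"', "Deletes File", r"C:\WINDOWS\vjwvrunlb\vija6cmfbnmw"),
]


def image_of(cmdline):
    """Best-effort image path for a process string: the first token ending in .exe,
    so the fake-argv[0] form 'tb8dgaflzhda "c:\\...\\gbghrofdvln.exe"' maps to the path."""
    for tok in cmdline.lower().replace('"', " ").split():
        if tok.endswith(".exe"):
            return tok
    return cmdline.lower()


def triage(events):
    """Run four rules over (process, action, target) events in sandbox order and
    return a list of (rule, process, detail) findings."""
    parent_of = {}               # process string -> process string that spawned it
    written = defaultdict(set)   # process string -> lower-cased paths it created
    findings = []
    for proc, action, target in events:
        p, t = proc.lower(), target.lower()
        if action == "Creates File":
            written[p].add(t)
            if t == AFD_ENDPOINT:
                findings.append(("network-endpoint", proc, "opened a Winsock socket"))
        elif action == "Creates Process":
            parent_of[t] = p
            if image_of(t) in written[p]:          # wrote a binary, then ran it
                findings.append(("drop-and-execute", proc, target))
        elif action == "Registry":
            key, _, value = target.partition(" -> ")
            if key.lower().startswith(RUN_KEY + "\\") and not image_of(value).startswith(TRUSTED_DIRS):
                findings.append(("run-key-persistence", proc, value))
        elif action == "Deletes File":
            parent = parent_of.get(p)
            if parent is not None and image_of(parent) == t:   # child erases the stage that spawned it
                findings.append(("parent-cleanup", proc, target))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in triage(EVENTS):
        print(f"{rule:22} {proc}  ->  {detail}")
```

Run against the report's events this yields five findings: two drop-and-execute steps (malware.exe to bhckz1md4ohmtzqjkvoy.exe, then to gbghrofdvln.exe), the Run value pointing into C:\vjwvrunlb\, the socket opened by gbghrofdvln.exe, and gbghrofdvln.exe deleting its own parent. The third stage is written (cofwivjmnh.exe) but never executed during the run, so no rule fires for it; that gap is worth a second look in a longer sandbox session.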

Network Details:

DNS waterpaint.net  Type: A  72.81.253.90
DNS watercourse.net  Type: A  192.185.35.30
DNS waterwomen.net  Type: A  209.1.144.192
DNS smokeclean.net  Type: A  50.63.202.26
DNS fightclean.net  Type: A  176.74.176.184
DNS partypaint.net  Type: A  74.220.199.6
DNS follownothing.net  Type: A  95.211.230.75
DNS knownstream.net  Type: A  74.208.56.10
DNS summerstream.net  Type: A  66.96.132.53
DNS crowdstream.net  Type: A  184.168.221.61
DNS crowdnothing.net  Type: A  208.91.197.241
DNS thoughtstream.net  Type: A  50.63.202.54
DNS waterstream.net  Type: A  91.198.165.243
DNS waterbottle.net  Type: A  209.15.13.134
DNS fightstream.net  Type: A  184.168.221.32
DNS partybottle.net  Type: A  91.215.216.53
DNS thoughtpaint.net  Type: A  (no address recorded)
DNS thoughtcourse.net  Type: A  (no address recorded)
DNS thoughtwomen.net  Type: A  (no address recorded)
DNS womanclean.net  Type: A  (no address recorded)
DNS womanpaint.net  Type: A  (no address recorded)
DNS smokepaint.net  Type: A  (no address recorded)
DNS womancourse.net  Type: A  (no address recorded)
DNS smokecourse.net  Type: A  (no address recorded)
DNS womanwomen.net  Type: A  (no address recorded)
DNS smokewomen.net  Type: A  (no address recorded)
DNS partyclean.net  Type: A  (no address recorded)
DNS fightpaint.net  Type: A  (no address recorded)
DNS partycourse.net  Type: A  (no address recorded)
DNS fightcourse.net  Type: A  (no address recorded)
DNS partywomen.net  Type: A  (no address recorded)
DNS fightwomen.net  Type: A  (no address recorded)
DNS freshstream.net  Type: A  (no address recorded)
DNS experiencestream.net  Type: A  (no address recorded)
DNS freshnothing.net  Type: A  (no address recorded)
DNS experiencenothing.net  Type: A  (no address recorded)
DNS freshbottle.net  Type: A  (no address recorded)
DNS experiencebottle.net  Type: A  (no address recorded)
DNS freshdivide.net  Type: A  (no address recorded)
DNS experiencedivide.net  Type: A  (no address recorded)
DNS gentlemanstream.net  Type: A  (no address recorded)
DNS alreadystream.net  Type: A  (no address recorded)
DNS gentlemannothing.net  Type: A  (no address recorded)
DNS alreadynothing.net  Type: A  (no address recorded)
DNS gentlemanbottle.net  Type: A  (no address recorded)
DNS alreadybottle.net  Type: A  (no address recorded)
DNS gentlemandivide.net  Type: A  (no address recorded)
DNS alreadydivide.net  Type: A  (no address recorded)
DNS followstream.net  Type: A  (no address recorded)
DNS memberstream.net  Type: A  (no address recorded)
DNS membernothing.net  Type: A  (no address recorded)
DNS followbottle.net  Type: A  (no address recorded)
DNS memberbottle.net  Type: A  (no address recorded)
DNS followdivide.net  Type: A  (no address recorded)
DNS memberdivide.net  Type: A  (no address recorded)
DNS beginstream.net  Type: A  (no address recorded)
DNS beginnothing.net  Type: A  (no address recorded)
DNS knownnothing.net  Type: A  (no address recorded)
DNS beginbottle.net  Type: A  (no address recorded)
DNS knownbottle.net  Type: A  (no address recorded)
DNS begindivide.net  Type: A  (no address recorded)
DNS knowndivide.net  Type: A  (no address recorded)
DNS summernothing.net  Type: A  (no address recorded)
DNS summerbottle.net  Type: A  (no address recorded)
DNS crowdbottle.net  Type: A  (no address recorded)
DNS summerdivide.net  Type: A  (no address recorded)
DNS crowddivide.net  Type: A  (no address recorded)
DNS thoughtnothing.net  Type: A  (no address recorded)
DNS waternothing.net  Type: A  (no address recorded)
DNS thoughtbottle.net  Type: A  (no address recorded)
DNS thoughtdivide.net  Type: A  (no address recorded)
DNS waterdivide.net  Type: A  (no address recorded)
DNS womanstream.net  Type: A  (no address recorded)
DNS smokestream.net  Type: A  (no address recorded)
DNS womannothing.net  Type: A  (no address recorded)
DNS smokenothing.net  Type: A  (no address recorded)
DNS womanbottle.net  Type: A  (no address recorded)
DNS smokebottle.net  Type: A  (no address recorded)
DNS womandivide.net  Type: A  (no address recorded)
DNS smokedivide.net  Type: A  (no address recorded)
DNS partystream.net  Type: A  (no address recorded)
DNS partynothing.net  Type: A  (no address recorded)
DNS fightnothing.net  Type: A  (no address recorded)
DNS fightbottle.net  Type: A  (no address recorded)
DNS partydivide.net  Type: A  (no address recorded)
Type: A
HTTP GET http://waterpaint.net/index.php  User-Agent: (none)
HTTP GET http://watercourse.net/index.php  User-Agent: (none)
HTTP GET http://waterwomen.net/index.php  User-Agent: (none)
HTTP GET http://smokeclean.net/index.php  User-Agent: (none)
HTTP GET http://fightclean.net/index.php  User-Agent: (none)
HTTP GET http://partypaint.net/index.php  User-Agent: (none)
HTTP GET http://follownothing.net/index.php  User-Agent: (none)
HTTP GET http://knownstream.net/index.php  User-Agent: (none)
HTTP GET http://summerstream.net/index.php  User-Agent: (none)
HTTP GET http://crowdstream.net/index.php  User-Agent: (none)
HTTP GET http://crowdnothing.net/index.php  User-Agent: (none)
HTTP GET http://thoughtstream.net/index.php  User-Agent: (none)
HTTP GET http://waterstream.net/index.php  User-Agent: (none)
HTTP GET http://waterbottle.net/index.php  User-Agent: (none)
HTTP GET http://fightstream.net/index.php  User-Agent: (none)
HTTP GET http://partybottle.net/index.php  User-Agent: (none)
Flows TCP 192.168.1.1:1031 ➝ 72.81.253.90:80
Flows TCP 192.168.1.1:1032 ➝ 192.185.35.30:80
Flows TCP 192.168.1.1:1033 ➝ 209.1.144.192:80
Flows TCP 192.168.1.1:1034 ➝ 50.63.202.26:80
Flows TCP 192.168.1.1:1035 ➝ 176.74.176.184:80
Flows TCP 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1037 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1038 ➝ 74.208.56.10:80
Flows TCP 192.168.1.1:1039 ➝ 66.96.132.53:80
Flows TCP 192.168.1.1:1040 ➝ 184.168.221.61:80
Flows TCP 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1042 ➝ 50.63.202.54:80
Flows TCP 192.168.1.1:1043 ➝ 91.198.165.243:80
Flows TCP 192.168.1.1:1044 ➝ 209.15.13.134:80
Flows TCP 192.168.1.1:1045 ➝ 184.168.221.32:80
Flows TCP 192.168.1.1:1046 ➝ 91.215.216.53:80
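Every one of the 85 queries above is two dictionary words followed by .net, and only 16 of them resolved, which is the shape of a dictionary-based domain generation algorithm rather than a fixed C2 list. The script below is an added example, not part of the original report: the domains and addresses are copied from the DNS entries above, the two word lists were read off those domains by hand, and the 128-domain candidate space, the "unseen" list and the blocklist regex it derives are this example's own inference (the report itself does not say the domains were generated). The function names (split_domain, candidate_space, blocklist_regex, analyze) are this example's.

```python
"""Dictionary-DGA fingerprinting of the DNS activity in the report (added example)."""
import re

TLD = ".net"
# Words seen in the first and second position of the report's 85 queries.
FIRST = ("water smoke fight party follow known summer crowd thought woman "
         "fresh experience gentleman already member begin").split()
SECOND = "paint course women clean nothing stream bottle divide".split()

# Queries that returned an A record, copied from the report.
RESOLVED = {
    "waterpaint.net": "72.81.253.90",     "watercourse.net": "192.185.35.30",
    "waterwomen.net": "209.1.144.192",    "smokeclean.net": "50.63.202.26",
    "fightclean.net": "176.74.176.184",   "partypaint.net": "74.220.199.6",
    "follownothing.net": "95.211.230.75", "knownstream.net": "74.208.56.10",
    "summerstream.net": "66.96.132.53",   "crowdstream.net": "184.168.221.61",
    "crowdnothing.net": "208.91.197.241", "thoughtstream.net": "50.63.202.54",
    "waterstream.net": "91.198.165.243",  "waterbottle.net": "209.15.13.134",
    "fightstream.net": "184.168.221.32",  "partybottle.net": "91.215.216.53",
}
# Queries logged with no address, copied from the report (".net" dropped).
UNRESOLVED = """
thoughtpaint thoughtcourse thoughtwomen womanclean womanpaint smokepaint
womancourse smokecourse womanwomen smokewomen partyclean fightpaint partycourse
fightcourse partywomen fightwomen freshstream experiencestream freshnothing
experiencenothing freshbottle experiencebottle freshdivide experiencedivide
gentlemanstream alreadystream gentlemannothing alreadynothing gentlemanbottle
alreadybottle gentlemandivide alreadydivide followstream memberstream
membernothing followbottle memberbottle followdivide memberdivide beginstream
beginnothing knownnothing beginbottle knownbottle begindivide knowndivide
summernothing summerbottle crowdbottle summerdivide crowddivide thoughtnothing
waternothing thoughtbottle thoughtdivide waterdivide womanstream smokestream
womannothing smokenothing womanbottle smokebottle womandivide smokedivide
partystream partynothing fightnothing fightbottle partydivide
""".split()


def split_domain(name, first=FIRST, second=SECOND):
    """Return (w1, w2) if name is w1 + w2 + TLD with w1 in first and w2 in second."""
    if not name.endswith(TLD):
        return None
    label = name[:-len(TLD)]
    for w1 in first:
        rest = label[len(w1):]
        if label.startswith(w1) and rest in second:
            return w1, rest
    return None


def candidate_space(first=FIRST, second=SECOND):
    """Every domain the two word lists can produce: the bot's whole search space."""
    return {w1 + w2 + TLD for w1 in first for w2 in second}


def blocklist_regex(first=FIRST, second=SECOND):
    """Anchored regex matching exactly the candidate space, usable in a proxy or RPZ rule."""
    def alt(words):
        return "|".join(re.escape(w) for w in words)
    return re.compile(rf"^(?:{alt(first)})(?:{alt(second)}){re.escape(TLD)}$")


def analyze(resolved, unresolved):
    """Summarise how much of the candidate space the sample touched and what it found."""
    queried = set(resolved) | {d + TLD for d in unresolved}
    matched = {d for d in queried if split_domain(d)}
    space = candidate_space()
    return {
        "queried": len(queried),
        "dictionary_matches": len(matched),
        "resolved": len(resolved),
        "live_ips": sorted(set(resolved.values())),
        "candidate_space": len(space),
        "unseen_candidates": sorted(space - queried),   # not yet queried; block ahead of time
    }


if __name__ == "__main__":
    summary = analyze(RESOLVED, UNRESOLVED)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("regex:", blocklist_regex().pattern)
```

All 85 queries split cleanly into the two lists, which is the check that matters: a fixed 16 x 8 wordlist gives a 128-domain space, the sample walked 85 of it in one run, and the 43 it never reached can be blocked or sinkholed before the bot gets to them. Hits and misses cannot be told apart from the resolver's answer alone, since several of the resolved addresses sit in shared-hosting ranges (two in 50.63.202.0/24, two in 184.168.221.0/24), so a resolved name here may be a parked domain rather than live C2.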

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 7061696e 742e6e65 740d0a0d   aterpaint.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 636f7572 73652e6e 65740d0a   atercourse.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 776f6d65 6e2e6e65 740d0a0d   aterwomen.net...
0x00000050 (00080)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   6d6f6b65 636c6561 6e2e6e65 740d0a0d   mokeclean.net...
0x00000050 (00080)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69676874 636c6561 6e2e6e65 740d0a0d   ightclean.net...
0x00000050 (00080)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 7061696e 742e6e65 740d0a0d   artypaint.net...
0x00000050 (00080)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f6c6c6f 776e6f74 68696e67 2e6e6574   ollownothing.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   6e6f776e 73747265 616d2e6e 65740d0a   nownstream.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   756d6d65 72737472 65616d2e 6e65740d   ummerstream.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 73747265 616d2e6e 65740d0a   rowdstream.net..
0x00000050 (00080)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 6e6f7468 696e672e 6e65740d   rowdnothing.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68747374 7265616d 2e6e6574   houghtstream.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 73747265 616d2e6e 65740d0a   aterstream.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 626f7474 6c652e6e 65740d0a   aterbottle.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69676874 73747265 616d2e6e 65740d0a   ightstream.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 626f7474 6c652e6e 65740d0a   artybottle.net..
0x00000050 (00080)   0d0a0d0a                              ....
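The captures above all carry the same request: HTTP/1.0, three headers, no User-Agent, and a body-less GET for /index.php. The parser and checks below are an added example, not part of the report and not a signature from it: the dump text is the first capture copied verbatim, the hex-dump layout it parses is the one the report uses, and the beacon heuristics in beacon_indicators (and the names parse_hexdump, parse_request) are this example's own.

```python
"""Reassemble a request from the report's hex-dump layout and score it (added example)."""
import re

# First capture from the Raw Pcap section, copied verbatim (offset, hex column, ASCII column).
DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 7061696e 742e6e65 740d0a0d   aterpaint.net...
0x00000050 (00080)   0a                                    .
"""

# Hex offset, decimal offset, then the 35-character hex column (4 groups of 8 hex
# digits separated by spaces); the ASCII column after it is ignored.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\)\s+([0-9a-fA-F ]{1,35})")


def parse_hexdump(text):
    """Rebuild the raw bytes, checking that each line's offset matches the byte count so far."""
    buf = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(buf):
            raise ValueError(f"offset gap before line: {line!r}")
        buf += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(buf)


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line plus a lower-cased header map."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(req):
    """Traits of this request that a hand-rolled client shows and a browser does not
    (this example's heuristics, not a published signature)."""
    hits = []
    h = req["headers"]
    if "user-agent" not in h:
        hits.append("no User-Agent header")
    if req["version"] == "HTTP/1.0":
        hits.append("HTTP/1.0 request line")
    if h.get("connection", "").lower() == "close":
        hits.append("Connection: close")
    if set(h) <= {"accept", "connection", "host"}:
        hits.append("only Accept, Connection and Host headers")
    return hits


if __name__ == "__main__":
    req = parse_request(parse_hexdump(DUMP))
    print(req["method"], req["path"], req["version"], req["headers"])
    for hit in beacon_indicators(req):
        print(" -", hit)
```

On the first capture the parser returns 81 bytes ending in "Host: waterpaint.net\r\n\r\n" and all four indicators fire; none of them is decisive on its own (old scripts and health checks also send bare HTTP/1.0), so they are best combined with the DNS pattern rather than used as a standalone rule. The offset check is there because the later dumps in the report end in differing numbers of trailing CR/LF bytes, and a parser that silently skipped or duplicated lines would hide that.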


Strings