Analysis Date: 2015-09-16 06:04:48
MD5: 5ec0e5a0a20239c948f5963db6055602
SHA1: 2c0dfbd2b729245b62f15c9e40f1a4a9acca0cfb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 3bc4677696101a9f26d5dfa9b81ae86a sha1: b299e5505148a0eca82b11843a9f21c7e6e13775 size: 325632
Section .rdata md5: cebd246656961368904978bee493a5a3 sha1: db3c90b74ccc948bc90cb3bb11f419c20f7ab12f size: 61440
Section .data md5: ca5dd161f88fb6c0e52dba03699cfd94 sha1: 01b6a4d2bf1712d2934f8ab9f2ee8a60e54cd862 size: 7680
Section .reloc md5: 9d2bbb461f40e9fed617795a4307ef9c sha1: be93dc0919ad443c5d4dbbd4c8994545af4e47a6 size: 27648
Timestamp: 2015-05-11 06:32:41
Packer: Microsoft Visual C++ 8
PEhash: a3f51ce11630c4a1090ffc0b9c58523e090dd6cf
IMPhash: 6dd83282de76bc4b1146db841e865db6
AV Rising: Trojan.Win32.Bayrod.b
AV McAfee: PWS-FCCE!5EC0E5A0A202
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.W
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Kazy.611009
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611009
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611009
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Kazy.611009
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\fopwvstzhtbksnl\gyqzj1laxwqjzaiwvw.exe
Creates File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates File: C:\fopwvstzhtbksnl\z7z6arva
Deletes File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates Process: C:\fopwvstzhtbksnl\gyqzj1laxwqjzaiwvw.exe

Process
↳ C:\fopwvstzhtbksnl\gyqzj1laxwqjzaiwvw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Machine WMI Experience Logon ➝ C:\fopwvstzhtbksnl\abcylbbrrt.exe
Creates File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates File: C:\fopwvstzhtbksnl\abcylbbrrt.exe
Creates File: C:\fopwvstzhtbksnl\wpsg4xtbsiki
Creates File: PIPE\lsarpc
Creates File: C:\fopwvstzhtbksnl\z7z6arva
Deletes File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates Process: C:\fopwvstzhtbksnl\abcylbbrrt.exe
Creates Service: Connect Topology DLL Accounts - C:\fopwvstzhtbksnl\abcylbbrrt.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1204

Process
↳ C:\fopwvstzhtbksnl\abcylbbrrt.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates File: C:\fopwvstzhtbksnl\jnqw4zgvwz
Creates File: C:\fopwvstzhtbksnl\mqplbzhodo.exe
Creates File: C:\fopwvstzhtbksnl\wpsg4xtbsiki
Creates File: \Device\Afd\Endpoint
Creates File: C:\fopwvstzhtbksnl\z7z6arva
Deletes File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates Process: ourxzurw2jsy "c:\fopwvstzhtbksnl\abcylbbrrt.exe"

Process
↳ C:\fopwvstzhtbksnl\abcylbbrrt.exe

Creates File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates File: C:\fopwvstzhtbksnl\z7z6arva
Deletes File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva

Process
↳ ourxzurw2jsy "c:\fopwvstzhtbksnl\abcylbbrrt.exe"

Creates File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva
Creates File: C:\fopwvstzhtbksnl\z7z6arva
Deletes File: C:\WINDOWS\fopwvstzhtbksnl\z7z6arva

Network Details:

DNS: watermister.net Type: A ➝ 192.185.5.125
DNS: waterservice.net Type: A ➝ 207.148.248.143
DNS: womanservice.net Type: A ➝ 31.31.204.59
DNS: partyservice.net Type: A ➝ 176.28.54.20
DNS: freshshare.net Type: A ➝ 216.239.34.21
DNS: freshshare.net Type: A ➝ 216.239.36.21
DNS: freshshare.net Type: A ➝ 216.239.38.21
DNS: freshshare.net Type: A ➝ 184.168.221.32
DNS: freshshare.net Type: A ➝ 216.239.32.21
DNS: experienceshare.net Type: A ➝ 50.63.202.60
DNS: membershare.net Type: A ➝ 173.236.228.75
DNS: summershare.net Type: A ➝ 74.208.61.248
DNS: crowdshare.net Type: A ➝ 72.52.4.91
DNS: thoughtshare.net Type: A ➝ 184.168.221.61
DNS: smokehappen.net Type: A ➝ 95.211.230.75
DNS: thoughtsuppose.net Type: A
DNS: watersuppose.net Type: A
DNS: thoughtservice.net Type: A
DNS: thoughtriver.net Type: A
DNS: waterriver.net Type: A
DNS: womanmister.net Type: A
DNS: smokemister.net Type: A
DNS: womansuppose.net Type: A
DNS: smokesuppose.net Type: A
DNS: smokeservice.net Type: A
DNS: womanriver.net Type: A
DNS: smokeriver.net Type: A
DNS: partymister.net Type: A
DNS: fightmister.net Type: A
DNS: partysuppose.net Type: A
DNS: fightsuppose.net Type: A
DNS: fightservice.net Type: A
DNS: partyriver.net Type: A
DNS: fightriver.net Type: A
DNS: freshnearly.net Type: A
DNS: experiencenearly.net Type: A
DNS: freshhappen.net Type: A
DNS: experiencehappen.net Type: A
DNS: freshshake.net Type: A
DNS: experienceshake.net Type: A
DNS: gentlemannearly.net Type: A
DNS: alreadynearly.net Type: A
DNS: gentlemanhappen.net Type: A
DNS: alreadyhappen.net Type: A
DNS: gentlemanshake.net Type: A
DNS: alreadyshake.net Type: A
DNS: gentlemanshare.net Type: A
DNS: alreadyshare.net Type: A
DNS: follownearly.net Type: A
DNS: membernearly.net Type: A
DNS: followhappen.net Type: A
DNS: memberhappen.net Type: A
DNS: followshake.net Type: A
DNS: membershake.net Type: A
DNS: followshare.net Type: A
DNS: beginnearly.net Type: A
DNS: knownnearly.net Type: A
DNS: beginhappen.net Type: A
DNS: knownhappen.net Type: A
DNS: beginshake.net Type: A
DNS: knownshake.net Type: A
DNS: beginshare.net Type: A
DNS: knownshare.net Type: A
DNS: summernearly.net Type: A
DNS: crowdnearly.net Type: A
DNS: summerhappen.net Type: A
DNS: crowdhappen.net Type: A
DNS: summershake.net Type: A
DNS: crowdshake.net Type: A
DNS: thoughtnearly.net Type: A
DNS: waternearly.net Type: A
DNS: thoughthappen.net Type: A
DNS: waterhappen.net Type: A
DNS: thoughtshake.net Type: A
DNS: watershake.net Type: A
DNS: watershare.net Type: A
DNS: womannearly.net Type: A
DNS: smokenearly.net Type: A
DNS: womanhappen.net Type: A
DNS: womanshake.net Type: A
DNS: smokeshake.net Type: A
DNS: womanshare.net Type: A
DNS: smokeshare.net Type: A
DNS: partynearly.net Type: A
DNS: fightnearly.net Type: A
DNS: partyhappen.net Type: A
DNS: fighthappen.net Type: A
DNS: partyshake.net Type: A
DNS: fightshake.net Type: A
HTTP GET: http://watermister.net/index.php
User-Agent:
HTTP GET: http://waterservice.net/index.php
User-Agent:
HTTP GET: http://womanservice.net/index.php
User-Agent:
HTTP GET: http://partyservice.net/index.php
User-Agent:
HTTP GET: http://freshshare.net/index.php
User-Agent:
HTTP GET: http://experienceshare.net/index.php
User-Agent:
HTTP GET: http://membershare.net/index.php
User-Agent:
HTTP GET: http://summershare.net/index.php
User-Agent:
HTTP GET: http://crowdshare.net/index.php
User-Agent:
HTTP GET: http://thoughtshare.net/index.php
User-Agent:
HTTP GET: http://smokehappen.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 192.185.5.125:80
Flows TCP: 192.168.1.1:1032 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1033 ➝ 31.31.204.59:80
Flows TCP: 192.168.1.1:1034 ➝ 176.28.54.20:80
Flows TCP: 192.168.1.1:1035 ➝ 216.239.34.21:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.60:80
Flows TCP: 192.168.1.1:1037 ➝ 173.236.228.75:80
Flows TCP: 192.168.1.1:1038 ➝ 74.208.61.248:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.61:80
Flows TCP: 192.168.1.1:1041 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 6d697374 65722e6e 65740d0a   atermister.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 73657276 6963652e 6e65740d   aterservice.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   6f6d616e 73657276 6963652e 6e65740d   omanservice.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 73657276 6963652e 6e65740d   artyservice.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 73686172 652e6e65 740d0a0d   reshshare.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706572 69656e63 65736861 72652e6e   xperienceshare.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   656d6265 72736861 72652e6e 65740d0a   embershare.net..
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   756d6d65 72736861 72652e6e 65740d0a   ummershare.net..
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 73686172 652e6e65 740d0a0d   rowdshare.net...
0x00000050 (00080)   0a0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68747368 6172652e 6e65740d   houghtshare.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   6d6f6b65 68617070 656e2e6e 65740d0a   mokehappen.net..
0x00000050 (00080)   0d0a                                  ..
Strings