Analysis Date: 2016-01-30 08:00:39
MD5: 51fa0b2cf2d7c04bd15643a080ccac45
SHA1: 32e27cb5b5bbc49aae7a1bafe1bc0b62ee88550a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 ee4a811845e632d75ed4859dda4139a3  sha1 4a9abcdc5e23b873247e942958a1f2fdd62dcb71  size 306176
Section .rdata: md5 403354e67c1156781ba3730fc7aa4ded  sha1 3232855edab3ad390a2c1c0e64e77dca7639e5ee  size 26112
Section .data: md5 9af904efe9c4f958ceecef8e4ae13d85  sha1 657c84eadaf1e61df11d8ac6095189cdf0871c14  size 19968
Section .reloc: md5 ba2f31d53da78768c3c5f6f82d19c01f  sha1 da65226c5845b9e85b57776b2ec84d22c5220e67  size 33280
Timestamp: 2014-02-06 10:59:43
Packer: Microsoft Visual C++ 8
PEhash: 07787d78b40b695620c8248e12c72e4921f0f981
IMPhash: 3c555131baaf7ee4457f76ec0856d02b
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV BullGuard: Gen:Variant.Zusy.141475
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.cngq
AV Zillya!: No Virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Zusy.141475
AV Fortinet: W32/Bayrob.BJ!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.ACGP
AV Eset (nod32): Win32/Bayrob.BJ
AV Alwil (avast): No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Twister: No Virus
AV Avira (antivir): TR/Taranis.2080
AV Mcafee: Trojan-FHSQ!51FA0B2CF2D7
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\atkqvhokadt\fd1lm7sherh7t4gpq.exe
Creates File: C:\atkqvhokadt\u9n5jwsau
Creates File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Deletes File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Creates Process: C:\atkqvhokadt\fd1lm7sherh7t4gpq.exe

Process
↳ C:\atkqvhokadt\fd1lm7sherh7t4gpq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Management DNS Cache Defender ➝ C:\atkqvhokadt\gtdnjpfqubnt.exe
Creates File: C:\atkqvhokadt\gtdnjpfqubnt.exe
Creates File: PIPE\lsarpc
Creates File: C:\atkqvhokadt\rlqcv3b
Creates File: C:\atkqvhokadt\u9n5jwsau
Creates File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Deletes File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Creates Process: C:\atkqvhokadt\gtdnjpfqubnt.exe
Creates Service: Remote Logs Storage Disk Manager PC - C:\atkqvhokadt\gtdnjpfqubnt.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1132

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1168

Process
↳ C:\atkqvhokadt\gtdnjpfqubnt.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\atkqvhokadt\kjvjdh
Creates File: \Device\Afd\Endpoint
Creates File: C:\atkqvhokadt\zimobjluoniv.exe
Creates File: C:\atkqvhokadt\rlqcv3b
Creates File: C:\atkqvhokadt\u9n5jwsau
Creates File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Deletes File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Creates Process: fejvcww7ednx "c:\atkqvhokadt\gtdnjpfqubnt.exe"

Process
↳ C:\atkqvhokadt\gtdnjpfqubnt.exe

Creates File: C:\atkqvhokadt\u9n5jwsau
Creates File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Deletes File: C:\WINDOWS\atkqvhokadt\u9n5jwsau

Process
↳ fejvcww7ednx "c:\atkqvhokadt\gtdnjpfqubnt.exe"

Creates File: C:\atkqvhokadt\u9n5jwsau
Creates File: C:\WINDOWS\atkqvhokadt\u9n5jwsau
Deletes File: C:\WINDOWS\atkqvhokadt\u9n5jwsau

Network Details:

DNS: picturestream.net  Type: A  ➝ 104.130.192.137
DNS: familystream.net  Type: A  ➝ 149.210.210.187
DNS: machinebusiness.net  Type: A  ➝ 69.73.160.55
DNS: thoughappear.net  Type: A  ➝ 208.100.26.234
DNS: picturebusiness.net  Type: A  ➝ 76.8.58.103
DNS: familybusiness.net  Type: A  ➝ 69.172.201.208
DNS: englishmanner.net  Type: A  ➝ 202.143.64.131
DNS: englishbusiness.net  Type: A  ➝ 184.168.221.71
DNS: picturebright.net  Type: A  ➝ 72.52.4.90
DNS: familybright.net  Type: A  ➝ 208.91.197.39
DNS: rightbottle.net  Type: A
DNS: whetherdivide.net  Type: A
DNS: rightdivide.net  Type: A
DNS: figurestream.net  Type: A
DNS: thoughstream.net  Type: A
DNS: figurenothing.net  Type: A
DNS: thoughnothing.net  Type: A
DNS: figurebottle.net  Type: A
DNS: thoughbottle.net  Type: A
DNS: figuredivide.net  Type: A
DNS: thoughdivide.net  Type: A
DNS: cigarettestream.net  Type: A
DNS: picturenothing.net  Type: A
DNS: cigarettenothing.net  Type: A
DNS: picturebottle.net  Type: A
DNS: cigarettebottle.net  Type: A
DNS: picturedivide.net  Type: A
DNS: cigarettedivide.net  Type: A
DNS: childrenstream.net  Type: A
DNS: childrennothing.net  Type: A
DNS: familynothing.net  Type: A
DNS: childrenbottle.net  Type: A
DNS: familybottle.net  Type: A
DNS: childrendivide.net  Type: A
DNS: familydivide.net  Type: A
DNS: eitherstream.net  Type: A
DNS: englishstream.net  Type: A
DNS: eithernothing.net  Type: A
DNS: englishnothing.net  Type: A
DNS: eitherbottle.net  Type: A
DNS: englishbottle.net  Type: A
DNS: eitherdivide.net  Type: A
DNS: englishdivide.net  Type: A
DNS: expectmanner.net  Type: A
DNS: becausemanner.net  Type: A
DNS: expectanother.net  Type: A
DNS: becauseanother.net  Type: A
DNS: expectbusiness.net  Type: A
DNS: becausebusiness.net  Type: A
DNS: expectappear.net  Type: A
DNS: becauseappear.net  Type: A
DNS: personmanner.net  Type: A
DNS: machinemanner.net  Type: A
DNS: personanother.net  Type: A
DNS: machineanother.net  Type: A
DNS: personbusiness.net  Type: A
DNS: personappear.net  Type: A
DNS: machineappear.net  Type: A
DNS: suddenmanner.net  Type: A
DNS: foreignmanner.net  Type: A
DNS: suddenanother.net  Type: A
DNS: foreignanother.net  Type: A
DNS: suddenbusiness.net  Type: A
DNS: foreignbusiness.net  Type: A
DNS: suddenappear.net  Type: A
DNS: foreignappear.net  Type: A
DNS: whethermanner.net  Type: A
DNS: rightmanner.net  Type: A
DNS: whetheranother.net  Type: A
DNS: rightanother.net  Type: A
DNS: whetherbusiness.net  Type: A
DNS: rightbusiness.net  Type: A
DNS: whetherappear.net  Type: A
DNS: rightappear.net  Type: A
DNS: figuremanner.net  Type: A
DNS: thoughmanner.net  Type: A
DNS: figureanother.net  Type: A
DNS: thoughanother.net  Type: A
DNS: figurebusiness.net  Type: A
DNS: thoughbusiness.net  Type: A
DNS: figureappear.net  Type: A
DNS: picturemanner.net  Type: A
DNS: cigarettemanner.net  Type: A
DNS: pictureanother.net  Type: A
DNS: cigaretteanother.net  Type: A
DNS: cigarettebusiness.net  Type: A
DNS: pictureappear.net  Type: A
DNS: cigaretteappear.net  Type: A
DNS: childrenmanner.net  Type: A
DNS: familymanner.net  Type: A
DNS: childrenanother.net  Type: A
DNS: familyanother.net  Type: A
DNS: childrenbusiness.net  Type: A
DNS: childrenappear.net  Type: A
DNS: familyappear.net  Type: A
DNS: eithermanner.net  Type: A
DNS: eitheranother.net  Type: A
DNS: englishanother.net  Type: A
DNS: eitherbusiness.net  Type: A
DNS: eitherappear.net  Type: A
DNS: englishappear.net  Type: A
DNS: expectinstead.net  Type: A
DNS: becauseinstead.net  Type: A
DNS: expectexplain.net  Type: A
DNS: becauseexplain.net  Type: A
DNS: expectbright.net  Type: A
DNS: becausebright.net  Type: A
DNS: expectinside.net  Type: A
DNS: becauseinside.net  Type: A
DNS: personinstead.net  Type: A
DNS: machineinstead.net  Type: A
DNS: personexplain.net  Type: A
DNS: machineexplain.net  Type: A
DNS: personbright.net  Type: A
DNS: machinebright.net  Type: A
DNS: personinside.net  Type: A
DNS: machineinside.net  Type: A
DNS: suddeninstead.net  Type: A
DNS: foreigninstead.net  Type: A
DNS: suddenexplain.net  Type: A
DNS: foreignexplain.net  Type: A
DNS: suddenbright.net  Type: A
DNS: foreignbright.net  Type: A
DNS: suddeninside.net  Type: A
DNS: foreigninside.net  Type: A
DNS: whetherinstead.net  Type: A
DNS: rightinstead.net  Type: A
DNS: whetherexplain.net  Type: A
DNS: rightexplain.net  Type: A
DNS: whetherbright.net  Type: A
DNS: rightbright.net  Type: A
DNS: whetherinside.net  Type: A
DNS: rightinside.net  Type: A
DNS: figureinstead.net  Type: A
DNS: thoughinstead.net  Type: A
DNS: figureexplain.net  Type: A
DNS: thoughexplain.net  Type: A
DNS: figurebright.net  Type: A
DNS: thoughbright.net  Type: A
DNS: figureinside.net  Type: A
DNS: thoughinside.net  Type: A
DNS: pictureinstead.net  Type: A
DNS: cigaretteinstead.net  Type: A
DNS: pictureexplain.net  Type: A
DNS: cigaretteexplain.net  Type: A
DNS: cigarettebright.net  Type: A
DNS: pictureinside.net  Type: A
DNS: cigaretteinside.net  Type: A
DNS: childreninstead.net  Type: A
DNS: familyinstead.net  Type: A
DNS: childrenexplain.net  Type: A
DNS: familyexplain.net  Type: A
DNS: childrenbright.net  Type: A
DNS: childreninside.net  Type: A
DNS: familyinside.net  Type: A
DNS: eitherinstead.net  Type: A
DNS: englishinstead.net  Type: A
DNS: eitherexplain.net  Type: A
DNS: englishexplain.net  Type: A
DNS: eitherbright.net  Type: A
DNS: englishbright.net  Type: A
DNS: eitherinside.net  Type: A
DNS: englishinside.net  Type: A
DNS: expectready.net  Type: A
DNS: becauseready.net  Type: A
DNS: expectbrown.net  Type: A
DNS: becausebrown.net  Type: A
DNS: expectpeople.net  Type: A
DNS: becausepeople.net  Type: A
DNS: expectdaughter.net  Type: A
HTTP GET: http://picturestream.net/index.php
User-Agent:
HTTP GET: http://familystream.net/index.php
User-Agent:
HTTP GET: http://machinebusiness.net/index.php
User-Agent:
HTTP GET: http://thoughappear.net/index.php
User-Agent:
HTTP GET: http://picturebusiness.net/index.php
User-Agent:
HTTP GET: http://familybusiness.net/index.php
User-Agent:
HTTP GET: http://englishmanner.net/index.php
User-Agent:
HTTP GET: http://englishbusiness.net/index.php
User-Agent:
HTTP GET: http://picturebright.net/index.php
User-Agent:
HTTP GET: http://familybright.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 104.130.192.137:80
Flows TCP: 192.168.1.1:1032 ➝ 149.210.210.187:80
Flows TCP: 192.168.1.1:1033 ➝ 69.73.160.55:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 76.8.58.103:80
Flows TCP: 192.168.1.1:1036 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1037 ➝ 202.143.64.131:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.71:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.39:80
