Analysis Date: 2015-08-20 18:02:57
MD5: 139644257dd1b9b58345d3cff9459780
SHA1: 361c749b579ea826878f0452100d6e826247e630

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 43d7763dc396a2d833fe968eb537ad07  sha1: 716c8f10fc61114590c66b312c1d0f36b5ec179e  size: 648704
Section .rdata  md5: 1c3492455f4d48f27667c31962b61547  sha1: c18fe972468726c54d10d674b0d9cd3eafabe0b3  size: 89088
Section .data   md5: 828b54f78774a1b3e3f9bf2a1e065d32  sha1: 231775360b3b1de8f3d242bafa437e662187bf72  size: 7168
Section .reloc  md5: 9804b986860283d29e511380ccae36fc  sha1: 2699e4f0193ad1926427816ba1c36c08268c1215  size: 68096
Timestamp: 2015-05-08 06:52:03
Packer: Microsoft Visual C++ 8 (a compiler signature, i.e. no packer was identified)
PEhash: d3a3bfa1fb7aced40b59db27c439f74582b741fa
IMPhash: 34639bd698e2149a1190d400460f30e4
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.609540
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.609540
AV BullGuard: Gen:Variant.Kazy.609540
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: Trojan.Win32.Scar.jiyn
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.609540
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.609540
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.609540
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.T
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.609540
AV Twister: W32.Bayrob.T.vlab
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: RDN/Generic PWS.y

25 of the 31 engines flag the sample. The named detections cluster on Bayrob (Dr. Web, Trend Micro, Ikarus, ESET, Twister; Microsoft and QuickHeal use the name Nivdort for the same family); the BitDefender-engine vendors share the generic Gen:Variant.Kazy.609540, and Symantec's Downloader.Upatre!g15 is the one outlier.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates File: C:\cvrcsfc\esq11lkhm6jiycvgvem.exe
Creates File: C:\cvrcsfc\xzcrtrany
Deletes File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates Process: C:\cvrcsfc\esq11lkhm6jiycvgvem.exe

Process
↳ C:\cvrcsfc\esq11lkhm6jiycvgvem.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NetBIOS Transfer Information Cryptographic ➝ C:\cvrcsfc\rcfhcqp.exe
Creates File: C:\cvrcsfc\uebgddqvly
Creates File: C:\cvrcsfc\rcfhcqp.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates File: C:\cvrcsfc\xzcrtrany
Deletes File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates Process: C:\cvrcsfc\rcfhcqp.exe
Creates Service: UPnP Interface Framework Tracking Event - C:\cvrcsfc\rcfhcqp.exe

Note: this stage sets up two autostart paths for the same binary, a Run value and a service, both under names chosen to look like Windows components.

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1140

Process
↳ C:\cvrcsfc\rcfhcqp.exe

Creates File: C:\cvrcsfc\uebgddqvly
Creates File: pipe\net\NtControlPipe10
Creates File: C:\cvrcsfc\cxxgvblvugjp.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\cvrcsfc\sqsjmm
Creates File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates File: C:\cvrcsfc\xzcrtrany
Deletes File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates Process: vpgerxzlybow "c:\cvrcsfc\rcfhcqp.exe"

Process
↳ C:\cvrcsfc\rcfhcqp.exe

Creates File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates File: C:\cvrcsfc\xzcrtrany
Deletes File: C:\WINDOWS\cvrcsfc\xzcrtrany

Process
↳ vpgerxzlybow "c:\cvrcsfc\rcfhcqp.exe"

Creates File: C:\WINDOWS\cvrcsfc\xzcrtrany
Creates File: C:\cvrcsfc\xzcrtrany
Deletes File: C:\WINDOWS\cvrcsfc\xzcrtrany
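The runtime events above show the sample dropping its payload into C:\cvrcsfc\ and registering it for autostart twice, once as a Run value and once as a service, both under names that imitate Windows components. The Python below is an added example, not part of the sandbox output, that parses event lines in the "Kind: detail" layout used on this page (the sample lines are constructed by copying events from the sections above), extracts every autostart entry, and flags those whose image lives outside the Windows or Program Files directories. TRUSTED_DIRS is an assumption made for the example and a coarse heuristic, not an allow-list.

```python
from dataclasses import dataclass

# Assumption for this example: autostart images under these roots are treated
# as ordinary; anything else (e.g. C:\cvrcsfc\) is reported.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample: event lines copied from the Runtime Details above,
# in the page's "Kind: detail" layout; "Process:" lines set the context.
SAMPLE_EVENTS = """\
Process: C:\\malware.exe
Creates File: C:\\cvrcsfc\\esq11lkhm6jiycvgvem.exe
Creates Process: C:\\cvrcsfc\\esq11lkhm6jiycvgvem.exe
Process: C:\\cvrcsfc\\esq11lkhm6jiycvgvem.exe
Registry: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NetBIOS Transfer Information Cryptographic ➝ C:\\cvrcsfc\\rcfhcqp.exe
Creates File: C:\\cvrcsfc\\rcfhcqp.exe
Creates Service: UPnP Interface Framework Tracking Event - C:\\cvrcsfc\\rcfhcqp.exe
Process: C:\\WINDOWS\\system32\\spoolsv.exe
Registry: HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print\\BeepEnabled ➝ NULL
Process: C:\\cvrcsfc\\rcfhcqp.exe
Creates File: C:\\cvrcsfc\\cxxgvblvugjp.exe
Creates Process: vpgerxzlybow "c:\\cvrcsfc\\rcfhcqp.exe"
"""


@dataclass
class Autostart:
    mechanism: str   # "run_key" or "service"
    name: str        # Run value name or service display name
    image: str       # executable the entry points at
    process: str     # process that created the entry


def parse_events(text):
    """Return (process, kind, detail) tuples; a 'Process:' line sets the
    process attributed to the events that follow it."""
    current, events = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, detail = line.partition(": ")
        if kind == "Process":
            current = detail
        else:
            events.append((current, kind, detail))
    return events


def autostart_entries(events):
    """Collect Run-key values and created services from the event stream."""
    found = []
    for proc, kind, detail in events:
        if kind == "Registry":
            key, sep, value = detail.partition(" ➝ ")
            if sep and "\\currentversion\\run\\" in key.lower():
                found.append(Autostart("run_key", key.rsplit("\\", 1)[1], value, proc))
        elif kind == "Creates Service":
            name, sep, image = detail.rpartition(" - ")
            if sep:
                found.append(Autostart("service", name, image, proc))
    return found


def is_trusted_path(image):
    """Crude location check: image path starts with a trusted root."""
    return image.lower().strip('"').startswith(TRUSTED_DIRS)


def suspicious_autostarts(text):
    """Autostart entries whose image is outside the trusted roots."""
    return [a for a in autostart_entries(parse_events(text)) if not is_trusted_path(a.image)]


def dropped_executables(text):
    """Sorted, de-duplicated .exe paths written by any process."""
    return sorted({d for _, k, d in parse_events(text)
                   if k == "Creates File" and d.lower().endswith(".exe")})


if __name__ == "__main__":
    for entry in suspicious_autostarts(SAMPLE_EVENTS):
        print(f"{entry.mechanism:8} {entry.name!r} -> {entry.image}  (by {entry.process})")
    print("dropped:", dropped_executables(SAMPLE_EVENTS))
```

On this report the check returns exactly the two entries from the second process, both pointing at C:\cvrcsfc\rcfhcqp.exe; the spoolsv.exe registry reads are ignored because they touch no Run key and create no service.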

Network Details:

DNS: winterbasket.net (A) ➝ 95.211.230.75
DNS: finishbasket.net (A) ➝ 195.22.26.254
DNS: finishbasket.net (A) ➝ 195.22.26.231
DNS: finishbasket.net (A) ➝ 195.22.26.252
DNS: finishbasket.net (A) ➝ 195.22.26.253
DNS: sweetindustry.net (A) ➝ 98.124.198.1
DNS: sweetbasket.net (A) ➝ 210.157.19.51
DNS: simplelanguage.net (A) ➝ 82.165.126.64
DNS: mountainlanguage.net (A) ➝ 184.168.221.27
DNS: possibleindustry.net (A) ➝ no answer recorded
DNS: mountainbecame.net (A) ➝ no answer recorded
DNS: possiblebecame.net (A) ➝ no answer recorded
DNS: mountaincontain.net (A) ➝ no answer recorded
DNS: possiblecontain.net (A) ➝ no answer recorded
DNS: mountainbasket.net (A) ➝ no answer recorded
DNS: possiblebasket.net (A) ➝ no answer recorded
DNS: perhapsindustry.net (A) ➝ no answer recorded
DNS: windowindustry.net (A) ➝ no answer recorded
DNS: perhapsbecame.net (A) ➝ no answer recorded
DNS: windowbecame.net (A) ➝ no answer recorded
DNS: perhapscontain.net (A) ➝ no answer recorded
DNS: windowcontain.net (A) ➝ no answer recorded
DNS: perhapsbasket.net (A) ➝ no answer recorded
DNS: windowbasket.net (A) ➝ no answer recorded
DNS: winterindustry.net (A) ➝ no answer recorded
DNS: subjectindustry.net (A) ➝ no answer recorded
DNS: winterbecame.net (A) ➝ no answer recorded
DNS: subjectbecame.net (A) ➝ no answer recorded
DNS: wintercontain.net (A) ➝ no answer recorded
DNS: subjectcontain.net (A) ➝ no answer recorded
DNS: subjectbasket.net (A) ➝ no answer recorded
DNS: finishindustry.net (A) ➝ no answer recorded
DNS: leaveindustry.net (A) ➝ no answer recorded
DNS: finishbecame.net (A) ➝ no answer recorded
DNS: leavebecame.net (A) ➝ no answer recorded
DNS: finishcontain.net (A) ➝ no answer recorded
DNS: leavecontain.net (A) ➝ no answer recorded
DNS: leavebasket.net (A) ➝ no answer recorded
DNS: probablyindustry.net (A) ➝ no answer recorded
DNS: sweetbecame.net (A) ➝ no answer recorded
DNS: probablybecame.net (A) ➝ no answer recorded
DNS: sweetcontain.net (A) ➝ no answer recorded
DNS: probablycontain.net (A) ➝ no answer recorded
DNS: probablybasket.net (A) ➝ no answer recorded
DNS: severalindustry.net (A) ➝ no answer recorded
DNS: materialindustry.net (A) ➝ no answer recorded
DNS: severalbecame.net (A) ➝ no answer recorded
DNS: materialbecame.net (A) ➝ no answer recorded
DNS: severalcontain.net (A) ➝ no answer recorded
DNS: materialcontain.net (A) ➝ no answer recorded
DNS: severalbasket.net (A) ➝ no answer recorded
DNS: materialbasket.net (A) ➝ no answer recorded
DNS: severasettle.net (A) ➝ no answer recorded
DNS: laughsettle.net (A) ➝ no answer recorded
DNS: severalanguage.net (A) ➝ no answer recorded
DNS: laughlanguage.net (A) ➝ no answer recorded
DNS: severadevice.net (A) ➝ no answer recorded
DNS: laughdevice.net (A) ➝ no answer recorded
DNS: severabefore.net (A) ➝ no answer recorded
DNS: laughbefore.net (A) ➝ no answer recorded
DNS: simplesettle.net (A) ➝ no answer recorded
DNS: mothersettle.net (A) ➝ no answer recorded
DNS: motherlanguage.net (A) ➝ no answer recorded
DNS: simpledevice.net (A) ➝ no answer recorded
DNS: motherdevice.net (A) ➝ no answer recorded
DNS: simplebefore.net (A) ➝ no answer recorded
DNS: motherbefore.net (A) ➝ no answer recorded
DNS: mountainsettle.net (A) ➝ no answer recorded
DNS: possiblesettle.net (A) ➝ no answer recorded
DNS: possiblelanguage.net (A) ➝ no answer recorded
DNS: mountaindevice.net (A) ➝ no answer recorded
DNS: possibledevice.net (A) ➝ no answer recorded
DNS: mountainbefore.net (A) ➝ no answer recorded
DNS: possiblebefore.net (A) ➝ no answer recorded
DNS: perhapssettle.net (A) ➝ no answer recorded
DNS: windowsettle.net (A) ➝ no answer recorded
DNS: perhapslanguage.net (A) ➝ no answer recorded
DNS: windowlanguage.net (A) ➝ no answer recorded
DNS: perhapsdevice.net (A) ➝ no answer recorded
DNS: windowdevice.net (A) ➝ no answer recorded
DNS: perhapsbefore.net (A) ➝ no answer recorded
DNS: windowbefore.net (A) ➝ no answer recorded
DNS: wintersettle.net (A) ➝ no answer recorded
DNS: subjectsettle.net (A) ➝ no answer recorded
DNS: winterlanguage.net (A) ➝ no answer recorded
DNS: subjectlanguage.net (A) ➝ no answer recorded
DNS: winterdevice.net (A) ➝ no answer recorded
DNS: subjectdevice.net (A) ➝ no answer recorded

Note: 85 distinct names were queried and only six resolved. Every name is two dictionary words run together under .net, drawn from a small fixed vocabulary (sixteen first words, eight second words), which is the signature of a word-list domain generation algorithm; the six resolved names are a snapshot, not the full command-and-control set.
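Because the queried names are built from two short word lists, a block-list of the six names that resolved is of little lasting value; the useful artefact is the vocabulary. The Python below is an added example, not taken from the page or from the malware, that learns the two word lists from the observed names (the constructed sample is the DNS list above with .net stripped) by choosing, for each name, the split whose two halves are most widely shared by the other names, and then uses those lists to flag combinations that were not observed in this run. It generalises only over the vocabulary seen here; the real generator's seed and ordering are not known from this report and are not modelled.

```python
from collections import Counter

# Constructed sample: the second-level labels queried in the DNS list above,
# copied from the page with the ".net" suffix removed.
OBSERVED = """
winterbasket finishbasket sweetindustry sweetbasket simplelanguage mountainlanguage
possibleindustry mountainbecame possiblebecame mountaincontain possiblecontain
mountainbasket possiblebasket perhapsindustry windowindustry perhapsbecame
windowbecame perhapscontain windowcontain perhapsbasket windowbasket
winterindustry subjectindustry winterbecame subjectbecame wintercontain
subjectcontain subjectbasket finishindustry leaveindustry finishbecame
leavebecame finishcontain leavecontain leavebasket probablyindustry sweetbecame
probablybecame sweetcontain probablycontain probablybasket severalindustry
materialindustry severalbecame materialbecame severalcontain materialcontain
severalbasket materialbasket severasettle laughsettle severalanguage
laughlanguage severadevice laughdevice severabefore laughbefore simplesettle
mothersettle motherlanguage simpledevice motherdevice simplebefore motherbefore
mountainsettle possiblesettle possiblelanguage mountaindevice possibledevice
mountainbefore possiblebefore perhapssettle windowsettle perhapslanguage
windowlanguage perhapsdevice windowdevice perhapsbefore windowbefore
wintersettle subjectsettle winterlanguage subjectlanguage winterdevice
subjectdevice
""".split()


def split_label(label, labels):
    """Split `label` into (prefix, suffix) at the point where both halves are
    shared by the largest number of other labels.  The score is the smaller of
    the two sharing counts, with the product as tie-breaker, so a split that
    produces one common half and one unique half never wins."""
    best, best_score = None, (-1, -1)
    for i in range(1, len(label)):
        left, right = label[:i], label[i:]
        starts = sum(1 for other in labels if other.startswith(left))
        ends = sum(1 for other in labels if other.endswith(right))
        score = (min(starts, ends), starts * ends)
        if score > best_score:
            best, best_score = (left, right), score
    return best


def learn_wordlists(labels):
    """Counters of first words and second words recovered from the labels."""
    prefixes, suffixes = Counter(), Counter()
    for label in labels:
        first, second = split_label(label, labels)
        prefixes[first] += 1
        suffixes[second] += 1
    return prefixes, suffixes


def is_wordpair_domain(domain, prefixes, suffixes, tld="net"):
    """True if `domain` is <first word><second word>.<tld> over the learned
    vocabulary, whether or not that exact combination was observed."""
    label, dot, domain_tld = domain.lower().rpartition(".")
    if not dot or domain_tld != tld:
        return False
    return any(label.startswith(p) and label[len(p):] in suffixes for p in prefixes)


if __name__ == "__main__":
    first_words, second_words = learn_wordlists(OBSERVED)
    print("first words :", sorted(first_words))
    print("second words:", sorted(second_words))
    for name in ("mothercontain.net", "laughbasket.net", "winterbasket.com", "example.net"):
        print(f"{name:22} {is_wordpair_domain(name, first_words, second_words)}")
```

The learned lists are what a resolver log or passive-DNS query should be matched against: mothercontain.net and laughbasket.net were not queried in this run but are composed entirely of the observed vocabulary, while winterbasket.com fails on the TLD and example.net on the words. Note that the data contains both "several" and the shorter "severa" as first words (severasettle, severadevice, severabefore, severalanguage), and the learner keeps both rather than guessing which the generator intended.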
HTTP GET: http://winterbasket.net/index.php (User-Agent: none; the header is absent from the raw request)
HTTP GET: http://finishbasket.net/index.php (User-Agent: none)
HTTP GET: http://sweetindustry.net/index.php (User-Agent: none)
HTTP GET: http://sweetbasket.net/index.php (User-Agent: none)
HTTP GET: http://simplelanguage.net/index.php (User-Agent: none)
HTTP GET: http://mountainlanguage.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1033 ➝ 98.124.198.1:80
Flows TCP: 192.168.1.1:1034 ➝ 210.157.19.51:80
Flows TCP: 192.168.1.1:1035 ➝ 82.165.126.64:80
Flows TCP: 192.168.1.1:1036 ➝ 184.168.221.27:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e7465 72626173 6b65742e 6e65740d   interbasket.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   696e6973 68626173 6b65742e 6e65740d   inishbasket.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 696e6475 73747279 2e6e6574   weetindustry.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 6261736b 65742e6e 65740d0a   weetbasket.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d706c 656c616e 67756167 652e6e65   implelanguage.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e6c 616e6775 6167652e   ountainlanguage.
0x00000050 (00080)   6e65740d 0a0d0a                       net....
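The raw requests above are notable for what they lack: the sample speaks HTTP/1.0, sends no User-Agent at all, always asks for /index.php and closes the connection after one exchange. The Python below is an added example (not sandbox code) that reassembles the hexdump layout used in this section back into bytes, verifying each line's decimal offset against the bytes decoded so far, parses every request and reports those traits so they can be turned into a proxy or IDS rule. The dump embedded in the code is a constructed sample made of the first and the last blocks copied from above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the winterbasket.net and mountainlanguage.net requests
# copied from the Raw Pcap section, in the sandbox's
# "0xOFFSET (decimal)   hex groups   ascii" layout.
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e7465 72626173 6b65742e 6e65740d   interbasket.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e6c 616e6775 6167652e   ountainlanguage.
0x00000050 (00080)   6e65740d 0a0d0a                       net....
"""

# hex offset, decimal offset in parentheses, hex groups separated by single
# spaces, then (optionally) two or more spaces and the ASCII column.
DUMP_LINE = re.compile(
    r"^0x[0-9a-fA-F]+\s+\((\d+)\)\s+([0-9a-fA-F][0-9a-fA-F ]*?)(?:\s{2,}.*)?$")


def dump_to_bytes(block):
    """Reassemble one hexdump block into bytes; the decimal offset of every
    line must equal the number of bytes decoded before it."""
    out = bytearray()
    for line in block.splitlines():
        if not line.strip():
            continue
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        offset, hexpart = int(m.group(1)), m.group(2).replace(" ", "")
        if offset != len(out):
            raise ValueError(f"line claims offset {offset}, {len(out)} bytes decoded")
        out += bytes.fromhex(hexpart)
    return bytes(out)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict      # lower-cased header name -> value
    body: bytes


def parse_http_request(raw):
    """Minimal request parser: request line, headers, anything after the
    blank line is returned as the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for header in lines[1:]:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


def parse_dump_blocks(text):
    """Split a Raw Pcap section on blank lines and parse each block."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [parse_http_request(dump_to_bytes(b)) for b in blocks]


def beacon_indicators(req):
    """Traits of this sample's check-in that a proxy or IDS rule can key on."""
    return {
        "http_1_0": req.version == "HTTP/1.0",
        "no_user_agent": "user-agent" not in req.headers,
        "index_php": req.target == "/index.php",
        "connection_close": req.headers.get("connection", "").lower() == "close",
        "accept_any": req.headers.get("accept") == "*/*",
    }


if __name__ == "__main__":
    for req in parse_dump_blocks(SAMPLE_DUMP):
        flags = beacon_indicators(req)
        print(req.headers["host"], sum(flags.values()), "of", len(flags), flags)
```

Both sample requests trip all five indicators. Any single one of them is common in benign traffic (HTTP/1.0 from old proxies, missing User-Agent from scripts), which is why the function returns them separately: a rule should require the combination, and ideally the two-word .net Host as well.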


Strings