Analysis Date: 2016-04-22 02:05:04
MD5: 66b9640c84d2c947e2b68c965212e174
SHA1: 3977b007ed484219b6c197a81a04005493ec23c2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: eb33c24d6e02d47393abb27075f3f8c7 sha1: 8463e36c6b3577a14eb811c3e5098f01a1f75eb2 size: 218624
Section .rdata md5: 4216cb38fecb57580a09b6386ea11267 sha1: cd8cf645f44a1dccc5fc27c12815be6154b29d0a size: 17408
Section .data  md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc md5: 3974f946fd2287e6503e11d049d2ed15 sha1: 15af147ac4214efd77af8f0b881c1a7a93faec67 size: 40448
Timestamp: 2016-01-03 14:23:48
PEhash: f2b7177fefdecb45cbfa00f748ed4d351a33c11b
IMPhash: 1fc52f3eed0c4aa63360328a45fd0269
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV F-Secure: Gen:Variant.Razy.11545
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV BullGuard: Gen:Variant.Razy.11545
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.11545
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/BayRob.D.gen!Eldorado
AV Authentium: W32/BayRob.D.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV K7: Trojan ( 004db0c61 )
AV BitDefender: Gen:Variant.Razy.11545
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): No Virus
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Win32:Malware-gen
AV Alwil (avast): Malware-gen
AV Ad-Aware: Gen:Variant.Razy.11545
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.Xpack.ewqe
AV Mcafee: Trojan-FHOH!66B9640C84D2

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates File: C:\gylgivyolij\qkibwqjto
Creates File: C:\gylgivyolij\im1lbdvmyasnio6d.exe
Deletes File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates Process: C:\gylgivyolij\im1lbdvmyasnio6d.exe

Process
↳ C:\gylgivyolij\im1lbdvmyasnio6d.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CardSpace Print Tunneling Presentation ➝ C:\gylgivyolij\lluhmcvtce.exe
Creates File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates File: C:\gylgivyolij\lluhmcvtce.exe
Creates File: PIPE\lsarpc
Creates File: C:\gylgivyolij\qkibwqjto
Creates File: C:\gylgivyolij\vjlzvzysen
Deletes File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates Process: C:\gylgivyolij\lluhmcvtce.exe
Creates Service: Service DCOM Bus BitLocker Remote Transfer - C:\gylgivyolij\lluhmcvtce.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1168

Process
↳ C:\gylgivyolij\lluhmcvtce.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates File: C:\gylgivyolij\rpsgpbsiuhv.exe
Creates File: C:\gylgivyolij\qkibwqjto
Creates File: \Device\Afd\Endpoint
Creates File: C:\gylgivyolij\ozsgvjowlal6
Creates File: C:\gylgivyolij\vjlzvzysen
Deletes File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates Process: g2fpzuz3r9ic "c:\gylgivyolij\lluhmcvtce.exe"

Process
↳ C:\gylgivyolij\lluhmcvtce.exe

Creates File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates File: C:\gylgivyolij\qkibwqjto
Deletes File: C:\WINDOWS\gylgivyolij\qkibwqjto

Process
↳ g2fpzuz3r9ic "c:\gylgivyolij\lluhmcvtce.exe"

Creates File: C:\WINDOWS\gylgivyolij\qkibwqjto
Creates File: C:\gylgivyolij\qkibwqjto
Deletes File: C:\WINDOWS\gylgivyolij\qkibwqjto

Network Details:


Raw Pcap

Strings