Analysis Date: 2016-02-03 01:01:17
MD5: 25969efdb4b43c319d552830dfeec532
SHA1: 3a042be54f203bbfdf8179c1be9a5a6241040004

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 51612964a79d1c575b82ee289ce1528c sha1: c34ca1715d984ad59cc4d2ef493cf52132f7f837 size: 536064
Section .rdata: md5: 6ac2196f9c32a0e552c190900400c058 sha1: b8bfb0ec6b442af5b6359fa077ec5c87767832d0 size: 26112
Section .data: md5: 873cec06e7d1fd66e34a320b349d50dd sha1: bfbcb6cc8eafafe90348cd4bfd4998aee5689126 size: 20480
Section .reloc: md5: 38fd90b0b1568956c450d8dcebe7b836 sha1: 0f79a4ae3416e04505cbda0f1bd5507834598764 size: 39936
Timestamp: 2014-11-17 22:56:29
Packer: Microsoft Visual C++ 8
PEhash: 83c9d27f2b192a868d50dee5464ce51fdfab2b87
IMPhash: 5d9cb7d22b332c480588f301d23e9e4e
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!25969EFDB4B4
AV Avira (antivir): TR/Taranis.2114
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.AGIP
AV Symantec: Trojan.Gen
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: Trojan.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: C:\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: C:\gewzmlfrnozpebt\c31lnyheeollfmn.exe
Deletes File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates Process: C:\gewzmlfrnozpebt\c31lnyheeollfmn.exe

Process
↳ C:\gewzmlfrnozpebt\c31lnyheeollfmn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Auto BitLocker Audio TP Program ➝ C:\gewzmlfrnozpebt\iwebqbvl.exe
Creates File: C:\gewzmlfrnozpebt\l3fdcbujy
Creates File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: C:\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: C:\gewzmlfrnozpebt\iwebqbvl.exe
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates Process: C:\gewzmlfrnozpebt\iwebqbvl.exe
Creates Service: SSDP Thread Audio Driver Bluetooth Internet - C:\gewzmlfrnozpebt\iwebqbvl.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1172

Process
↳ C:\gewzmlfrnozpebt\iwebqbvl.exe

Creates File: C:\gewzmlfrnozpebt\l3fdcbujy
Creates File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: pipe\net\NtControlPipe10
Creates File: C:\gewzmlfrnozpebt\tddlbvomitrc.exe
Creates File: C:\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: \Device\Afd\Endpoint
Creates File: C:\gewzmlfrnozpebt\ahgubjqyxpwl
Deletes File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates Process: r16fnngcp3oh "c:\gewzmlfrnozpebt\iwebqbvl.exe"

Process
↳ C:\gewzmlfrnozpebt\iwebqbvl.exe

Creates File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: C:\gewzmlfrnozpebt\nqrwyb1w4y
Deletes File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y

Process
↳ r16fnngcp3oh "c:\gewzmlfrnozpebt\iwebqbvl.exe"

Creates File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y
Creates File: C:\gewzmlfrnozpebt\nqrwyb1w4y
Deletes File: C:\WINDOWS\gewzmlfrnozpebt\nqrwyb1w4y

Network Details:

DNS: membersystem.net (Type: A) ➝ 85.13.128.193
DNS: followtrust.net (Type: A) ➝ 68.178.232.100
DNS: crowdneither.net (Type: A) ➝ 195.22.28.198
DNS: crowdneither.net (Type: A) ➝ 195.22.28.199
DNS: crowdneither.net (Type: A) ➝ 195.22.28.196
DNS: crowdneither.net (Type: A) ➝ 195.22.28.197
DNS: thoughtsystem.net (Type: A) ➝ 213.171.195.105
DNS: watersystem.net (Type: A) ➝ 199.59.243.120
DNS: watertrust.net (Type: A) ➝ 208.91.197.27
DNS: smokesystem.net (Type: A) ➝ 208.100.26.234
DNS: smoketrust.net (Type: A) ➝ 98.139.135.129
DNS: partysystem.net (Type: A) ➝ 82.165.73.79
DNS: crowdfriend.net (Type: A) ➝ 50.63.202.48
DNS: waterfriend.net (Type: A) ➝ 69.64.147.242
DNS: partyfriend.net (Type: A) ➝ 89.31.143.16
DNS: freshfuture.net (Type: A) ➝ 66.39.68.24
DNS: gentlemanearly.net (Type: A) ➝ 208.100.26.234
DNS: gentlemanhonor.net (Type: A)
DNS: alreadyhonor.net (Type: A)
DNS: gentlemanneither.net (Type: A)
DNS: alreadyneither.net (Type: A)
DNS: gentlemansystem.net (Type: A)
DNS: alreadysystem.net (Type: A)
DNS: gentlemantrust.net (Type: A)
DNS: alreadytrust.net (Type: A)
DNS: followhonor.net (Type: A)
DNS: memberhonor.net (Type: A)
DNS: followneither.net (Type: A)
DNS: memberneither.net (Type: A)
DNS: followsystem.net (Type: A)
DNS: membertrust.net (Type: A)
DNS: beginhonor.net (Type: A)
DNS: knownhonor.net (Type: A)
DNS: beginneither.net (Type: A)
DNS: knownneither.net (Type: A)
DNS: beginsystem.net (Type: A)
DNS: knownsystem.net (Type: A)
DNS: begintrust.net (Type: A)
DNS: knowntrust.net (Type: A)
DNS: summerhonor.net (Type: A)
DNS: crowdhonor.net (Type: A)
DNS: summerneither.net (Type: A)
DNS: summersystem.net (Type: A)
DNS: crowdsystem.net (Type: A)
DNS: summertrust.net (Type: A)
DNS: crowdtrust.net (Type: A)
DNS: thoughthonor.net (Type: A)
DNS: waterhonor.net (Type: A)
DNS: thoughtneither.net (Type: A)
DNS: waterneither.net (Type: A)
DNS: thoughttrust.net (Type: A)
DNS: womanhonor.net (Type: A)
DNS: smokehonor.net (Type: A)
DNS: womanneither.net (Type: A)
DNS: smokeneither.net (Type: A)
DNS: womansystem.net (Type: A)
DNS: womantrust.net (Type: A)
DNS: partyhonor.net (Type: A)
DNS: fighthonor.net (Type: A)
DNS: partyneither.net (Type: A)
DNS: fightneither.net (Type: A)
DNS: fightsystem.net (Type: A)
DNS: partytrust.net (Type: A)
DNS: fighttrust.net (Type: A)
DNS: freshlaughter.net (Type: A)
DNS: experiencelaughter.net (Type: A)
DNS: freshfancy.net (Type: A)
DNS: experiencefancy.net (Type: A)
DNS: freshconsider.net (Type: A)
DNS: experienceconsider.net (Type: A)
DNS: freshfriend.net (Type: A)
DNS: experiencefriend.net (Type: A)
DNS: gentlemanlaughter.net (Type: A)
DNS: alreadylaughter.net (Type: A)
DNS: gentlemanfancy.net (Type: A)
DNS: alreadyfancy.net (Type: A)
DNS: gentlemanconsider.net (Type: A)
DNS: alreadyconsider.net (Type: A)
DNS: gentlemanfriend.net (Type: A)
DNS: alreadyfriend.net (Type: A)
DNS: followlaughter.net (Type: A)
DNS: memberlaughter.net (Type: A)
DNS: followfancy.net (Type: A)
DNS: memberfancy.net (Type: A)
DNS: followconsider.net (Type: A)
DNS: memberconsider.net (Type: A)
DNS: followfriend.net (Type: A)
DNS: memberfriend.net (Type: A)
DNS: beginlaughter.net (Type: A)
DNS: knownlaughter.net (Type: A)
DNS: beginfancy.net (Type: A)
DNS: knownfancy.net (Type: A)
DNS: beginconsider.net (Type: A)
DNS: knownconsider.net (Type: A)
DNS: beginfriend.net (Type: A)
DNS: knownfriend.net (Type: A)
DNS: summerlaughter.net (Type: A)
DNS: crowdlaughter.net (Type: A)
DNS: summerfancy.net (Type: A)
DNS: crowdfancy.net (Type: A)
DNS: summerconsider.net (Type: A)
DNS: crowdconsider.net (Type: A)
DNS: summerfriend.net (Type: A)
DNS: thoughtlaughter.net (Type: A)
DNS: waterlaughter.net (Type: A)
DNS: thoughtfancy.net (Type: A)
DNS: waterfancy.net (Type: A)
DNS: thoughtconsider.net (Type: A)
DNS: waterconsider.net (Type: A)
DNS: thoughtfriend.net (Type: A)
DNS: womanlaughter.net (Type: A)
DNS: smokelaughter.net (Type: A)
DNS: womanfancy.net (Type: A)
DNS: smokefancy.net (Type: A)
DNS: womanconsider.net (Type: A)
DNS: smokeconsider.net (Type: A)
DNS: womanfriend.net (Type: A)
DNS: smokefriend.net (Type: A)
DNS: partylaughter.net (Type: A)
DNS: fightlaughter.net (Type: A)
DNS: partyfancy.net (Type: A)
DNS: fightfancy.net (Type: A)
DNS: partyconsider.net (Type: A)
DNS: fightconsider.net (Type: A)
DNS: fightfriend.net (Type: A)
DNS: freshsmell.net (Type: A)
DNS: experiencesmell.net (Type: A)
DNS: freshearly.net (Type: A)
DNS: experienceearly.net (Type: A)
DNS: freshsafety.net (Type: A)
DNS: experiencesafety.net (Type: A)
DNS: experiencefuture.net (Type: A)
DNS: gentlemansmell.net (Type: A)
DNS: alreadysmell.net (Type: A)
DNS: alreadyearly.net (Type: A)
DNS: gentlemansafety.net (Type: A)
DNS: alreadysafety.net (Type: A)
DNS: gentlemanfuture.net (Type: A)
DNS: alreadyfuture.net (Type: A)
DNS: followsmell.net (Type: A)
DNS: membersmell.net (Type: A)
DNS: followearly.net (Type: A)
DNS: memberearly.net (Type: A)
DNS: followsafety.net (Type: A)
DNS: membersafety.net (Type: A)
DNS: followfuture.net (Type: A)
DNS: memberfuture.net (Type: A)
DNS: beginsmell.net (Type: A)
DNS: knownsmell.net (Type: A)
DNS: beginearly.net (Type: A)
HTTP GET: http://membersystem.net/index.php (User-Agent: empty)
HTTP GET: http://followtrust.net/index.php (User-Agent: empty)
HTTP GET: http://crowdneither.net/index.php (User-Agent: empty)
HTTP GET: http://thoughtsystem.net/index.php (User-Agent: empty)
HTTP GET: http://watersystem.net/index.php (User-Agent: empty)
HTTP GET: http://watertrust.net/index.php (User-Agent: empty)
HTTP GET: http://smokesystem.net/index.php (User-Agent: empty)
HTTP GET: http://smoketrust.net/index.php (User-Agent: empty)
HTTP GET: http://partysystem.net/index.php (User-Agent: empty)
HTTP GET: http://crowdfriend.net/index.php (User-Agent: empty)
HTTP GET: http://waterfriend.net/index.php (User-Agent: empty)
HTTP GET: http://partyfriend.net/index.php (User-Agent: empty)
HTTP GET: http://freshfuture.net/index.php (User-Agent: empty)
HTTP GET: http://gentlemanearly.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 85.13.128.193:80
Flows TCP: 192.168.1.1:1032 ➝ 68.178.232.100:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1034 ➝ 213.171.195.105:80
Flows TCP: 192.168.1.1:1035 ➝ 199.59.243.120:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 82.165.73.79:80
Flows TCP: 192.168.1.1:1040 ➝ 50.63.202.48:80
Flows TCP: 192.168.1.1:1041 ➝ 69.64.147.242:80
Flows TCP: 192.168.1.1:1042 ➝ 89.31.143.16:80
Flows TCP: 192.168.1.1:1043 ➝ 66.39.68.24:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
