Analysis | #totalhash

Analysis Date	2016-04-23 04:25:34
MD5	ef92295f915489b7e0d91451959e0cde
SHA1	3a19576f748a9245799b99eff41c03eeb1802523

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 918e234cfddd66d1b64bcba0219276c2 sha1: 0eb7a54da9618b047913fe686c1a4dfcf874237b size: 184832
Section	.rdata md5: 044ff0e0d59b21ee24714689039a8c14 sha1: 5ced617ca6cb18bcababdc9cb9371ff4ab306549 size: 2560
Section	.data md5: 6db872b78baea0df36f0f7983bb9f7a4 sha1: 034e5606b61d3acb3a154b149051a753089df57b size: 14848
Section	.reloc md5: 83deaab6fe045e8c2b33c159fe57e52a sha1: c6e2bc9fc6f3b29f8ce69d390b65f0822ad107a5 size: 30720
Timestamp	2014-06-06 14:52:34
PEhash	073ec297f7829d6e6c79c47989ba15b75cd504a1
IMPhash	909ebcd6d25304ebeb783b183ab28a8e
AV	CA (E-Trust Ino)	Gen:Variant.Razy.15460
AV	Rising	No Virus
AV	Mcafee	Trojan-FHQT!EF92295F9154
AV	Avira (antivir)	TR/Nivdort.evwn
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Razy.15460
AV	Alwil (avast)	Evo-gen [Susp]
AV	Eset (nod32)	Win32/Bayrob.BA
AV	Grisoft (avg)	No Virus
AV	Symantec	Trojan.Bayrob!gen6
AV	Fortinet	W32/Bayrob.AQ!tr
AV	BitDefender	Gen:Variant.Razy.15460
AV	K7	Trojan ( 004dc2a31 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.DE
AV	MicroWorld (escan)	Gen:Variant.Razy.15460
AV	MalwareBytes	No Virus
AV	Authentium	W32/Nivdort.G.gen!Eldorado
AV	Frisk (f-prot)	W32/Nivdort.G.gen!Eldorado
AV	Ikarus	Trojan.Win32.Bayrob
AV	Emsisoft	Gen:Variant.Razy.15460
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	No Virus
AV	CAT (quickheal)	TrojanSpy.Nivdort.WR4
AV	VirusBlokAda (vba32)	No Virus
AV	BullGuard	Gen:Variant.Razy.15460
AV	Arcabit (arcavir)	Gen:Variant.Razy.15460
AV	ClamAV	No Virus
AV	Dr. Web	No Virus
AV	F-Secure	Gen:Variant.Razy.15460

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\btfxqhfbymvhp\md1m1eedsfmevczqb.exe
Creates File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates File	C:\btfxqhfbymvhp\onhz7olier
Deletes File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates Process	C:\btfxqhfbymvhp\md1m1eedsfmevczqb.exe

Process
↳ C:\btfxqhfbymvhp\md1m1eedsfmevczqb.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NGEN Isolation SNMP PNRP Removal ➝ C:\btfxqhfbymvhp\xlmbyinrlzi.exe
Creates File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates File	C:\btfxqhfbymvhp\xlmbyinrlzi.exe
Creates File	PIPE\lsarpc
Creates File	C:\btfxqhfbymvhp\onhz7olier
Creates File	C:\btfxqhfbymvhp\axqcnfyspdc
Deletes File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates Process	C:\btfxqhfbymvhp\xlmbyinrlzi.exe
Creates Service	Gateway Foundation Routing - C:\btfxqhfbymvhp\xlmbyinrlzi.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	pipe\PCHFaultRepExecPipe

Process
↳ Pid 1128

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1872

Process
↳ Pid 1148

Process
↳ C:\btfxqhfbymvhp\xlmbyinrlzi.exe

Creates File	C:\btfxqhfbymvhp\dolcom
Creates File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates File	pipe\net\NtControlPipe10
Creates File	C:\btfxqhfbymvhp\onhz7olier
Creates File	\Device\Afd\Endpoint
Creates File	C:\btfxqhfbymvhp\ofvfkgkpg.exe
Creates File	C:\btfxqhfbymvhp\axqcnfyspdc
Deletes File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates Process	fj1tuzfosuzw "c:\btfxqhfbymvhp\xlmbyinrlzi.exe"

Process
↳ C:\btfxqhfbymvhp\xlmbyinrlzi.exe

Creates File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates File	C:\btfxqhfbymvhp\onhz7olier
Deletes File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier

Process
↳ fj1tuzfosuzw "c:\btfxqhfbymvhp\xlmbyinrlzi.exe"

Creates File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier
Creates File	C:\btfxqhfbymvhp\onhz7olier
Deletes File	C:\WINDOWS\btfxqhfbymvhp\onhz7olier

Network Details:

DNS	nightstation.net Type: A 69.163.152.49
DNS	electricstation.net Type: A 50.63.202.37
DNS	tradestation.net Type: A 65.211.211.21
DNS	breadstation.net Type: A 208.100.26.234
DNS	breadchildhood.net Type: A 195.22.28.196
DNS	breadchildhood.net Type: A 195.22.28.197
DNS	breadchildhood.net Type: A 195.22.28.199
DNS	breadchildhood.net Type: A 195.22.28.198
DNS	nightspace.net Type: A 91.250.101.43
DNS	largespace.net Type: A 62.22.102.59
DNS	captainspace.net Type: A 208.100.26.234
DNS	captaintravel.net Type: A 184.168.221.96
DNS	recordspace.net Type: A 122.9.227.77
DNS	streetspace.net Type: A 208.91.197.132
DNS	tradespace.net Type: A 207.148.248.143
DNS	streettravel.net Type: A 104.27.131.181
DNS	streettravel.net Type: A 104.27.130.181
DNS	betterspace.net Type: A 208.73.211.183
DNS	betterspace.net Type: A 208.73.211.192
DNS	betterspace.net Type: A 208.73.211.179
DNS	betterspace.net Type: A 208.73.211.195
DNS	gatherspace.net Type: A 216.157.91.112
DNS	bettertravel.net Type: A 207.148.248.143
DNS	breadspace.net Type: A 5.2.189.251
DNS	thinkbeyond.net Type: A 207.148.248.143
DNS	presentbeing.net Type: A 69.16.192.64
DNS	thinkbottom.net Type: A 208.100.26.234
DNS	chiefbeyond.net Type: A 195.22.28.196
DNS	chiefbeyond.net Type: A 195.22.28.198
DNS	chiefbeyond.net Type: A 195.22.28.199
DNS	chiefbeyond.net Type: A 195.22.28.197
DNS	twelveforever.net Type: A 157.166.173.157
DNS	ratherforever.net Type: A 208.100.26.234
DNS	seasondemand.net Type: A
DNS	quietshout.net Type: A
DNS	seasonshout.net Type: A
DNS	againststation.net Type: A
DNS	doubtstation.net Type: A
DNS	againstthird.net Type: A
DNS	doubtthird.net Type: A
DNS	againstobject.net Type: A
DNS	doubtobject.net Type: A
DNS	againstchildhood.net Type: A
DNS	doubtchildhood.net Type: A
DNS	decidestation.net Type: A
DNS	nightthird.net Type: A
DNS	decidethird.net Type: A
DNS	nightobject.net Type: A
DNS	decideobject.net Type: A
DNS	nightchildhood.net Type: A
DNS	decidechildhood.net Type: A
DNS	largestation.net Type: A
DNS	captainstation.net Type: A
DNS	largethird.net Type: A
DNS	captainthird.net Type: A
DNS	largeobject.net Type: A
DNS	captainobject.net Type: A
DNS	largechildhood.net Type: A
DNS	captainchildhood.net Type: A
DNS	recordstation.net Type: A
DNS	recordthird.net Type: A
DNS	electricthird.net Type: A
DNS	recordobject.net Type: A
DNS	electricobject.net Type: A
DNS	recordchildhood.net Type: A
DNS	electricchildhood.net Type: A
DNS	streetstation.net Type: A
DNS	streetthird.net Type: A
DNS	tradethird.net Type: A
DNS	streetobject.net Type: A
DNS	tradeobject.net Type: A
DNS	streetchildhood.net Type: A
DNS	tradechildhood.net Type: A
DNS	betterstation.net Type: A
DNS	gatherstation.net Type: A
DNS	betterthird.net Type: A
DNS	gatherthird.net Type: A
DNS	betterobject.net Type: A
DNS	gatherobject.net Type: A
DNS	betterchildhood.net Type: A
DNS	gatherchildhood.net Type: A
DNS	flierstation.net Type: A
DNS	flierthird.net Type: A
DNS	breadthird.net Type: A
DNS	flierobject.net Type: A
DNS	breadobject.net Type: A
DNS	flierchildhood.net Type: A
DNS	quietstation.net Type: A
DNS	seasonstation.net Type: A
DNS	quietthird.net Type: A
DNS	seasonthird.net Type: A
DNS	quietobject.net Type: A
DNS	seasonobject.net Type: A
DNS	quietchildhood.net Type: A
DNS	seasonchildhood.net Type: A
DNS	againstspace.net Type: A
DNS	doubtspace.net Type: A
DNS	againsttravel.net Type: A
DNS	doubttravel.net Type: A
DNS	againstyellow.net Type: A
DNS	doubtyellow.net Type: A
DNS	againstclose.net Type: A
DNS	doubtclose.net Type: A
DNS	decidespace.net Type: A
DNS	nighttravel.net Type: A
DNS	decidetravel.net Type: A
DNS	nightyellow.net Type: A
DNS	decideyellow.net Type: A
DNS	nightclose.net Type: A
DNS	decideclose.net Type: A
DNS	largetravel.net Type: A
DNS	largeyellow.net Type: A
DNS	captainyellow.net Type: A
DNS	largeclose.net Type: A
DNS	captainclose.net Type: A
DNS	electricspace.net Type: A
DNS	recordtravel.net Type: A
DNS	electrictravel.net Type: A
DNS	recordyellow.net Type: A
DNS	electricyellow.net Type: A
DNS	recordclose.net Type: A
DNS	electricclose.net Type: A
DNS	tradetravel.net Type: A
DNS	streetyellow.net Type: A
DNS	tradeyellow.net Type: A
DNS	streetclose.net Type: A
DNS	tradeclose.net Type: A
DNS	gathertravel.net Type: A
DNS	betteryellow.net Type: A
DNS	gatheryellow.net Type: A
DNS	betterclose.net Type: A
DNS	gatherclose.net Type: A
DNS	flierspace.net Type: A
DNS	fliertravel.net Type: A
DNS	breadtravel.net Type: A
DNS	flieryellow.net Type: A
DNS	breadyellow.net Type: A
DNS	flierclose.net Type: A
DNS	breadclose.net Type: A
DNS	quietspace.net Type: A
DNS	seasonspace.net Type: A
DNS	quiettravel.net Type: A
DNS	seasontravel.net Type: A
DNS	quietyellow.net Type: A
DNS	seasonyellow.net Type: A
DNS	quietclose.net Type: A
DNS	seasonclose.net Type: A
DNS	presentbeyond.net Type: A
DNS	thinkbeing.net Type: A
DNS	thinkforever.net Type: A
DNS	presentforever.net Type: A
DNS	presentbottom.net Type: A
DNS	collegebeyond.net Type: A
DNS	chiefbeing.net Type: A
DNS	collegebeing.net Type: A
DNS	chiefforever.net Type: A
DNS	collegeforever.net Type: A
DNS	chiefbottom.net Type: A
DNS	collegebottom.net Type: A
DNS	oftenbeyond.net Type: A
DNS	alonebeyond.net Type: A
DNS	oftenbeing.net Type: A
DNS	alonebeing.net Type: A
DNS	oftenforever.net Type: A
DNS	aloneforever.net Type: A
DNS	oftenbottom.net Type: A
DNS	alonebottom.net Type: A
DNS	middlebeyond.net Type: A
DNS	twelvebeyond.net Type: A
DNS	middlebeing.net Type: A
DNS	twelvebeing.net Type: A
DNS	middleforever.net Type: A
DNS	middlebottom.net Type: A
DNS	twelvebottom.net Type: A
DNS	ratherbeyond.net Type: A
DNS	morningbeyond.net Type: A
DNS	ratherbeing.net Type: A
DNS	morningbeing.net Type: A
DNS	morningforever.net Type: A
DNS	ratherbottom.net Type: A
HTTP GET	http://nightstation.net/index.php User-Agent:
HTTP GET	http://electricstation.net/index.php User-Agent:
HTTP GET	http://tradestation.net/index.php User-Agent:
HTTP GET	http://breadstation.net/index.php User-Agent:
HTTP GET	http://breadchildhood.net/index.php User-Agent:
HTTP GET	http://nightspace.net/index.php User-Agent:
HTTP GET	http://largespace.net/index.php User-Agent:
HTTP GET	http://captainspace.net/index.php User-Agent:
HTTP GET	http://captaintravel.net/index.php User-Agent:
HTTP GET	http://recordspace.net/index.php User-Agent:
HTTP GET	http://streetspace.net/index.php User-Agent:
HTTP GET	http://tradespace.net/index.php User-Agent:
HTTP GET	http://streettravel.net/index.php User-Agent:
HTTP GET	http://betterspace.net/index.php User-Agent:
HTTP GET	http://gatherspace.net/index.php User-Agent:
HTTP GET	http://bettertravel.net/index.php User-Agent:
HTTP GET	http://breadspace.net/index.php User-Agent:
HTTP GET	http://thinkbeyond.net/index.php User-Agent:
HTTP GET	http://presentbeing.net/index.php User-Agent:
HTTP GET	http://thinkbottom.net/index.php User-Agent:
HTTP GET	http://chiefbeyond.net/index.php User-Agent:
HTTP GET	http://twelveforever.net/index.php User-Agent:
HTTP GET	http://ratherforever.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 69.163.152.49:80
Flows TCP	192.168.1.1:1032 ➝ 50.63.202.37:80
Flows TCP	192.168.1.1:1033 ➝ 65.211.211.21:80
Flows TCP	192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1035 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1036 ➝ 91.250.101.43:80
Flows TCP	192.168.1.1:1037 ➝ 62.22.102.59:80
Flows TCP	192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1039 ➝ 184.168.221.96:80
Flows TCP	192.168.1.1:1040 ➝ 122.9.227.77:80
Flows TCP	192.168.1.1:1041 ➝ 208.91.197.132:80
Flows TCP	192.168.1.1:1042 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1043 ➝ 104.27.131.181:80
Flows TCP	192.168.1.1:1044 ➝ 208.73.211.183:80
Flows TCP	192.168.1.1:1045 ➝ 216.157.91.112:80
Flows TCP	192.168.1.1:1046 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1047 ➝ 5.2.189.251:80
Flows TCP	192.168.1.1:1048 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1049 ➝ 69.16.192.64:80
Flows TCP	192.168.1.1:1050 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1051 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1052 ➝ 157.166.173.157:80
Flows TCP	192.168.1.1:1053 ➝ 208.100.26.234:80

Raw Pcap

Strings