Field | Value
---|---
Analysis Date | 2015-08-13 04:06:11
MD5 | e20282620b6697a1306eddeb329b1b5c
SHA1 | 3a890e2d6e92e19464a8fb3018ca93ff6bc83c13
Static Details:
Field | Value
---|---
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Timestamp | 2015-05-11 07:02:07
Packer | Microsoft Visual C++ 8 (compiler signature)
PEhash | 88685983267e864d3c6c6e17a2c77e7d2d9ca21d
IMPhash | 2af1e62de3632aa0eb070ae38a3599e0

Section | MD5 | SHA1 | Size (bytes)
---|---|---|---
.text | 9b0c279618144bc6d0d0c149b9dc087b | 79015e3a5fc19cd5c56dbfff0667968b39c9383f | 314880
.rdata | e4ba21880eb05288536ffb19d5533fab | 3e63ad6487f1ba2c2cd310dbf2c047e7be3e89f4 | 59392
.data | 0dc39820e00a58425adb9e032ab7c796 | 8ee9e4098f8f2b1105cb752c1ab26df4cd610ed9 | 7680
.reloc | d8531df5f1e3b5e66a5c98e5418ceffc | 2de07e9f9523df9b667452d0163f30b33818a208 | 25600

AV vendor | Verdict
---|---
Rising | Trojan.Win32.Bayrod.b
CA (E-Trust Ino) | no_virus
F-Secure | Gen:Variant.Kazy.611009
Dr. Web | Trojan.Bayrob.1
ClamAV | no_virus
Arcabit (arcavir) | Gen:Variant.Kazy.611009
BullGuard | Gen:Variant.Kazy.611009
Padvish | no_virus
VirusBlokAda (vba32) | no_virus
CAT (quickheal) | TrojanSpy.Nivdort.OD4
Trend Micro | TROJ_BAYROB.SM0
Kaspersky | Trojan.Win32.Generic
Zillya! | no_virus
Emsisoft | Gen:Variant.Kazy.611009
Ikarus | Trojan.Win32.Bayrob
Frisk (f-prot) | no_virus
Authentium | W32/Nivdort.B.gen!Eldorado
MalwareBytes | Trojan.Agent.KVTGen
MicroWorld (escan) | Gen:Variant.Kazy.611009
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AL
K7 | Trojan ( 004c3a4d1 )
BitDefender | Gen:Variant.Kazy.611009
Fortinet | W32/Bayrob.T!tr
Symantec | Downloader.Upatre!g15
Grisoft (avg) | Win32/Cryptor
Eset (nod32) | Win32/Bayrob.W
Alwil (avast) | Malware-gen:Win32:Malware-gen
Ad-Aware | Gen:Variant.Kazy.611009
Twister | no_virus
Avira (antivir) | TR/Spy.ZBot.xbbeomq
Mcafee | PWS-FCCE!E20282620B66
Runtime Details:
Process
↳ C:\malware.exe

Action | Target
---|---
Creates File | C:\WINDOWS\nppogskm\cpjrozygvsl
Creates File | C:\nppogskm\te1ks9xdeewqkvbavf.exe
Creates File | C:\nppogskm\cpjrozygvsl
Deletes File | C:\WINDOWS\nppogskm\cpjrozygvsl
Creates Process | C:\nppogskm\te1ks9xdeewqkvbavf.exe

Process
↳ C:\nppogskm\te1ks9xdeewqkvbavf.exe

Action | Target
---|---
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Support Compatibility Portable Connections ➝ C:\nppogskm\zonqbtkbhvcm.exe
Creates File | C:\WINDOWS\nppogskm\cpjrozygvsl
Creates File | C:\nppogskm\zonqbtkbhvcm.exe
Creates File | PIPE\lsarpc
Creates File | C:\nppogskm\dszytvuhuto
Creates File | C:\nppogskm\cpjrozygvsl
Deletes File | C:\WINDOWS\nppogskm\cpjrozygvsl
Creates Process | C:\nppogskm\zonqbtkbhvcm.exe
Creates Service | Registry Framework DLL Auto Tablet Alerts - C:\nppogskm\zonqbtkbhvcm.exe
Process
↳ Pid 804
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe

Action | Target
---|---
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Process
↳ Pid 1116
Process
↳ Pid 1212
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1868
Process
↳ Pid 1148
Process
↳ C:\nppogskm\zonqbtkbhvcm.exe
Creates File | C:\WINDOWS\nppogskm\cpjrozygvsl |
---|---|
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\nppogskm\dqrsxax.exe |
Creates File | C:\nppogskm\ut2inul |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\nppogskm\dszytvuhuto |
Creates File | C:\nppogskm\cpjrozygvsl |
Deletes File | C:\WINDOWS\nppogskm\cpjrozygvsl |
Creates Process | qmsqao3mkn43 "c:\nppogskm\zonqbtkbhvcm.exe" |
Process
↳ C:\nppogskm\zonqbtkbhvcm.exe
Creates File | C:\WINDOWS\nppogskm\cpjrozygvsl |
---|---|
Creates File | C:\nppogskm\cpjrozygvsl |
Deletes File | C:\WINDOWS\nppogskm\cpjrozygvsl |
Process
↳ qmsqao3mkn43 "c:\nppogskm\zonqbtkbhvcm.exe"
Creates File | C:\WINDOWS\nppogskm\cpjrozygvsl |
---|---|
Creates File | C:\nppogskm\cpjrozygvsl |
Deletes File | C:\WINDOWS\nppogskm\cpjrozygvsl |
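The process tree above records the parts a responder actually needs on a suspect host: a Run value under HKLM, a service whose binary sits in C:\nppogskm, and the chain of copies the sample launches. The script below is an added example, not code from the original report or from the sandbox that produced it. It parses rows in the "Action | Target" layout shown above (a subset of those rows is embedded as constructed sample input, each prefixed with the process that generated it) and turns them into a checklist of indicators. The row layout and the regexes for the Run-key and service strings are assumptions about this report format.

```python
"""Pull actionable host indicators out of a sandbox process tree.

Added example, not part of the original report. The row layout
("<process> | <action> | <target>") and the patterns for Run-key and
service entries are assumptions about this report format.
"""
import re

# Constructed sample: rows copied from the process tree above, each one
# prefixed with the process that produced it.
SAMPLE_EVENTS = r"""
C:\malware.exe | Creates File | C:\WINDOWS\nppogskm\cpjrozygvsl
C:\malware.exe | Creates File | C:\nppogskm\te1ks9xdeewqkvbavf.exe
C:\malware.exe | Creates Process | C:\nppogskm\te1ks9xdeewqkvbavf.exe
C:\nppogskm\te1ks9xdeewqkvbavf.exe | Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Support Compatibility Portable Connections ➝ C:\nppogskm\zonqbtkbhvcm.exe
C:\nppogskm\te1ks9xdeewqkvbavf.exe | Creates File | C:\nppogskm\zonqbtkbhvcm.exe
C:\nppogskm\te1ks9xdeewqkvbavf.exe | Creates Process | C:\nppogskm\zonqbtkbhvcm.exe
C:\nppogskm\te1ks9xdeewqkvbavf.exe | Creates Service | Registry Framework DLL Auto Tablet Alerts - C:\nppogskm\zonqbtkbhvcm.exe
C:\nppogskm\zonqbtkbhvcm.exe | Creates File | C:\nppogskm\dqrsxax.exe
C:\nppogskm\zonqbtkbhvcm.exe | Creates File | \Device\Afd\Endpoint
C:\nppogskm\zonqbtkbhvcm.exe | Creates Process | qmsqao3mkn43 "c:\nppogskm\zonqbtkbhvcm.exe"
"""

# "<hive>\...\CurrentVersion\Run\<value name> ➝ <command>" as printed in the report.
RUN_KEY_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\\"
    r"(?P<name>[^\\]+?)\s*➝\s*(?P<cmd>.+)$",
    re.IGNORECASE,
)
# "<service display name> - <binary path>" as printed in the report.
SERVICE_RE = re.compile(r"^(?P<name>.+?)\s+-\s+(?P<binary>[A-Za-z]:\\.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_events(text):
    """Split report rows into (process, action, target) records."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # tolerate separator rows or blank lines
        process, action, target = parts
        events.append({"process": process, "action": action, "target": target})
    return events


def extract_iocs(events):
    """Classify events into the indicators worth checking on a host."""
    iocs = {
        "run_keys": [],       # (value name, command) under a Run key
        "services": [],       # (display name, binary path)
        "dropped_exes": [],   # executables written to disk, in order
        "dirs": set(),        # directories the sample writes into
        "process_chain": [],  # (parent, child command line)
    }
    for ev in events:
        action, target = ev["action"], ev["target"]
        if action == "Registry":
            m = RUN_KEY_RE.match(target)
            if m:
                iocs["run_keys"].append((m.group("name"), m.group("cmd")))
        elif action == "Creates Service":
            m = SERVICE_RE.match(target)
            if m:
                iocs["services"].append((m.group("name"), m.group("binary")))
        elif action == "Creates File":
            if DRIVE_PATH_RE.match(target):  # skip pipes and \Device objects
                iocs["dirs"].add(target.rsplit("\\", 1)[0])
                if target.lower().endswith(".exe"):
                    iocs["dropped_exes"].append(target)
        elif action == "Creates Process":
            iocs["process_chain"].append((ev["process"], target))
    return iocs


def host_checks(iocs):
    """Render the indicators as the concrete things to look for on a host."""
    checks = []
    for name, cmd in iocs["run_keys"]:
        checks.append(f"Run value {name!r} -> {cmd}")
    for name, binary in iocs["services"]:
        checks.append(f"service {name!r} -> {binary}")
    for d in sorted(iocs["dirs"]):
        checks.append(f"directory {d}")
    for exe in iocs["dropped_exes"]:
        checks.append(f"file {exe}")
    return checks


if __name__ == "__main__":
    for line in host_checks(extract_iocs(parse_events(SAMPLE_EVENTS))):
        print(line)
```

Treat the value name, service name and directory as indicators for this sample only; a family that generates names at install time may use different ones in another build, so the behaviour (a Run value and a service both pointing at a freshly created directory outside Program Files, plus an executable relaunching itself with a random first token on the command line) is the more durable thing to hunt for.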
Network Details:
Raw Pcap
```
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 616d696c 79746f67 65746865 722e6e65 amilytogether.ne
0x00000050 (00080) 740d0a0d 0a                         t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 68696c64 72656e63 6f6e7472 6f6c2e6e hildrencontrol.n
0x00000050 (00080) 65740d0a 0d0a                       et....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 6572736f 6e6d6561 73757265 2e6e6574 ersonmeasure.net
0x00000050 (00080) 0d0a0d0a 0d0a                       ......
```
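The dump above is the sandbox's hex rendering of three HTTP/1.0 requests. The following script is an added example, not code from the original report: it parses that rendering back into bytes, starts a new capture each time the offset returns to zero, and extracts the request line and headers so the contacted hosts can be read off directly. The dump rows are embedded as constructed sample input (the same bytes as above, one row per line); the row layout "<offset> (<decimal>) <hex words> <ascii>" is an assumption about this report format.

```python
"""Recover HTTP requests from a sandbox raw-pcap hex dump.

Added example, not part of the original report. Each row is assumed to
be "<0x offset> (<decimal offset>) <up to four 32-bit hex words> <ascii>",
and a capture boundary is assumed wherever the offset drops back to 0.
"""
import re

# Constructed sample: the dump rows shown above, one row per line.
SAMPLE_DUMP = """
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 616d696c 79746f67 65746865 722e6e65 amilytogether.ne
0x00000050 (00080) 740d0a0d 0a t....
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 68696c64 72656e63 6f6e7472 6f6c2e6e hildrencontrol.n
0x00000050 (00080) 65740d0a 0d0a et....
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 6572736f 6e6d6561 73757265 2e6e6574 ersonmeasure.net
0x00000050 (00080) 0d0a0d0a 0d0a ......
"""

BYTES_PER_ROW = 16
HEX_WORD_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_hexdump(text):
    """Return one bytes object per capture in the dump."""
    captures = []
    current = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue  # not a dump row
        offset = int(tokens[0], 16)
        if offset == 0 and current:
            captures.append(bytes(current))  # offset reset: new capture
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"offset gap at {offset:#010x}")
        row = bytearray()
        for tok in tokens[2:]:
            # Stop at the first non-hex token or once the row is full.
            # Caveat: a short row whose ASCII column happens to be all hex
            # digits would be over-read; the row length check limits that.
            if len(row) >= BYTES_PER_ROW or not HEX_WORD_RE.match(tok) or len(tok) % 2:
                break
            row += bytes.fromhex(tok)
        current += row
    if current:
        captures.append(bytes(current))
    return captures


def parse_http_request(raw):
    """Split a raw HTTP request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def contacted_hosts(captures):
    """Host header of every capture that starts like an HTTP request."""
    hosts = []
    for raw in captures:
        if raw.startswith((b"GET ", b"POST ")):
            hosts.append(parse_http_request(raw)["headers"].get("host"))
    return hosts


if __name__ == "__main__":
    for raw in parse_hexdump(SAMPLE_DUMP):
        req = parse_http_request(raw)
        print(req["method"], req["path"], req["version"], req["headers"])
```

Read this way, the three captures are identical apart from the Host header: each is a plain `GET /index.php HTTP/1.0` carrying only Accept, Connection: close and Host, with no User-Agent. That fixed shape is a better network signature than any one of the three domains.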
Strings