Analysis Date: 2016-03-19 07:59:23
MD5: 7e694942277e56dead4d207ea77ba73a
SHA1: 3c5326ca5b0fa9415093cf4be6fef723a4bf3135

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e5e4656d85d2231f7c26309c91271ace sha1: 388b693c58a44cc0c61483dcc56fd698175573d6 size: 215552
Section .rdata: md5: 4bd846d204dcec6fd7073525bd9a4b2b sha1: 9c6dfac4348c6282d2ddf26095f86f632edbbfc6 size: 17408
Section .data: md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc: md5: 47424e43d329cfa1a2b6e50c3d10db31 sha1: abd4e76baf78e5455b8a512d8a8fdb970d8b96d7 size: 40448
Timestamp: 2016-01-03 14:43:05
PEhash: 27e07c383a369ac18bf40692aeed56bc01133d97
IMPhash: 8022cda4796cb5ca906f7effa84983dc
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!7E694942277E
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Crypt.Xpack.435808
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/BayRob.D.gen!Eldorado
AV Authentium: W32/BayRob.D.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.11545
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.11545
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Agent.netsya
AV Trend Micro: No Virus
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: Trojan.Bayrob!gen6
AV BullGuard: Gen:Variant.Razy.11545
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV Fortinet: W32/Bayrob.AQ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Razy.11545
AV Dr. Web: No Virus
AV K7: Trojan ( 004db0c61 )
AV F-Secure: Gen:Variant.Razy.11545

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\mnyrqisg\vun7krikt
Creates File: C:\WINDOWS\mnyrqisg\vun7krikt
Creates File: C:\mnyrqisg\kpi7z1kspphxunnxqte.exe
Deletes File: C:\WINDOWS\mnyrqisg\vun7krikt
Creates Process: C:\mnyrqisg\kpi7z1kspphxunnxqte.exe

Process
↳ C:\mnyrqisg\kpi7z1kspphxunnxqte.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Credential Volume Shadow Services ➝ C:\mnyrqisg\mqfafhkldk.exe
Creates File: C:\mnyrqisg\vun7krikt
Creates File: C:\WINDOWS\mnyrqisg\vun7krikt
Creates File: C:\mnyrqisg\eikq4ajzrca8
Creates File: PIPE\lsarpc
Creates File: C:\mnyrqisg\mqfafhkldk.exe
Deletes File: C:\WINDOWS\mnyrqisg\vun7krikt
Creates Process: C:\mnyrqisg\mqfafhkldk.exe
Creates Service: Identity Collector Encrypting PC Protected - C:\mnyrqisg\mqfafhkldk.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1156

Process
↳ C:\mnyrqisg\mqfafhkldk.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\mnyrqisg\vun7krikt
Creates File: C:\WINDOWS\mnyrqisg\vun7krikt
Creates File: C:\mnyrqisg\eikq4ajzrca8
Creates File: C:\mnyrqisg\kwymdnqwl.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\mnyrqisg\swj2vzteytzb
Deletes File: C:\WINDOWS\mnyrqisg\vun7krikt
Creates Process: sjwzldrdfj5d "c:\mnyrqisg\mqfafhkldk.exe"

Process
↳ C:\mnyrqisg\mqfafhkldk.exe

Creates File: C:\mnyrqisg\vun7krikt
Creates File: C:\WINDOWS\mnyrqisg\vun7krikt
Deletes File: C:\WINDOWS\mnyrqisg\vun7krikt

Process
↳ sjwzldrdfj5d "c:\mnyrqisg\mqfafhkldk.exe"

Creates File: C:\mnyrqisg\vun7krikt
Creates File: C:\WINDOWS\mnyrqisg\vun7krikt
Deletes File: C:\WINDOWS\mnyrqisg\vun7krikt

Network Details:

