Analysis Date: 2015-10-08 08:47:56
MD5: cf9e0dfa177e5a84554a0a9b6a49239d
SHA1: 3f7f63382ac8366e65f83f32b6f7e7ba473a41a4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: ceff3fd8fb45c3fa4b8996ceac383624  sha1: ff36bf742d968df36a5ffb607d765764b3e5da1a  size: 299008
Section .rdata  md5: 07c501bc1472c010a8bb97895a8e0722  sha1: 8a32a146b5ea0ef7f9bedfc902e7a734df6f2056  size: 58368
Section .data  md5: 874cf5c780ef8771e08d3d6ce0af427e  sha1: f39ad6b3bcd6078cf5b5870c7a57a11ba7047a9d  size: 7680
Section .reloc  md5: 63e7a62a5f38bd6a543a9b9ec080451b  sha1: 5a1191926af6643d798532c57d98b2440045e9e7  size: 22528
Timestamp (PE compile time): 2015-05-11 07:14:25
Packer: Microsoft Visual C++ 8 (a compiler signature rather than a packer; no packer was identified)
PEhash: 176d8d0f4797845b9b531986aaf7ab877e25b486
IMPhash: 41dec912140cd2bf4688be7b14e70aab
AV results (31 engines: 23 detections, 8 no_virus). The names converge on the Bayrob/Nivdort spyware family; the identical Gen:Variant.Kazy.611656 verdict from seven vendors reflects a shared detection engine, and Symantec's Downloader.Upatre and Avira's TR/Spy.ZBot are the outliers.
AV Rising: Trojan.Win32.Bayrod.b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611656
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611656
AV BullGuard: Gen:Variant.Kazy.611656
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611656
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.611656
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!acf
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.611656
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.W
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611656
AV Twister: no_virus
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Mcafee: PWS-FCCE!CF9E0DFA177E

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\ezrcusclyn\hw1kodfllzvgbyixg.exe
Creates File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates File: C:\ezrcusclyn\o4ryuep3p0q
Deletes File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates Process: C:\ezrcusclyn\hw1kodfllzvgbyixg.exe

Process
↳ C:\ezrcusclyn\hw1kodfllzvgbyixg.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PnP-X Update Store Event Defragmenter Endpoint ➝ C:\ezrcusclyn\mbodgje.exe
Creates File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates File: C:\ezrcusclyn\mbodgje.exe
Creates File: PIPE\lsarpc
Creates File: C:\ezrcusclyn\jlnkuhyo0us8
Creates File: C:\ezrcusclyn\o4ryuep3p0q
Deletes File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates Process: C:\ezrcusclyn\mbodgje.exe
Creates Service: Secondary TPM Registry BitLocker Detection - C:\ezrcusclyn\mbodgje.exe
(The same binary is thus persisted twice, as a Run value and as a service, both under names that imitate Windows components.)

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
(Routine spooler activity, not attributable to the sample.)

Process
↳ Pid 1876

Process
↳ Pid 1136

Process
↳ C:\ezrcusclyn\mbodgje.exe

Creates File: pipe\net\NtControlPipe10 (service control pipe: this instance is running as the registered service)
Creates File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates File: C:\ezrcusclyn\jlnkuhyo0us8
Creates File: C:\ezrcusclyn\o4ryuep3p0q
Creates File: \Device\Afd\Endpoint (socket opened; see Network Details)
Creates File: C:\ezrcusclyn\qvuhsq
Creates File: C:\ezrcusclyn\lovmkqtpxk.exe
Deletes File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates Process: zmshszelg6re "c:\ezrcusclyn\mbodgje.exe"

Process
↳ C:\ezrcusclyn\mbodgje.exe

Creates File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates File: C:\ezrcusclyn\o4ryuep3p0q
Deletes File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q

Process
↳ zmshszelg6re "c:\ezrcusclyn\mbodgje.exe"

Creates File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
Creates File: C:\ezrcusclyn\o4ryuep3p0q
Deletes File: C:\WINDOWS\ezrcusclyn\o4ryuep3p0q
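
The process tree above shows one binary (C:\ezrcusclyn\mbodgje.exe, in a randomly named directory directly under the drive root) registered both as an HKLM Run value and as a service. That pattern generalizes into a triage check over autostart entries. The following Python is an added example, not part of the sandbox report and not the malware's code; it assumes a list of (location, name, image_path) tuples of the kind one could export from Sysinternals Autoruns (that export layout is an assumption, not something the report shows), and the sample entries are constructed from the report's own values plus benign ones for contrast.

```python
"""Triage autostart entries for the persistence pattern recorded above.

Added example; it is not part of the sandbox report and not the malware's
code. Input is a list of (location, name, image_path) tuples of the kind
one could export from Sysinternals Autoruns (that export layout is
assumed, not shown on the page). The sample entries are constructed from
the report's own Run value and service, plus benign entries for contrast.
"""
import re
from collections import defaultdict

# Directories that legitimately sit directly under a drive root.
KNOWN_ROOT_DIRS = {
    "windows", "program files", "program files (x86)", "programdata",
    "users", "documents and settings",
}
# Matches X:\<single dir>\<file>.exe, i.e. an executable one level below the root.
ROOT_LEVEL_EXE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)


def root_level_unknown_dir(image_path):
    """True when the executable lives in X:\\<dir>\\x.exe and <dir> is not standard."""
    m = ROOT_LEVEL_EXE.match(image_path)
    return bool(m) and m.group(1).lower() not in KNOWN_ROOT_DIRS


def location_kind(location):
    """Classify an autostart location as 'run', 'service' or 'other'."""
    loc = location.lower()
    if loc.endswith("\\currentversion\\run"):
        return "run"
    if loc == "services":
        return "service"
    return "other"


def triage(entries):
    """Return {image_path: finding} for binaries that match the pattern.

    Two signals are scored: the image sits in a non-standard directory directly
    under the drive root, and the same image is registered both as an HKLM Run
    value and as a service (the double persistence the report shows).
    """
    by_image = defaultdict(list)
    for location, name, image in entries:
        by_image[image.lower()].append((location_kind(location), name))

    findings = {}
    for image, regs in by_image.items():
        reasons = []
        if root_level_unknown_dir(image):
            reasons.append("executable in a non-standard directory under the drive root")
        if {"run", "service"} <= {kind for kind, _ in regs}:
            reasons.append("same binary registered as both a Run value and a service")
        if reasons:
            findings[image] = {"names": sorted(name for _, name in regs),
                               "reasons": reasons}
    return findings


# Constructed sample: the report's two entries plus benign and borderline ones.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
ENTRIES = [
    (RUN, "PnP-X Update Store Event Defragmenter Endpoint", r"C:\ezrcusclyn\mbodgje.exe"),
    ("Services", "Secondary TPM Registry BitLocker Detection", r"C:\ezrcusclyn\mbodgje.exe"),
    ("Services", "Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    (RUN, "VendorUpdater", r"C:\Program Files\Vendor\updater.exe"),
    ("Services", "BackupAgent", r"C:\Tools\backup.exe"),  # root-level dir, single signal
]

if __name__ == "__main__":
    for image, finding in triage(ENTRIES).items():
        print(image, finding)
```

Run against the constructed entries, the sample's binary is reported with both reasons, the root-level C:\Tools\backup.exe with only the directory signal (worth a look, not a verdict), and the Windows and Program Files entries with none. The display names are deliberately not scored: mimicry of Windows component vocabulary is easy for an attacker to vary, whereas the path and double-registration signals come straight from what the sandbox observed.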

Network Details:

Resolved lookups:
DNS amountaround.net A 195.22.26.253
DNS amountaround.net A 195.22.26.254
DNS amountaround.net A 195.22.26.231
DNS amountaround.net A 195.22.26.252
DNS classaround.net A 104.155.10.64
DNS chiefneedle.net A 72.52.4.90
DNS aloneneedle.net A 208.100.26.234
DNS middlenature.net A 98.139.135.129
DNS strangeenough.net A 93.115.38.30
DNS strangegovern.net A 72.52.4.90
DNS thinkfurther.net A 207.148.248.143
DNS thinkbecome.net A 98.124.199.1

Lookups with no answer recorded (every name is two English words glued together under .net; a long run of such unanswered queries is the footprint of a domain-generation algorithm probing candidate C2 names):
DNS weatherwelcome.net A (no answer)
DNS weatheraround.net A (no answer)
DNS amountproud.net A (no answer)
DNS weatherproud.net A (no answer)
DNS amountcomplete.net A (no answer)
DNS weathercomplete.net A (no answer)
DNS thickwelcome.net A (no answer)
DNS classwelcome.net A (no answer)
DNS thickaround.net A (no answer)
DNS thickproud.net A (no answer)
DNS classproud.net A (no answer)
DNS thickcomplete.net A (no answer)
DNS classcomplete.net A (no answer)
DNS thinknature.net A (no answer)
DNS presentnature.net A (no answer)
DNS thinkneedle.net A (no answer)
DNS presentneedle.net A (no answer)
DNS thinkenough.net A (no answer)
DNS presentenough.net A (no answer)
DNS thinkgovern.net A (no answer)
DNS presentgovern.net A (no answer)
DNS chiefnature.net A (no answer)
DNS collegenature.net A (no answer)
DNS collegeneedle.net A (no answer)
DNS chiefenough.net A (no answer)
DNS collegeenough.net A (no answer)
DNS chiefgovern.net A (no answer)
DNS collegegovern.net A (no answer)
DNS oftennature.net A (no answer)
DNS alonenature.net A (no answer)
DNS oftenneedle.net A (no answer)
DNS oftenenough.net A (no answer)
DNS aloneenough.net A (no answer)
DNS oftengovern.net A (no answer)
DNS alonegovern.net A (no answer)
DNS twelvenature.net A (no answer)
DNS middleneedle.net A (no answer)
DNS twelveneedle.net A (no answer)
DNS middleenough.net A (no answer)
DNS twelveenough.net A (no answer)
DNS middlegovern.net A (no answer)
DNS twelvegovern.net A (no answer)
DNS rathernature.net A (no answer)
DNS morningnature.net A (no answer)
DNS ratherneedle.net A (no answer)
DNS morningneedle.net A (no answer)
DNS ratherenough.net A (no answer)
DNS morningenough.net A (no answer)
DNS rathergovern.net A (no answer)
DNS morninggovern.net A (no answer)
DNS strangenature.net A (no answer)
DNS historynature.net A (no answer)
DNS strangeneedle.net A (no answer)
DNS historyneedle.net A (no answer)
DNS historyenough.net A (no answer)
DNS historygovern.net A (no answer)
DNS amountnature.net A (no answer)
DNS weathernature.net A (no answer)
DNS amountneedle.net A (no answer)
DNS weatherneedle.net A (no answer)
DNS amountenough.net A (no answer)
DNS weatherenough.net A (no answer)
DNS amountgovern.net A (no answer)
DNS weathergovern.net A (no answer)
DNS thicknature.net A (no answer)
DNS classnature.net A (no answer)
DNS thickneedle.net A (no answer)
DNS classneedle.net A (no answer)
DNS thickenough.net A (no answer)
DNS classenough.net A (no answer)
DNS thickgovern.net A (no answer)
DNS classgovern.net A (no answer)
DNS presentfurther.net A (no answer)
DNS thinkcover.net A (no answer)
DNS presentcover.net A (no answer)
DNS presentbecome.net A (no answer)
HTTP requests (each resolved name is beaconed with a GET to /index.php and an empty User-Agent header, itself a usable network signature):
HTTP GET http://amountaround.net/index.php  User-Agent: (empty)
HTTP GET http://classaround.net/index.php  User-Agent: (empty)
HTTP GET http://chiefneedle.net/index.php  User-Agent: (empty)
HTTP GET http://aloneneedle.net/index.php  User-Agent: (empty)
HTTP GET http://middlenature.net/index.php  User-Agent: (empty)
HTTP GET http://strangeenough.net/index.php  User-Agent: (empty)
HTTP GET http://strangegovern.net/index.php  User-Agent: (empty)
HTTP GET http://thinkfurther.net/index.php  User-Agent: (empty)
HTTP GET http://thinkbecome.net/index.php  User-Agent: (empty)
Flows TCP 192.168.1.1:1031 ➝ 195.22.26.253:80
Flows TCP 192.168.1.1:1032 ➝ 104.155.10.64:80
Flows TCP 192.168.1.1:1033 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1035 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1036 ➝ 93.115.38.30:80
Flows TCP 192.168.1.1:1037 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1038 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1039 ➝ 98.124.199.1:80
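
The network section above has two detectable traits: a burst of lookups for two-word .net names, most of which do not resolve, followed by GET /index.php beacons with an empty User-Agent to the few that do. The Python below is an added example, not part of the sandbox report, and it does not reproduce the malware's own generation algorithm (which the report does not disclose); it recovers the word vocabulary from the domains listed above and flags hosts whose DNS and HTTP logs match that pattern. The log lines are constructed from the report's observations, and their tab-separated layouts (ts, src, qname, answer) and (ts, src, method, url, user_agent) are assumptions made for illustration.

```python
"""Flag hosts showing the word-pair DGA lookups and empty-User-Agent beacons
recorded in the network section above.

Added example; it is not part of the sandbox report and does not reproduce
the malware's own generation algorithm, which the report does not disclose.
The log lines are constructed from the report's observations; their
tab-separated layouts (ts, src, qname, answer) and (ts, src, method, url,
user_agent) are assumed for illustration only.
"""
from collections import defaultdict

# Vocabulary recovered from the domains the report lists: every label is two
# English words glued together, always under .net.
WORDS = frozenset("""
amount around class chief needle alone middle nature strange enough govern
think further become weather welcome proud complete thick present college
often twelve rather morning history cover
""".split())


def split_word_pair(label, words=WORDS):
    """Return (w1, w2) if the label is exactly two dictionary words, else None."""
    for i in range(1, len(label)):
        head, tail = label[:i], label[i:]
        if head in words and tail in words:
            return head, tail
    return None


def host_profiles(dns_lines):
    """Per source host: which word-pair .net names resolved and which did not."""
    prof = defaultdict(lambda: {"resolved": set(), "nx": set()})
    for line in dns_lines:
        _ts, src, qname, answer = line.split("\t")
        label, _dot, tld = qname.rpartition(".")
        if "." in label or tld != "net" or split_word_pair(label) is None:
            continue  # not a bare two-word .net name
        prof[src]["nx" if answer == "NXDOMAIN" else "resolved"].add(qname)
    return prof


def empty_ua_beacons(http_lines):
    """Hosts that GET /index.php with an empty User-Agent, keyed by source."""
    beacons = defaultdict(set)
    for line in http_lines:
        _ts, src, method, url, ua = line.split("\t")
        if method == "GET" and url.endswith("/index.php") and ua.strip() == "":
            beacons[src].add(url.split("/")[2])
    return beacons


def detect(dns_lines, http_lines, min_domains=8, min_nx_ratio=0.5):
    """Return {src: finding} for hosts matching the DGA-plus-beacon pattern.

    A host is flagged when it looked up at least `min_domains` distinct
    word-pair .net names and either most did not exist (the NXDOMAIN burst
    typical of a DGA probing candidates) or it then beaconed to one that did.
    """
    beacons = empty_ua_beacons(http_lines)
    findings = {}
    for src, p in host_profiles(dns_lines).items():
        total = len(p["resolved"]) + len(p["nx"])
        if total < min_domains:
            continue
        nx_ratio = len(p["nx"]) / total
        confirmed = p["resolved"] & beacons.get(src, set())
        if nx_ratio >= min_nx_ratio or confirmed:
            findings[src] = {"domains": total, "nx_ratio": round(nx_ratio, 2),
                             "beaconed_to": sorted(confirmed)}
    return findings


# Constructed sample logs: 192.168.1.1 replays part of what the report
# recorded; 192.168.1.2 is a benign host with one stray lookup for contrast.
T = "2015-10-08T08:48:00"
DNS_LOG = [f"{T}\t192.168.1.1\t{q}\t{a}" for q, a in [
    ("amountaround.net", "195.22.26.253"), ("amountaround.net", "195.22.26.254"),
    ("classaround.net", "104.155.10.64"), ("chiefneedle.net", "72.52.4.90"),
    ("aloneneedle.net", "208.100.26.234"), ("middlenature.net", "98.139.135.129"),
    ("strangeenough.net", "93.115.38.30"), ("strangegovern.net", "72.52.4.90"),
    ("thinkfurther.net", "207.148.248.143"), ("thinkbecome.net", "98.124.199.1"),
    ("weatherwelcome.net", "NXDOMAIN"), ("weatheraround.net", "NXDOMAIN"),
    ("amountproud.net", "NXDOMAIN"), ("weatherproud.net", "NXDOMAIN"),
    ("amountcomplete.net", "NXDOMAIN"), ("weathercomplete.net", "NXDOMAIN"),
    ("thickwelcome.net", "NXDOMAIN"), ("classwelcome.net", "NXDOMAIN"),
    ("thickaround.net", "NXDOMAIN"), ("thickproud.net", "NXDOMAIN"),
    ("classproud.net", "NXDOMAIN"), ("thickcomplete.net", "NXDOMAIN"),
]] + [
    f"{T}\t192.168.1.2\tupdate.example.com\t192.0.2.10",
    f"{T}\t192.168.1.2\tmiddlenature.net\t98.139.135.129",
]
HTTP_LOG = [
    f"{T}\t192.168.1.1\tGET\thttp://amountaround.net/index.php\t",
    f"{T}\t192.168.1.1\tGET\thttp://classaround.net/index.php\t",
    f"{T}\t192.168.1.2\tGET\thttp://update.example.com/\tMozilla/5.0",
]

if __name__ == "__main__":
    for src, finding in detect(DNS_LOG, HTTP_LOG).items():
        print(src, finding)
```

On the constructed logs only 192.168.1.1 is flagged: 21 distinct word-pair names, an NXDOMAIN ratio of 0.57, and confirmed beacons to amountaround.net and classaround.net. The benign host's single stray lookup of an already-resolved name stays below the domain threshold. Because the vocabulary was recovered from one sample, the check is tuned to this campaign's wordlist; the NXDOMAIN-ratio leg still fires on a new wordlist if the dictionary is widened, while the empty-User-Agent beacon leg is independent of the names entirely.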
