Analysis Date: 2015-08-04 16:56:08
MD5: 0c5891219da585d912fdcc9062b4679a
SHA1: 3fd42b63db9f740a09257f00be991ebba1ea8f22

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 13e3e56391043f63fa7bd76a82010886 sha1: aac1d1b70c16c2bf68262fcf2b3d3c4a5613a322 size: 305152
Section .rdata: md5: 902d75d7a6d7519e2ed62b704e9066e9 sha1: 2ea07c17603611e08e84d9356fa404f0c2e36f77 size: 58880
Section .data: md5: a3c867e8033e88e9b375910fe19113c6 sha1: ef30abbf0f0ffcffc6bc14f061cdc0ab516bbdae size: 7680
Section .reloc: md5: 15ab0f30281cc9bca7a3ebf0049f1399 sha1: 10a87642aacf305fdb6434b61ea33abb285b41b0 size: 23552
Timestamp: 2015-05-11 06:57:33
Packer: Microsoft Visual C++ 8
PEhash: 3cf1b5c0623a86641b330ec5da15bf56c5a722f0
IMPhash: 8d046123d5d245f8bcc9ddb3b557efe0
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV Padvish: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Mcafee: PWS-FCCE!0C5891219DA5
AV BitDefender: Gen:Variant.Kazy.611009
AV K7: Trojan ( 004c3a4d1 )
AV Emsisoft: Gen:Variant.Kazy.611009
AV Trend Micro: TROJ_BAYROB.SM0
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.611009
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Kaspersky: Trojan.Win32.Generic
AV Ikarus: Trojan.Win32.Bayrob
AV Rising: Trojan.Win32.Bayrod.b
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Zillya!: no_virus
AV ClamAV: no_virus
AV BullGuard: Gen:Variant.Kazy.611009
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV CA (E-Trust Ino): no_virus
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Eset (nod32): Win32/Bayrob.V.gen
AV Frisk (f-prot): no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.611009

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\rebrlnqijcjn\cwdzdz0c
Creates File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Creates File: C:\rebrlnqijcjn\amt1lnilycmpicvlnv1.exe
Deletes File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Creates Process: C:\rebrlnqijcjn\amt1lnilycmpicvlnv1.exe

Process
↳ C:\rebrlnqijcjn\amt1lnilycmpicvlnv1.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service Interface Diagnostic ➝ C:\rebrlnqijcjn\wwmbesfnvijc.exe
Creates File: C:\rebrlnqijcjn\wwmbesfnvijc.exe
Creates File: C:\rebrlnqijcjn\cwdzdz0c
Creates File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Creates File: PIPE\lsarpc
Creates File: C:\rebrlnqijcjn\mnvn0ywxrwm
Deletes File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Creates Process: C:\rebrlnqijcjn\wwmbesfnvijc.exe
Creates Service: Publication Center Provider Hardware - C:\rebrlnqijcjn\wwmbesfnvijc.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1172

Process
↳ C:\rebrlnqijcjn\wwmbesfnvijc.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\rebrlnqijcjn\cwdzdz0c
Creates File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Creates File: C:\rebrlnqijcjn\mnvn0ywxrwm
Creates File: \Device\Afd\Endpoint
Creates File: C:\rebrlnqijcjn\le6shyy1lg
Creates File: C:\rebrlnqijcjn\qcovtcybuu.exe
Deletes File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Creates Process: dvykcgqd5j05 "c:\rebrlnqijcjn\wwmbesfnvijc.exe"

Process
↳ C:\rebrlnqijcjn\wwmbesfnvijc.exe

Creates File: C:\rebrlnqijcjn\cwdzdz0c
Creates File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Deletes File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c

Process
↳ dvykcgqd5j05 "c:\rebrlnqijcjn\wwmbesfnvijc.exe"

Creates File: C:\rebrlnqijcjn\cwdzdz0c
Creates File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c
Deletes File: C:\WINDOWS\rebrlnqijcjn\cwdzdz0c

Network Details:

HTTP GET: http://doctoropinion.net/index.php
  User-Agent:
HTTP GET: http://brokenpromise.net/index.php
  User-Agent:
HTTP GET: http://outsidesupply.net/index.php
  User-Agent:
HTTP GET: http://outsideoffice.net/index.php
  User-Agent:
HTTP GET: http://movementarrive.net/index.php
  User-Agent:
HTTP GET: http://buildingsupply.net/index.php
  User-Agent:
HTTP GET: http://buildingoffice.net/index.php
  User-Agent:
HTTP GET: http://storesupply.net/index.php
  User-Agent:
HTTP GET: http://doctoroffice.net/index.php
  User-Agent:
