Analysis Date: 2016-01-30 11:32:47
MD5: e1904e2d01fd70c71854452666a00bdc
SHA1: 4030ff4142a805863e35721f9a9df21bd5a5973f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 827b680868b0fa8bc9a21aacba30b2e3 sha1: 539358b258a8903585903699ed8efcb94a0f8e18 size: 529408
Section .rdata md5: c767b7d2789b0fcf23b3c56e149a45f0 sha1: a2d9a7cff59aab11baa812ae0df8362033333a9a size: 26112
Section .data  md5: 14de1bb9303aa27a9cc20df804a1d5c0 sha1: a9a4a86adb57d2fa5c4c820c1953d8487db93dc3 size: 20480
Section .reloc md5: d305159fb101586f787b803edb05327b sha1: 2145edddc1b37ece6e2b76dec3fe12e2e469b021 size: 39424
Timestamp: 2014-10-14 04:08:48
Packer: Microsoft Visual C++ 8
PEhash: 721e100cca9d9cd56bfc557d612701f322bd92a8
IMPhash: 36d9e8edbaf98bfc626273db3e94c376
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!E1904E2D01FD
AV Avira (antivir): TR/Boryab.616448.102
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic_r.GYY
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: No Virus
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\eywksevqkm\lvdyas
Creates File: C:\eywksevqkm\reou1l0iqtwjkw6qj3.exe
Creates File: C:\eywksevqkm\lvdyas
Deletes File: C:\WINDOWS\eywksevqkm\lvdyas
Creates Process: C:\eywksevqkm\reou1l0iqtwjkw6qj3.exe

Process
↳ C:\eywksevqkm\reou1l0iqtwjkw6qj3.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Program UserMode Authentication Grouping ➝ C:\eywksevqkm\rqibsrpdttnf.exe
Creates File: C:\eywksevqkm\rqibsrpdttnf.exe
Creates File: C:\WINDOWS\eywksevqkm\lvdyas
Creates File: PIPE\lsarpc
Creates File: C:\eywksevqkm\lvdyas
Creates File: C:\eywksevqkm\qgalh5lrjxaz
Deletes File: C:\WINDOWS\eywksevqkm\lvdyas
Creates Process: C:\eywksevqkm\rqibsrpdttnf.exe
Creates Service: Cryptographic Grouping Window Protocol Routing - C:\eywksevqkm\rqibsrpdttnf.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1144

Process
↳ C:\eywksevqkm\rqibsrpdttnf.exe

Creates File: C:\eywksevqkm\jt6lsqwpxw
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\eywksevqkm\lvdyas
Creates File: C:\eywksevqkm\ckqtxzdv.exe
Creates File: C:\eywksevqkm\lvdyas
Creates File: \Device\Afd\Endpoint
Creates File: C:\eywksevqkm\qgalh5lrjxaz
Deletes File: C:\WINDOWS\eywksevqkm\lvdyas
Creates Process: hhmz442rttcd "c:\eywksevqkm\rqibsrpdttnf.exe"

Process
↳ C:\eywksevqkm\rqibsrpdttnf.exe

Creates File: C:\WINDOWS\eywksevqkm\lvdyas
Creates File: C:\eywksevqkm\lvdyas
Deletes File: C:\WINDOWS\eywksevqkm\lvdyas

Process
↳ hhmz442rttcd "c:\eywksevqkm\rqibsrpdttnf.exe"

Creates File: C:\WINDOWS\eywksevqkm\lvdyas
Creates File: C:\eywksevqkm\lvdyas
Deletes File: C:\WINDOWS\eywksevqkm\lvdyas

Network Details:

DNS: machinebusiness.net (Type: A) ➝ 69.73.160.55
DNS: foreignanother.net (Type: A) ➝ 195.22.28.197
DNS: foreignanother.net (Type: A) ➝ 195.22.28.198
DNS: foreignanother.net (Type: A) ➝ 195.22.28.199
DNS: foreignanother.net (Type: A) ➝ 195.22.28.196
DNS: thoughanother.net (Type: A) ➝ 98.139.135.129
DNS: thoughappear.net (Type: A) ➝ 208.100.26.234
DNS: picturebusiness.net (Type: A) ➝ 76.8.58.103
DNS: familybusiness.net (Type: A) ➝ 69.172.201.208
DNS: englishmanner.net (Type: A) ➝ 202.143.64.131
DNS: englishbusiness.net (Type: A) ➝ 184.168.221.71
DNS: picturebright.net (Type: A) ➝ 72.52.4.90
DNS: familybright.net (Type: A) ➝ 208.91.197.39
DNS: eitherinstead.net (Type: A) ➝ 98.139.135.129
DNS: rightpeople.net (Type: A) ➝ 114.141.197.235
DNS: familydivide.net (Type: A)
DNS: eitherstream.net (Type: A)
DNS: englishstream.net (Type: A)
DNS: eithernothing.net (Type: A)
DNS: englishnothing.net (Type: A)
DNS: eitherbottle.net (Type: A)
DNS: englishbottle.net (Type: A)
DNS: eitherdivide.net (Type: A)
DNS: englishdivide.net (Type: A)
DNS: expectmanner.net (Type: A)
DNS: becausemanner.net (Type: A)
DNS: expectanother.net (Type: A)
DNS: becauseanother.net (Type: A)
DNS: expectbusiness.net (Type: A)
DNS: becausebusiness.net (Type: A)
DNS: expectappear.net (Type: A)
DNS: becauseappear.net (Type: A)
DNS: personmanner.net (Type: A)
DNS: machinemanner.net (Type: A)
DNS: personanother.net (Type: A)
DNS: machineanother.net (Type: A)
DNS: personbusiness.net (Type: A)
DNS: personappear.net (Type: A)
DNS: machineappear.net (Type: A)
DNS: suddenmanner.net (Type: A)
DNS: foreignmanner.net (Type: A)
DNS: suddenanother.net (Type: A)
DNS: suddenbusiness.net (Type: A)
DNS: foreignbusiness.net (Type: A)
DNS: suddenappear.net (Type: A)
DNS: foreignappear.net (Type: A)
DNS: whethermanner.net (Type: A)
DNS: rightmanner.net (Type: A)
DNS: whetheranother.net (Type: A)
DNS: rightanother.net (Type: A)
DNS: whetherbusiness.net (Type: A)
DNS: rightbusiness.net (Type: A)
DNS: whetherappear.net (Type: A)
DNS: rightappear.net (Type: A)
DNS: figuremanner.net (Type: A)
DNS: thoughmanner.net (Type: A)
DNS: figureanother.net (Type: A)
DNS: figurebusiness.net (Type: A)
DNS: thoughbusiness.net (Type: A)
DNS: figureappear.net (Type: A)
DNS: picturemanner.net (Type: A)
DNS: cigarettemanner.net (Type: A)
DNS: pictureanother.net (Type: A)
DNS: cigaretteanother.net (Type: A)
DNS: cigarettebusiness.net (Type: A)
DNS: pictureappear.net (Type: A)
DNS: cigaretteappear.net (Type: A)
DNS: childrenmanner.net (Type: A)
DNS: familymanner.net (Type: A)
DNS: childrenanother.net (Type: A)
DNS: familyanother.net (Type: A)
DNS: childrenbusiness.net (Type: A)
DNS: childrenappear.net (Type: A)
DNS: familyappear.net (Type: A)
DNS: eithermanner.net (Type: A)
DNS: eitheranother.net (Type: A)
DNS: englishanother.net (Type: A)
DNS: eitherbusiness.net (Type: A)
DNS: eitherappear.net (Type: A)
DNS: englishappear.net (Type: A)
DNS: expectinstead.net (Type: A)
DNS: becauseinstead.net (Type: A)
DNS: expectexplain.net (Type: A)
DNS: becauseexplain.net (Type: A)
DNS: expectbright.net (Type: A)
DNS: becausebright.net (Type: A)
DNS: expectinside.net (Type: A)
DNS: becauseinside.net (Type: A)
DNS: personinstead.net (Type: A)
DNS: machineinstead.net (Type: A)
DNS: personexplain.net (Type: A)
DNS: machineexplain.net (Type: A)
DNS: personbright.net (Type: A)
DNS: machinebright.net (Type: A)
DNS: personinside.net (Type: A)
DNS: machineinside.net (Type: A)
DNS: suddeninstead.net (Type: A)
DNS: foreigninstead.net (Type: A)
DNS: suddenexplain.net (Type: A)
DNS: foreignexplain.net (Type: A)
DNS: suddenbright.net (Type: A)
DNS: foreignbright.net (Type: A)
DNS: suddeninside.net (Type: A)
DNS: foreigninside.net (Type: A)
DNS: whetherinstead.net (Type: A)
DNS: rightinstead.net (Type: A)
DNS: whetherexplain.net (Type: A)
DNS: rightexplain.net (Type: A)
DNS: whetherbright.net (Type: A)
DNS: rightbright.net (Type: A)
DNS: whetherinside.net (Type: A)
DNS: rightinside.net (Type: A)
DNS: figureinstead.net (Type: A)
DNS: thoughinstead.net (Type: A)
DNS: figureexplain.net (Type: A)
DNS: thoughexplain.net (Type: A)
DNS: figurebright.net (Type: A)
DNS: thoughbright.net (Type: A)
DNS: figureinside.net (Type: A)
DNS: thoughinside.net (Type: A)
DNS: pictureinstead.net (Type: A)
DNS: cigaretteinstead.net (Type: A)
DNS: pictureexplain.net (Type: A)
DNS: cigaretteexplain.net (Type: A)
DNS: cigarettebright.net (Type: A)
DNS: pictureinside.net (Type: A)
DNS: cigaretteinside.net (Type: A)
DNS: childreninstead.net (Type: A)
DNS: familyinstead.net (Type: A)
DNS: childrenexplain.net (Type: A)
DNS: familyexplain.net (Type: A)
DNS: childrenbright.net (Type: A)
DNS: childreninside.net (Type: A)
DNS: familyinside.net (Type: A)
DNS: englishinstead.net (Type: A)
DNS: eitherexplain.net (Type: A)
DNS: englishexplain.net (Type: A)
DNS: eitherbright.net (Type: A)
DNS: englishbright.net (Type: A)
DNS: eitherinside.net (Type: A)
DNS: englishinside.net (Type: A)
DNS: expectready.net (Type: A)
DNS: becauseready.net (Type: A)
DNS: expectbrown.net (Type: A)
DNS: becausebrown.net (Type: A)
DNS: expectpeople.net (Type: A)
DNS: becausepeople.net (Type: A)
DNS: expectdaughter.net (Type: A)
DNS: becausedaughter.net (Type: A)
DNS: personready.net (Type: A)
DNS: machineready.net (Type: A)
DNS: personbrown.net (Type: A)
DNS: machinebrown.net (Type: A)
DNS: personpeople.net (Type: A)
DNS: machinepeople.net (Type: A)
DNS: persondaughter.net (Type: A)
DNS: machinedaughter.net (Type: A)
DNS: suddenready.net (Type: A)
DNS: foreignready.net (Type: A)
DNS: suddenbrown.net (Type: A)
DNS: foreignbrown.net (Type: A)
DNS: suddenpeople.net (Type: A)
DNS: foreignpeople.net (Type: A)
DNS: suddendaughter.net (Type: A)
DNS: foreigndaughter.net (Type: A)
DNS: whetherready.net (Type: A)
DNS: rightready.net (Type: A)
DNS: whetherbrown.net (Type: A)
DNS: rightbrown.net (Type: A)
DNS: whetherpeople.net (Type: A)
DNS: whetherdaughter.net (Type: A)
DNS: rightdaughter.net (Type: A)
DNS: figureready.net (Type: A)
HTTP GET: http://machinebusiness.net/index.php
User-Agent:
HTTP GET: http://foreignanother.net/index.php
User-Agent:
HTTP GET: http://thoughanother.net/index.php
User-Agent:
HTTP GET: http://thoughappear.net/index.php
User-Agent:
HTTP GET: http://picturebusiness.net/index.php
User-Agent:
HTTP GET: http://familybusiness.net/index.php
User-Agent:
HTTP GET: http://englishmanner.net/index.php
User-Agent:
HTTP GET: http://englishbusiness.net/index.php
User-Agent:
HTTP GET: http://picturebright.net/index.php
User-Agent:
HTTP GET: http://familybright.net/index.php
User-Agent:
HTTP GET: http://eitherinstead.net/index.php
User-Agent:
HTTP GET: http://rightpeople.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 69.73.160.55:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 76.8.58.103:80
Flows TCP: 192.168.1.1:1036 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1037 ➝ 202.143.64.131:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.71:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.39:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 114.141.197.235:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61636869 6e656275 73696e65 73732e6e   achinebusiness.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726569 676e616e 6f746865 722e6e65   oreignanother.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68616e6f 74686572 2e6e6574   houghanother.net
0x00000050 (00080)   0d0a0d0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68617070 6561722e 6e65740d   houghappear.net.
0x00000050 (00080)   0a0d0a0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72656275 73696e65 73732e6e   icturebusiness.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79627573 696e6573 732e6e65   amilybusiness.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73686d61 6e6e6572 2e6e6574   nglishmanner.net
0x00000050 (00080)   0d0a0d0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73686275 73696e65 73732e6e   nglishbusiness.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72656272 69676874 2e6e6574   icturebright.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79627269 6768742e 6e65740d   amilybright.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   69746865 72696e73 74656164 2e6e6574   itherinstead.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 70656f70 6c652e6e 65740d0a   ightpeople.net..
0x00000050 (00080)   0d0a                                  ..
Strings