Analysis Date: 2016-02-17 19:00:39
MD5: 9bdf0579b3b8c66b85626cf8f1e24d82
SHA1: 4056f8459e8aa33b97c6f9179b5c4bcd62787f81

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text  md5: c5cfecd9b3fdd8c57544a714950639f0  sha1: 715fdfc4bca5e71086716ef6ca1c68428a18d2d3  size: 305152
Section: .rdata  md5: a3d8061d2e6a896d2b7adc9a4a31c4f0  sha1: 0efd8337dc3115c65b6006cd23ab02f2aa036673  size: 26112
Section: .data  md5: 4ce2b8636c0a7e7bf9190c1b31690799  sha1: d0f83c5a8951b5d872f7a52f00ce03e96ad84da7  size: 21504
Section: .reloc  md5: 2ee04482766c660b3304ca2bc47ddd35  sha1: abd36988a15272493bc2442b4b0d6de1b78a1cf6  size: 32768
Timestamp: 2014-03-04 12:26:14
Packer: Microsoft Visual C++ 8
PEhash: ec53827014edd6f91e64d948a8d221c68fa5b4bb
IMPhash: 5e3335148cae03e25b18b7acc112b53c
AV CA (E-Trust Ino): Gen:Variant.Razy.15381
AV F-Secure: Gen:Variant.Razy.15381
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.15381
AV BullGuard: Gen:Variant.Razy.15381
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.15381
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.15381
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.15381
AV Fortinet: W32/Bayrob.BJ!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Generic37.AHBY
AV Eset (nod32): Win32/Bayrob.BJ
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Razy.15381
AV Twister: No Virus
AV Avira (antivir): TR/Taranis.2080
AV Mcafee: Trojan-FHSQ!9BDF0579B3B8

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\gnbpqrmvzso\gwzjkdiy
Creates File: C:\gnbpqrmvzso\jx5gk1kjlrrso8pcxy1f.exe
Creates File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Deletes File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Creates Process: C:\gnbpqrmvzso\jx5gk1kjlrrso8pcxy1f.exe

Process
↳ C:\gnbpqrmvzso\jx5gk1kjlrrso8pcxy1f.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Distributed Initiator KtmRm Problem ➝ C:\gnbpqrmvzso\tfnqjqhftcq.exe
Creates File: C:\gnbpqrmvzso\gwzjkdiy
Creates File: C:\gnbpqrmvzso\tfnqjqhftcq.exe
Creates File: PIPE\lsarpc
Creates File: C:\gnbpqrmvzso\qmpmu6h
Creates File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Deletes File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Creates Process: C:\gnbpqrmvzso\tfnqjqhftcq.exe
Creates Service: Human Error Application IP - C:\gnbpqrmvzso\tfnqjqhftcq.exe

Process
↳ Pid 820

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1888

Process
↳ Pid 1192

Process
↳ C:\gnbpqrmvzso\tfnqjqhftcq.exe

Creates File: C:\gnbpqrmvzso\gwzjkdiy
Creates File: pipe\net\NtControlPipe10
Creates File: C:\gnbpqrmvzso\rnomkzpb.exe
Creates File: C:\gnbpqrmvzso\decan3hwzrsx
Creates File: \Device\Afd\Endpoint
Creates File: C:\gnbpqrmvzso\qmpmu6h
Creates File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Deletes File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Creates Process: qqdpaju01yer "c:\gnbpqrmvzso\tfnqjqhftcq.exe"

Process
↳ C:\gnbpqrmvzso\tfnqjqhftcq.exe

Creates File: C:\gnbpqrmvzso\gwzjkdiy
Creates File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Deletes File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy

Process
↳ qqdpaju01yer "c:\gnbpqrmvzso\tfnqjqhftcq.exe"

Creates File: C:\gnbpqrmvzso\gwzjkdiy
Creates File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy
Deletes File: C:\WINDOWS\gnbpqrmvzso\gwzjkdiy

Network Details:

DNS: expectpresident.net  Type: A  208.100.26.234
DNS: cigarettepresident.net  Type: A  195.22.28.196
DNS: cigarettepresident.net  Type: A  195.22.28.199
DNS: cigarettepresident.net  Type: A  195.22.28.198
DNS: cigarettepresident.net  Type: A  195.22.28.197
DNS: childrenstrong.net  Type: A  50.63.202.52
DNS: familystrong.net  Type: A  104.193.182.229
DNS: rightcontinue.net  Type: A  208.100.26.234
DNS: picturemaster.net  Type: A  207.148.248.143
DNS: familydiscover.net  Type: A  64.34.157.130
DNS: englishmaster.net  Type: A  49.212.180.208
DNS: becausebasket.net  Type: A  195.22.28.198
DNS: becausebasket.net  Type: A  195.22.28.199
DNS: becausebasket.net  Type: A  195.22.28.196
DNS: becausebasket.net  Type: A  195.22.28.197
DNS: expectstrong.net  Type: A
DNS: becausestrong.net  Type: A
DNS: expecttrouble.net  Type: A
DNS: becausetrouble.net  Type: A
DNS: becausepresident.net  Type: A
DNS: expectcaught.net  Type: A
DNS: becausecaught.net  Type: A
DNS: personstrong.net  Type: A
DNS: machinestrong.net  Type: A
DNS: persontrouble.net  Type: A
DNS: machinetrouble.net  Type: A
DNS: personpresident.net  Type: A
DNS: machinepresident.net  Type: A
DNS: personcaught.net  Type: A
DNS: machinecaught.net  Type: A
DNS: suddenstrong.net  Type: A
DNS: foreignstrong.net  Type: A
DNS: suddentrouble.net  Type: A
DNS: foreigntrouble.net  Type: A
DNS: suddenpresident.net  Type: A
DNS: foreignpresident.net  Type: A
DNS: suddencaught.net  Type: A
DNS: foreigncaught.net  Type: A
DNS: whetherstrong.net  Type: A
DNS: rightstrong.net  Type: A
DNS: whethertrouble.net  Type: A
DNS: righttrouble.net  Type: A
DNS: whetherpresident.net  Type: A
DNS: rightpresident.net  Type: A
DNS: whethercaught.net  Type: A
DNS: rightcaught.net  Type: A
DNS: figurestrong.net  Type: A
DNS: thoughstrong.net  Type: A
DNS: figuretrouble.net  Type: A
DNS: thoughtrouble.net  Type: A
DNS: figurepresident.net  Type: A
DNS: thoughpresident.net  Type: A
DNS: figurecaught.net  Type: A
DNS: thoughcaught.net  Type: A
DNS: picturestrong.net  Type: A
DNS: cigarettestrong.net  Type: A
DNS: picturetrouble.net  Type: A
DNS: cigarettetrouble.net  Type: A
DNS: picturepresident.net  Type: A
DNS: picturecaught.net  Type: A
DNS: cigarettecaught.net  Type: A
DNS: childrentrouble.net  Type: A
DNS: familytrouble.net  Type: A
DNS: childrenpresident.net  Type: A
DNS: familypresident.net  Type: A
DNS: childrencaught.net  Type: A
DNS: familycaught.net  Type: A
DNS: eitherstrong.net  Type: A
DNS: englishstrong.net  Type: A
DNS: eithertrouble.net  Type: A
DNS: englishtrouble.net  Type: A
DNS: eitherpresident.net  Type: A
DNS: englishpresident.net  Type: A
DNS: eithercaught.net  Type: A
DNS: englishcaught.net  Type: A
DNS: expectcontinue.net  Type: A
DNS: becausecontinue.net  Type: A
DNS: expectmaster.net  Type: A
DNS: becausemaster.net  Type: A
DNS: expectwonder.net  Type: A
DNS: becausewonder.net  Type: A
DNS: expectdiscover.net  Type: A
DNS: becausediscover.net  Type: A
DNS: personcontinue.net  Type: A
DNS: machinecontinue.net  Type: A
DNS: personmaster.net  Type: A
DNS: machinemaster.net  Type: A
DNS: personwonder.net  Type: A
DNS: machinewonder.net  Type: A
DNS: persondiscover.net  Type: A
DNS: machinediscover.net  Type: A
DNS: suddencontinue.net  Type: A
DNS: foreigncontinue.net  Type: A
DNS: suddenmaster.net  Type: A
DNS: foreignmaster.net  Type: A
DNS: suddenwonder.net  Type: A
DNS: foreignwonder.net  Type: A
DNS: suddendiscover.net  Type: A
DNS: foreigndiscover.net  Type: A
DNS: whethercontinue.net  Type: A
DNS: whethermaster.net  Type: A
DNS: rightmaster.net  Type: A
DNS: whetherwonder.net  Type: A
DNS: rightwonder.net  Type: A
DNS: whetherdiscover.net  Type: A
DNS: rightdiscover.net  Type: A
DNS: figurecontinue.net  Type: A
DNS: thoughcontinue.net  Type: A
DNS: figuremaster.net  Type: A
DNS: thoughmaster.net  Type: A
DNS: figurewonder.net  Type: A
DNS: thoughwonder.net  Type: A
DNS: figurediscover.net  Type: A
DNS: thoughdiscover.net  Type: A
DNS: picturecontinue.net  Type: A
DNS: cigarettecontinue.net  Type: A
DNS: cigarettemaster.net  Type: A
DNS: picturewonder.net  Type: A
DNS: cigarettewonder.net  Type: A
DNS: picturediscover.net  Type: A
DNS: cigarettediscover.net  Type: A
DNS: childrencontinue.net  Type: A
DNS: familycontinue.net  Type: A
DNS: childrenmaster.net  Type: A
DNS: familymaster.net  Type: A
DNS: childrenwonder.net  Type: A
DNS: familywonder.net  Type: A
DNS: childrendiscover.net  Type: A
DNS: eithercontinue.net  Type: A
DNS: englishcontinue.net  Type: A
DNS: eithermaster.net  Type: A
DNS: eitherwonder.net  Type: A
DNS: englishwonder.net  Type: A
DNS: eitherdiscover.net  Type: A
DNS: englishdiscover.net  Type: A
DNS: expectindustry.net  Type: A
DNS: becauseindustry.net  Type: A
DNS: expectbecame.net  Type: A
DNS: becausebecame.net  Type: A
DNS: expectcontain.net  Type: A
DNS: becausecontain.net  Type: A
DNS: expectbasket.net  Type: A
DNS: personindustry.net  Type: A
DNS: machineindustry.net  Type: A
DNS: personbecame.net  Type: A
DNS: machinebecame.net  Type: A
DNS: personcontain.net  Type: A
DNS: machinecontain.net  Type: A
DNS: personbasket.net  Type: A
DNS: machinebasket.net  Type: A
DNS: suddenindustry.net  Type: A
DNS: foreignindustry.net  Type: A
DNS: suddenbecame.net  Type: A
DNS: foreignbecame.net  Type: A
DNS: suddencontain.net  Type: A
DNS: foreigncontain.net  Type: A
DNS: suddenbasket.net  Type: A
DNS: foreignbasket.net  Type: A
DNS: whetherindustry.net  Type: A
DNS: rightindustry.net  Type: A
DNS: whetherbecame.net  Type: A
DNS: rightbecame.net  Type: A
DNS: whethercontain.net  Type: A
DNS: rightcontain.net  Type: A
DNS: whetherbasket.net  Type: A
DNS: rightbasket.net  Type: A
DNS: figureindustry.net  Type: A
DNS: thoughindustry.net  Type: A
DNS: figurebecame.net  Type: A
DNS: thoughbecame.net  Type: A
DNS: figurecontain.net  Type: A
DNS: thoughcontain.net  Type: A
DNS: figurebasket.net  Type: A
DNS: thoughbasket.net  Type: A
DNS: pictureindustry.net  Type: A
DNS: cigaretteindustry.net  Type: A
HTTP GET: http://expectpresident.net/index.php  User-Agent:
HTTP GET: http://cigarettepresident.net/index.php  User-Agent:
HTTP GET: http://childrenstrong.net/index.php  User-Agent:
HTTP GET: http://familystrong.net/index.php  User-Agent:
HTTP GET: http://rightcontinue.net/index.php  User-Agent:
HTTP GET: http://picturemaster.net/index.php  User-Agent:
HTTP GET: http://familydiscover.net/index.php  User-Agent:
HTTP GET: http://englishmaster.net/index.php  User-Agent:
HTTP GET: http://becausebasket.net/index.php  User-Agent:
Flows: TCP 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows: TCP 192.168.1.1:1032 ➝ 195.22.28.196:80
Flows: TCP 192.168.1.1:1033 ➝ 50.63.202.52:80
Flows: TCP 192.168.1.1:1034 ➝ 104.193.182.229:80
Flows: TCP 192.168.1.1:1035 ➝ 208.100.26.234:80
Flows: TCP 192.168.1.1:1036 ➝ 207.148.248.143:80
Flows: TCP 192.168.1.1:1037 ➝ 64.34.157.130:80
Flows: TCP 192.168.1.1:1038 ➝ 49.212.180.208:80
Flows: TCP 192.168.1.1:1039 ➝ 195.22.28.198:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706563 74707265 73696465 6e742e6e   xpectpresident.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   69676172 65747465 70726573 6964656e   igarettepresiden
0x00000050 (00080)   742e6e65 740d0a0d 0a                  t.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696c64 72656e73 74726f6e 672e6e65   hildrenstrong.ne
0x00000050 (00080)   740d0a0d 0a0d0a0d 0a                  t........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79737472 6f6e672e 6e65740d   amilystrong.net.
0x00000050 (00080)   0a0d0a0d 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 636f6e74 696e7565 2e6e6574   ightcontinue.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72656d61 73746572 2e6e6574   icturemaster.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79646973 636f7665 722e6e65   amilydiscover.ne
0x00000050 (00080)   740d0a0d 0a0d0a0d 0a                  t........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73686d61 73746572 2e6e6574   nglishmaster.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   65636175 73656261 736b6574 2e6e6574   ecausebasket.net
0x00000050 (00080)   0d0a0d0a 0a0d0a0d 0a                  .........


Strings