Analysis Date: 2016-04-23 04:58:42
MD5: 3cb983edb4a4a45c0f21d07e09448d11
SHA1: 445f60ab9387c5e5625f8d9b10d33ab302e35c90

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 6ed55669faf3319cbe164abb899cefc9 sha1: 3b2ee1e4968e621b49fa795be24920bd5cfb017b size: 268288
Section .rdata: md5: 01e27c8a734cb11751ed2befb29f0878 sha1: 84653d3fb58cacf50d1facb064cad385aba8b7ef size: 41984
Section .data: md5: cc8c38e18297b6d467aa7fa613f50b62 sha1: 7705522768450b50b551d46560b685156389f2ca size: 1536
Section .reloc: md5: 78f661a49923ccdec105b146b678c8c6 sha1: 97408ce99aefefb4b39a97d123ac55119631355b size: 51712
Timestamp: 2015-12-23 04:06:11
Packer: Borland Delphi 3.0 (???)
PEhash: cc418ca800c50cc50b19f78da8a1fc16af1d409b
IMPhash: 0f1718e85379b9e4075889a4d09a59ba
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV Rising: No Virus
AV McAfee: Trojan-FHPD!3CB983EDB4A4
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.11545
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AQ
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.11545
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.F.gen!Eldorado
AV Frisk (f-prot): W32/Nivdort.F.gen!Eldorado
AV Ikarus: PUA.ConvertAd
AV Emsisoft: Gen:Variant.Razy.11545
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Msgfake
AV BullGuard: Gen:Variant.Razy.11545
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.33949
AV F-Secure: Gen:Variant.Razy.11545

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\qpqjlidmmiyez\le6qs704i
Creates File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Creates File: C:\qpqjlidmmiyez\nxtti1kuffdwlvwafk.exe
Deletes File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Creates Process: C:\qpqjlidmmiyez\nxtti1kuffdwlvwafk.exe

Process
↳ C:\qpqjlidmmiyez\nxtti1kuffdwlvwafk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WWAN Access Event DHCP Locator Peer ➝ C:\qpqjlidmmiyez\oekofhpkhtsc.exe
Creates File: C:\qpqjlidmmiyez\oekofhpkhtsc.exe
Creates File: C:\qpqjlidmmiyez\le6qs704i
Creates File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Creates File: PIPE\lsarpc
Creates File: C:\qpqjlidmmiyez\yddznw0tqwxe
Deletes File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Creates Process: C:\qpqjlidmmiyez\oekofhpkhtsc.exe
Creates Service: Diagnostic PNRP Keying Auto - C:\qpqjlidmmiyez\oekofhpkhtsc.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1180

Process
↳ C:\qpqjlidmmiyez\oekofhpkhtsc.exe

Creates File: C:\qpqjlidmmiyez\adukfyx.exe
Creates File: C:\qpqjlidmmiyez\le6qs704i
Creates File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Creates File: pipe\net\NtControlPipe10
Creates File: C:\qpqjlidmmiyez\zkqfvitqbti
Creates File: \Device\Afd\Endpoint
Creates File: C:\qpqjlidmmiyez\yddznw0tqwxe
Deletes File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Creates Process: if0gdrbttrje "c:\qpqjlidmmiyez\oekofhpkhtsc.exe"

Process
↳ C:\qpqjlidmmiyez\oekofhpkhtsc.exe

Creates File: C:\qpqjlidmmiyez\le6qs704i
Creates File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Deletes File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i

Process
↳ if0gdrbttrje "c:\qpqjlidmmiyez\oekofhpkhtsc.exe"

Creates File: C:\qpqjlidmmiyez\le6qs704i
Creates File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i
Deletes File: C:\WINDOWS\qpqjlidmmiyez\le6qs704i

Network Details:

