Analysis Date: 2016-01-28 09:07:14
MD5: 8d518624b0fd478739766d68872a702d
SHA1: 45276af6debf5235f50ae25d8c07958e033f45dd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 6a62a73cca2f58b8e7fdfba819cabd10 sha1: 2ef410537dc3f18e1c8ceecf0b6af30a54c0daa3 size: 652800
Section .rdata md5: 1594da3c290f31f53c05f18cc034cd1e sha1: f520765f654795550a7e0a09f98962493ee673d8 size: 211968
Section .data  md5: 9bb26ba51c79116ac90b69580f5c7936 sha1: 597d0189c65f538e79d75bab11a20b70e10382f0 size: 5120
Section .reloc md5: 720627e18dc2079b2083c6cfa7246a10 sha1: 256973934940d2d2628e2aec9ba916b6d334e966 size: 88576
Timestamp: 2013-05-23 06:45:15
Packer: Microsoft Visual C++ ?.?
PEhash: f6318ec219992d750d6849482c4b83cfdd812d02
IMPhash: eec452fa1347cc3c38dfae783d2e248e
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHSI!8D518624B0FD
AV Avira (antivir): TR/Nivdort.A.31028
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.791077
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Crypt_c.APTN
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.791077
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.791077
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.791077
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.791077
AV Arcabit (arcavir): Gen:Variant.Kazy.791077
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.6909
AV F-Secure: Gen:Variant.Kazy.791077

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\glfzbknmz\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zieprye39nueyep9ojszurte.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zieprye39nueyep9ojszurte.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zieprye39nueyep9ojszurte.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DLL AuthIP Certificate Task Encryption ➝ C:\WINDOWS\system32\ynnjzoqqznrh.exe
Creates File: C:\WINDOWS\system32\glfzbknmz\tst
Creates File: C:\WINDOWS\system32\ynnjzoqqznrh.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\glfzbknmz\lck
Creates Process: C:\WINDOWS\system32\ynnjzoqqznrh.exe
Creates Service: Awareness Logon Alerts Shadow - C:\WINDOWS\system32\ynnjzoqqznrh.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\ynnjzoqqznrh.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\glfzbknmz\rng
Creates File: C:\WINDOWS\system32\glfzbknmz\tst
Creates File: C:\WINDOWS\system32\glfzbknmz\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\glfzbknmz\run
Creates File: C:\WINDOWS\system32\lpnwjjuuja.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\ziepryes5xafeep9.exe
Creates File: C:\WINDOWS\system32\glfzbknmz\cfg
Creates Process: C:\WINDOWS\TEMP\ziepryes5xafeep9.exe -r 37093 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\ynnjzoqqznrh.exe"

Process
↳ C:\WINDOWS\system32\ynnjzoqqznrh.exe

Creates File: C:\WINDOWS\system32\glfzbknmz\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\ynnjzoqqznrh.exe"

Creates File: C:\WINDOWS\system32\glfzbknmz\tst

Process
↳ C:\WINDOWS\TEMP\ziepryes5xafeep9.exe -r 37093 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS doubleobject.net (A) ➝ 69.195.124.153
DNS brokenthird.net (A) ➝ 74.220.215.249
DNS riddenstorm.net (A) ➝ 66.147.240.171
DNS gentleangry.net (A) ➝ 98.139.135.129
DNS simonettedwerryhouse.net (A) ➝ 98.139.135.129
DNS morningduring.net (A) ➝ 98.139.135.129
DNS wifeabout.net (A) ➝ 98.139.135.129
DNS casestep.net (A) ➝ 98.139.135.129
DNS westboat.net (A) ➝ 213.186.33.104
DNS westrest.net (A) ➝ 208.100.26.234
DNS leadpress.net (A) ➝ 98.124.199.4
HTTP GET http://doubleobject.net/index.php (User-Agent: empty)
HTTP GET http://brokenthird.net/index.php (User-Agent: empty)
HTTP GET http://riddenstorm.net/index.php (User-Agent: empty)
HTTP GET http://gentleangry.net/index.php (User-Agent: empty)
HTTP GET http://simonettedwerryhouse.net/index.php (User-Agent: empty)
HTTP GET http://morningduring.net/index.php (User-Agent: empty)
HTTP GET http://wifeabout.net/index.php (User-Agent: empty)
HTTP GET http://casestep.net/index.php (User-Agent: empty)
HTTP GET http://westboat.net/index.php (User-Agent: empty)
HTTP GET http://westrest.net/index.php (User-Agent: empty)
HTTP GET http://leadpress.net/index.php (User-Agent: empty)
HTTP GET http://doubleobject.net/index.php (User-Agent: empty)
HTTP GET http://brokenthird.net/index.php (User-Agent: empty)
HTTP GET http://riddenstorm.net/index.php (User-Agent: empty)
Flows TCP 192.168.1.1:1036 ➝ 69.195.124.153:80
Flows TCP 192.168.1.1:1037 ➝ 74.220.215.249:80
Flows TCP 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1042 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1043 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1044 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1045 ➝ 213.186.33.104:80
Flows TCP 192.168.1.1:1046 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1047 ➝ 98.124.199.4:80
Flows TCP 192.168.1.1:1049 ➝ 69.195.124.153:80
Flows TCP 192.168.1.1:1050 ➝ 74.220.215.249:80
Flows TCP 192.168.1.1:1051 ➝ 66.147.240.171:80
