Analysis Date: 2015-08-15 17:04:40
MD5: 68062960d6525b2790fc4171858eef1c
SHA1: 4703bc81f5a446e460151715d86c824061b44198

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9caa051b6d054f079338e5a27aac482c sha1: c84573ca8b4782669c69d11a9f94c74a20797d74 size: 322048
Section .rdata: md5: 1c1f4f8a9caf583c90000251f5a4c3a4 sha1: a0fa9c5f7e1095b10575398318d6c9f03863c676 size: 60416
Section .data: md5: 441fdb41186940718ee7127cd863f5b6 sha1: a7b0db64bdbda013aa1a456d90d9bb6a7ca6e2b1 size: 7168
Section .reloc: md5: cd11f595163beb61782c57f920a1898a sha1: 4f4b1ad3591c97ad97a7f3faa06a1414dbdd8884 size: 26624
Timestamp: 2015-05-11 06:50:44
Packer: Microsoft Visual C++ 8
PEhash: de6d189364c0a74f861da7c8c843518743f66307
IMPhash: 938958993e22aabfbed01c2e8feed73d
AV BitDefender: Gen:Variant.Kazy.611009
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Kaspersky: Trojan.Win32.Scar.jleq
AV Symantec: Downloader.Upatre!g15
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV Grisoft (avg): Win32/Cryptor
AV Padvish: no_virus
AV Eset (nod32): Win32/Bayrob.W
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV F-Secure: Gen:Variant.Kazy.611009
AV Trend Micro: TROJ_BAYROB.SM0
AV BullGuard: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV K7: Trojan ( 004c3a4d1 )
AV Frisk (f-prot): no_virus
AV ClamAV: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Mcafee: PWS-FCCE!68062960D652
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV VirusBlokAda (vba32): Trojan.Scar
AV Twister: no_virus
AV Zillya!: Trojan.Bayrob.Win32.846
AV Dr. Web: Trojan.Bayrob.1
AV Emsisoft: Gen:Variant.Kazy.611009
AV Rising: Trojan.Win32.Bayrod.b

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates File: C:\fgsiooclazvnj\lbv8bqknwn
Creates File: C:\fgsiooclazvnj\ve1lhgxlft4cuaa.exe
Deletes File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates Process: C:\fgsiooclazvnj\ve1lhgxlft4cuaa.exe

Process
↳ C:\fgsiooclazvnj\ve1lhgxlft4cuaa.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Quality Assistant DNS Experience ➝ C:\fgsiooclazvnj\mjowckjew.exe
Creates File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates File: C:\fgsiooclazvnj\mjowckjew.exe
Creates File: PIPE\lsarpc
Creates File: C:\fgsiooclazvnj\lbv8bqknwn
Creates File: C:\fgsiooclazvnj\pbir4ewv
Deletes File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates Process: C:\fgsiooclazvnj\mjowckjew.exe
Creates Service: Enumerator VC Window Netlogon - C:\fgsiooclazvnj\mjowckjew.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1844

Process
↳ Pid 1152

Process
↳ C:\fgsiooclazvnj\mjowckjew.exe

Creates File: C:\fgsiooclazvnj\ygnecdwm
Creates File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates File: pipe\net\NtControlPipe10
Creates File: C:\fgsiooclazvnj\xipnpkryq.exe
Creates File: C:\fgsiooclazvnj\lbv8bqknwn
Creates File: \Device\Afd\Endpoint
Creates File: C:\fgsiooclazvnj\pbir4ewv
Deletes File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates Process: xcc1rtrjfati "c:\fgsiooclazvnj\mjowckjew.exe"

Process
↳ C:\fgsiooclazvnj\mjowckjew.exe

Creates File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates File: C:\fgsiooclazvnj\lbv8bqknwn
Deletes File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn

Process
↳ xcc1rtrjfati "c:\fgsiooclazvnj\mjowckjew.exe"

Creates File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn
Creates File: C:\fgsiooclazvnj\lbv8bqknwn
Deletes File: C:\WINDOWS\fgsiooclazvnj\lbv8bqknwn

Network Details:

DNS rightcharge.net (Type: A) ➝ 95.211.230.75
DNS alreadyshort.net (Type: A) ➝ 195.22.26.253
DNS alreadyshort.net (Type: A) ➝ 195.22.26.254
DNS alreadyshort.net (Type: A) ➝ 195.22.26.231
DNS alreadyshort.net (Type: A) ➝ 195.22.26.252
HTTP GET http://rightcharge.net/index.php (User-Agent: empty)
HTTP GET http://alreadyshort.net/index.php (User-Agent: empty)
Flows TCP 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1032 ➝ 195.22.26.253:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 63686172 67652e6e 65740d0a   ightcharge.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6c726561 64797368 6f72742e 6e65740d   lreadyshort.net.
0x00000050 (00080)   0a0d0a                                ...