Analysis Date: 2015-07-24 14:50:32
MD5: a0a049d895310d25377f883c39ff2f40
SHA1: 478b56d29030de332683379ee92ea4d299a5c42a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: dfa5b65076ed88bc6dcec3a0a2f09360 sha1: ff0fb6d9b87ff76038f5bd7edc86cd81eb5c3684 size: 288256
Section .rdata: md5: ed9a574997c11ce469d923d67d53d564 sha1: 4f023a74ea8b9c155fe8ce4c7ce2431a03459493 size: 43520
Section .data: md5: 24f130d5d7c40168b5262c1a7ffa2422 sha1: 7eda53714c77ed01373659265c7eaa510636d09e size: 6656
Section .reloc: md5: b4741f4beec13e44a691746f5eae8739 sha1: cc927517ad2c47496572e7b208a7da068ca28925 size: 24064
Timestamp: 2015-05-21 04:28:25
Packer: Microsoft Visual C++ ?.?
PEhash: 8fb0f2ce2a2a822e8226c6777affcc27f323a0ff
IMPhash: 0ffc6042bf9f9e26e9d15a4370d18eb7
AV Twister: Trojan.Generic.saaq
AV Ad-Aware: Gen:Variant.Diley.1
AV Kaspersky: Trojan.Win32.Scar.kkog
AV Rising: 0x58e44cd5
AV BullGuard: Gen:Variant.Diley.1
AV Symantec: Downloader.Upatre!g15
AV Mcafee: Trojan-FGIJ!A0A049D89531
AV Emsisoft: Gen:Variant.Diley.1
AV Grisoft (avg): Win32/Cryptor
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Frisk (f-prot): no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV Fortinet: W32/Babrob.Y!tr
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Avira (antivir): TR/Crypt.ZPACK.79982
AV Dr. Web: Trojan.DownLoader15.5450
AV CAT (quickheal): Trojan.Scar.r4
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV ClamAV: no_virus
AV Zillya!: no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Trend Micro: TROJ_BAYROB.SM0
AV Eset (nod32): Win32/Bayrob.Z

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates File: C:\rkdjohulwspxo\jq1lnijvkinbxm.exe
Creates File: C:\rkdjohulwspxo\ltbwpd8
Deletes File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates Process: C:\rkdjohulwspxo\jq1lnijvkinbxm.exe

Process
↳ C:\rkdjohulwspxo\jq1lnijvkinbxm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Search Audio NGEN Thread Bluetooth Spooler ➝ C:\rkdjohulwspxo\vdfunsa.exe
Creates File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates File: PIPE\lsarpc
Creates File: C:\rkdjohulwspxo\dqyyejoxi
Creates File: C:\rkdjohulwspxo\ltbwpd8
Creates File: C:\rkdjohulwspxo\vdfunsa.exe
Deletes File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates Process: C:\rkdjohulwspxo\vdfunsa.exe
Creates Service: WLAN Host CNG Shadow Initiator User - C:\rkdjohulwspxo\vdfunsa.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1152

Process
↳ C:\rkdjohulwspxo\vdfunsa.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\rkdjohulwspxo\z3vicq5xu
Creates File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates File: C:\rkdjohulwspxo\dqyyejoxi
Creates File: \Device\Afd\Endpoint
Creates File: C:\rkdjohulwspxo\vlujrjomap.exe
Creates File: C:\rkdjohulwspxo\ltbwpd8
Deletes File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates Process: hpiol03rgxgp "c:\rkdjohulwspxo\vdfunsa.exe"

Process
↳ C:\rkdjohulwspxo\vdfunsa.exe

Creates File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates File: C:\rkdjohulwspxo\ltbwpd8
Deletes File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8

Process
↳ hpiol03rgxgp "c:\rkdjohulwspxo\vdfunsa.exe"

Creates File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8
Creates File: C:\rkdjohulwspxo\ltbwpd8
Deletes File: C:\WINDOWS\rkdjohulwspxo\ltbwpd8

Network Details:

