Analysis Date: 2016-01-29 03:26:43
MD5: b5c8b6205b7a9cec612c09bce95220cb
SHA1: 47aa0a81c09ccf53c74be2bfb705c080d25a9ea4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 463aed84ce5a8159ddf83c74c6fecc76 sha1: 064fc4dfb493e3b831d1681cb821f8169fdb7b55 size: 201728
Section .rdata: md5: bf80ad9e37d2da669fb58dbb1f113e14 sha1: d86e78b5e52ee5dc1f1bca5af18e782956ce9b32 size: 3072
Section .data: md5: 9eaded51536458ccc4690767de5b3027 sha1: dd6e44a33a48df241f645ec90d3417a622623229 size: 14848
Section .reloc: md5: 69df6507c2b08d939268dc353b37b8a6 sha1: d129eeb0740f396a416008b78864139290bca6e8 size: 31744
Timestamp: 2014-12-14 11:30:07
PEhash: f5c84412cf57966df48acc0071bdba4d7899db1e
IMPhash: 56e1461701d7cfc42889238375e6bf80
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHRG!B5C8B6205B7A
AV Avira (antivir): TR/Nivdort.A.31033
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788903
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Generic_r.GVH
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.788903
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV MicroWorld (escan): Gen:Variant.Kazy.788903
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.H.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.788903
AV Frisk (f-prot): W32/Nivdort.H.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.788903
AV Arcabit (arcavir): Gen:Variant.Kazy.788903
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.788903

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\rwdmkwubewoa\bhi4guai4e
Creates File: C:\rwdmkwubewoa\way3wfwfwyiauxqrda.exe
Creates File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Deletes File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Creates Process: C:\rwdmkwubewoa\way3wfwfwyiauxqrda.exe

Process
↳ C:\rwdmkwubewoa\way3wfwfwyiauxqrda.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DLL Card Host Sharing Thread ➝ C:\rwdmkwubewoa\tcgdvceyuenf.exe
Creates File: C:\rwdmkwubewoa\tcgdvceyuenf.exe
Creates File: C:\rwdmkwubewoa\bhi4guai4e
Creates File: C:\rwdmkwubewoa\hktstcxa
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Deletes File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Creates Process: C:\rwdmkwubewoa\tcgdvceyuenf.exe
Creates Service: UPnP Discovery PNRP CNG Power Launcher NetBIOS - C:\rwdmkwubewoa\tcgdvceyuenf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\WAY3WFWFWYIAUXQRDA.EXE-2F073F49.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\NXYBDAXX.EXE-01552070.pf
Creates File: C:\WINDOWS\Prefetch\TCGDVCEYUENF.EXE-00238559.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1328

Process
↳ Pid 1864

Process
↳ Pid 976

Process
↳ C:\rwdmkwubewoa\tcgdvceyuenf.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\rwdmkwubewoa\nxybdaxx.exe
Creates File: C:\rwdmkwubewoa\bhi4guai4e
Creates File: C:\rwdmkwubewoa\y9wdcwjyc
Creates File: C:\rwdmkwubewoa\hktstcxa
Creates File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Creates Process: bpued90y2aj7 "c:\rwdmkwubewoa\tcgdvceyuenf.exe"

Process
↳ C:\rwdmkwubewoa\tcgdvceyuenf.exe

Creates File: C:\rwdmkwubewoa\bhi4guai4e
Creates File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Deletes File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e

Process
↳ bpued90y2aj7 "c:\rwdmkwubewoa\tcgdvceyuenf.exe"

Creates File: C:\rwdmkwubewoa\bhi4guai4e
Creates File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e
Deletes File: C:\WINDOWS\rwdmkwubewoa\bhi4guai4e

Network Details:

DNS: brokennation.net (Type: A) ➝ 208.91.197.27
DNS: resultnation.net (Type: A) ➝ 208.91.197.27
DNS: brokensoldier.net (Type: A) ➝ 173.236.158.114
DNS: buildingpower.net (Type: A) ➝ 188.40.84.184
DNS: doctorcentury.net (Type: A) ➝ 195.22.28.198
DNS: doctorcentury.net (Type: A) ➝ 195.22.28.199
DNS: doctorcentury.net (Type: A) ➝ 195.22.28.196
DNS: doctorcentury.net (Type: A) ➝ 195.22.28.197
DNS: prettypower.net (Type: A) ➝ 208.91.197.23
DNS: doublefamous.net (Type: A) ➝ 210.157.1.134
DNS: fellowpower.net (Type: A) ➝ 98.139.135.129
DNS: brokenfamous.net (Type: A) ➝ 208.100.26.234
DNS: brokenpower.net (Type: A) ➝ 72.167.131.57
DNS: stillpower.net (Type: A) ➝ 184.168.221.34
DNS: doctorletter.net (Type: A) ➝ 162.255.119.251
DNS: doctordifferent.net (Type: A) ➝ 184.168.221.43
DNS: prettydifferent.net (Type: A) ➝ 23.236.62.147
DNS: stillsurprise.net (Type: A) ➝ 98.139.135.129
DNS: strengthdifferent.net (Type: A) ➝ 208.100.26.234
DNS: machineclean.net (Type: A) ➝ 208.109.181.40
DNS: doublecondition.net (Type: A)
DNS: resultsoldier.net (Type: A)
DNS: brokenplease.net (Type: A)
DNS: resultplease.net (Type: A)
DNS: brokencondition.net (Type: A)
DNS: resultcondition.net (Type: A)
DNS: preparenation.net (Type: A)
DNS: desirenation.net (Type: A)
DNS: preparesoldier.net (Type: A)
DNS: desiresoldier.net (Type: A)
DNS: prepareplease.net (Type: A)
DNS: desireplease.net (Type: A)
DNS: preparecondition.net (Type: A)
DNS: desirecondition.net (Type: A)
DNS: strengthnation.net (Type: A)
DNS: stillnation.net (Type: A)
DNS: strengthsoldier.net (Type: A)
DNS: stillsoldier.net (Type: A)
DNS: strengthplease.net (Type: A)
DNS: stillplease.net (Type: A)
DNS: strengthcondition.net (Type: A)
DNS: stillcondition.net (Type: A)
DNS: movementcentury.net (Type: A)
DNS: outsidecentury.net (Type: A)
DNS: movementfamous.net (Type: A)
DNS: outsidefamous.net (Type: A)
DNS: movementpower.net (Type: A)
DNS: outsidepower.net (Type: A)
DNS: movementcountry.net (Type: A)
DNS: outsidecountry.net (Type: A)
DNS: buildingcentury.net (Type: A)
DNS: eveningcentury.net (Type: A)
DNS: buildingfamous.net (Type: A)
DNS: eveningfamous.net (Type: A)
DNS: eveningpower.net (Type: A)
DNS: buildingcountry.net (Type: A)
DNS: eveningcountry.net (Type: A)
DNS: storecentury.net (Type: A)
DNS: mightcentury.net (Type: A)
DNS: storefamous.net (Type: A)
DNS: mightfamous.net (Type: A)
DNS: storepower.net (Type: A)
DNS: mightpower.net (Type: A)
DNS: storecountry.net (Type: A)
DNS: mightcountry.net (Type: A)
DNS: prettycentury.net (Type: A)
DNS: doctorfamous.net (Type: A)
DNS: prettyfamous.net (Type: A)
DNS: doctorpower.net (Type: A)
DNS: doctorcountry.net (Type: A)
DNS: prettycountry.net (Type: A)
DNS: fellowcentury.net (Type: A)
DNS: doublecentury.net (Type: A)
DNS: fellowfamous.net (Type: A)
DNS: doublepower.net (Type: A)
DNS: fellowcountry.net (Type: A)
DNS: doublecountry.net (Type: A)
DNS: brokencentury.net (Type: A)
DNS: resultcentury.net (Type: A)
DNS: resultfamous.net (Type: A)
DNS: resultpower.net (Type: A)
DNS: brokencountry.net (Type: A)
DNS: resultcountry.net (Type: A)
DNS: preparecentury.net (Type: A)
DNS: desirecentury.net (Type: A)
DNS: preparefamous.net (Type: A)
DNS: desirefamous.net (Type: A)
DNS: preparepower.net (Type: A)
DNS: desirepower.net (Type: A)
DNS: preparecountry.net (Type: A)
DNS: desirecountry.net (Type: A)
DNS: strengthcentury.net (Type: A)
DNS: stillcentury.net (Type: A)
DNS: strengthfamous.net (Type: A)
DNS: stillfamous.net (Type: A)
DNS: strengthpower.net (Type: A)
DNS: strengthcountry.net (Type: A)
DNS: stillcountry.net (Type: A)
DNS: movementsurprise.net (Type: A)
DNS: outsidesurprise.net (Type: A)
DNS: movementbeside.net (Type: A)
DNS: outsidebeside.net (Type: A)
DNS: movementletter.net (Type: A)
DNS: outsideletter.net (Type: A)
DNS: movementdifferent.net (Type: A)
DNS: outsidedifferent.net (Type: A)
DNS: buildingsurprise.net (Type: A)
DNS: eveningsurprise.net (Type: A)
DNS: buildingbeside.net (Type: A)
DNS: eveningbeside.net (Type: A)
DNS: buildingletter.net (Type: A)
DNS: eveningletter.net (Type: A)
DNS: buildingdifferent.net (Type: A)
DNS: eveningdifferent.net (Type: A)
DNS: storesurprise.net (Type: A)
DNS: mightsurprise.net (Type: A)
DNS: storebeside.net (Type: A)
DNS: mightbeside.net (Type: A)
DNS: storeletter.net (Type: A)
DNS: mightletter.net (Type: A)
DNS: storedifferent.net (Type: A)
DNS: mightdifferent.net (Type: A)
DNS: doctorsurprise.net (Type: A)
DNS: prettysurprise.net (Type: A)
DNS: doctorbeside.net (Type: A)
DNS: prettybeside.net (Type: A)
DNS: prettyletter.net (Type: A)
DNS: fellowsurprise.net (Type: A)
DNS: doublesurprise.net (Type: A)
DNS: fellowbeside.net (Type: A)
DNS: doublebeside.net (Type: A)
DNS: fellowletter.net (Type: A)
DNS: doubleletter.net (Type: A)
DNS: fellowdifferent.net (Type: A)
DNS: doubledifferent.net (Type: A)
DNS: brokensurprise.net (Type: A)
DNS: resultsurprise.net (Type: A)
DNS: brokenbeside.net (Type: A)
DNS: resultbeside.net (Type: A)
DNS: brokenletter.net (Type: A)
DNS: resultletter.net (Type: A)
DNS: brokendifferent.net (Type: A)
DNS: resultdifferent.net (Type: A)
DNS: preparesurprise.net (Type: A)
DNS: desiresurprise.net (Type: A)
DNS: preparebeside.net (Type: A)
DNS: desirebeside.net (Type: A)
DNS: prepareletter.net (Type: A)
DNS: desireletter.net (Type: A)
DNS: preparedifferent.net (Type: A)
DNS: desiredifferent.net (Type: A)
DNS: strengthsurprise.net (Type: A)
DNS: strengthbeside.net (Type: A)
DNS: stillbeside.net (Type: A)
DNS: strengthletter.net (Type: A)
DNS: stillletter.net (Type: A)
DNS: stilldifferent.net (Type: A)
DNS: expectclean.net (Type: A)
DNS: becauseclean.net (Type: A)
DNS: expectpaint.net (Type: A)
DNS: becausepaint.net (Type: A)
DNS: expectcourse.net (Type: A)
DNS: becausecourse.net (Type: A)
DNS: expectwomen.net (Type: A)
DNS: becausewomen.net (Type: A)
DNS: personclean.net (Type: A)
DNS: personpaint.net (Type: A)
DNS: machinepaint.net (Type: A)
DNS: personcourse.net (Type: A)
DNS: machinecourse.net (Type: A)
DNS: personwomen.net (Type: A)
DNS: machinewomen.net (Type: A)
DNS: suddenclean.net (Type: A)
HTTP GET: http://brokennation.net/index.php (User-Agent: )
HTTP GET: http://resultnation.net/index.php (User-Agent: )
HTTP GET: http://brokensoldier.net/index.php (User-Agent: )
HTTP GET: http://buildingpower.net/index.php (User-Agent: )
HTTP GET: http://doctorcentury.net/index.php (User-Agent: )
HTTP GET: http://prettypower.net/index.php (User-Agent: )
HTTP GET: http://doublefamous.net/index.php (User-Agent: )
HTTP GET: http://fellowpower.net/index.php (User-Agent: )
HTTP GET: http://brokenfamous.net/index.php (User-Agent: )
HTTP GET: http://brokenpower.net/index.php (User-Agent: )
HTTP GET: http://stillpower.net/index.php (User-Agent: )
HTTP GET: http://doctorletter.net/index.php (User-Agent: )
HTTP GET: http://doctordifferent.net/index.php (User-Agent: )
HTTP GET: http://prettydifferent.net/index.php (User-Agent: )
HTTP GET: http://stillsurprise.net/index.php (User-Agent: )
HTTP GET: http://strengthdifferent.net/index.php (User-Agent: )
HTTP GET: http://machineclean.net/index.php (User-Agent: )
Flows TCP: 192.168.1.1:1031 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1032 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1033 ➝ 173.236.158.114:80
Flows TCP: 192.168.1.1:1034 ➝ 188.40.84.184:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.23:80
Flows TCP: 192.168.1.1:1037 ➝ 210.157.1.134:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1040 ➝ 72.167.131.57:80
Flows TCP: 192.168.1.1:1041 ➝ 184.168.221.34:80
Flows TCP: 192.168.1.1:1042 ➝ 162.255.119.251:80
Flows TCP: 192.168.1.1:1043 ➝ 184.168.221.43:80
Flows TCP: 192.168.1.1:1044 ➝ 23.236.62.147:80
Flows TCP: 192.168.1.1:1045 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1046 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1047 ➝ 208.109.181.40:80