Analysis Date: 2016-04-12 23:36:53
MD5: 4ee6e3fe85ca5cac6e3edb95928a02ca
SHA1: 47f158af337075ed68f55c0cf6538c68d2c9975a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4ec5b6c81c01733dd2591404db92f369 sha1: dfeedbc997998285151be35b3e267ab4a120032d size: 545792
Section .rdata: md5: 940e89cc7b65eeeba5cbd3cb48196ad8 sha1: c04f5de3f2509b7047b4fb90be8277003f1ba8ac size: 221184
Section .data: md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc: md5: 83e2f372f847aa35632768e44d0d549e sha1: 265b1f4d05235442272b7bb9d6dc0f39f68f7d31 size: 86016
Timestamp: 2015-12-29 20:39:24
PEhash: 328e2019c78aed5c549cf2e10352419836177d6c
IMPhash: 3a337d7529ed7443a5606980c5465a64
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.13381
AV F-Secure: Gen:Variant.Razy.13381
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.13381
AV BullGuard: Gen:Variant.Razy.13381
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Bayrob.Win32.15190
AV Emsisoft: Gen:Variant.Razy.13381
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): No Virus
AV Authentium: W32/Trojan.VPMI-2727
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.13381
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DU
AV K7: Trojan ( 004db0c61 )
AV BitDefender: Gen:Variant.Razy.13381
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: No Virus
AV Grisoft (avg): Win32/Heur
AV Eset (nod32): Win32/Bayrob.AS
AV Alwil (avast): Dropper-gen [Drp]
AV Ad-Aware: Gen:Variant.Razy.13381
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.vfce
AV Mcafee: Trojan-FHOH!4EE6E3FE85CA

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\eqzgmvzjiok\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\sxeffmznrmpxqvjrzsknozwn.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\sxeffmznrmpxqvjrzsknozwn.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\sxeffmznrmpxqvjrzsknozwn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Proxy WMI WLAN Locator Sharing ➝ C:\WINDOWS\system32\rebzdrivi.exe
Creates File: C:\WINDOWS\system32\rebzdrivi.exe
Creates File: C:\WINDOWS\system32\eqzgmvzjiok\tst
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\eqzgmvzjiok\lck
Creates Process: C:\WINDOWS\system32\rebzdrivi.exe
Creates Service: Detection WMI Netlogon - C:\WINDOWS\system32\rebzdrivi.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\rebzdrivi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\eqzgmvzjiok\run
Creates File: C:\WINDOWS\system32\eqzgmvzjiok\cfg
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\system32\eqzgmvzjiok\rng
Creates File: C:\WINDOWS\TEMP\sxeffmzntzx37mjrz.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\eqzgmvzjiok\tst
Creates File: C:\WINDOWS\system32\ffghvchj.exe
Creates File: C:\WINDOWS\system32\eqzgmvzjiok\lck
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\rebzdrivi.exe"
Creates Process: C:\WINDOWS\TEMP\sxeffmzntzx37mjrz.exe -r 50847 tcp

Process
↳ C:\WINDOWS\system32\rebzdrivi.exe

Creates File: C:\WINDOWS\system32\eqzgmvzjiok\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\rebzdrivi.exe"

Creates File: C:\WINDOWS\system32\eqzgmvzjiok\tst

Process
↳ C:\WINDOWS\TEMP\sxeffmzntzx37mjrz.exe -r 50847 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: doubleobject.net (Type: A)
DNS: brokenthird.net (Type: A)
DNS: mightspecial.net (Type: A)
DNS: dulcibellamartinson.net (Type: A)
DNS: mariabellabotwright.net (Type: A)
DNS: simonettesherisse.net (Type: A)
DNS: decidebetween.net (Type: A)
HTTP GET: http://riddenstorm.net/index.php
User-Agent: (empty)
Flows TCP: 192.168.1.1:1036 ➝ 199.189.248.96:443
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
