Analysis Date: 2015-08-28 09:24:31
MD5: 38ad07f335c1da377ac6050a85eedf82
SHA1: 49fb24ab223157036990059b2116c1bf680f4346

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 23cf38f4b79a325c84372245f352030d sha1: 266755305a726579c3a7f9d0242c07559886ed89 size: 289792
Section .rdata: md5: 18546c4105af8f07954ce0ca235b9ff6 sha1: d22d46829e194af888e0f6405ed85a708467c332 size: 59392
Section .data: md5: 0b9e41648bfa18db8e88c3c5200b3ed6 sha1: b3a9cc1e04e848614df8252225d91fdaebf718ef size: 7168
Section .reloc: md5: 20e0e76fd1bb159eaede0906cd1ce6d3 sha1: f5d841e0aa8973730ed263c01454a95462e57f23 size: 20480
Timestamp: 2015-05-11 06:29:59
Packer: Microsoft Visual C++ 8
PEhash: 979cd59e6f2ebd0a5c45b079e309abbb69803afa
IMPhash: 0f3ccc463c6b37f1ad5eed3b9c57ccfb
AV Rising: Trojan.Win32.Bayrod.b
AV McAfee: PWS-FCCE!38AD07F335C1
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.W
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates File: C:\wnbzpbd\xqk1l29ezilol6sja.exe
Creates File: C:\wnbzpbd\iqnxxh
Deletes File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates Process: C:\wnbzpbd\xqk1l29ezilol6sja.exe

Process
↳ C:\wnbzpbd\xqk1l29ezilol6sja.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Filtering Themes Location Process Disk Panel ➝ C:\wnbzpbd\rdkckljbzj.exe
Creates File: C:\wnbzpbd\acrnxe
Creates File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates File: C:\wnbzpbd\rdkckljbzj.exe
Creates File: PIPE\lsarpc
Creates File: C:\wnbzpbd\iqnxxh
Deletes File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates Process: C:\wnbzpbd\rdkckljbzj.exe
Creates Service: Redirector Biometric Secure Hardware Installer - C:\wnbzpbd\rdkckljbzj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1160

Process
↳ C:\wnbzpbd\rdkckljbzj.exe

Creates File: C:\wnbzpbd\acrnxe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates File: C:\wnbzpbd\iqnxxh
Creates File: \Device\Afd\Endpoint
Creates File: C:\wnbzpbd\ldklqtcb
Creates File: C:\wnbzpbd\supchgwi.exe
Deletes File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates Process: ndinifnmsnyd "c:\wnbzpbd\rdkckljbzj.exe"

Process
↳ C:\wnbzpbd\rdkckljbzj.exe

Creates File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates File: C:\wnbzpbd\iqnxxh
Deletes File: C:\WINDOWS\wnbzpbd\iqnxxh

Process
↳ ndinifnmsnyd "c:\wnbzpbd\rdkckljbzj.exe"

Creates File: C:\WINDOWS\wnbzpbd\iqnxxh
Creates File: C:\wnbzpbd\iqnxxh
Deletes File: C:\WINDOWS\wnbzpbd\iqnxxh

Network Details:

HTTP GET: http://outsidechance.net/index.php
User-Agent:
HTTP GET: http://buildingtwenty.net/index.php
User-Agent:
HTTP GET: http://mightmeeting.net/index.php
User-Agent:
HTTP GET: http://fellowunderstood.net/index.php
User-Agent:
HTTP GET: http://brokentwenty.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 74.200.250.184:80
Flows TCP: 192.168.1.1:1032 ➝ 66.6.44.4:80
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1034 ➝ 93.115.38.30:80
Flows TCP: 192.168.1.1:1035 ➝ 95.211.230.75:80

Raw Pcap

Strings