Analysis Date: 2016-03-30 04:43:48
MD5: 9415ab7aabc52a137731a49db7453721
SHA1: 4a0931e8be70b77da43be1138d03dbec74badff9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: d122487f80402f4a38d8e5d7a395ffe4  sha1: 4222902a82ba4671fa285f77117166039769ff98  size: 191488
Section .rdata  md5: 1f2fbdae270ad138f163defba67d8c3f  sha1: 585d1df9932b2c5c68ff878e9574ff1236628f49  size: 17920
Section .data   md5: 07b5472d347d42780469fb2654b7fc54  sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d  size: 512
Section .reloc  md5: a29c40330740f7e81b7ad8854278c58d  sha1: 704da2a5839f70a5b0cbcf61c80f9bf4a9611fff  size: 30720
Timestamp: 2016-01-06 12:19:31
PEhash: db105803a575c0a13b7b0cc665a511610fdd6a8b
IMPhash: 9500b299c2518827ba23e536ba63cf71
AV CA (E-Trust Ino): Gen:Variant.Razy.12226
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DA
AV Rising: No Virus
AV Mcafee: Trojan-FHPX!9415AB7AABC5
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Nivdort.nojk
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/BayRob.G.gen!Eldorado
AV Authentium: W32/BayRob.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.12226
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.12226
AV Zillya!: Trojan.Agent.Win32.652984
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: Trojan.Bayrob!gen6
AV BullGuard: Gen:Variant.Razy.12226
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV Fortinet: W32/Bayrob.AQ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Razy.12226
AV Dr. Web: No Virus
AV K7: Trojan ( 004db0c61 )
AV F-Secure: Gen:Variant.Razy.12226

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates File: C:\lylrdossrfqxqd\nix1ku0rluvfjh6.exe
Creates File: C:\lylrdossrfqxqd\reiovh2lfv
Deletes File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates Process: C:\lylrdossrfqxqd\nix1ku0rluvfjh6.exe

Process
↳ C:\lylrdossrfqxqd\nix1ku0rluvfjh6.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Coordinator Alerts Connections Visual Plug ➝ C:\lylrdossrfqxqd\xlulmqdkaumn.exe
Creates File: C:\lylrdossrfqxqd\xlulmqdkaumn.exe
Creates File: PIPE\lsarpc
Creates File: C:\lylrdossrfqxqd\by0wfk6ar
Creates File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates File: C:\lylrdossrfqxqd\reiovh2lfv
Deletes File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates Process: C:\lylrdossrfqxqd\xlulmqdkaumn.exe
Creates Service: HomeGroup Program Event Multimedia Hardware - C:\lylrdossrfqxqd\xlulmqdkaumn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1132

Process
↳ C:\lylrdossrfqxqd\xlulmqdkaumn.exe

Creates File: C:\lylrdossrfqxqd\krlfkjvwcy
Creates File: C:\lylrdossrfqxqd\arneegq.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\lylrdossrfqxqd\by0wfk6ar
Creates File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates File: \Device\Afd\Endpoint
Creates File: C:\lylrdossrfqxqd\reiovh2lfv
Deletes File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates Process: ydoxsyqqziyd "c:\lylrdossrfqxqd\xlulmqdkaumn.exe"

Process
↳ C:\lylrdossrfqxqd\xlulmqdkaumn.exe

Creates File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates File: C:\lylrdossrfqxqd\reiovh2lfv
Deletes File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv

Process
↳ ydoxsyqqziyd "c:\lylrdossrfqxqd\xlulmqdkaumn.exe"

Creates File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv
Creates File: C:\lylrdossrfqxqd\reiovh2lfv
Deletes File: C:\WINDOWS\lylrdossrfqxqd\reiovh2lfv

Network Details:

DNS: crowdmethod.net A 50.63.202.63
DNS: summeraction.net A 184.168.221.36
DNS: crowddirect.net A 69.64.147.242
DNS: thoughtaction.net A 74.220.199.8
DNS: wateraction.net A 50.63.202.22
DNS: waterdirect.net A 66.96.149.32
DNS: partymethod.net A 195.22.28.199, 195.22.28.196, 195.22.28.197, 195.22.28.198
DNS: fightmethod.net A 69.41.190.52
DNS: knownoclock.net A 208.100.26.234
DNS: leavebehind.net A 141.8.225.244
DNS: sweetbehind.net A 208.100.26.234
DNS: knownaction.net A (no address recorded)
DNS: begindirect.net A (no address recorded)
DNS: knowndirect.net A (no address recorded)
DNS: beginbrought.net A (no address recorded)
DNS: knownbrought.net A (no address recorded)
DNS: summermethod.net A (no address recorded)
DNS: crowdaction.net A (no address recorded)
DNS: summerdirect.net A (no address recorded)
DNS: summerbrought.net A (no address recorded)
DNS: crowdbrought.net A (no address recorded)
DNS: thoughtmethod.net A (no address recorded)
DNS: watermethod.net A (no address recorded)
DNS: thoughtdirect.net A (no address recorded)
DNS: thoughtbrought.net A (no address recorded)
DNS: waterbrought.net A (no address recorded)
DNS: womanmethod.net A (no address recorded)
DNS: smokemethod.net A (no address recorded)
DNS: womanaction.net A (no address recorded)
DNS: smokeaction.net A (no address recorded)
DNS: womandirect.net A (no address recorded)
DNS: smokedirect.net A (no address recorded)
DNS: womanbrought.net A (no address recorded)
DNS: smokebrought.net A (no address recorded)
DNS: partyaction.net A (no address recorded)
DNS: fightaction.net A (no address recorded)
DNS: partydirect.net A (no address recorded)
DNS: fightdirect.net A (no address recorded)
DNS: partybrought.net A (no address recorded)
DNS: fightbrought.net A (no address recorded)
DNS: freshspeak.net A (no address recorded)
DNS: experiencespeak.net A (no address recorded)
DNS: freshniece.net A (no address recorded)
DNS: experienceniece.net A (no address recorded)
DNS: freshwrite.net A (no address recorded)
DNS: experiencewrite.net A (no address recorded)
DNS: freshoclock.net A (no address recorded)
DNS: experienceoclock.net A (no address recorded)
DNS: gentlemanspeak.net A (no address recorded)
DNS: alreadyspeak.net A (no address recorded)
DNS: gentlemanniece.net A (no address recorded)
DNS: alreadyniece.net A (no address recorded)
DNS: gentlemanwrite.net A (no address recorded)
DNS: alreadywrite.net A (no address recorded)
DNS: gentlemanoclock.net A (no address recorded)
DNS: alreadyoclock.net A (no address recorded)
DNS: followspeak.net A (no address recorded)
DNS: memberspeak.net A (no address recorded)
DNS: followniece.net A (no address recorded)
DNS: memberniece.net A (no address recorded)
DNS: followwrite.net A (no address recorded)
DNS: memberwrite.net A (no address recorded)
DNS: followoclock.net A (no address recorded)
DNS: memberoclock.net A (no address recorded)
DNS: beginspeak.net A (no address recorded)
DNS: knownspeak.net A (no address recorded)
DNS: beginniece.net A (no address recorded)
DNS: knownniece.net A (no address recorded)
DNS: beginwrite.net A (no address recorded)
DNS: knownwrite.net A (no address recorded)
DNS: beginoclock.net A (no address recorded)
DNS: summerspeak.net A (no address recorded)
DNS: crowdspeak.net A (no address recorded)
DNS: summerniece.net A (no address recorded)
DNS: crowdniece.net A (no address recorded)
DNS: summerwrite.net A (no address recorded)
DNS: crowdwrite.net A (no address recorded)
DNS: summeroclock.net A (no address recorded)
DNS: crowdoclock.net A (no address recorded)
DNS: thoughtspeak.net A (no address recorded)
DNS: waterspeak.net A (no address recorded)
DNS: thoughtniece.net A (no address recorded)
DNS: waterniece.net A (no address recorded)
DNS: thoughtwrite.net A (no address recorded)
DNS: waterwrite.net A (no address recorded)
DNS: thoughtoclock.net A (no address recorded)
DNS: wateroclock.net A (no address recorded)
DNS: womanspeak.net A (no address recorded)
DNS: smokespeak.net A (no address recorded)
DNS: womanniece.net A (no address recorded)
DNS: smokeniece.net A (no address recorded)
DNS: womanwrite.net A (no address recorded)
DNS: smokewrite.net A (no address recorded)
DNS: womanoclock.net A (no address recorded)
DNS: smokeoclock.net A (no address recorded)
DNS: partyspeak.net A (no address recorded)
DNS: fightspeak.net A (no address recorded)
DNS: partyniece.net A (no address recorded)
DNS: fightniece.net A (no address recorded)
DNS: partywrite.net A (no address recorded)
DNS: fightwrite.net A (no address recorded)
DNS: partyoclock.net A (no address recorded)
DNS: fightoclock.net A (no address recorded)
DNS: severaunderstand.net A (no address recorded)
DNS: laughunderstand.net A (no address recorded)
DNS: severabroad.net A (no address recorded)
DNS: laughbroad.net A (no address recorded)
DNS: severabehind.net A (no address recorded)
DNS: laughbehind.net A (no address recorded)
DNS: severabutter.net A (no address recorded)
DNS: laughbutter.net A (no address recorded)
DNS: simpleunderstand.net A (no address recorded)
DNS: motherunderstand.net A (no address recorded)
DNS: simplebroad.net A (no address recorded)
DNS: motherbroad.net A (no address recorded)
DNS: simplebehind.net A (no address recorded)
DNS: motherbehind.net A (no address recorded)
DNS: simplebutter.net A (no address recorded)
DNS: motherbutter.net A (no address recorded)
DNS: mountainunderstand.net A (no address recorded)
DNS: possibleunderstand.net A (no address recorded)
DNS: mountainbroad.net A (no address recorded)
DNS: possiblebroad.net A (no address recorded)
DNS: mountainbehind.net A (no address recorded)
DNS: possiblebehind.net A (no address recorded)
DNS: mountainbutter.net A (no address recorded)
DNS: possiblebutter.net A (no address recorded)
DNS: perhapsunderstand.net A (no address recorded)
DNS: windowunderstand.net A (no address recorded)
DNS: perhapsbroad.net A (no address recorded)
DNS: windowbroad.net A (no address recorded)
DNS: perhapsbehind.net A (no address recorded)
DNS: windowbehind.net A (no address recorded)
DNS: perhapsbutter.net A (no address recorded)
DNS: windowbutter.net A (no address recorded)
DNS: winterunderstand.net A (no address recorded)
DNS: subjectunderstand.net A (no address recorded)
DNS: winterbroad.net A (no address recorded)
DNS: subjectbroad.net A (no address recorded)
DNS: winterbehind.net A (no address recorded)
DNS: subjectbehind.net A (no address recorded)
DNS: winterbutter.net A (no address recorded)
DNS: subjectbutter.net A (no address recorded)
DNS: finishunderstand.net A (no address recorded)
DNS: leaveunderstand.net A (no address recorded)
DNS: finishbroad.net A (no address recorded)
DNS: leavebroad.net A (no address recorded)
DNS: finishbehind.net A (no address recorded)
DNS: finishbutter.net A (no address recorded)
DNS: leavebutter.net A (no address recorded)
DNS: sweetunderstand.net A (no address recorded)
DNS: probablyunderstand.net A (no address recorded)
DNS: sweetbroad.net A (no address recorded)
DNS: probablybroad.net A (no address recorded)
DNS: probablybehind.net A (no address recorded)
DNS: sweetbutter.net A (no address recorded)
DNS: probablybutter.net A (no address recorded)
DNS: severalunderstand.net A (no address recorded)
DNS: materialunderstand.net A (no address recorded)
DNS: severalbroad.net A (no address recorded)
DNS: materialbroad.net A (no address recorded)
DNS: severalbehind.net A (no address recorded)
DNS: materialbehind.net A (no address recorded)
DNS: severalbutter.net A (no address recorded)
DNS: materialbutter.net A (no address recorded)
DNS: severadried.net A (no address recorded)
DNS: laughdried.net A (no address recorded)
DNS: severafifteen.net A (no address recorded)
DNS: laughfifteen.net A (no address recorded)
DNS: severaangry.net A (no address recorded)
HTTP GET: http://crowdmethod.net/index.php (User-Agent: empty)
HTTP GET: http://summeraction.net/index.php (User-Agent: empty)
HTTP GET: http://crowddirect.net/index.php (User-Agent: empty)
HTTP GET: http://thoughtaction.net/index.php (User-Agent: empty)
HTTP GET: http://wateraction.net/index.php (User-Agent: empty)
HTTP GET: http://waterdirect.net/index.php (User-Agent: empty)
HTTP GET: http://partymethod.net/index.php (User-Agent: empty)
HTTP GET: http://fightmethod.net/index.php (User-Agent: empty)
HTTP GET: http://knownoclock.net/index.php (User-Agent: empty)
HTTP GET: http://leavebehind.net/index.php (User-Agent: empty)
HTTP GET: http://sweetbehind.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.63:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1033 ➝ 69.64.147.242:80
Flows TCP: 192.168.1.1:1034 ➝ 74.220.199.8:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.22:80
Flows TCP: 192.168.1.1:1036 ➝ 66.96.149.32:80
Flows TCP: 192.168.1.1:1037 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1038 ➝ 69.41.190.52:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.244:80
Flows TCP: 192.168.1.1:1041 ➝ 208.100.26.234:80
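The runtime and network sections above carry three indicators a triage analyst would want to check mechanically rather than by eye: autostart persistence (a Run value and a service, both with multi-word display names, pointing at an executable in a directory created directly under C:\ rather than under Program Files or Windows), every HTTP GET going to /index.php with an empty User-Agent, and a long run of word+word .net A lookups of which only a handful returned an address. The script below is an added example, not part of this report or of the sandbox's own tooling. It runs those three checks over a constructed excerpt of the report in the same "Label: value" layout; EXPECTED_ROOTS, the split-recurrence heuristic for the domain names and its thresholds are assumptions chosen for the example.

```python
"""Triage checks over this sandbox report's "Label: value" lines. Added example, not part of the
report: the excerpt is constructed from entries on the page; checks, thresholds and EXPECTED_ROOTS are assumptions."""
import re
from collections import Counter

# Constructed excerpt in the page's own layout; an unanswered lookup carries no address.
SAMPLE_REPORT = r"""
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Coordinator Alerts Connections Visual Plug ➝ C:\lylrdossrfqxqd\xlulmqdkaumn.exe
Creates Service: HomeGroup Program Event Multimedia Hardware - C:\lylrdossrfqxqd\xlulmqdkaumn.exe
DNS: crowdmethod.net A 50.63.202.63
DNS: summeraction.net A 184.168.221.36
DNS: crowddirect.net A 69.64.147.242
DNS: thoughtaction.net A 74.220.199.8
DNS: knownoclock.net A 208.100.26.234
DNS: crowdaction.net A
DNS: crowdbrought.net A
DNS: summermethod.net A
DNS: summerdirect.net A
DNS: summerbrought.net A
DNS: thoughtmethod.net A
DNS: thoughtdirect.net A
DNS: thoughtbrought.net A
HTTP GET: http://crowdmethod.net/index.php
User-Agent:
HTTP GET: http://knownoclock.net/index.php
User-Agent:
"""

DNS_RE = re.compile(r"^(\S+)\s+(\w+)(?:\s+(\d{1,3}(?:\.\d{1,3}){3}))?")
EXPECTED_ROOTS = ("c:\\windows", "c:\\program files")  # assumed benign autostart roots

def parse_report(text):
    """(label, value) pairs; a 'User-Agent:' line is folded into the preceding HTTP GET."""
    entries = []
    for raw in text.splitlines():
        label, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label == "User-Agent" and entries and entries[-1][0] == "HTTP GET":
            entries[-1][1]["ua"] = value
        elif label == "HTTP GET":
            entries.append((label, {"url": value, "ua": None}))
        else:
            entries.append((label, value))
    return entries

def persistence_findings(entries):
    """Run-key and service autostarts, flagged when the target lies outside EXPECTED_ROOTS."""
    out = []
    for label, value in entries:
        if label == "Registry" and "\\currentversion\\run\\" in value.lower():
            key, _, target = value.partition(" ➝ ")
            out.append({"kind": "run_key", "name": key.rsplit("\\", 1)[-1], "target": target})
        elif label == "Creates Service":
            name, _, target = value.rpartition(" - ")
            out.append({"kind": "service", "name": name, "target": target})
    for f in out:
        f["unusual_path"] = not f["target"].lower().startswith(EXPECTED_ROOTS)
    return out

def empty_user_agent_requests(entries):
    """URLs fetched with an empty User-Agent, as every request in this report was."""
    return [v["url"] for l, v in entries
            if l == "HTTP GET" and (v["ua"] or "").strip() in ("", "(empty)")]

def dns_lookups(entries):
    """{name: first A answer or None}; a name with no address is an unanswered lookup."""
    lookups = {}
    for label, value in entries:
        m = DNS_RE.match(value) if label == "DNS" else None
        if m and m.group(2) == "A":
            lookups[m.group(1)] = lookups.get(m.group(1)) or m.group(3)
    return lookups

def decomposable_names(names, min_len=4, min_count=3):
    """Names whose first label splits into a prefix and a suffix that each recur, in the same
    role, in at least min_count names: the fingerprint of word+word generation seen above."""
    labels = {n: n.split(".")[0] for n in names}
    prefixes, suffixes = Counter(), Counter()
    for lab in set(labels.values()):
        cuts = range(min_len, len(lab) - min_len + 1)
        prefixes.update({lab[:k] for k in cuts})
        suffixes.update({lab[k:] for k in cuts})
    return {n for n, lab in labels.items()
            if any(prefixes[lab[:k]] >= min_count and suffixes[lab[k:]] >= min_count
                   for k in range(min_len, len(lab) - min_len + 1))}

def dga_assessment(lookups, min_names=10):
    """Verdict: many lookups, at most half answered, at least half decomposable (thresholds assumed)."""
    names, resolved = list(lookups), sum(1 for ip in lookups.values() if ip)
    decomposable = len(decomposable_names(names))
    return {"lookups": len(names), "resolved": resolved, "decomposable": decomposable,
            "dga_like": len(names) >= min_names and 2 * resolved <= len(names)
            and 2 * decomposable >= len(names)}

if __name__ == "__main__":
    e = parse_report(SAMPLE_REPORT)
    print(persistence_findings(e), empty_user_agent_requests(e), dga_assessment(dns_lookups(e)), sep="\n")
```

The split-recurrence check deliberately needs no word list: it only asks whether each name can be cut at a point where both halves reappear, in the same position, in other names of the set. Names generated from two fixed vocabularies pass almost uniformly, while ordinary hostnames and character-level random labels do not, which is why the verdict combines it with the answered/unanswered ratio rather than relying on either alone. Feeding the full DNS list from this report into dns_lookups and dga_assessment gives the same shape of result: a few answered lookups against a long tail of unanswered ones.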
