Analysis Date: 2015-09-27 16:30:04
MD5: 359edc40387a04cf265908c96a806fc2
SHA1: 4b37fb9114132f381e70df371d78ce390ff8b7b5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 58889a80580b3350078977c3fdaf4060 sha1: 0de2af3afdea7d2f0a1f0fcf0dda5bb41c8de6e7 size: 197120
Section .rdata: md5: 43910e09196402f70bfb2f58509576d5 sha1: 0f2a4288393b236903556df698b2a6198554e33c size: 51712
Section .data: md5: c4d077443f296707a763e7d7a4a0fd52 sha1: cd942e43a2975d6bd16864dab9800ad356dbe117 size: 7680
Section .reloc: md5: be13d163ed438757876c390c3d10be83 sha1: 063fd49d39a5a211d482ecaaacc0bea594f11f33 size: 14336
Timestamp: 2015-04-29 19:04:10
Packer: Microsoft Visual C++ 8
PEhash: e2583b4a982b76d57b54cae7e2befc6794134946
IMPhash: 087941d35087375853b589e14f34302f
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!359EDC40387A

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\aehxuxbhbhjwp\ev11lxbfjmywatckj.exe
Creates File: C:\aehxuxbhbhjwp\cbwz5axooiya
Creates File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya
Deletes File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya
Creates Process: C:\aehxuxbhbhjwp\ev11lxbfjmywatckj.exe

Process
↳ C:\aehxuxbhbhjwp\ev11lxbfjmywatckj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Problem Removal Modules System PNRP Netlogon ➝ C:\aehxuxbhbhjwp\egcuhmmds.exe
Creates File: C:\aehxuxbhbhjwp\egcuhmmds.exe
Creates File: C:\aehxuxbhbhjwp\zxej7etqcrdf
Creates File: PIPE\lsarpc
Creates File: C:\aehxuxbhbhjwp\cbwz5axooiya
Creates File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya
Deletes File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya
Creates Process: C:\aehxuxbhbhjwp\egcuhmmds.exe

Process
↳ C:\aehxuxbhbhjwp\egcuhmmds.exe

Creates File: C:\aehxuxbhbhjwp\eixglqtbycuq.exe
Creates File: C:\aehxuxbhbhjwp\onhkbiv
Creates File: C:\aehxuxbhbhjwp\zxej7etqcrdf
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\aehxuxbhbhjwp\cbwz5axooiya
Creates File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya
Deletes File: C:\aehxuxbhbhjwp\ev11lxbfjmywatckj.exe
Deletes File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya
Creates Process: tj0hbnzvqyle "c:\aehxuxbhbhjwp\egcuhmmds.exe"

Process
↳ tj0hbnzvqyle "c:\aehxuxbhbhjwp\egcuhmmds.exe"

Creates File: C:\aehxuxbhbhjwp\cbwz5axooiya
Creates File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya
Deletes File: C:\WINDOWS\aehxuxbhbhjwp\cbwz5axooiya

Network Details:

HTTP GET: http://increasebeing.net/index.php (User-Agent: empty)
HTTP GET: http://rememberforever.net/index.php (User-Agent: empty)
HTTP GET: http://littleflower.net/index.php (User-Agent: empty)
HTTP GET: http://littleminute.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 188.40.1.55:80
Flows TCP: 192.168.1.1:1033 ➝ 62.116.130.8:80
Flows TCP: 192.168.1.1:1034 ➝ 74.220.199.8:80
