Analysis Date: 2015-08-26 21:30:18
MD5: 8526c12545616d0042934e5969fdf32f
SHA1: 4cb543c90aa2cf0463ba0d7a4bd492056d5c4e27

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 91c20823676dbf0d3ab4813721d715a6 sha1: 5851f50fd6caaa2dc8dd0116bdcc32206a776e06 size: 327168
Section .rdata: md5: 66e5f7c14902549bd44bae493cebecdd sha1: d713fae8e03d53e78938a49cfa28e6822c7f9368 size: 59904
Section .data: md5: 8980162d93aeb43046278a9ddf1bed4e sha1: 9589be47f0af7ad5f275a576fc697c408691aec7 size: 7680
Section .reloc: md5: 0ad956508b2cfedb6fded0956b183945 sha1: 389fa02ae762e3a0e7d445c88d6179bfa560aaca size: 27648
Timestamp: 2015-05-11 06:11:48
Packer: Microsoft Visual C++ 8
PEhash: b9258d52170df4196c8a166b1e748d25b21ddca2
IMPhash: b587e3b08e1ca490debef378d6f16944
AV Grisoft (avg): Win32/Cryptor
AV Emsisoft: Gen:Variant.Kazy.611656
AV CA (E-Trust Ino): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: no_virus
AV Twister: no_virus
AV Zillya!: no_virus
AV Trend Micro: no_virus
AV BullGuard: Gen:Variant.Kazy.611656
AV MalwareBytes: Trojan.Agent.KVTGen
AV Symantec: Downloader.Upatre!g15
AV Rising: Trojan.Win32.Bayrod.b
AV Dr. Web: Trojan.Bayrob.1
AV K7: Trojan ( 004c3a4d1 )
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Padvish: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV Arcabit (arcavir): Gen:Variant.Kazy.611656
AV Ad-Aware: Gen:Variant.Kazy.611656
AV Frisk (f-prot): no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV BitDefender: Gen:Variant.Kazy.611656
AV Fortinet: W32/Bayrob.T!tr
AV Eset (nod32): Win32/Bayrob.W
AV MicroWorld (escan): Gen:Variant.Kazy.611656
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Mcafee: PWS-FCCE!8526C1254561
AV VirusBlokAda (vba32): Trojan.Scar
AV Ikarus: Trojan.Win32.Bayrob
AV Avira (antivir): TR/Crypt.ZPACK.166527
AV F-Secure: Gen:Variant.Kazy.611656

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates File: C:\mywowvlhjpt\ig4evf6fuuen4dac6rh.exe
Creates File: C:\mywowvlhjpt\v0byqkix
Deletes File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates Process: C:\mywowvlhjpt\ig4evf6fuuen4dac6rh.exe

Process
↳ C:\mywowvlhjpt\ig4evf6fuuen4dac6rh.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WLAN Resource Reporting AuthIP Search Logs ➝ C:\mywowvlhjpt\ywloelbwvddi.exe
Creates File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates File: C:\mywowvlhjpt\ywloelbwvddi.exe
Creates File: PIPE\lsarpc
Creates File: C:\mywowvlhjpt\v0byqkix
Creates File: C:\mywowvlhjpt\zuwltoxc
Deletes File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates Process: C:\mywowvlhjpt\ywloelbwvddi.exe
Creates Service: Transfer Provider Agent Accounts Upgrade - C:\mywowvlhjpt\ywloelbwvddi.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\LIASEGSNCUSN.EXE-0874980B.pf
Creates File: C:\WINDOWS\Prefetch\IG4EVF6FUUEN4DAC6RH.EXE-234BA6D0.pf
Creates File: C:\WINDOWS\Prefetch\YWLOELBWVDDI.EXE-0042C957.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

Process
↳ Pid 1204

Process
↳ Pid 1312

Process
↳ Pid 1860

Process
↳ Pid 1716

Process
↳ C:\mywowvlhjpt\ywloelbwvddi.exe

Creates File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates File: pipe\net\NtControlPipe10
Creates File: C:\mywowvlhjpt\qnytzdql
Creates File: \Device\Afd\Endpoint
Creates File: C:\mywowvlhjpt\v0byqkix
Creates File: C:\mywowvlhjpt\liasegsncusn.exe
Creates File: C:\mywowvlhjpt\zuwltoxc
Deletes File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates Process: oxrscgyi7b7k "c:\mywowvlhjpt\ywloelbwvddi.exe"

Process
↳ C:\mywowvlhjpt\ywloelbwvddi.exe

Creates File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates File: C:\mywowvlhjpt\v0byqkix
Deletes File: C:\WINDOWS\mywowvlhjpt\v0byqkix

Process
↳ oxrscgyi7b7k "c:\mywowvlhjpt\ywloelbwvddi.exe"

Creates File: C:\WINDOWS\mywowvlhjpt\v0byqkix
Creates File: C:\mywowvlhjpt\v0byqkix
Deletes File: C:\WINDOWS\mywowvlhjpt\v0byqkix

Network Details:

HTTP GET: http://possibletraining.net/index.php
User-Agent:
HTTP GET: http://winterstorm.net/index.php
User-Agent:
HTTP GET: http://leavethrown.net/index.php
User-Agent:
HTTP GET: http://simplechoose.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.54:80
Flows TCP: 192.168.1.1:1032 ➝ 64.91.240.250:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 123.108.108.168:80

Raw Pcap

Strings