Analysis | #totalhash

Analysis Date	2016-03-04 17:27:55
MD5	686fa0b2eeb100c24ff07ec789522e72
SHA1	516b3e48e88b88445d8c6d2ad444d5a45a3ad33b

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 14a2cb70ec6693b50fea3d36bb5b4b17 sha1: 83cbdc79239014746e122124d47091e8d64e76aa size: 186368
Section	.rdata md5: b1b318fdc180c84e7c6ab49221bcfe59 sha1: 1fbd5d14e624bae217bff930ae8bf260bd221243 size: 2560
Section	.data md5: 6119dacc24421339a0a133f3503a5fc2 sha1: 51128dc48eeccbe242c2f0c5ad3072776b983c5e size: 16384
Section	.reloc md5: c14b809a619fd84298ebee7170adda41 sha1: dde39fc16fca3b46904120dc0216f4c9e7f00283 size: 31232
Timestamp	2015-01-09 00:38:09
PEhash	4f0716ef3de32dba745b7275fab0c9418b76433d
IMPhash	0e175bf5a6ad7d76230d6d638534abe4
AV	Mcafee	Trojan-FHQT!686FA0B2EEB1
AV	Zillya!	Trojan.Bayrob.Win32.12376
AV	Dr. Web	Trojan.DownLoader19.39651
AV	MalwareBytes	No Virus
AV	Authentium	W32/Nivdort.G.gen!Eldorado
AV	Emsisoft	Gen:Variant.Razy.15494
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	No Virus
AV	Eset (nod32)	Win32/Bayrob.BA
AV	K7	Trojan ( 004dc2a31 )
AV	Alwil (avast)	Trojan-gen
AV	Fortinet	W32/Bayrob.AQ!tr
AV	Ikarus	Trojan.Win32.Bayrob
AV	Avira (antivir)	TR/Nivdort.A.36449
AV	Frisk (f-prot)	W32/Nivdort.G.gen!Eldorado
AV	Grisoft (avg)	Generic37.XNZ
AV	Symantec	Trojan.Bayrob!gen6
AV	F-Secure	Gen:Variant.Razy.15494
AV	Alwil (avast)	Win32:Trojan-gen
AV	BitDefender	Gen:Variant.Razy.15494
AV	VirusBlokAda (vba32)	No Virus
AV	BullGuard	Gen:Variant.Razy.15494
AV	Rising	No Virus
AV	Ad-Aware	Gen:Variant.Razy.15494
AV	CA (E-Trust Ino)	Gen:Variant.Razy.15494
AV	MicroWorld (escan)	Gen:Variant.Razy.15494
AV	Arcabit (arcavir)	Gen:Variant.Razy.15494
AV	CAT (quickheal)	TrojanSpy.Nivdort.WR4
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.DE
AV	Twister	No Virus
AV	ClamAV	No Virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates File	C:\tpkufbhp\rygicvesivt
Creates File	C:\tpkufbhp\irhk1l65ixpxyzxs7.exe
Deletes File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates Process	C:\tpkufbhp\irhk1l65ixpxyzxs7.exe

Process
↳ C:\tpkufbhp\irhk1l65ixpxyzxs7.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DNS Defender Base Health Counter Endpoint Wired ➝ C:\tpkufbhp\rkwvbbml.exe
Creates File	C:\tpkufbhp\rkwvbbml.exe
Creates File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates File	C:\tpkufbhp\jzrnrz3fk2
Creates File	C:\tpkufbhp\rygicvesivt
Creates File	PIPE\lsarpc
Deletes File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates Process	C:\tpkufbhp\rkwvbbml.exe
Creates Service	Center Logs Office IKE Card Encryption - C:\tpkufbhp\rkwvbbml.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.hdmp
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.mdmp
Creates File	pipe\PCHFaultRepExecPipe
Creates Process	C:\WINDOWS\system32\dumprep.exe 1020 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.mdmp 16325836412031020

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1144

Process
↳ C:\tpkufbhp\rkwvbbml.exe

Creates File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates File	pipe\net\NtControlPipe10
Creates File	C:\tpkufbhp\jzrnrz3fk2
Creates File	C:\tpkufbhp\rygicvesivt
Creates File	\Device\Afd\Endpoint
Creates File	C:\tpkufbhp\kxpboxjek
Creates File	C:\tpkufbhp\kqemhbhosns.exe
Deletes File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates Process	uqwe9nsc2kel "c:\tpkufbhp\rkwvbbml.exe"

Process
↳ C:\tpkufbhp\rkwvbbml.exe

Creates File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates File	C:\tpkufbhp\rygicvesivt
Deletes File	C:\WINDOWS\tpkufbhp\rygicvesivt

Process
↳ C:\WINDOWS\system32\dumprep.exe 1020 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.mdmp 16325836412031020

Process
↳ uqwe9nsc2kel "c:\tpkufbhp\rkwvbbml.exe"

Creates File	C:\WINDOWS\tpkufbhp\rygicvesivt
Creates File	C:\tpkufbhp\rygicvesivt
Deletes File	C:\WINDOWS\tpkufbhp\rygicvesivt

Network Details:

DNS	fightanger.net Type: A 52.0.217.44
DNS	freshschool.net Type: A 203.189.109.65
DNS	followschool.net Type: A 208.100.26.234
DNS	crowdschool.net Type: A 59.106.167.73
DNS	thoughtschool.net Type: A 50.63.202.53
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	womanschool.net Type: A 121.254.178.252
DNS	smokeschool.net Type: A 69.89.31.60
DNS	partyschool.net Type: A 69.172.201.208
DNS	experiencetraining.net Type: A 74.220.199.8
DNS	summertraining.net Type: A 216.239.139.94
DNS	summerstorm.net Type: A 72.52.4.119
DNS	crowdstorm.net Type: A 184.168.221.41
DNS	summerthrown.net Type: A 208.100.26.234
DNS	watertraining.net Type: A 216.21.239.197
DNS	womantraining.net Type: A 208.91.197.66
DNS	partyhunger.net Type: A 82.165.25.210
DNS	fighthunger.net Type: A 72.52.4.120
DNS	fighttraining.net Type: A 69.172.201.208
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	partyalways.net Type: A
DNS	fightalways.net Type: A
DNS	partyforest.net Type: A
DNS	fightforest.net Type: A
DNS	experienceschool.net Type: A
DNS	freshwhile.net Type: A
DNS	experiencewhile.net Type: A
DNS	freshquestion.net Type: A
DNS	experiencequestion.net Type: A
DNS	freshtherefore.net Type: A
DNS	experiencetherefore.net Type: A
DNS	gentlemanschool.net Type: A
DNS	alreadyschool.net Type: A
DNS	gentlemanwhile.net Type: A
DNS	alreadywhile.net Type: A
DNS	gentlemanquestion.net Type: A
DNS	alreadyquestion.net Type: A
DNS	gentlemantherefore.net Type: A
DNS	alreadytherefore.net Type: A
DNS	memberschool.net Type: A
DNS	followwhile.net Type: A
DNS	memberwhile.net Type: A
DNS	followquestion.net Type: A
DNS	memberquestion.net Type: A
DNS	followtherefore.net Type: A
DNS	membertherefore.net Type: A
DNS	beginschool.net Type: A
DNS	knownschool.net Type: A
DNS	beginwhile.net Type: A
DNS	knownwhile.net Type: A
DNS	beginquestion.net Type: A
DNS	knownquestion.net Type: A
DNS	begintherefore.net Type: A
DNS	knowntherefore.net Type: A
DNS	summerschool.net Type: A
DNS	summerwhile.net Type: A
DNS	crowdwhile.net Type: A
DNS	summerquestion.net Type: A
DNS	crowdquestion.net Type: A
DNS	summertherefore.net Type: A
DNS	crowdtherefore.net Type: A
DNS	waterschool.net Type: A
DNS	thoughtwhile.net Type: A
DNS	waterwhile.net Type: A
DNS	thoughtquestion.net Type: A
DNS	waterquestion.net Type: A
DNS	thoughttherefore.net Type: A
DNS	watertherefore.net Type: A
DNS	womanwhile.net Type: A
DNS	smokewhile.net Type: A
DNS	womanquestion.net Type: A
DNS	smokequestion.net Type: A
DNS	womantherefore.net Type: A
DNS	smoketherefore.net Type: A
DNS	fightschool.net Type: A
DNS	partywhile.net Type: A
DNS	fightwhile.net Type: A
DNS	partyquestion.net Type: A
DNS	fightquestion.net Type: A
DNS	partytherefore.net Type: A
DNS	fighttherefore.net Type: A
DNS	freshhunger.net Type: A
DNS	experiencehunger.net Type: A
DNS	freshtraining.net Type: A
DNS	freshstorm.net Type: A
DNS	experiencestorm.net Type: A
DNS	freshthrown.net Type: A
DNS	experiencethrown.net Type: A
DNS	gentlemanhunger.net Type: A
DNS	alreadyhunger.net Type: A
DNS	gentlemantraining.net Type: A
DNS	alreadytraining.net Type: A
DNS	gentlemanstorm.net Type: A
DNS	alreadystorm.net Type: A
DNS	gentlemanthrown.net Type: A
DNS	alreadythrown.net Type: A
DNS	followhunger.net Type: A
DNS	memberhunger.net Type: A
DNS	followtraining.net Type: A
DNS	membertraining.net Type: A
DNS	followstorm.net Type: A
DNS	memberstorm.net Type: A
DNS	followthrown.net Type: A
DNS	memberthrown.net Type: A
DNS	beginhunger.net Type: A
DNS	knownhunger.net Type: A
DNS	begintraining.net Type: A
DNS	knowntraining.net Type: A
DNS	beginstorm.net Type: A
DNS	knownstorm.net Type: A
DNS	beginthrown.net Type: A
DNS	knownthrown.net Type: A
DNS	summerhunger.net Type: A
DNS	crowdhunger.net Type: A
DNS	crowdtraining.net Type: A
DNS	crowdthrown.net Type: A
DNS	thoughthunger.net Type: A
DNS	waterhunger.net Type: A
DNS	thoughttraining.net Type: A
DNS	thoughtstorm.net Type: A
DNS	waterstorm.net Type: A
DNS	thoughtthrown.net Type: A
DNS	waterthrown.net Type: A
DNS	womanhunger.net Type: A
DNS	smokehunger.net Type: A
DNS	smoketraining.net Type: A
DNS	womanstorm.net Type: A
DNS	smokestorm.net Type: A
DNS	womanthrown.net Type: A
DNS	smokethrown.net Type: A
DNS	partytraining.net Type: A
DNS	partystorm.net Type: A
DNS	fightstorm.net Type: A
DNS	partythrown.net Type: A
DNS	fightthrown.net Type: A
DNS	freshchoose.net Type: A
DNS	experiencechoose.net Type: A
DNS	freshalthough.net Type: A
DNS	experiencealthough.net Type: A
DNS	freshperiod.net Type: A
DNS	experienceperiod.net Type: A
DNS	freshhowever.net Type: A
DNS	experiencehowever.net Type: A
DNS	gentlemanchoose.net Type: A
DNS	alreadychoose.net Type: A
DNS	gentlemanalthough.net Type: A
DNS	alreadyalthough.net Type: A
DNS	gentlemanperiod.net Type: A
DNS	alreadyperiod.net Type: A
DNS	gentlemanhowever.net Type: A
DNS	alreadyhowever.net Type: A
DNS	followchoose.net Type: A
DNS	memberchoose.net Type: A
DNS	followalthough.net Type: A
DNS	memberalthough.net Type: A
DNS	followperiod.net Type: A
DNS	memberperiod.net Type: A
DNS	followhowever.net Type: A
DNS	memberhowever.net Type: A
DNS	beginchoose.net Type: A
DNS	knownchoose.net Type: A
DNS	beginalthough.net Type: A
DNS	knownalthough.net Type: A
DNS	beginperiod.net Type: A
DNS	knownperiod.net Type: A
DNS	beginhowever.net Type: A
DNS	knownhowever.net Type: A
DNS	summerchoose.net Type: A
DNS	crowdchoose.net Type: A
DNS	summeralthough.net Type: A
DNS	crowdalthough.net Type: A
DNS	summerperiod.net Type: A
HTTP GET	http://fightanger.net/index.php User-Agent:
HTTP GET	http://freshschool.net/index.php User-Agent:
HTTP GET	http://followschool.net/index.php User-Agent:
HTTP GET	http://crowdschool.net/index.php User-Agent:
HTTP GET	http://thoughtschool.net/index.php User-Agent:
HTTP GET	http://thoughttherefore.net/index.php User-Agent:
HTTP GET	http://womanschool.net/index.php User-Agent:
HTTP GET	http://smokeschool.net/index.php User-Agent:
HTTP GET	http://partyschool.net/index.php User-Agent:
HTTP GET	http://experiencetraining.net/index.php User-Agent:
HTTP GET	http://summertraining.net/index.php User-Agent:
HTTP GET	http://summerstorm.net/index.php User-Agent:
HTTP GET	http://crowdstorm.net/index.php User-Agent:
HTTP GET	http://summerthrown.net/index.php User-Agent:
HTTP GET	http://watertraining.net/index.php User-Agent:
HTTP GET	http://womantraining.net/index.php User-Agent:
HTTP GET	http://partyhunger.net/index.php User-Agent:
HTTP GET	http://fighthunger.net/index.php User-Agent:
HTTP GET	http://fighttraining.net/index.php User-Agent:
HTTP GET	http://alreadyperiod.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 52.0.217.44:80
Flows TCP	192.168.1.1:1032 ➝ 203.189.109.65:80
Flows TCP	192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1034 ➝ 59.106.167.73:80
Flows TCP	192.168.1.1:1035 ➝ 50.63.202.53:80
Flows TCP	192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1037 ➝ 121.254.178.252:80
Flows TCP	192.168.1.1:1038 ➝ 69.89.31.60:80
Flows TCP	192.168.1.1:1039 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1040 ➝ 74.220.199.8:80
Flows TCP	192.168.1.1:1041 ➝ 216.239.139.94:80
Flows TCP	192.168.1.1:1042 ➝ 72.52.4.119:80
Flows TCP	192.168.1.1:1043 ➝ 184.168.221.41:80
Flows TCP	192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1045 ➝ 216.21.239.197:80
Flows TCP	192.168.1.1:1046 ➝ 208.91.197.66:80
Flows TCP	192.168.1.1:1047 ➝ 82.165.25.210:80
Flows TCP	192.168.1.1:1048 ➝ 72.52.4.120:80
Flows TCP	192.168.1.1:1049 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1050 ➝ 8.5.1.16:80

Raw Pcap

Strings