| Field | Value |
|---|---|
| Analysis Date | 2016-03-04 17:27:55 |
| MD5 | 686fa0b2eeb100c24ff07ec789522e72 |
| SHA1 | 516b3e48e88b88445d8c6d2ad444d5a45a3ad33b |
Static Details:
| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Section | .text md5: 14a2cb70ec6693b50fea3d36bb5b4b17 sha1: 83cbdc79239014746e122124d47091e8d64e76aa size: 186368 |
| Section | .rdata md5: b1b318fdc180c84e7c6ab49221bcfe59 sha1: 1fbd5d14e624bae217bff930ae8bf260bd221243 size: 2560 |
| Section | .data md5: 6119dacc24421339a0a133f3503a5fc2 sha1: 51128dc48eeccbe242c2f0c5ad3072776b983c5e size: 16384 |
| Section | .reloc md5: c14b809a619fd84298ebee7170adda41 sha1: dde39fc16fca3b46904120dc0216f4c9e7f00283 size: 31232 |
| Timestamp | 2015-01-09 00:38:09 |
| PEhash | 4f0716ef3de32dba745b7275fab0c9418b76433d |
| IMPhash | 0e175bf5a6ad7d76230d6d638534abe4 |

| AV vendor | Detection |
|---|---|
| Mcafee | Trojan-FHQT!686FA0B2EEB1 |
| Zillya! | Trojan.Bayrob.Win32.12376 |
| Dr. Web | Trojan.DownLoader19.39651 |
| MalwareBytes | No Virus |
| Authentium | W32/Nivdort.G.gen!Eldorado |
| Emsisoft | Gen:Variant.Razy.15494 |
| Kaspersky | Trojan.Win32.Generic |
| Trend Micro | No Virus |
| Eset (nod32) | Win32/Bayrob.BA |
| K7 | Trojan ( 004dc2a31 ) |
| Alwil (avast) | Trojan-gen |
| Fortinet | W32/Bayrob.AQ!tr |
| Ikarus | Trojan.Win32.Bayrob |
| Avira (antivir) | TR/Nivdort.A.36449 |
| Frisk (f-prot) | W32/Nivdort.G.gen!Eldorado |
| Grisoft (avg) | Generic37.XNZ |
| Symantec | Trojan.Bayrob!gen6 |
| F-Secure | Gen:Variant.Razy.15494 |
| Alwil (avast) | Win32:Trojan-gen |
| BitDefender | Gen:Variant.Razy.15494 |
| VirusBlokAda (vba32) | No Virus |
| BullGuard | Gen:Variant.Razy.15494 |
| Rising | No Virus |
| Ad-Aware | Gen:Variant.Razy.15494 |
| CA (E-Trust Ino) | Gen:Variant.Razy.15494 |
| MicroWorld (escan) | Gen:Variant.Razy.15494 |
| Arcabit (arcavir) | Gen:Variant.Razy.15494 |
| CAT (quickheal) | TrojanSpy.Nivdort.WR4 |
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.DE |
| Twister | No Virus |
| ClamAV | No Virus |
Runtime Details:
Process ↳ C:\malware.exe

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates File | C:\tpkufbhp\rygicvesivt |
| Creates File | C:\tpkufbhp\irhk1l65ixpxyzxs7.exe |
| Deletes File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates Process | C:\tpkufbhp\irhk1l65ixpxyzxs7.exe |
Process ↳ C:\tpkufbhp\irhk1l65ixpxyzxs7.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DNS Defender Base Health Counter Endpoint Wired ➝ C:\tpkufbhp\rkwvbbml.exe |
| Creates File | C:\tpkufbhp\rkwvbbml.exe |
| Creates File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates File | C:\tpkufbhp\jzrnrz3fk2 |
| Creates File | C:\tpkufbhp\rygicvesivt |
| Creates File | PIPE\lsarpc |
| Deletes File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates Process | C:\tpkufbhp\rkwvbbml.exe |
| Creates Service | Center Logs Office IKE Card Encryption - C:\tpkufbhp\rkwvbbml.exe |
Process ↳ Pid 804

Process ↳ Pid 852

Process ↳ C:\WINDOWS\System32\svchost.exe

| Action | Target |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.hdmp |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.mdmp |
| Creates File | pipe\PCHFaultRepExecPipe |
| Creates Process | C:\WINDOWS\system32\dumprep.exe 1020 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.mdmp 16325836412031020 |
Process ↳ Pid 1112

Process ↳ Pid 1208

Process ↳ C:\WINDOWS\system32\spoolsv.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process ↳ Pid 1860

Process ↳ Pid 1144

Process ↳ C:\tpkufbhp\rkwvbbml.exe

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\tpkufbhp\jzrnrz3fk2 |
| Creates File | C:\tpkufbhp\rygicvesivt |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\tpkufbhp\kxpboxjek |
| Creates File | C:\tpkufbhp\kqemhbhosns.exe |
| Deletes File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates Process | uqwe9nsc2kel "c:\tpkufbhp\rkwvbbml.exe" |
Process ↳ C:\tpkufbhp\rkwvbbml.exe

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates File | C:\tpkufbhp\rygicvesivt |
| Deletes File | C:\WINDOWS\tpkufbhp\rygicvesivt |

Process ↳ C:\WINDOWS\system32\dumprep.exe 1020 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERd420.dir00\svchost.exe.mdmp 16325836412031020

Process ↳ uqwe9nsc2kel "c:\tpkufbhp\rkwvbbml.exe"

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\tpkufbhp\rygicvesivt |
| Creates File | C:\tpkufbhp\rygicvesivt |
| Deletes File | C:\WINDOWS\tpkufbhp\rygicvesivt |
Network Details: