| Analysis Date | 2016-03-04 20:26:46 |
|---|---|
| MD5 | 292058b39e1878bda2e8adf904506c0e |
| SHA1 | 5254c6beb0d52104ae5e3aa5308aebac21357484 |
Static Details:

| Field | Value | Detail |
|---|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
| Section | .text | md5: b2eba0b7093b63e776bb9b829393ed44, sha1: 91fd1d24a63e210077ede59d7e6d64049964ae0b, size: 265216 |
| Section | .rdata | md5: 83ca09fb5f652bf4f7ce610e9b33882c, sha1: 2bf50dba575c11fc2bfc4c14e7d7ab9cc7b8a666, size: 39424 |
| Section | .data | md5: b3a33ab243ba3061c78a5cab5e162a8a, sha1: f772cf513b46977e0f7972618215a1f004f8663e, size: 1536 |
| Section | .reloc | md5: a84ea35fcc21cb9c52cfb09f6b0696cd, sha1: d73ce38c264e9e5c5282199572b9bcf79ff613ab, size: 51200 |
| Timestamp | 2015-12-23 05:01:32 | |
| Packer | Borland Delphi 3.0 (???) | |
| PEhash | 0ac5a1f1ee5993498ebe9fd8dd6200cf8b07ce5a | |
| IMPhash | 95321cab17ead5f632c0dcf95fdc7a22 | |
| AV | VirusBlokAda (vba32) | BScope.Malware-Cryptor.Msgfake |
| AV | CA (E-Trust Ino) | Gen:Variant.Razy.11545 |
| AV | Twister | No Virus |
| AV | Avira (antivir) | TR/Crypt.Xpack.413666 |
| AV | CAT (quickheal) | TrojanSpy.Nivdort.WR4 |
| AV | MicroWorld (escan) | Gen:Variant.Razy.11545 |
| AV | Rising | No Virus |
| AV | Trend Micro | No Virus |
| AV | Frisk (f-prot) | W32/Nivdort.F.gen!Eldorado |
| AV | Fortinet | W32/Bayrob.AQ!tr |
| AV | Alwil (avast) | Win32:Malware-gen |
| AV | Alwil (avast) | Malware-gen |
| AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!rfn |
| AV | Authentium | W32/Nivdort.F.gen!Eldorado |
| AV | Kaspersky | Trojan.Win32.Generic |
| AV | Emsisoft | Gen:Variant.Razy.11545 |
| AV | Symantec | Trojan.Bayrob!gen6 |
| AV | Ikarus | Trojan.Win32.Bayrob |
| AV | Zillya! | No Virus |
| AV | K7 | Trojan ( 004db0c61 ) |
| AV | Dr. Web | Trojan.DownLoader18.45341 |
| AV | ClamAV | No Virus |
| AV | Grisoft (avg) | Win32/Heur |
| AV | BitDefender | Gen:Variant.Razy.11545 |
| AV | MalwareBytes | No Virus |
| AV | Arcabit (arcavir) | Gen:Variant.Razy.11545 |
| AV | Mcafee | Trojan-FHPD!292058B39E18 |
| AV | BullGuard | Gen:Variant.Razy.11545 |
| AV | F-Secure | Gen:Variant.Razy.11545 |
| AV | Ad-Aware | Gen:Variant.Razy.11545 |
| AV | Eset (nod32) | Win32/Bayrob.AQ |
Runtime Details:
Process
↳ C:\malware.exe

| Action | Target |
|---|---|
| Creates File | C:\sjjlsfsfpvc\hhy2fnsho |
| Creates File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Creates File | C:\sjjlsfsfpvc\ode1khus6vlust6xg.exe |
| Deletes File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Creates Process | C:\sjjlsfsfpvc\ode1khus6vlust6xg.exe |
Process
↳ C:\sjjlsfsfpvc\ode1khus6vlust6xg.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Profile Connections Trap Config Agent ➝ C:\sjjlsfsfpvc\piljoky.exe |
| Creates File | C:\sjjlsfsfpvc\hhy2fnsho |
| Creates File | C:\sjjlsfsfpvc\icnebfvuy |
| Creates File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Creates File | C:\sjjlsfsfpvc\piljoky.exe |
| Creates File | PIPE\lsarpc |
| Deletes File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Creates Process | C:\sjjlsfsfpvc\piljoky.exe |
| Creates Service | Control Tablet Publication Search Secure - C:\sjjlsfsfpvc\piljoky.exe |
Process
↳ Pid 816
Process
↳ Pid 860
Process
↳ C:\WINDOWS\System32\svchost.exe

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Process
↳ Pid 1120
Process
↳ Pid 1216
Process
↳ C:\WINDOWS\system32\spoolsv.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
| Creates File | WMIDataDevice |
Process
↳ Pid 1864
Process
↳ Pid 1168
Process
↳ C:\sjjlsfsfpvc\piljoky.exe

| Action | Target |
|---|---|
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\sjjlsfsfpvc\hhy2fnsho |
| Creates File | C:\sjjlsfsfpvc\lwzix0e6jgi9 |
| Creates File | C:\sjjlsfsfpvc\icnebfvuy |
| Creates File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\sjjlsfsfpvc\gdqidktsahxi.exe |
| Deletes File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Creates Process | asvdoodulsgq "c:\sjjlsfsfpvc\piljoky.exe" |
Process
↳ C:\sjjlsfsfpvc\piljoky.exe

| Action | Target |
|---|---|
| Creates File | C:\sjjlsfsfpvc\hhy2fnsho |
| Creates File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Deletes File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
Process
↳ asvdoodulsgq "c:\sjjlsfsfpvc\piljoky.exe"

| Action | Target |
|---|---|
| Creates File | C:\sjjlsfsfpvc\hhy2fnsho |
| Creates File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
| Deletes File | C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho |
Network Details:
Raw Pcap
Strings