Analysis | #totalhash

Analysis Date	2016-03-04 20:26:46
MD5	292058b39e1878bda2e8adf904506c0e
SHA1	5254c6beb0d52104ae5e3aa5308aebac21357484

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: b2eba0b7093b63e776bb9b829393ed44 sha1: 91fd1d24a63e210077ede59d7e6d64049964ae0b size: 265216
Section	.rdata md5: 83ca09fb5f652bf4f7ce610e9b33882c sha1: 2bf50dba575c11fc2bfc4c14e7d7ab9cc7b8a666 size: 39424
Section	.data md5: b3a33ab243ba3061c78a5cab5e162a8a sha1: f772cf513b46977e0f7972618215a1f004f8663e size: 1536
Section	.reloc md5: a84ea35fcc21cb9c52cfb09f6b0696cd sha1: d73ce38c264e9e5c5282199572b9bcf79ff613ab size: 51200
Timestamp	2015-12-23 05:01:32
Packer	Borland Delphi 3.0 (???)
PEhash	0ac5a1f1ee5993498ebe9fd8dd6200cf8b07ce5a
IMPhash	95321cab17ead5f632c0dcf95fdc7a22
AV	VirusBlokAda (vba32)	BScope.Malware-Cryptor.Msgfake
AV	CA (E-Trust Ino)	Gen:Variant.Razy.11545
AV	Twister	No Virus
AV	Avira (antivir)	TR/Crypt.Xpack.413666
AV	CAT (quickheal)	TrojanSpy.Nivdort.WR4
AV	MicroWorld (escan)	Gen:Variant.Razy.11545
AV	Rising	No Virus
AV	Trend Micro	No Virus
AV	Frisk (f-prot)	W32/Nivdort.F.gen!Eldorado
AV	Fortinet	W32/Bayrob.AQ!tr
AV	Alwil (avast)	Win32:Malware-gen
AV	Alwil (avast)	Malware-gen
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort!rfn
AV	Authentium	W32/Nivdort.F.gen!Eldorado
AV	Kaspersky	Trojan.Win32.Generic
AV	Emsisoft	Gen:Variant.Razy.11545
AV	Symantec	Trojan.Bayrob!gen6
AV	Ikarus	Trojan.Win32.Bayrob
AV	Zillya!	No Virus
AV	K7	Trojan ( 004db0c61 )
AV	Dr. Web	Trojan.DownLoader18.45341
AV	ClamAV	No Virus
AV	Grisoft (avg)	Win32/Heur
AV	BitDefender	Gen:Variant.Razy.11545
AV	MalwareBytes	No Virus
AV	Arcabit (arcavir)	Gen:Variant.Razy.11545
AV	Mcafee	Trojan-FHPD!292058B39E18
AV	BullGuard	Gen:Variant.Razy.11545
AV	F-Secure	Gen:Variant.Razy.11545
AV	Ad-Aware	Gen:Variant.Razy.11545
AV	Eset (nod32)	Win32/Bayrob.AQ

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\sjjlsfsfpvc\hhy2fnsho
Creates File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Creates File	C:\sjjlsfsfpvc\ode1khus6vlust6xg.exe
Deletes File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Creates Process	C:\sjjlsfsfpvc\ode1khus6vlust6xg.exe

Process
↳ C:\sjjlsfsfpvc\ode1khus6vlust6xg.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Profile Connections Trap Config Agent ➝ C:\sjjlsfsfpvc\piljoky.exe
Creates File	C:\sjjlsfsfpvc\hhy2fnsho
Creates File	C:\sjjlsfsfpvc\icnebfvuy
Creates File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Creates File	C:\sjjlsfsfpvc\piljoky.exe
Creates File	PIPE\lsarpc
Deletes File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Creates Process	C:\sjjlsfsfpvc\piljoky.exe
Creates Service	Control Tablet Publication Search Secure - C:\sjjlsfsfpvc\piljoky.exe

Process
↳ Pid 816

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1168

Process
↳ C:\sjjlsfsfpvc\piljoky.exe

Creates File	pipe\net\NtControlPipe10
Creates File	C:\sjjlsfsfpvc\hhy2fnsho
Creates File	C:\sjjlsfsfpvc\lwzix0e6jgi9
Creates File	C:\sjjlsfsfpvc\icnebfvuy
Creates File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Creates File	\Device\Afd\Endpoint
Creates File	C:\sjjlsfsfpvc\gdqidktsahxi.exe
Deletes File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Creates Process	asvdoodulsgq "c:\sjjlsfsfpvc\piljoky.exe"

Process
↳ C:\sjjlsfsfpvc\piljoky.exe

Creates File	C:\sjjlsfsfpvc\hhy2fnsho
Creates File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Deletes File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho

Process
↳ asvdoodulsgq "c:\sjjlsfsfpvc\piljoky.exe"

Creates File	C:\sjjlsfsfpvc\hhy2fnsho
Creates File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho
Deletes File	C:\WINDOWS\sjjlsfsfpvc\hhy2fnsho

Network Details:

DNS	crowdschool.net Type: A 59.106.167.73
DNS	thoughtschool.net Type: A 50.63.202.53
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	womanschool.net Type: A 121.254.178.252
DNS	smokeschool.net Type: A 69.89.31.60
DNS	partyschool.net Type: A 69.172.201.208
DNS	experiencetraining.net Type: A 74.220.199.8
DNS	summertraining.net Type: A 216.239.139.94
DNS	summerstorm.net Type: A 72.52.4.119
DNS	crowdstorm.net Type: A 184.168.221.41
DNS	summerthrown.net Type: A 208.100.26.234
DNS	watertraining.net Type: A 216.21.239.197
DNS	womantraining.net Type: A 208.91.197.66
DNS	partyhunger.net Type: A 82.165.25.210
DNS	fighthunger.net Type: A 72.52.4.120
DNS	fighttraining.net Type: A 69.172.201.208
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	followquestion.net Type: A
DNS	memberquestion.net Type: A
DNS	followtherefore.net Type: A
DNS	membertherefore.net Type: A
DNS	beginschool.net Type: A
DNS	knownschool.net Type: A
DNS	beginwhile.net Type: A
DNS	knownwhile.net Type: A
DNS	beginquestion.net Type: A
DNS	knownquestion.net Type: A
DNS	begintherefore.net Type: A
DNS	knowntherefore.net Type: A
DNS	summerschool.net Type: A
DNS	summerwhile.net Type: A
DNS	crowdwhile.net Type: A
DNS	summerquestion.net Type: A
DNS	crowdquestion.net Type: A
DNS	summertherefore.net Type: A
DNS	crowdtherefore.net Type: A
DNS	waterschool.net Type: A
DNS	thoughtwhile.net Type: A
DNS	waterwhile.net Type: A
DNS	thoughtquestion.net Type: A
DNS	waterquestion.net Type: A
DNS	thoughttherefore.net Type: A
DNS	watertherefore.net Type: A
DNS	womanwhile.net Type: A
DNS	smokewhile.net Type: A
DNS	womanquestion.net Type: A
DNS	smokequestion.net Type: A
DNS	womantherefore.net Type: A
DNS	smoketherefore.net Type: A
DNS	fightschool.net Type: A
DNS	partywhile.net Type: A
DNS	fightwhile.net Type: A
DNS	partyquestion.net Type: A
DNS	fightquestion.net Type: A
DNS	partytherefore.net Type: A
DNS	fighttherefore.net Type: A
DNS	freshhunger.net Type: A
DNS	experiencehunger.net Type: A
DNS	freshtraining.net Type: A
DNS	freshstorm.net Type: A
DNS	experiencestorm.net Type: A
DNS	freshthrown.net Type: A
DNS	experiencethrown.net Type: A
DNS	gentlemanhunger.net Type: A
DNS	alreadyhunger.net Type: A
DNS	gentlemantraining.net Type: A
DNS	alreadytraining.net Type: A
DNS	gentlemanstorm.net Type: A
DNS	alreadystorm.net Type: A
DNS	gentlemanthrown.net Type: A
DNS	alreadythrown.net Type: A
DNS	followhunger.net Type: A
DNS	memberhunger.net Type: A
DNS	followtraining.net Type: A
DNS	membertraining.net Type: A
DNS	followstorm.net Type: A
DNS	memberstorm.net Type: A
DNS	followthrown.net Type: A
DNS	memberthrown.net Type: A
DNS	beginhunger.net Type: A
DNS	knownhunger.net Type: A
DNS	begintraining.net Type: A
DNS	knowntraining.net Type: A
DNS	beginstorm.net Type: A
DNS	knownstorm.net Type: A
DNS	beginthrown.net Type: A
DNS	knownthrown.net Type: A
DNS	summerhunger.net Type: A
DNS	crowdhunger.net Type: A
DNS	crowdtraining.net Type: A
DNS	crowdthrown.net Type: A
DNS	thoughthunger.net Type: A
DNS	waterhunger.net Type: A
DNS	thoughttraining.net Type: A
DNS	thoughtstorm.net Type: A
DNS	waterstorm.net Type: A
DNS	thoughtthrown.net Type: A
DNS	waterthrown.net Type: A
DNS	womanhunger.net Type: A
DNS	smokehunger.net Type: A
DNS	smoketraining.net Type: A
DNS	womanstorm.net Type: A
DNS	smokestorm.net Type: A
DNS	womanthrown.net Type: A
DNS	smokethrown.net Type: A
DNS	partytraining.net Type: A
DNS	partystorm.net Type: A
DNS	fightstorm.net Type: A
DNS	partythrown.net Type: A
DNS	fightthrown.net Type: A
DNS	freshchoose.net Type: A
DNS	experiencechoose.net Type: A
DNS	freshalthough.net Type: A
DNS	experiencealthough.net Type: A
DNS	freshperiod.net Type: A
DNS	experienceperiod.net Type: A
DNS	freshhowever.net Type: A
DNS	experiencehowever.net Type: A
DNS	gentlemanchoose.net Type: A
DNS	alreadychoose.net Type: A
DNS	gentlemanalthough.net Type: A
DNS	alreadyalthough.net Type: A
DNS	gentlemanperiod.net Type: A
DNS	alreadyperiod.net Type: A
DNS	gentlemanhowever.net Type: A
DNS	alreadyhowever.net Type: A
DNS	followchoose.net Type: A
DNS	memberchoose.net Type: A
DNS	followalthough.net Type: A
DNS	memberalthough.net Type: A
DNS	followperiod.net Type: A
DNS	memberperiod.net Type: A
DNS	followhowever.net Type: A
DNS	memberhowever.net Type: A
DNS	beginchoose.net Type: A
DNS	knownchoose.net Type: A
DNS	beginalthough.net Type: A
DNS	knownalthough.net Type: A
DNS	beginperiod.net Type: A
DNS	knownperiod.net Type: A
DNS	beginhowever.net Type: A
DNS	knownhowever.net Type: A
DNS	summerchoose.net Type: A
DNS	crowdchoose.net Type: A
DNS	summeralthough.net Type: A
DNS	crowdalthough.net Type: A
DNS	summerperiod.net Type: A
DNS	crowdperiod.net Type: A
DNS	summerhowever.net Type: A
DNS	crowdhowever.net Type: A
DNS	thoughtchoose.net Type: A
DNS	waterchoose.net Type: A
DNS	thoughtalthough.net Type: A
DNS	wateralthough.net Type: A
DNS	thoughtperiod.net Type: A
DNS	waterperiod.net Type: A
DNS	thoughthowever.net Type: A
DNS	waterhowever.net Type: A
DNS	womanchoose.net Type: A
DNS	smokechoose.net Type: A
DNS	womanalthough.net Type: A
DNS	smokealthough.net Type: A
DNS	womanperiod.net Type: A
DNS	smokeperiod.net Type: A
DNS	womanhowever.net Type: A
DNS	smokehowever.net Type: A
DNS	partychoose.net Type: A
DNS	fightchoose.net Type: A
DNS	partyalthough.net Type: A
DNS	fightalthough.net Type: A
DNS	partyperiod.net Type: A
DNS	fightperiod.net Type: A
HTTP GET	http://crowdschool.net/index.php User-Agent:
HTTP GET	http://thoughtschool.net/index.php User-Agent:
HTTP GET	http://thoughttherefore.net/index.php User-Agent:
HTTP GET	http://womanschool.net/index.php User-Agent:
HTTP GET	http://smokeschool.net/index.php User-Agent:
HTTP GET	http://partyschool.net/index.php User-Agent:
HTTP GET	http://experiencetraining.net/index.php User-Agent:
HTTP GET	http://summertraining.net/index.php User-Agent:
HTTP GET	http://summerstorm.net/index.php User-Agent:
HTTP GET	http://crowdstorm.net/index.php User-Agent:
HTTP GET	http://summerthrown.net/index.php User-Agent:
HTTP GET	http://watertraining.net/index.php User-Agent:
HTTP GET	http://womantraining.net/index.php User-Agent:
HTTP GET	http://partyhunger.net/index.php User-Agent:
HTTP GET	http://fighthunger.net/index.php User-Agent:
HTTP GET	http://fighttraining.net/index.php User-Agent:
HTTP GET	http://alreadyperiod.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 59.106.167.73:80
Flows TCP	192.168.1.1:1032 ➝ 50.63.202.53:80
Flows TCP	192.168.1.1:1033 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1034 ➝ 121.254.178.252:80
Flows TCP	192.168.1.1:1035 ➝ 69.89.31.60:80
Flows TCP	192.168.1.1:1036 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1037 ➝ 74.220.199.8:80
Flows TCP	192.168.1.1:1038 ➝ 216.239.139.94:80
Flows TCP	192.168.1.1:1039 ➝ 72.52.4.119:80
Flows TCP	192.168.1.1:1040 ➝ 184.168.221.41:80
Flows TCP	192.168.1.1:1041 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1042 ➝ 216.21.239.197:80
Flows TCP	192.168.1.1:1043 ➝ 208.91.197.66:80
Flows TCP	192.168.1.1:1044 ➝ 82.165.25.210:80
Flows TCP	192.168.1.1:1045 ➝ 72.52.4.120:80
Flows TCP	192.168.1.1:1046 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1047 ➝ 8.5.1.16:80

Raw Pcap

Strings