Analysis Date: 2016-02-08 08:01:59
MD5: a6840bbc7fb71f397c06c793e2cf6b99
SHA1: 54ec6fcbc846b49fc388bba197c5cd5a0f5e411b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 0c23bfa032a831e4ef55a0ceef971387  sha1: 3845126dd47c17922030cbab68554049c0ee8683  size: 532480
Section .rdata  md5: 03a6a05c6ca6980454e5747954fb5466  sha1: 3fbc4f4af75ef163d6aa7458dac620d736e9d26a  size: 26112
Section .data  md5: 086ff9e645016198c112bcccc23e2278  sha1: adf155d1d04d8910ce67456e37434b9c252acd5d  size: 20480
Section .reloc  md5: dd43f68a3b090363368c5f309e1b3dc9  sha1: 33d2ebaee1a9744ec8d89e032d6557ea2b10a052  size: 39424
Timestamp: 2014-08-05 06:15:27
Packer: Microsoft Visual C++ 8
PEhash: d693788ebb02a2696ceaabc24286d1a56cbf1c4f
IMPhash: 8b2879f534220481f08d6b6046c1152e
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV BullGuard: Gen:Variant.Zusy.141475
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.dupg
AV Zillya!: No Virus
AV Ikarus: Trojan.Bayrob
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Zusy.141475
AV Fortinet: W32/Bayrob.BM!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.AKRC
AV Eset (nod32): Win32/Bayrob.BM
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Avira (antivir): TR/Taranis.2132
AV Mcafee: Trojan-FHSQ!A6840BBC7FB7

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\zegchxphjpo\qs1mbei0yhwlfjx.exe
Creates File: C:\zegchxphjpo\jovcdy
Creates File: C:\WINDOWS\zegchxphjpo\jovcdy
Deletes File: C:\WINDOWS\zegchxphjpo\jovcdy
Creates Process: C:\zegchxphjpo\qs1mbei0yhwlfjx.exe

Process
↳ C:\zegchxphjpo\qs1mbei0yhwlfjx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Audio Defragmenter Base Process ➝ C:\zegchxphjpo\aedzdjjysdfb.exe
Creates File: C:\zegchxphjpo\jovcdy
Creates File: C:\zegchxphjpo\aedzdjjysdfb.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\zegchxphjpo\jovcdy
Creates File: C:\zegchxphjpo\sfv1xveml
Deletes File: C:\WINDOWS\zegchxphjpo\jovcdy
Creates Process: C:\zegchxphjpo\aedzdjjysdfb.exe
Creates Service: Accounts Keying Plug Services Link - C:\zegchxphjpo\aedzdjjysdfb.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1164

Process
↳ C:\zegchxphjpo\aedzdjjysdfb.exe

Creates File: C:\zegchxphjpo\jovcdy
Creates File: pipe\net\NtControlPipe10
Creates File: C:\zegchxphjpo\xphialec.exe
Creates File: C:\zegchxphjpo\dvukcp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\zegchxphjpo\jovcdy
Creates File: C:\zegchxphjpo\sfv1xveml
Deletes File: C:\WINDOWS\zegchxphjpo\jovcdy
Creates Process: g3fyu1deq3bc "c:\zegchxphjpo\aedzdjjysdfb.exe"

Process
↳ C:\zegchxphjpo\aedzdjjysdfb.exe

Creates File: C:\zegchxphjpo\jovcdy
Creates File: C:\WINDOWS\zegchxphjpo\jovcdy
Deletes File: C:\WINDOWS\zegchxphjpo\jovcdy

Process
↳ g3fyu1deq3bc "c:\zegchxphjpo\aedzdjjysdfb.exe"

Creates File: C:\zegchxphjpo\jovcdy
Creates File: C:\WINDOWS\zegchxphjpo\jovcdy
Deletes File: C:\WINDOWS\zegchxphjpo\jovcdy

Network Details:

DNS: knownstream.net  Type: A  ➝ 74.208.56.10
DNS: summerstream.net  Type: A  ➝ 66.96.149.16
DNS: crowdstream.net  Type: A  ➝ 184.168.221.61
DNS: melbourneit.hotkeysparking.com  Type: A  ➝ 8.5.1.16
DNS: thoughtstream.net  Type: A  ➝ 202.172.28.186
DNS: waterstream.net  Type: A  ➝ 91.198.165.243
DNS: melbourneit.hotkeysparking.com  Type: A  ➝ 8.5.1.16
DNS: waterbottle.net  Type: A  ➝ 209.15.13.134
DNS: partystream.net  Type: A  ➝ 162.255.119.251
DNS: fightstream.net  Type: A  ➝ 184.168.221.32
DNS: partybottle.net  Type: A  ➝ 91.215.216.53
DNS: freshbusiness.net  Type: A  ➝ 72.52.4.120
DNS: experiencebusiness.net  Type: A  ➝ 188.40.135.139
DNS: followappear.net  Type: A  ➝ 208.100.26.234
DNS: summerbusiness.net  Type: A  ➝ 8.5.1.46
DNS: crowdbusiness.net  Type: A  ➝ 72.52.4.91
DNS: waterbusiness.net  Type: A  ➝ 192.185.77.17
DNS: womanbusiness.net  Type: A  ➝ 184.168.221.52
DNS: partybusiness.net  Type: A  ➝ 50.62.253.1
DNS: melbourneit.hotkeysparking.com  Type: A  ➝ 8.5.1.16
DNS: freshnothing.net  Type: A
DNS: experiencenothing.net  Type: A
DNS: freshbottle.net  Type: A
DNS: experiencebottle.net  Type: A
DNS: freshdivide.net  Type: A
DNS: experiencedivide.net  Type: A
DNS: gentlemanstream.net  Type: A
DNS: alreadystream.net  Type: A
DNS: gentlemannothing.net  Type: A
DNS: alreadynothing.net  Type: A
DNS: gentlemanbottle.net  Type: A
DNS: alreadybottle.net  Type: A
DNS: gentlemandivide.net  Type: A
DNS: alreadydivide.net  Type: A
DNS: followstream.net  Type: A
DNS: memberstream.net  Type: A
DNS: follownothing.net  Type: A
DNS: membernothing.net  Type: A
DNS: followbottle.net  Type: A
DNS: memberbottle.net  Type: A
DNS: followdivide.net  Type: A
DNS: memberdivide.net  Type: A
DNS: beginstream.net  Type: A
DNS: beginnothing.net  Type: A
DNS: knownnothing.net  Type: A
DNS: beginbottle.net  Type: A
DNS: knownbottle.net  Type: A
DNS: begindivide.net  Type: A
DNS: knowndivide.net  Type: A
DNS: summernothing.net  Type: A
DNS: crowdnothing.net  Type: A
DNS: summerbottle.net  Type: A
DNS: crowdbottle.net  Type: A
DNS: summerdivide.net  Type: A
DNS: crowddivide.net  Type: A
DNS: thoughtnothing.net  Type: A
DNS: waternothing.net  Type: A
DNS: thoughtbottle.net  Type: A
DNS: thoughtdivide.net  Type: A
DNS: waterdivide.net  Type: A
DNS: womanstream.net  Type: A
DNS: smokestream.net  Type: A
DNS: womannothing.net  Type: A
DNS: smokenothing.net  Type: A
DNS: womanbottle.net  Type: A
DNS: smokebottle.net  Type: A
DNS: womandivide.net  Type: A
DNS: smokedivide.net  Type: A
DNS: partynothing.net  Type: A
DNS: fightnothing.net  Type: A
DNS: fightbottle.net  Type: A
DNS: partydivide.net  Type: A
DNS: fightdivide.net  Type: A
DNS: freshmanner.net  Type: A
DNS: experiencemanner.net  Type: A
DNS: freshanother.net  Type: A
DNS: experienceanother.net  Type: A
DNS: freshappear.net  Type: A
DNS: experienceappear.net  Type: A
DNS: gentlemanmanner.net  Type: A
DNS: alreadymanner.net  Type: A
DNS: gentlemananother.net  Type: A
DNS: alreadyanother.net  Type: A
DNS: gentlemanbusiness.net  Type: A
DNS: alreadybusiness.net  Type: A
DNS: gentlemanappear.net  Type: A
DNS: alreadyappear.net  Type: A
DNS: followmanner.net  Type: A
DNS: membermanner.net  Type: A
DNS: followanother.net  Type: A
DNS: memberanother.net  Type: A
DNS: followbusiness.net  Type: A
DNS: memberbusiness.net  Type: A
DNS: memberappear.net  Type: A
DNS: beginmanner.net  Type: A
DNS: knownmanner.net  Type: A
DNS: beginanother.net  Type: A
DNS: knownanother.net  Type: A
DNS: beginbusiness.net  Type: A
DNS: knownbusiness.net  Type: A
DNS: beginappear.net  Type: A
DNS: knownappear.net  Type: A
DNS: summermanner.net  Type: A
DNS: crowdmanner.net  Type: A
DNS: summeranother.net  Type: A
DNS: crowdanother.net  Type: A
DNS: summerappear.net  Type: A
DNS: crowdappear.net  Type: A
DNS: thoughtmanner.net  Type: A
DNS: watermanner.net  Type: A
DNS: thoughtanother.net  Type: A
DNS: wateranother.net  Type: A
DNS: thoughtbusiness.net  Type: A
DNS: thoughtappear.net  Type: A
DNS: waterappear.net  Type: A
DNS: womanmanner.net  Type: A
DNS: smokemanner.net  Type: A
DNS: womananother.net  Type: A
DNS: smokeanother.net  Type: A
DNS: smokebusiness.net  Type: A
DNS: womanappear.net  Type: A
DNS: smokeappear.net  Type: A
DNS: partymanner.net  Type: A
DNS: fightmanner.net  Type: A
DNS: partyanother.net  Type: A
DNS: fightanother.net  Type: A
DNS: fightbusiness.net  Type: A
DNS: partyappear.net  Type: A
DNS: fightappear.net  Type: A
DNS: freshinstead.net  Type: A
DNS: experienceinstead.net  Type: A
DNS: freshexplain.net  Type: A
DNS: experienceexplain.net  Type: A
DNS: freshbright.net  Type: A
DNS: experiencebright.net  Type: A
DNS: freshinside.net  Type: A
DNS: experienceinside.net  Type: A
DNS: gentlemaninstead.net  Type: A
DNS: alreadyinstead.net  Type: A
DNS: gentlemanexplain.net  Type: A
DNS: alreadyexplain.net  Type: A
DNS: gentlemanbright.net  Type: A
DNS: alreadybright.net  Type: A
DNS: gentlemaninside.net  Type: A
DNS: alreadyinside.net  Type: A
DNS: followinstead.net  Type: A
DNS: memberinstead.net  Type: A
DNS: followexplain.net  Type: A
DNS: memberexplain.net  Type: A
DNS: followbright.net  Type: A
DNS: memberbright.net  Type: A
DNS: followinside.net  Type: A
DNS: memberinside.net  Type: A
DNS: begininstead.net  Type: A
DNS: knowninstead.net  Type: A
DNS: beginexplain.net  Type: A
DNS: knownexplain.net  Type: A
DNS: beginbright.net  Type: A
DNS: knownbright.net  Type: A
DNS: begininside.net  Type: A
DNS: knowninside.net  Type: A
DNS: summerinstead.net  Type: A
DNS: crowdinstead.net  Type: A
DNS: summerexplain.net  Type: A
DNS: crowdexplain.net  Type: A
DNS: summerbright.net  Type: A
DNS: crowdbright.net  Type: A
DNS: summerinside.net  Type: A
DNS: crowdinside.net  Type: A
DNS: thoughtinstead.net  Type: A
DNS: waterinstead.net  Type: A
DNS: thoughtexplain.net  Type: A
DNS: waterexplain.net  Type: A
HTTP GET: http://knownstream.net/index.php
User-Agent:
HTTP GET: http://summerstream.net/index.php
User-Agent:
HTTP GET: http://crowdstream.net/index.php
User-Agent:
HTTP GET: http://crowdnothing.net/index.php
User-Agent:
HTTP GET: http://thoughtstream.net/index.php
User-Agent:
HTTP GET: http://waterstream.net/index.php
User-Agent:
HTTP GET: http://thoughtnothing.net/index.php
User-Agent:
HTTP GET: http://waterbottle.net/index.php
User-Agent:
HTTP GET: http://partystream.net/index.php
User-Agent:
HTTP GET: http://fightstream.net/index.php
User-Agent:
HTTP GET: http://partybottle.net/index.php
User-Agent:
HTTP GET: http://freshbusiness.net/index.php
User-Agent:
HTTP GET: http://experiencebusiness.net/index.php
User-Agent:
HTTP GET: http://followappear.net/index.php
User-Agent:
HTTP GET: http://summerbusiness.net/index.php
User-Agent:
HTTP GET: http://crowdbusiness.net/index.php
User-Agent:
HTTP GET: http://waterbusiness.net/index.php
User-Agent:
HTTP GET: http://womanbusiness.net/index.php
User-Agent:
HTTP GET: http://partybusiness.net/index.php
User-Agent:
HTTP GET: http://partyappear.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 74.208.56.10:80
Flows TCP: 192.168.1.1:1032 ➝ 66.96.149.16:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.61:80
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1035 ➝ 202.172.28.186:80
Flows TCP: 192.168.1.1:1036 ➝ 91.198.165.243:80
Flows TCP: 192.168.1.1:1037 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1038 ➝ 209.15.13.134:80
Flows TCP: 192.168.1.1:1039 ➝ 162.255.119.251:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.32:80
Flows TCP: 192.168.1.1:1041 ➝ 91.215.216.53:80
Flows TCP: 192.168.1.1:1042 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1043 ➝ 188.40.135.139:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1045 ➝ 8.5.1.46:80
Flows TCP: 192.168.1.1:1046 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1047 ➝ 192.185.77.17:80
Flows TCP: 192.168.1.1:1048 ➝ 184.168.221.52:80
Flows TCP: 192.168.1.1:1049 ➝ 50.62.253.1:80
Flows TCP: 192.168.1.1:1050 ➝ 8.5.1.16:80