Analysis Date: 2016-02-08 17:56:31
MD5: 57f42271ab53afccb2817f2d67978de8
SHA1: 55341d183f6a5406eecb6c7915a0a0c899224cf5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cb0b08148948c0b383b19c064c6b3c60 sha1: cb4e0d67ae41d63e26f51d04e06f068a46fbaf36 size: 180736
Section .rdata: md5: 17a6ec2a959d269a40a9035c8461b7c8 sha1: 1ec8a022b5c19bdb840080aedf29a16b42f604f2 size: 2560
Section .data: md5: 2251ab392b02c542e60dfae8f38b948d sha1: 06be3cf2a8a412a09c969d05627cb13ebd2cc340 size: 15360
Section .reloc: md5: 0b226acdd6bc9cf3152b1b1e9646d70e sha1: cb0af18e8b2bb0b3f665b201ac80e80cb477c6b7 size: 30208
Timestamp: 2014-07-29 00:00:33
PEhash: 51d3e891262a4602ebf3622a164a1ae8b0f36865
IMPhash: 0f9b16538a7dcf156b5da9752ec2e54f
AV CA (E-Trust Ino): Gen:Variant.Kazy.788903
AV Rising: No Virus
AV Mcafee: Trojan-FHQT!57F42271AB53
AV Avira (antivir): TR/Nivdort.A.34307
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788903
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.BA
AV Grisoft (avg): Generic37.AKTE
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Kazy.788903
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DA
AV MicroWorld (escan): Gen:Variant.Kazy.788903
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.788903
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.788903
AV Arcabit (arcavir): Gen:Variant.Kazy.788903
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.788903

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\efsjqunmu\vf71m03ps2oabwzok7pv.exe
Creates File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates File: C:\efsjqunmu\bobwqzowftb
Deletes File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates Process: C:\efsjqunmu\vf71m03ps2oabwzok7pv.exe

Process
↳ C:\efsjqunmu\vf71m03ps2oabwzok7pv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HomeGroup Key Profile WebClient Secondary COM+ ➝ C:\efsjqunmu\maefcprpmn.exe
Creates File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates File: PIPE\lsarpc
Creates File: C:\efsjqunmu\yrlkewst
Creates File: C:\efsjqunmu\bobwqzowftb
Creates File: C:\efsjqunmu\maefcprpmn.exe
Deletes File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates Process: C:\efsjqunmu\maefcprpmn.exe
Creates Service: Encryption WinHTTP Files Isolation Resolution - C:\efsjqunmu\maefcprpmn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1888

Process
↳ Pid 1172

Process
↳ C:\efsjqunmu\maefcprpmn.exe

Creates File: C:\efsjqunmu\pcbfdtls.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates File: C:\efsjqunmu\gvwunwmxrnmk
Creates File: \Device\Afd\Endpoint
Creates File: C:\efsjqunmu\yrlkewst
Creates File: C:\efsjqunmu\bobwqzowftb
Deletes File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates Process: x6mxeagtiatp "c:\efsjqunmu\maefcprpmn.exe"

Process
↳ C:\efsjqunmu\maefcprpmn.exe

Creates File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates File: C:\efsjqunmu\bobwqzowftb
Deletes File: C:\WINDOWS\efsjqunmu\bobwqzowftb

Process
↳ x6mxeagtiatp "c:\efsjqunmu\maefcprpmn.exe"

Creates File: C:\WINDOWS\efsjqunmu\bobwqzowftb
Creates File: C:\efsjqunmu\bobwqzowftb
Deletes File: C:\WINDOWS\efsjqunmu\bobwqzowftb

Network Details:
