Analysis Date: 2016-02-13 22:40:37
MD5: 5e88f494ef9dfd25a9ea18fab91874a2
SHA1: 58ecdfb78fc30a26552959e07f17fcdc0a2500b7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c92873030f380bdd669d3a450a7b25ec sha1: f0ace624c8a01d5d9ed2d92fff24fe39a80430b5 size: 198656
Section .rdata: md5: 65248190216d03e5180e1254440ce0ca sha1: d658abba909cc41bce25903a6ec58e6b5d049d2f size: 2560
Section .data: md5: 43b8a90414b131c90848df4e895ec0db sha1: 324db5536b5d24c3ace0fb78a5adc35b53653788 size: 15872
Section .reloc: md5: 82b0efec54860d02e6a86624c0f04277 sha1: 254b81e8b1bcb86c3c03e288c4cf6d5cd45b32a6 size: 30720
Timestamp: 2014-05-29 23:19:13
PEhash: 8b9487c4e0ea65c03f97fdd2e9e70d7842bafff7
IMPhash: e1bd0d3283067530aef5f3580bfb757e
AV CA (E-Trust Ino): Gen:Heur.Kelios.1
AV F-Secure: Gen:Heur.Kelios.1
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Heur.Kelios.1
AV BullGuard: Gen:Heur.Kelios.1
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Bayrob.Win32.13064
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.H.gen!Eldorado
AV Emsisoft: Gen:Heur.Kelios.1
AV Authentium: W32/Nivdort.H.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Heur.Kelios.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Heur.Kelios.1
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Generic37.AKQS
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Vupa [Cryp]
AV Rising: No Virus
AV Ad-Aware: Gen:Heur.Kelios.1
AV Twister: Trojan.DOMG.mbgd
AV Avira (antivir): TR/Nivdort.A.29053
AV Mcafee: Trojan-FHRG!5E88F494EF9D

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates File: C:\ylwtcrodftlcw\ocnc1lx2k86idfbpby.exe
Creates File: C:\ylwtcrodftlcw\a6ebrqe
Deletes File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates Process: C:\ylwtcrodftlcw\ocnc1lx2k86idfbpby.exe

Process
↳ C:\ylwtcrodftlcw\ocnc1lx2k86idfbpby.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Upgrade Office IPsec Presentation ➝ C:\ylwtcrodftlcw\ggfbqar.exe
Creates File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates File: PIPE\lsarpc
Creates File: C:\ylwtcrodftlcw\ggfbqar.exe
Creates File: C:\ylwtcrodftlcw\ssyrxcv
Creates File: C:\ylwtcrodftlcw\a6ebrqe
Deletes File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates Process: C:\ylwtcrodftlcw\ggfbqar.exe
Creates Service: Netlogon Configuration Search Encrypting TP - C:\ylwtcrodftlcw\ggfbqar.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1136

Process
↳ C:\ylwtcrodftlcw\ggfbqar.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates File: \Device\Afd\Endpoint
Creates File: C:\ylwtcrodftlcw\mmxodboju.exe
Creates File: C:\ylwtcrodftlcw\kladfroruvb3
Creates File: C:\ylwtcrodftlcw\ssyrxcv
Creates File: C:\ylwtcrodftlcw\a6ebrqe
Deletes File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates Process: welpnbirnsw6 "c:\ylwtcrodftlcw\ggfbqar.exe"

Process
↳ C:\ylwtcrodftlcw\ggfbqar.exe

Creates File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates File: C:\ylwtcrodftlcw\a6ebrqe
Deletes File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe

Process
↳ welpnbirnsw6 "c:\ylwtcrodftlcw\ggfbqar.exe"

Creates File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe
Creates File: C:\ylwtcrodftlcw\a6ebrqe
Deletes File: C:\WINDOWS\ylwtcrodftlcw\a6ebrqe

Network Details:

HTTP GET: http://doctoropinion.net/index.php (User-Agent: empty)
HTTP GET: http://brokenpromise.net/index.php (User-Agent: empty)
HTTP GET: http://preparepromise.net/index.php (User-Agent: empty)
HTTP GET: http://outsidesupply.net/index.php (User-Agent: empty)
HTTP GET: http://outsideoffice.net/index.php (User-Agent: empty)
HTTP GET: http://buildingsupply.net/index.php (User-Agent: empty)
HTTP GET: http://buildingoffice.net/index.php (User-Agent: empty)
HTTP GET: http://storesupply.net/index.php (User-Agent: empty)
HTTP GET: http://doctorsupply.net/index.php (User-Agent: empty)
HTTP GET: http://doctoroffice.net/index.php (User-Agent: empty)
HTTP GET: http://stillsupply.net/index.php (User-Agent: empty)
HTTP GET: http://prettystrong.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 103.48.83.103:80
Flows TCP: 192.168.1.1:1032 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 98.124.243.47:80
Flows TCP: 192.168.1.1:1035 ➝ 104.24.17.64:80
Flows TCP: 192.168.1.1:1036 ➝ 67.212.232.207:80
Flows TCP: 192.168.1.1:1037 ➝ 46.20.7.163:80
Flows TCP: 192.168.1.1:1038 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1040 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1041 ➝ 50.63.202.15:80
Flows TCP: 192.168.1.1:1042 ➝ 50.62.236.1:80

Raw Pcap

Strings