Analysis Date: 2016-01-29 21:01:45
MD5: 0627da28486b68a6dcdc5615307f41f1
SHA1: 5f0b0af5e6521d1eabcbe8ce1babe3813aa6202b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 16051f67f8157b60eb60ad27e50e770d sha1: b43424c7ce80ded248da992f3544a3922159b1aa size: 307200
Section .rdata md5: aabe1c1a5406c9099282f4dff610cdc9 sha1: 72dd77a35693940d9c8bd551219113d709f84a7c size: 25600
Section .data md5: 0d08cb0ce8cf6613bfb7ba8e3cc7204b sha1: 3a2409f6796c8c6741ac08b0afde4ae69b8da04d size: 19968
Section .reloc md5: 4da6afd3987e603843a4aecf0795635b sha1: 7536ec4b5094bbebdbf3637b5dd59faf7d74bb16 size: 33280
Timestamp: 2014-11-22 06:00:55
Packer: Microsoft Visual C++ 8
PEhash: 9112a289d5c870d170e978e33524ab51f6486974
IMPhash: 46fe74e2f77f8a0d72b4bcaec74d025e
AV Fortinet: W32/Bayrob.BJ!tr
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV F-Secure: Trojan.Generic.15798067
AV MalwareBytes: No Virus
AV Mcafee: Trojan-FHSQ!0627DA28486B
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Trend Micro: No Virus
AV Dr. Web: Trojan.DownLoader19.11323
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV Grisoft (avg): Generic37.ACOU
AV Twister: No Virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Zillya!: No Virus
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Kaspersky: Trojan.Win32.Bayrob.clzo
AV CAT (quickheal): No Virus
AV ClamAV: No Virus
AV Eset (nod32): Win32/Bayrob.BJ
AV Alwil (avast): Win32:Malware-gen
AV CA (E-Trust Ino): No Virus
AV BitDefender: Trojan.Generic.15798067
AV Emsisoft: Trojan.Generic.15798067
AV Symantec: No Virus
AV K7: Trojan ( 004dc2a31 )
AV Ad-Aware: Trojan.Generic.15798067
AV Avira (antivir): TR/Nivdort.A.31446
AV Arcabit (arcavir): Trojan.Generic.15798067
AV VirusBlokAda (vba32): No Virus
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\vrfsorpz\vfgxd1l2ouajchpb9zawo.exe
Creates File: C:\vrfsorpz\iwxs8njswqnu
Creates File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Deletes File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Creates Process: C:\vrfsorpz\vfgxd1l2ouajchpb9zawo.exe

Process
↳ C:\vrfsorpz\vfgxd1l2ouajchpb9zawo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Problem Desktop Proxy Auto Bus AuthIP Application ➝ C:\vrfsorpz\pxeevtx.exe
Creates File: C:\vrfsorpz\mo76kuo8a
Creates File: C:\vrfsorpz\iwxs8njswqnu
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Creates File: C:\vrfsorpz\pxeevtx.exe
Deletes File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Creates Process: C:\vrfsorpz\pxeevtx.exe
Creates Service: Application Detection Interactive Shadow Store - C:\vrfsorpz\pxeevtx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1120

Process
↳ C:\vrfsorpz\pxeevtx.exe

Creates File: C:\vrfsorpz\mo76kuo8a
Creates File: pipe\net\NtControlPipe10
Creates File: C:\vrfsorpz\somhsfluz.exe
Creates File: C:\vrfsorpz\qvihztnmwq
Creates File: C:\vrfsorpz\iwxs8njswqnu
Creates File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Creates Process: lqmvbnfeaufs "c:\vrfsorpz\pxeevtx.exe"

Process
↳ C:\vrfsorpz\pxeevtx.exe

Creates File: C:\vrfsorpz\iwxs8njswqnu
Creates File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Deletes File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu

Process
↳ lqmvbnfeaufs "c:\vrfsorpz\pxeevtx.exe"

Creates File: C:\vrfsorpz\iwxs8njswqnu
Creates File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu
Deletes File: C:\WINDOWS\vrfsorpz\iwxs8njswqnu

Network Details:

DNS: machineclean.net Type: A ➝ 208.109.181.40
DNS: rightclean.net Type: A ➝ 66.175.213.119
DNS: rightcourse.net Type: A ➝ 72.167.191.69
DNS: familyclean.net Type: A ➝ 176.34.121.15
DNS: familyclean.net Type: A ➝ 176.34.232.209
DNS: familyclean.net Type: A ➝ 46.137.98.88
DNS: familyclean.net Type: A ➝ 54.75.224.248
DNS: familyclean.net Type: A ➝ 54.228.214.122
DNS: familyclean.net Type: A ➝ 54.247.165.51
DNS: englishpaint.net Type: A ➝ 82.165.249.114
DNS: englishcourse.net Type: A ➝ 50.63.202.2
DNS: englishwomen.net Type: A ➝ 207.148.248.143
DNS: suddennothing.net Type: A ➝ 208.100.26.234
DNS: personclean.net Type: A
DNS: personpaint.net Type: A
DNS: machinepaint.net Type: A
DNS: personcourse.net Type: A
DNS: machinecourse.net Type: A
DNS: personwomen.net Type: A
DNS: machinewomen.net Type: A
DNS: suddenclean.net Type: A
DNS: foreignclean.net Type: A
DNS: suddenpaint.net Type: A
DNS: foreignpaint.net Type: A
DNS: suddencourse.net Type: A
DNS: foreigncourse.net Type: A
DNS: suddenwomen.net Type: A
DNS: foreignwomen.net Type: A
DNS: whetherclean.net Type: A
DNS: whetherpaint.net Type: A
DNS: rightpaint.net Type: A
DNS: whethercourse.net Type: A
DNS: whetherwomen.net Type: A
DNS: rightwomen.net Type: A
DNS: figureclean.net Type: A
DNS: thoughclean.net Type: A
DNS: figurepaint.net Type: A
DNS: thoughpaint.net Type: A
DNS: figurecourse.net Type: A
DNS: thoughcourse.net Type: A
DNS: figurewomen.net Type: A
DNS: thoughwomen.net Type: A
DNS: pictureclean.net Type: A
DNS: cigaretteclean.net Type: A
DNS: picturepaint.net Type: A
DNS: cigarettepaint.net Type: A
DNS: picturecourse.net Type: A
DNS: cigarettecourse.net Type: A
DNS: picturewomen.net Type: A
DNS: cigarettewomen.net Type: A
DNS: childrenclean.net Type: A
DNS: childrenpaint.net Type: A
DNS: familypaint.net Type: A
DNS: childrencourse.net Type: A
DNS: familycourse.net Type: A
DNS: childrenwomen.net Type: A
DNS: familywomen.net Type: A
DNS: eitherclean.net Type: A
DNS: englishclean.net Type: A
DNS: eitherpaint.net Type: A
DNS: eithercourse.net Type: A
DNS: eitherwomen.net Type: A
DNS: expectstream.net Type: A
DNS: becausestream.net Type: A
DNS: expectnothing.net Type: A
DNS: becausenothing.net Type: A
DNS: expectbottle.net Type: A
DNS: becausebottle.net Type: A
DNS: expectdivide.net Type: A
DNS: becausedivide.net Type: A
DNS: personstream.net Type: A
DNS: machinestream.net Type: A
DNS: personnothing.net Type: A
DNS: machinenothing.net Type: A
DNS: personbottle.net Type: A
DNS: machinebottle.net Type: A
DNS: persondivide.net Type: A
DNS: machinedivide.net Type: A
DNS: suddenstream.net Type: A
DNS: foreignstream.net Type: A
DNS: foreignnothing.net Type: A
DNS: suddenbottle.net Type: A
DNS: foreignbottle.net Type: A
DNS: suddendivide.net Type: A
DNS: foreigndivide.net Type: A
DNS: whetherstream.net Type: A
DNS: rightstream.net Type: A
DNS: whethernothing.net Type: A
DNS: rightnothing.net Type: A
DNS: whetherbottle.net Type: A
DNS: rightbottle.net Type: A
DNS: whetherdivide.net Type: A
DNS: rightdivide.net Type: A
DNS: figurestream.net Type: A
DNS: thoughstream.net Type: A
DNS: figurenothing.net Type: A
DNS: thoughnothing.net Type: A
HTTP GET: http://machineclean.net/index.php
User-Agent:
HTTP GET: http://rightclean.net/index.php
User-Agent:
HTTP GET: http://rightcourse.net/index.php
User-Agent:
HTTP GET: http://familyclean.net/index.php
User-Agent:
HTTP GET: http://englishpaint.net/index.php
User-Agent:
HTTP GET: http://englishcourse.net/index.php
User-Agent:
HTTP GET: http://englishwomen.net/index.php
User-Agent:
HTTP GET: http://suddennothing.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.109.181.40:80
Flows TCP: 192.168.1.1:1032 ➝ 66.175.213.119:80
Flows TCP: 192.168.1.1:1033 ➝ 72.167.191.69:80
Flows TCP: 192.168.1.1:1034 ➝ 176.34.121.15:80
Flows TCP: 192.168.1.1:1035 ➝ 82.165.249.114:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.2:80
Flows TCP: 192.168.1.1:1037 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
