Analysis Date: 2016-02-25 15:13:27
MD5: cd96201ec1eac43d29d5af73cdf2f5b6
SHA1: 62451cce7a67bdd7f96b8566a6cf21ed3ade3c0d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 91ebadfc4200f886979b839d23538d4b sha1: a64c51f7d81eed6964b7f1dc237bb5d6eec1ee8b size: 197632
Section .rdata: md5: 989e6ac22f292408b644b600b140fb46 sha1: 3a94a08a63c2eda6e4e045f306b4324f1a005616 size: 3072
Section .data: md5: acc3949d43e9d64967701cd82014df16 sha1: bb6ae60c6593c108c59b864f97d89e0224ef0932 size: 15872
Section .reloc: md5: 47076130183c02dbc3a2306b9a4b560d sha1: 21e952f81cffda2bea6a317127142fe17bd6cf04 size: 30720
Timestamp: 2014-12-12 04:17:31
PEhash: 700dc24893d033cb9d48632069cd6848cd8b624b
IMPhash: ea4dfd238e00ed41467a93b2811fc4f8
AV CA (E-Trust Ino): Gen:Variant.Razy.15460
AV F-Secure: Gen:Variant.Razy.15460
AV Dr. Web: Trojan.DownLoader19.32066
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.15460
AV BullGuard: Gen:Variant.Razy.15460
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Bayrob.Win32.12513
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.H.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.15460
AV Authentium: W32/Nivdort.H.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.15460
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.15460
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Generic_r.GVH
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Vupa [Cryp]
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Razy.15460
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.A.35863
AV Mcafee: Trojan-FHRG!CD96201EC1EA

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\rhnrrojyqknx\dizivugutyk
Creates File: C:\rhnrrojyqknx\bbnz9z7uqockp09c7.exe
Creates File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Deletes File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Creates Process: C:\rhnrrojyqknx\bbnz9z7uqockp09c7.exe

Process
↳ C:\rhnrrojyqknx\bbnz9z7uqockp09c7.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Visual Acquisition Spooler Isolation Key ➝ C:\rhnrrojyqknx\igecsexsdtgw.exe
Creates File: C:\rhnrrojyqknx\dizivugutyk
Creates File: C:\rhnrrojyqknx\ed3snge3
Creates File: C:\rhnrrojyqknx\igecsexsdtgw.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Deletes File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Creates Process: C:\rhnrrojyqknx\igecsexsdtgw.exe
Creates Service: Coordinator Device Input User - C:\rhnrrojyqknx\igecsexsdtgw.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\IGECSEXSDTGW.EXE-308F9FBD.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\GQRZIGSQP.EXE-39DD96A3.pf
Creates File: C:\WINDOWS\Prefetch\BBNZ9Z7UQOCKP09C7.EXE-256ADFCA.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1120

Process
↳ Pid 1204

Process
↳ Pid 1320

Process
↳ Pid 1860

Process
↳ Pid 1832

Process
↳ C:\rhnrrojyqknx\igecsexsdtgw.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\rhnrrojyqknx\dizivugutyk
Creates File: C:\rhnrrojyqknx\wi3xyjomg
Creates File: C:\rhnrrojyqknx\ed3snge3
Creates File: C:\rhnrrojyqknx\gqrzigsqp.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Deletes File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Creates Process: duouxypliubx "c:\rhnrrojyqknx\igecsexsdtgw.exe"

Process
↳ C:\rhnrrojyqknx\igecsexsdtgw.exe

Creates File: C:\rhnrrojyqknx\dizivugutyk
Creates File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Deletes File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk

Process
↳ duouxypliubx "c:\rhnrrojyqknx\igecsexsdtgw.exe"

Creates File: C:\rhnrrojyqknx\dizivugutyk
Creates File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk
Deletes File: C:\WINDOWS\rhnrrojyqknx\dizivugutyk

Network Details:

DNS: childrenalthough.net (Type: A) ➝ 195.22.28.198
DNS: childrenalthough.net (Type: A) ➝ 195.22.28.199
DNS: childrenalthough.net (Type: A) ➝ 195.22.28.196
DNS: childrenalthough.net (Type: A) ➝ 195.22.28.197
DNS: becausecharge.net (Type: A) ➝ 195.22.28.198
DNS: becausecharge.net (Type: A) ➝ 195.22.28.199
DNS: becausecharge.net (Type: A) ➝ 195.22.28.196
DNS: becausecharge.net (Type: A) ➝ 195.22.28.197
DNS: personcharge.net (Type: A) ➝ 208.100.26.234
DNS: melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS: alreadyshort.net (Type: A) ➝ 195.22.28.198
DNS: alreadyshort.net (Type: A) ➝ 195.22.28.199
DNS: alreadyshort.net (Type: A) ➝ 195.22.28.196
DNS: alreadyshort.net (Type: A) ➝ 195.22.28.197
DNS: knownpromise.net (Type: A) ➝ 208.100.26.234
DNS: melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS: freshoffice.net (Type: A) ➝ 82.165.89.154
DNS: cigarettealthough.net (Type: A)
DNS: pictureperiod.net (Type: A)
DNS: cigaretteperiod.net (Type: A)
DNS: picturehowever.net (Type: A)
DNS: cigarettehowever.net (Type: A)
DNS: childrenchoose.net (Type: A)
DNS: familychoose.net (Type: A)
DNS: familyalthough.net (Type: A)
DNS: childrenperiod.net (Type: A)
DNS: familyperiod.net (Type: A)
DNS: childrenhowever.net (Type: A)
DNS: familyhowever.net (Type: A)
DNS: eitherchoose.net (Type: A)
DNS: englishchoose.net (Type: A)
DNS: eitheralthough.net (Type: A)
DNS: englishalthough.net (Type: A)
DNS: eitherperiod.net (Type: A)
DNS: englishperiod.net (Type: A)
DNS: eitherhowever.net (Type: A)
DNS: englishhowever.net (Type: A)
DNS: expectsingle.net (Type: A)
DNS: becausesingle.net (Type: A)
DNS: expectcharge.net (Type: A)
DNS: expectdifference.net (Type: A)
DNS: becausedifference.net (Type: A)
DNS: expectevery.net (Type: A)
DNS: becauseevery.net (Type: A)
DNS: personsingle.net (Type: A)
DNS: machinesingle.net (Type: A)
DNS: machinecharge.net (Type: A)
DNS: persondifference.net (Type: A)
DNS: machinedifference.net (Type: A)
DNS: personevery.net (Type: A)
DNS: machineevery.net (Type: A)
DNS: suddensingle.net (Type: A)
DNS: foreignsingle.net (Type: A)
DNS: suddencharge.net (Type: A)
DNS: foreigncharge.net (Type: A)
DNS: suddendifference.net (Type: A)
DNS: foreigndifference.net (Type: A)
DNS: suddenevery.net (Type: A)
DNS: foreignevery.net (Type: A)
DNS: whethersingle.net (Type: A)
DNS: rightsingle.net (Type: A)
DNS: whethercharge.net (Type: A)
DNS: rightcharge.net (Type: A)
DNS: whetherdifference.net (Type: A)
DNS: rightdifference.net (Type: A)
DNS: whetherevery.net (Type: A)
DNS: rightevery.net (Type: A)
DNS: figuresingle.net (Type: A)
DNS: thoughsingle.net (Type: A)
DNS: figurecharge.net (Type: A)
DNS: thoughcharge.net (Type: A)
DNS: figuredifference.net (Type: A)
DNS: thoughdifference.net (Type: A)
DNS: figureevery.net (Type: A)
DNS: thoughevery.net (Type: A)
DNS: picturesingle.net (Type: A)
DNS: cigarettesingle.net (Type: A)
DNS: picturecharge.net (Type: A)
DNS: cigarettecharge.net (Type: A)
DNS: picturedifference.net (Type: A)
DNS: cigarettedifference.net (Type: A)
DNS: pictureevery.net (Type: A)
DNS: cigaretteevery.net (Type: A)
DNS: childrensingle.net (Type: A)
DNS: familysingle.net (Type: A)
DNS: childrencharge.net (Type: A)
DNS: familycharge.net (Type: A)
DNS: childrendifference.net (Type: A)
DNS: familydifference.net (Type: A)
DNS: childrenevery.net (Type: A)
DNS: familyevery.net (Type: A)
DNS: eithersingle.net (Type: A)
DNS: englishsingle.net (Type: A)
DNS: eithercharge.net (Type: A)
DNS: englishcharge.net (Type: A)
DNS: eitherdifference.net (Type: A)
DNS: englishdifference.net (Type: A)
DNS: eitherevery.net (Type: A)
DNS: englishevery.net (Type: A)
DNS: freshshould.net (Type: A)
DNS: experienceshould.net (Type: A)
DNS: freshshort.net (Type: A)
DNS: experienceshort.net (Type: A)
DNS: freshopinion.net (Type: A)
DNS: experienceopinion.net (Type: A)
DNS: freshpromise.net (Type: A)
DNS: experiencepromise.net (Type: A)
DNS: gentlemanshould.net (Type: A)
DNS: alreadyshould.net (Type: A)
DNS: gentlemanshort.net (Type: A)
DNS: gentlemanopinion.net (Type: A)
DNS: alreadyopinion.net (Type: A)
DNS: gentlemanpromise.net (Type: A)
DNS: alreadypromise.net (Type: A)
DNS: followshould.net (Type: A)
DNS: membershould.net (Type: A)
DNS: followshort.net (Type: A)
DNS: membershort.net (Type: A)
DNS: followopinion.net (Type: A)
DNS: memberopinion.net (Type: A)
DNS: followpromise.net (Type: A)
DNS: memberpromise.net (Type: A)
DNS: beginshould.net (Type: A)
DNS: knownshould.net (Type: A)
DNS: beginshort.net (Type: A)
DNS: knownshort.net (Type: A)
DNS: beginopinion.net (Type: A)
DNS: knownopinion.net (Type: A)
DNS: beginpromise.net (Type: A)
DNS: summershould.net (Type: A)
DNS: crowdshould.net (Type: A)
DNS: summershort.net (Type: A)
DNS: crowdshort.net (Type: A)
DNS: summeropinion.net (Type: A)
DNS: crowdopinion.net (Type: A)
DNS: summerpromise.net (Type: A)
DNS: crowdpromise.net (Type: A)
DNS: thoughtshould.net (Type: A)
DNS: watershould.net (Type: A)
DNS: thoughtshort.net (Type: A)
DNS: watershort.net (Type: A)
DNS: thoughtopinion.net (Type: A)
DNS: wateropinion.net (Type: A)
DNS: thoughtpromise.net (Type: A)
DNS: waterpromise.net (Type: A)
DNS: womanshould.net (Type: A)
DNS: smokeshould.net (Type: A)
DNS: womanshort.net (Type: A)
DNS: smokeshort.net (Type: A)
DNS: womanopinion.net (Type: A)
DNS: smokeopinion.net (Type: A)
DNS: womanpromise.net (Type: A)
DNS: smokepromise.net (Type: A)
DNS: partyshould.net (Type: A)
DNS: fightshould.net (Type: A)
DNS: partyshort.net (Type: A)
DNS: fightshort.net (Type: A)
DNS: partyopinion.net (Type: A)
DNS: fightopinion.net (Type: A)
DNS: partypromise.net (Type: A)
DNS: fightpromise.net (Type: A)
DNS: freshsupply.net (Type: A)
DNS: experiencesupply.net (Type: A)
DNS: freshdistance.net (Type: A)
DNS: experiencedistance.net (Type: A)
DNS: experienceoffice.net (Type: A)
DNS: fresharrive.net (Type: A)
DNS: experiencearrive.net (Type: A)
DNS: gentlemansupply.net (Type: A)
DNS: alreadysupply.net (Type: A)
DNS: gentlemandistance.net (Type: A)
DNS: alreadydistance.net (Type: A)
DNS: gentlemanoffice.net (Type: A)
DNS: alreadyoffice.net (Type: A)
DNS: gentlemanarrive.net (Type: A)
DNS: alreadyarrive.net (Type: A)
DNS: followsupply.net (Type: A)
DNS: membersupply.net (Type: A)
DNS: followdistance.net (Type: A)
DNS: memberdistance.net (Type: A)
DNS: followoffice.net (Type: A)
HTTP GET: http://childrenalthough.net/index.php
User-Agent:
HTTP GET: http://becausecharge.net/index.php
User-Agent:
HTTP GET: http://personcharge.net/index.php
User-Agent:
HTTP GET: http://rightdifference.net/index.php
User-Agent:
HTTP GET: http://alreadyshort.net/index.php
User-Agent:
HTTP GET: http://knownpromise.net/index.php
User-Agent:
HTTP GET: http://womanshort.net/index.php
User-Agent:
HTTP GET: http://freshoffice.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1037 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1038 ➝ 82.165.89.154:80
