Analysis Date: 2016-04-21 04:47:00
MD5: 0a679f83d6c00bd517575767c075b399
SHA1: 65ead451b3e23d580a1eceaa910de9239b91412e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8d0a8931df22a419963bd2ce24cb279f sha1: fc118c0ee875b2088f141b5688ff1b2ac4398aa8 size: 303104
Section .rdata: md5: 2cd3dc16d4b74209bcb1f0d4752b4c8b sha1: 8f3d35b352739ecc61eaaa5ae59957be46578916 size: 26112
Section .data: md5: c52e3200d611ee34b09c702535351979 sha1: ceea139c39077e56aea012e1ea9e97983a67be98 size: 20480
Section .reloc: md5: 6496f3acd731cf9e054e2402fc836d12 sha1: 31c677fa9b2331ded16fffe1e3e0e86bdb0c9301 size: 32768
Timestamp: 2014-06-20 13:07:45
Packer: Microsoft Visual C++ 8
PEhash: 33f1ba0384b514d79efe8c6d8d22fa574be9599c
IMPhash: 8d02ff85a074fa14cb353110c505c6d6
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.15381
AV F-Secure: Gen:Variant.Razy.15381
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.15381
AV BullGuard: Gen:Variant.Razy.15381
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.15381
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.15381
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.15381
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.AEXG
AV Eset (nod32): Win32/Bayrob.BJ
AV Alwil (avast): Win32:Malware-gen
AV Alwil (avast): Malware-gen
AV Ad-Aware: Gen:Variant.Razy.15381
AV Twister: No Virus
AV Avira (antivir): TR/Taranis.2015
AV Mcafee: Trojan-FHRY!0A679F83D6C0

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\deiezreaan\bgzhldq
Creates File: C:\WINDOWS\deiezreaan\bgzhldq
Creates File: C:\deiezreaan\xjloz1kqjp6fgyptfdq.exe
Deletes File: C:\WINDOWS\deiezreaan\bgzhldq
Creates Process: C:\deiezreaan\xjloz1kqjp6fgyptfdq.exe

Process
↳ C:\deiezreaan\xjloz1kqjp6fgyptfdq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Human Panel Protection Task Window ➝ C:\deiezreaan\sxfqzdj.exe
Creates File: C:\deiezreaan\saiumr
Creates File: C:\deiezreaan\bgzhldq
Creates File: C:\WINDOWS\deiezreaan\bgzhldq
Creates File: PIPE\lsarpc
Creates File: C:\deiezreaan\sxfqzdj.exe
Deletes File: C:\WINDOWS\deiezreaan\bgzhldq
Creates Process: C:\deiezreaan\sxfqzdj.exe
Creates Service: Builder Disk Connections Policy - C:\deiezreaan\sxfqzdj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1136

Process
↳ C:\deiezreaan\sxfqzdj.exe

Creates File: C:\deiezreaan\saiumr
Creates File: C:\deiezreaan\bgzhldq
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\deiezreaan\bgzhldq
Creates File: \Device\Afd\Endpoint
Creates File: C:\deiezreaan\tiponnsbpg.exe
Creates File: C:\deiezreaan\xpvelpgj9
Deletes File: C:\WINDOWS\deiezreaan\bgzhldq
Creates Process: frjhurkbo6qc "c:\deiezreaan\sxfqzdj.exe"

Process
↳ C:\deiezreaan\sxfqzdj.exe

Creates File: C:\deiezreaan\bgzhldq
Creates File: C:\WINDOWS\deiezreaan\bgzhldq
Deletes File: C:\WINDOWS\deiezreaan\bgzhldq

Process
↳ frjhurkbo6qc "c:\deiezreaan\sxfqzdj.exe"

Creates File: C:\deiezreaan\bgzhldq
Creates File: C:\WINDOWS\deiezreaan\bgzhldq
Deletes File: C:\WINDOWS\deiezreaan\bgzhldq

Network Details:

