Analysis Date: 2016-02-04 22:57:45
MD5: bae0423cd54f0c5891d58a07bfa64ff3
SHA1: 66b2ad02a59a225973cc9920eac66169314a6a7e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ba7ad32f0884d65ed5f588a4512d725d sha1: d399ddb7f122422af3160a9f46a7322cd87d805c size: 306688
Section .rdata md5: 778d1367f2d47c78cb75cd79e2abcfa7 sha1: d3c69d3d6191891cd9e24545b9b5768c3ecb51ec size: 26112
Section .data md5: 48ef04062f25a4fe77ef82644063100b sha1: d15c33e224d8c448a77ba8ea975297032b1762f8 size: 19968
Section .reloc md5: c0ab7a66b5a00326367e8dce61276b61 sha1: 0f76d135f7456522efbdfebd470b4aeb1ce3fa2e size: 33280
Timestamp: 2014-02-23 07:26:51
Packer: Microsoft Visual C++ 8
PEhash: a13d4b24e75d0083778adaea555a00112f69c0ab
IMPhash: 959df6d2bf43840fd0a66c1a9f2d9201
AV F-Secure: Gen:Variant.Zusy.141475
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Grisoft (avg): Generic37.ADAX
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Avira (antivir): TR/Taranis.2082
AV K7: Trojan ( 004dc2a31 )
AV ClamAV: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Dr. Web: Trojan.DownLoader19.10824
AV Mcafee: Trojan-FHSQ!BAE0423CD54F
AV BitDefender: Gen:Variant.Zusy.141475
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV Emsisoft: Gen:Variant.Zusy.141475
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Eset (nod32): Win32/Bayrob.BJ
AV BullGuard: Gen:Variant.Zusy.141475
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BJ!tr
AV Trend Micro: No Virus
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV Twister: No Virus
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV VirusBlokAda (vba32): No Virus
AV CA (E-Trust Ino): No Virus
AV Zillya!: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates File: C:\idxkpznthbzlkog\l8npv1m7xxiovbwelfug.exe
Creates File: C:\idxkpznthbzlkog\zwikq9n
Deletes File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates Process: C:\idxkpznthbzlkog\l8npv1m7xxiovbwelfug.exe

Process
↳ C:\idxkpznthbzlkog\l8npv1m7xxiovbwelfug.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Card Extensible Connection SSDP Disk ➝ C:\idxkpznthbzlkog\ueoiusvdbger.exe
Creates File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates File: PIPE\lsarpc
Creates File: C:\idxkpznthbzlkog\rht8dfgi2kl
Creates File: C:\idxkpznthbzlkog\ueoiusvdbger.exe
Creates File: C:\idxkpznthbzlkog\zwikq9n
Deletes File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates Process: C:\idxkpznthbzlkog\ueoiusvdbger.exe
Creates Service: Scheduler Superfetch Logs Port Protocol - C:\idxkpznthbzlkog\ueoiusvdbger.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1136

Process
↳ C:\idxkpznthbzlkog\ueoiusvdbger.exe

Creates File: C:\idxkpznthbzlkog\jynbilmfvzpt
Creates File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates File: pipe\net\NtControlPipe10
Creates File: C:\idxkpznthbzlkog\nsiumkvkvgca.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\idxkpznthbzlkog\rht8dfgi2kl
Creates File: C:\idxkpznthbzlkog\zwikq9n
Deletes File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates Process: tefanbavmrtx "c:\idxkpznthbzlkog\ueoiusvdbger.exe"

Process
↳ C:\idxkpznthbzlkog\ueoiusvdbger.exe

Creates File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates File: C:\idxkpznthbzlkog\zwikq9n
Deletes File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n

Process
↳ tefanbavmrtx "c:\idxkpznthbzlkog\ueoiusvdbger.exe"

Creates File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n
Creates File: C:\idxkpznthbzlkog\zwikq9n
Deletes File: C:\WINDOWS\idxkpznthbzlkog\zwikq9n

Network Details:

DNS: finishduring.net Type: A ➝ 195.22.28.197
DNS: finishduring.net Type: A ➝ 195.22.28.198
DNS: finishduring.net Type: A ➝ 195.22.28.199
DNS: finishduring.net Type: A ➝ 195.22.28.196
DNS: sweetindeed.net Type: A ➝ 208.91.197.46
DNS: laughnorth.net Type: A ➝ 208.100.26.234
DNS: mothergeneral.net Type: A ➝ 98.139.135.129
DNS: mothernorth.net Type: A ➝ 87.98.231.5
DNS: severaindeed.net Type: A
DNS: laughindeed.net Type: A
DNS: severaduring.net Type: A
DNS: laughduring.net Type: A
DNS: simplelength.net Type: A
DNS: motherlength.net Type: A
DNS: simplenotice.net Type: A
DNS: mothernotice.net Type: A
DNS: simpleindeed.net Type: A
DNS: motherindeed.net Type: A
DNS: simpleduring.net Type: A
DNS: motherduring.net Type: A
DNS: mountainlength.net Type: A
DNS: possiblelength.net Type: A
DNS: mountainnotice.net Type: A
DNS: possiblenotice.net Type: A
DNS: mountainindeed.net Type: A
DNS: possibleindeed.net Type: A
DNS: mountainduring.net Type: A
DNS: possibleduring.net Type: A
DNS: perhapslength.net Type: A
DNS: windowlength.net Type: A
DNS: perhapsnotice.net Type: A
DNS: windownotice.net Type: A
DNS: perhapsindeed.net Type: A
DNS: windowindeed.net Type: A
DNS: perhapsduring.net Type: A
DNS: windowduring.net Type: A
DNS: winterlength.net Type: A
DNS: subjectlength.net Type: A
DNS: winternotice.net Type: A
DNS: subjectnotice.net Type: A
DNS: winterindeed.net Type: A
DNS: subjectindeed.net Type: A
DNS: winterduring.net Type: A
DNS: subjectduring.net Type: A
DNS: finishlength.net Type: A
DNS: leavelength.net Type: A
DNS: finishnotice.net Type: A
DNS: leavenotice.net Type: A
DNS: finishindeed.net Type: A
DNS: leaveindeed.net Type: A
DNS: leaveduring.net Type: A
DNS: sweetlength.net Type: A
DNS: probablylength.net Type: A
DNS: sweetnotice.net Type: A
DNS: probablynotice.net Type: A
DNS: probablyindeed.net Type: A
DNS: sweetduring.net Type: A
DNS: probablyduring.net Type: A
DNS: severallength.net Type: A
DNS: materiallength.net Type: A
DNS: severalnotice.net Type: A
DNS: materialnotice.net Type: A
DNS: severalindeed.net Type: A
DNS: materialindeed.net Type: A
DNS: severalduring.net Type: A
DNS: materialduring.net Type: A
DNS: severaclear.net Type: A
DNS: laughclear.net Type: A
DNS: severageneral.net Type: A
DNS: laughgeneral.net Type: A
DNS: severainclude.net Type: A
DNS: laughinclude.net Type: A
DNS: severanorth.net Type: A
DNS: simpleclear.net Type: A
DNS: motherclear.net Type: A
DNS: simplegeneral.net Type: A
DNS: simpleinclude.net Type: A
DNS: motherinclude.net Type: A
DNS: simplenorth.net Type: A
DNS: mountainclear.net Type: A
DNS: possibleclear.net Type: A
DNS: mountaingeneral.net Type: A
DNS: possiblegeneral.net Type: A
DNS: mountaininclude.net Type: A
DNS: possibleinclude.net Type: A
DNS: mountainnorth.net Type: A
DNS: possiblenorth.net Type: A
DNS: perhapsclear.net Type: A
DNS: windowclear.net Type: A
DNS: perhapsgeneral.net Type: A
DNS: windowgeneral.net Type: A
DNS: perhapsinclude.net Type: A
DNS: windowinclude.net Type: A
DNS: perhapsnorth.net Type: A
DNS: windownorth.net Type: A
DNS: winterclear.net Type: A
DNS: subjectclear.net Type: A
DNS: wintergeneral.net Type: A
DNS: subjectgeneral.net Type: A
DNS: winterinclude.net Type: A
DNS: subjectinclude.net Type: A
DNS: winternorth.net Type: A
DNS: subjectnorth.net Type: A
DNS: finishclear.net Type: A
DNS: leaveclear.net Type: A
DNS: finishgeneral.net Type: A
DNS: leavegeneral.net Type: A
DNS: finishinclude.net Type: A
DNS: leaveinclude.net Type: A
DNS: finishnorth.net Type: A
DNS: leavenorth.net Type: A
DNS: sweetclear.net Type: A
DNS: probablyclear.net Type: A
DNS: sweetgeneral.net Type: A
DNS: probablygeneral.net Type: A
DNS: sweetinclude.net Type: A
DNS: probablyinclude.net Type: A
DNS: sweetnorth.net Type: A
DNS: probablynorth.net Type: A
DNS: severalclear.net Type: A
DNS: materialclear.net Type: A
DNS: severalgeneral.net Type: A
DNS: materialgeneral.net Type: A
DNS: severalinclude.net Type: A
DNS: materialinclude.net Type: A
DNS: severalnorth.net Type: A
DNS: materialnorth.net Type: A
DNS: severabranch.net Type: A
DNS: laughbranch.net Type: A
DNS: severabelieve.net Type: A
DNS: laughbelieve.net Type: A
DNS: severareceive.net Type: A
DNS: laughreceive.net Type: A
DNS: severaquarter.net Type: A
DNS: laughquarter.net Type: A
DNS: simplebranch.net Type: A
DNS: motherbranch.net Type: A
DNS: simplebelieve.net Type: A
DNS: motherbelieve.net Type: A
DNS: simplereceive.net Type: A
DNS: motherreceive.net Type: A
DNS: simplequarter.net Type: A
DNS: motherquarter.net Type: A
DNS: mountainbranch.net Type: A
DNS: possiblebranch.net Type: A
DNS: mountainbelieve.net Type: A
DNS: possiblebelieve.net Type: A
DNS: mountainreceive.net Type: A
DNS: possiblereceive.net Type: A
DNS: mountainquarter.net Type: A
DNS: possiblequarter.net Type: A
DNS: perhapsbranch.net Type: A
DNS: windowbranch.net Type: A
DNS: perhapsbelieve.net Type: A
DNS: windowbelieve.net Type: A
DNS: perhapsreceive.net Type: A
DNS: windowreceive.net Type: A
DNS: perhapsquarter.net Type: A
DNS: windowquarter.net Type: A
DNS: winterbranch.net Type: A
DNS: subjectbranch.net Type: A
DNS: winterbelieve.net Type: A
DNS: subjectbelieve.net Type: A
DNS: winterreceive.net Type: A
DNS: subjectreceive.net Type: A
DNS: winterquarter.net Type: A
DNS: subjectquarter.net Type: A
DNS: finishbranch.net Type: A
DNS: leavebranch.net Type: A
DNS: finishbelieve.net Type: A
DNS: leavebelieve.net Type: A
DNS: finishreceive.net Type: A
DNS: leavereceive.net Type: A
HTTP GET: http://finishduring.net/index.php
User-Agent:
HTTP GET: http://sweetindeed.net/index.php
User-Agent:
HTTP GET: http://laughnorth.net/index.php
User-Agent:
HTTP GET: http://mothergeneral.net/index.php
User-Agent:
HTTP GET: http://mothernorth.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1032 ➝ 208.91.197.46:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1035 ➝ 87.98.231.5:80
