Analysis Date: 2016-05-05 05:15:40
MD5: 7acb54f5c45176a412498e60ebd838bd
SHA1: 6fbbd07b335010291834114ede0eb6987d11b40d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 1971ca658fa03b3efbbc2ea09585828a  sha1: 05a8f9d5d431e0705db392957e9eb5f472e1c381  size: 184320
Section .rdata  md5: 221bb92a20165a54bddce39cef05ea1d  sha1: 63b56966ef7094f97c7be4f276dd00b104e1abfb  size: 2560
Section .data   md5: c7583be9bcff9b4dd7842a26668b407f  sha1: 769e20b0a2bef466407a8c8187b018878692dd0e  size: 16384
Section .reloc  md5: b5b7143d6d64547543a1ddba837eae97  sha1: 52d5e8aafdab8e5af7fb5067a139a463674724d8  size: 30720
Timestamp: 2014-06-11 06:51:29
PEhash: 7e69941d57396dfffeeb9c49d5410bc21a3ac38b
IMPhash: 3343bbedfb81cd0e47de3f9909e1e163
AV  CA (E-Trust Ino): Gen:Variant.Razy.15676
AV  F-Secure: Gen:Variant.Razy.15676
AV  Dr. Web: No Virus
AV  ClamAV: No Virus
AV  Arcabit (arcavir): Gen:Variant.Razy.15676
AV  BullGuard: Gen:Variant.Razy.15676
AV  VirusBlokAda (vba32): No Virus
AV  CAT (quickheal): TrojanSpy.Nivdort.WR4
AV  Trend Micro: No Virus
AV  Kaspersky: Trojan.Win32.Generic
AV  Zillya!: No Virus
AV  Emsisoft: Gen:Variant.Razy.15676
AV  Ikarus: Trojan.Win32.Bayrob
AV  Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV  Authentium: W32/Nivdort.G.gen!Eldorado
AV  MalwareBytes: No Virus
AV  MicroWorld (escan): Gen:Variant.Razy.15676
AV  Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DE
AV  K7: Trojan ( 004dc2a31 )
AV  BitDefender: Gen:Variant.Razy.15676
AV  Fortinet: W32/Bayrob.AQ!tr
AV  Symantec: Trojan.Bayrob!gen6
AV  Grisoft (avg): Generic37.WIG
AV  Eset (nod32): Win32/Bayrob.BA
AV  Alwil (avast): Vupa [Cryp]
AV  Ad-Aware: Gen:Variant.Razy.15676
AV  Twister: No Virus
AV  Avira (antivir): No Virus
AV  Mcafee: Trojan-FHQT!7ACB54F5C451
AV  Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ylbjlwswo\k2zd1k8bhbhnzawdy.exe
Creates File: C:\ylbjlwswo\pisw3ubcs
Creates File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Deletes File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Creates Process: C:\ylbjlwswo\k2zd1k8bhbhnzawdy.exe

Process
↳ C:\ylbjlwswo\k2zd1k8bhbhnzawdy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Function Extender Browser ➝ C:\ylbjlwswo\jddtglwel.exe
Creates File: C:\ylbjlwswo\jddtglwel.exe
Creates File: C:\ylbjlwswo\rdfkyljj
Creates File: PIPE\lsarpc
Creates File: C:\ylbjlwswo\pisw3ubcs
Creates File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Deletes File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Creates Process: C:\ylbjlwswo\jddtglwel.exe
Creates Service: Tablet Update WMI Office Secure Installer Video - C:\ylbjlwswo\jddtglwel.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1124

Process
↳ C:\ylbjlwswo\jddtglwel.exe

Creates File: C:\ylbjlwswo\ccsebkqxw
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ylbjlwswo\uyvyzxkkq.exe
Creates File: C:\ylbjlwswo\rdfkyljj
Creates File: C:\ylbjlwswo\pisw3ubcs
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Deletes File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Creates Process: gz2bv5lpzzxa "c:\ylbjlwswo\jddtglwel.exe"

Process
↳ C:\ylbjlwswo\jddtglwel.exe

Creates File: C:\ylbjlwswo\pisw3ubcs
Creates File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Deletes File: C:\WINDOWS\ylbjlwswo\pisw3ubcs

Process
↳ gz2bv5lpzzxa "c:\ylbjlwswo\jddtglwel.exe"

Creates File: C:\ylbjlwswo\pisw3ubcs
Creates File: C:\WINDOWS\ylbjlwswo\pisw3ubcs
Deletes File: C:\WINDOWS\ylbjlwswo\pisw3ubcs

Network Details:

HTTP GET: http://littlecountry.net/index.php
  User-Agent:
HTTP GET: http://chairfamous.net/index.php
  User-Agent:
HTTP GET: http://effortcountry.net/index.php
  User-Agent:
HTTP GET: http://remembercentury.net/index.php
  User-Agent:
HTTP GET: http://littleletter.net/index.php
  User-Agent:
HTTP GET: http://throughdifferent.net/index.php
  User-Agent:
HTTP GET: http://degreeclean.net/index.php
  User-Agent:
HTTP GET: http://glasspaint.net/index.php
  User-Agent:
HTTP GET: http://glasscourse.net/index.php
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 84.16.80.74:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.53:80
Flows TCP: 192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1037 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1038 ➝ 172.99.81.163:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80
