Analysis Date: 2015-11-16 21:01:44
MD5: c7068154909dd04756d8c07d0a5d721d
SHA1: 70ea5e343f7cc021a7741169c458625a2d1a45fa

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 049639968e7bfea2e3d7d47ce411e648 sha1: d0018771e3bf231d7cdde9e73714219c595127f9 size: 326656
Section .rdata: md5: 36c54a565d4e6414d514da3d5c83943a sha1: ce7ab99ba2a19e419c6f19f9d8e98b5fb13d67a1 size: 60928
Section .data: md5: aff473054d6cfecc52a5934e20c473d2 sha1: 9a7fda30b0d698ff24c979d607406fda5b6f8284 size: 7680
Section .reloc: md5: 0f81592386890ff81ad5fef0cf9c2d98 sha1: 147caf501cc0f6a5cc4269c07c30c50483ac31bb size: 27648
Timestamp: 2015-05-11 07:10:01
Packer: Microsoft Visual C++ 8
PEhash: 243cd91248f31b13d92bbaf6abfb9e4aeee8768f
IMPhash: 8947c4d117cc35585da87aaaaa644712
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: PWS-FCCE!C7068154909D
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: Trojan.Scar.jsgr.dsco
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.W
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Zusy.141475
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Zusy.141475
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates File: C:\dyhycjvznrjv\sbljdz
Creates File: C:\dyhycjvznrjv\sqxt8beik28kdi.exe
Deletes File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates Process: C:\dyhycjvznrjv\sqxt8beik28kdi.exe

Process
↳ C:\dyhycjvznrjv\sqxt8beik28kdi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tools Telephony Information Redirector ➝ C:\dyhycjvznrjv\khtgpikh.exe
Creates File: C:\dyhycjvznrjv\khtgpikh.exe
Creates File: C:\dyhycjvznrjv\utcgxpqcrr
Creates File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates File: PIPE\lsarpc
Creates File: C:\dyhycjvznrjv\sbljdz
Deletes File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates Process: C:\dyhycjvznrjv\khtgpikh.exe
Creates Service: Registrar Error User Tools - C:\dyhycjvznrjv\khtgpikh.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\SQXT8BEIK28KDI.EXE-1AF7ED7B.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\70EA5E343F7CC021A7741169C4586-386A43FC.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\KHTGPIKH.EXE-39297EE0.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\UQKLNBL.EXE-06734438.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1208

Process
↳ Pid 1296

Process
↳ Pid 1856

Process
↳ Pid 1196

Process
↳ C:\dyhycjvznrjv\khtgpikh.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\dyhycjvznrjv\utcgxpqcrr
Creates File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates File: C:\dyhycjvznrjv\uqklnbl.exe
Creates File: C:\dyhycjvznrjv\ay9jfbjk6lf
Creates File: \Device\Afd\Endpoint
Creates File: C:\dyhycjvznrjv\sbljdz
Deletes File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates Process: qiy6jrldsizr "c:\dyhycjvznrjv\khtgpikh.exe"

Process
↳ C:\dyhycjvznrjv\khtgpikh.exe

Creates File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates File: C:\dyhycjvznrjv\sbljdz
Deletes File: C:\WINDOWS\dyhycjvznrjv\sbljdz

Process
↳ qiy6jrldsizr "c:\dyhycjvznrjv\khtgpikh.exe"

Creates File: C:\WINDOWS\dyhycjvznrjv\sbljdz
Creates File: C:\dyhycjvznrjv\sbljdz
Deletes File: C:\WINDOWS\dyhycjvznrjv\sbljdz

Network Details:

HTTP GET: http://husbandthrown.net/index.php
User-Agent:
HTTP GET: http://destroystorm.net/index.php
User-Agent:
HTTP GET: http://littlestorm.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://littlealthough.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.49:80
Flows TCP: 192.168.1.1:1034 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1035 ➝ 208.100.26.234:80
