Analysis Date: 2018-04-18 19:41:13
MD5: 195a7b51761b78225672016f1b1daff9
SHA1: 7acbd9c396ff3d7f4e0a20a64ad39ba88546e089

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV Authentium: W32/BayRob.G.gen!Eldorado
AV Grisoft (avg): No Virus
AV Avira (antivir): TR/Nivdort.mgjuw
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Razy.12226
AV BitDefender: Gen:Variant.Razy.12226
AV BullGuard: Error Scanning File
AV ClamAV: Error Scanning File
AV Dr. Web: No Virus
AV Emsisoft: Gen:Variant.Razy.12226
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: W32/Bayrob.AQ!tr
AV Frisk (f-prot): W32/BayRob.G.gen!Eldorado
AV F-Secure: Gen:Variant.Razy.12226
AV Ikarus: Error Scanning File
AV K7: Trojan ( 004db0c61 )
AV Kaspersky: Error Scanning File
AV MalwareBytes: No Virus
AV Mcafee: Trojan-FHPX!195A7B51761B
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV NANO: No Virus
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Padvish: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: Trojan.Bayrob!gen6
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): No Virus
AV Windows Defender: TrojanSpy:Win32/Nivdort
AV Zillya!: Error Scanning File

Runtime Details:


Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\7acbd9c396ff3d7f4e0a20a64ad39ba88546e089.exe

Creates Mutex
Creates Mutex
Creates Mutex
Creates File: C:\Windows\lhedmsadzi\asxz2q
Creates File: C:\lhedmsadzi\asxz2q
Creates File: c:\Users\Phil\AppData\Local\Temp\7acbd9c396ff3d7f4e0a20a64ad39ba88546e089.exe
Creates File: C:\lhedmsadzi\stuzrqcjqttx4gbfzd.exe

Process
↳ C:\lhedmsadzi\stuzrqcjqttx4gbfzd.exe

Creates Mutex
Creates Mutex
Creates Mutex
Creates File: C:\Windows\lhedmsadzi\asxz2q
Creates File: C:\lhedmsadzi\asxz2q
Creates File: C:\lhedmsadzi\qa9tak4xdxgt
Creates File: C:\lhedmsadzi\run

Process
↳ C:\lhedmsadzi\qkknvxyny.exe

Creates Mutex
Creates Mutex
Creates Mutex
Creates File: C:\Windows\lhedmsadzi\asxz2q
Creates File: C:\lhedmsadzi\asxz2q
Creates File: C:\lhedmsadzi\qa9tak4xdxgt

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77737072 696e672e 6e65740d   indowspring.net.
0x00000050 (00080)   0a0d0a66 746e6373 692e636f 6d0d0a0d   ...ftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   65726861 70737375 63636573 732e6e65   erhapssuccess.ne
0x00000050 (00080)   740d0a0d 0a6e6373 692e636f 6d0d0a0d   t....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77737563 63657373 2e6e6574   indowsuccess.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   65726861 70736261 6e6b6572 2e6e6574   erhapsbanker.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 7762616e 6b65722e 6e65740d   indowbanker.net.
0x00000050 (00080)   0a0d0a0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e7465 72666f75 6e642e6e 65740d0a   interfound.net..
0x00000050 (00080)   0d0a0a0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   75626a65 6374666f 756e642e 6e65740d   ubjectfound.net.
0x00000050 (00080)   0a0d0a0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e7465 72737072 696e672e 6e65740d   interspring.net.
0x00000050 (00080)   0a0d0a0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   75626a65 63747370 72696e67 2e6e6574   ubjectspring.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e7465 72737563 63657373 2e6e6574   intersuccess.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   75626a65 63747375 63636573 732e6e65   ubjectsuccess.ne
0x00000050 (00080)   740d0a0d 0a6e6373 692e636f 6d0d0a0d   t....ncsi.com...
0x00000060 (00096)   0a                                    .


Strings