Analysis Date: 2015-08-19 04:30:56
MD5: 6587e80e81da812ad1c9c26ffac83673
SHA1: 7cbe698d63f4800de81980b18e95207c0d5218c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3c7892cc063b915ff83dbe18ed95cb9d sha1: 565583722801a0f8632aefa13b318d8d8a58bcc6 size: 288256
Section .rdata: md5: cbfa4dfb4548fcfa002d38aeb35b7351 sha1: 9b8f739207e0efaaf98be90ef59a33a8be6b7ad4 size: 44032
Section .data: md5: 95347c9c32015322e2c85e041f59c776 sha1: 8337ad3934beb5eaaacabc7ac1d3193e1d92d49d size: 6656
Section .reloc: md5: 6d853a1404bc67009520078ca541017b sha1: 8958559a84f90664231ecc3b5ae0d60582bd5bd9 size: 23552
Timestamp: 2015-05-21 03:44:14
Packer: Microsoft Visual C++ ?.?
PEhash: 77e2e255f28dd6f2c0aa4571b554dfda440d7152
IMPhash: 1bbcbaa4fe1b0e36f4ee7c38bb5cb4b3
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): no_virus
AV Mcafee: Trojan-FGIJ!6587E80E81DA

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ohieabzh\n11lg5mycnvaewz.exe
Creates File: C:\WINDOWS\ohieabzh\csgltxz
Creates File: C:\ohieabzh\csgltxz
Deletes File: C:\WINDOWS\ohieabzh\csgltxz
Creates Process: C:\ohieabzh\n11lg5mycnvaewz.exe

Process
↳ C:\ohieabzh\n11lg5mycnvaewz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Port Card Offline Counter Credential ➝ C:\ohieabzh\kjlzbcmmqjq.exe
Creates File: PIPE\lsarpc
Creates File: C:\ohieabzh\pp5vxqm
Creates File: C:\WINDOWS\ohieabzh\csgltxz
Creates File: C:\ohieabzh\kjlzbcmmqjq.exe
Creates File: C:\ohieabzh\csgltxz
Deletes File: C:\WINDOWS\ohieabzh\csgltxz
Creates Process: C:\ohieabzh\kjlzbcmmqjq.exe
Creates Service: Locator Alerts PC NGEN Server Counter Location - C:\ohieabzh\kjlzbcmmqjq.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1132

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1056

Process
↳ C:\ohieabzh\kjlzbcmmqjq.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ohieabzh\rqbkzsqiu0
Creates File: C:\ohieabzh\pp5vxqm
Creates File: C:\WINDOWS\ohieabzh\csgltxz
Creates File: \Device\Afd\Endpoint
Creates File: C:\ohieabzh\csgltxz
Creates File: C:\ohieabzh\rninkuigw.exe
Deletes File: C:\WINDOWS\ohieabzh\csgltxz
Creates Process: jicerluiitah "c:\ohieabzh\kjlzbcmmqjq.exe"

Process
↳ C:\ohieabzh\kjlzbcmmqjq.exe

Creates File: C:\WINDOWS\ohieabzh\csgltxz
Creates File: C:\ohieabzh\csgltxz
Deletes File: C:\WINDOWS\ohieabzh\csgltxz

Process
↳ jicerluiitah "c:\ohieabzh\kjlzbcmmqjq.exe"

Creates File: C:\WINDOWS\ohieabzh\csgltxz
Creates File: C:\ohieabzh\csgltxz
Deletes File: C:\WINDOWS\ohieabzh\csgltxz

Network Details:

HTTP GET: http://finishshort.net/index.php (User-Agent: none)
HTTP GET: http://sweetshort.net/index.php (User-Agent: none)
HTTP GET: http://probablyshort.net/index.php (User-Agent: none)
HTTP GET: http://sweetpromise.net/index.php (User-Agent: none)
HTTP GET: http://materialopinion.net/index.php (User-Agent: none)
HTTP GET: http://simpleoffice.net/index.php (User-Agent: none)
HTTP GET: http://mountainsupply.net/index.php (User-Agent: none)
HTTP GET: http://windowsupply.net/index.php (User-Agent: none)
HTTP GET: http://sweetoffice.net/index.php (User-Agent: none)
HTTP GET: http://materialsupply.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1034 ➝ 69.64.147.249:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.104:80
Flows TCP: 192.168.1.1:1037 ➝ 67.18.199.2:80
Flows TCP: 192.168.1.1:1038 ➝ 173.236.172.44:80
Flows TCP: 192.168.1.1:1039 ➝ 162.213.251.173:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.36:80
