Analysis Date: 2015-10-11 13:29:47
MD5: 9f1921a353fef9fe7e3b2e02f13f2080
SHA1: 8074ec810b457916c69bfeabfa69ee65a5ade716

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 28a14c822f38376258fee6c76453a606  sha1: 1cd4857767148cefc196c34a5ff4312bebc4ae04  size: 323072
Section .rdata  md5: ba44134f98721066e96a32d1a52e2b28  sha1: 52f58892ff4ba59f349838c3379de115f34e2f06  size: 60928
Section .data   md5: 0ecb9cdda85bf8913e65d4a95f428e11  sha1: 2080f71193928a46a34897420b8fcb20139b42c9  size: 7680
Section .reloc  md5: 2f8b798106ccad65bab6dc88e29a75c4  sha1: 246a60204578a8c2dc6d1a556ef0356ef6c75268  size: 27136
Timestamp: 2015-05-11 06:50:04
Packer: Microsoft Visual C++ 8
PEhash: 70385bd368dd54345a497de44e592b7540586121
IMPhash: 9920edfc10b1f5c729ccf66582fa6c80
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: PWS-FCCE!9F1921A353FE
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: W32.Bayrob.W.rrfs
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.W
AV Grisoft (avg): Generic36.BLHE
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Kazy.611009
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611009
AV Zillya!: Trojan.Bayrob.Win32.1642
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611009
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Kazy.611009
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\tdbtcwa\llvv1l2oaxvwukwy.exe
Creates File: C:\tdbtcwa\j9d2byvf0ndw
Creates File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Deletes File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Creates Process: C:\tdbtcwa\llvv1l2oaxvwukwy.exe

Process
↳ C:\tdbtcwa\llvv1l2oaxvwukwy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\List Transaction SPP SNMP Protected Net.Tcp ➝ C:\tdbtcwa\gnsuxzf.exe
Creates File: C:\tdbtcwa\j9d2byvf0ndw
Creates File: C:\tdbtcwa\gi9myqt
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Creates File: C:\tdbtcwa\gnsuxzf.exe
Deletes File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Creates Process: C:\tdbtcwa\gnsuxzf.exe
Creates Service: Shadow Call Compatibility DLL Engine - C:\tdbtcwa\gnsuxzf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1144

Process
↳ C:\tdbtcwa\gnsuxzf.exe

Creates File: C:\tdbtcwa\o9hlm1
Creates File: pipe\net\NtControlPipe10
Creates File: C:\tdbtcwa\nvmwrctsjzfi.exe
Creates File: C:\tdbtcwa\j9d2byvf0ndw
Creates File: C:\tdbtcwa\gi9myqt
Creates File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Creates Process: mnglgwresumz "c:\tdbtcwa\gnsuxzf.exe"

Process
↳ C:\tdbtcwa\gnsuxzf.exe

Creates File: C:\tdbtcwa\j9d2byvf0ndw
Creates File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Deletes File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw

Process
↳ mnglgwresumz "c:\tdbtcwa\gnsuxzf.exe"

Creates File: C:\tdbtcwa\j9d2byvf0ndw
Creates File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw
Deletes File: C:\WINDOWS\tdbtcwa\j9d2byvf0ndw

Network Details:

DNS: recordlisten.net  Type: A  ➝ 72.52.4.90
DNS: recorddemand.net  Type: A  ➝ 50.63.202.50
DNS: betterbring.net  Type: A  ➝ 195.22.26.254
DNS: betterbring.net  Type: A  ➝ 195.22.26.231
DNS: betterbring.net  Type: A  ➝ 195.22.26.252
DNS: betterbring.net  Type: A  ➝ 195.22.26.253
DNS: betterlisten.net  Type: A  ➝ 97.74.144.153
DNS: quietdemand.net  Type: A  ➝ 208.100.26.234
DNS: seasondemand.net  Type: A  ➝ 72.52.4.90
DNS: nightstation.net  Type: A  ➝ 69.163.242.16
DNS: electricstation.net  Type: A  ➝ 50.63.202.37
DNS: streetstation.net  Type: A  ➝ 72.52.4.90
DNS: tradestation.net  Type: A  ➝ 65.211.211.21
DNS: captaindemand.net  Type: A
DNS: largeshout.net  Type: A
DNS: captainshout.net  Type: A
DNS: recordbring.net  Type: A
DNS: electricbring.net  Type: A
DNS: electriclisten.net  Type: A
DNS: electricdemand.net  Type: A
DNS: recordshout.net  Type: A
DNS: electricshout.net  Type: A
DNS: streetbring.net  Type: A
DNS: tradebring.net  Type: A
DNS: streetlisten.net  Type: A
DNS: tradelisten.net  Type: A
DNS: streetdemand.net  Type: A
DNS: tradedemand.net  Type: A
DNS: streetshout.net  Type: A
DNS: tradeshout.net  Type: A
DNS: gatherbring.net  Type: A
DNS: gatherlisten.net  Type: A
DNS: betterdemand.net  Type: A
DNS: gatherdemand.net  Type: A
DNS: bettershout.net  Type: A
DNS: gathershout.net  Type: A
DNS: flierbring.net  Type: A
DNS: breadbring.net  Type: A
DNS: flierlisten.net  Type: A
DNS: breadlisten.net  Type: A
DNS: flierdemand.net  Type: A
DNS: breaddemand.net  Type: A
DNS: fliershout.net  Type: A
DNS: breadshout.net  Type: A
DNS: quietbring.net  Type: A
DNS: seasonbring.net  Type: A
DNS: quietlisten.net  Type: A
DNS: seasonlisten.net  Type: A
DNS: quietshout.net  Type: A
DNS: seasonshout.net  Type: A
DNS: againststation.net  Type: A
DNS: doubtstation.net  Type: A
DNS: againstthird.net  Type: A
DNS: doubtthird.net  Type: A
DNS: againstobject.net  Type: A
DNS: doubtobject.net  Type: A
DNS: againstchildhood.net  Type: A
DNS: doubtchildhood.net  Type: A
DNS: decidestation.net  Type: A
DNS: nightthird.net  Type: A
DNS: decidethird.net  Type: A
DNS: nightobject.net  Type: A
DNS: decideobject.net  Type: A
DNS: nightchildhood.net  Type: A
DNS: decidechildhood.net  Type: A
DNS: largestation.net  Type: A
DNS: captainstation.net  Type: A
DNS: largethird.net  Type: A
DNS: captainthird.net  Type: A
DNS: largeobject.net  Type: A
DNS: captainobject.net  Type: A
DNS: largechildhood.net  Type: A
DNS: captainchildhood.net  Type: A
DNS: recordstation.net  Type: A
DNS: recordthird.net  Type: A
DNS: electricthird.net  Type: A
DNS: recordobject.net  Type: A
DNS: electricobject.net  Type: A
DNS: recordchildhood.net  Type: A
DNS: electricchildhood.net  Type: A
DNS: streetthird.net  Type: A
DNS: tradethird.net  Type: A
DNS: streetobject.net  Type: A
DNS: tradeobject.net  Type: A
DNS: streetchildhood.net  Type: A
DNS: tradechildhood.net  Type: A
DNS: betterstation.net  Type: A
DNS: gatherstation.net  Type: A
HTTP GET: http://recordlisten.net/index.php
  User-Agent:
HTTP GET: http://recorddemand.net/index.php
  User-Agent:
HTTP GET: http://betterbring.net/index.php
  User-Agent:
HTTP GET: http://betterlisten.net/index.php
  User-Agent:
HTTP GET: http://quietdemand.net/index.php
  User-Agent:
HTTP GET: http://seasondemand.net/index.php
  User-Agent:
HTTP GET: http://nightstation.net/index.php
  User-Agent:
HTTP GET: http://electricstation.net/index.php
  User-Agent:
HTTP GET: http://streetstation.net/index.php
  User-Agent:
HTTP GET: http://tradestation.net/index.php
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.50:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1034 ➝ 97.74.144.153:80
Flows TCP: 192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1036 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1037 ➝ 69.163.242.16:80
Flows TCP: 192.168.1.1:1038 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1040 ➝ 65.211.211.21:80
