Analysis Date: 2015-08-22 07:33:02
MD5: 76084e5c1e4df65e5b3d733db24ef870
SHA1: 82b5839669eb810649925cfbbc56480ffa2d31de

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c94d52328d596863c7044545ab2e3136 sha1: dd0594045eca8fdf7ff7b9d50aa805b819ed2b31 size: 1289216
Section .rdata: md5: 386d991d93744ecc16932c1256943249 sha1: ba5cdc7bfe3016eb0991ae891f84ff3ee1d27860 size: 314368
Section .data: md5: 2e7ae6e38c4c3761751b2ba9de4f3833 sha1: 4c75573dd078e19443d380ced5d5a71ee33bd061 size: 8192
Section .reloc: md5: 2f8a440460dcfc46f310cc3b7de46b62 sha1: 80b985a2dc5748d1cceb55cad4eae03602380f78 size: 172544
Timestamp: 2015-05-11 04:53:44
Packer: VC8 -> Microsoft Corporation (a compiler signature for Visual C++ 8, not a packer)
PEhash: 00dd1ce2cb96fe5f9c54b6f6af1c097b6315ace4
IMPhash: ba6c4e18e003edea0b551aea72c28161
AV Rising: no_virus
AV Mcafee: Trojan-FGIJ!76084E5C1E4D
AV Avira (antivir): TR/Spy.Agent.1785344
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611782
AV Alwil (avast): Dropper-OJQ [Drp]
AV Eset (nod32): Win32/Bayrob.Z
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.X!tr
AV BitDefender: Gen:Variant.Kazy.611782
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV MalwareBytes: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611782
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.SoxGrave.bsj
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611782
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Kazy.611782

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\pepnvr1nuylqggkn1gax.exe
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\pepnvr1nuylqggkn1gax.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\pepnvr1nuylqggkn1gax.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tracking Engine PNRP Net.Tcp Search ➝ C:\WINDOWS\system32\fsezohq.exe
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\etc
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\fsezohq.exe
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\lck
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\fsezohq.exe
Creates Service: Tracking Resolution CNG Proxy Location Health - C:\WINDOWS\system32\fsezohq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1164

Process
↳ C:\WINDOWS\system32\fsezohq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\lck
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\tst
Creates File: C:\WINDOWS\system32\mkgcrrrsxmz.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\pepnvr1v6ulq.exe
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\rng
Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\cfg
Creates Process: C:\WINDOWS\TEMP\pepnvr1v6ulq.exe -r 45944 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\fsezohq.exe"

Process
↳ C:\WINDOWS\system32\fsezohq.exe

Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\fsezohq.exe"

Creates File: C:\WINDOWS\system32\ijbtunqtnvkz\tst

Process
↳ C:\WINDOWS\TEMP\pepnvr1v6ulq.exe -r 45944 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
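The process tree above shows the stages a responder would key on: the sample in C:\malware.exe drops a randomly named executable in the user's Temp folder; that copy installs fsezohq.exe into system32, registers it both under the HKLM Run key (value name "Tracking Engine PNRP Net.Tcp Search") and as a service ("Tracking Resolution CNG Proxy Location Health"), rewrites drivers\etc\hosts and sets Security Center FirewallDisableNotify to 1; the installed copy then spawns a Temp helper with a "-r 45944 tcp" argument and keeps itself alive through a WATCHDOGPROC child. The Python script below is an added example and is not part of the sandbox report: it parses event lines of this shape into (action, detail) records, sorts them into finding categories for triage, and flattens the persistence artifacts into names and paths to sweep other hosts for. The category names, the regular expressions and the sample lines (a constructed excerpt modeled on the entries above) are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt modeled on the sandbox report's runtime section
# (same paths and values as the report, written as "Action: detail" lines).
SAMPLE_EVENTS = r"""
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\pepnvr1nuylqggkn1gax.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tracking Engine PNRP Net.Tcp Search ➝ C:\WINDOWS\system32\fsezohq.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\fsezohq.exe
Deletes File: C:\WINDOWS\system32\drivers\etc\hosts
Creates Service: Tracking Resolution CNG Proxy Location Health - C:\WINDOWS\system32\fsezohq.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates Process: C:\WINDOWS\TEMP\pepnvr1v6ulq.exe -r 45944 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\fsezohq.exe"
Creates File: pipe\net\NtControlPipe10
"""

EVENT_RE = re.compile(r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry): (.*)$")
ARROW_RE = re.compile(r"\s(?:➝|->)\s")  # separates a registry key from its value

# Hypothetical triage patterns (my own, not from the report's tooling).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SECURITY_CENTER_RE = re.compile(r"\\Security Center\\\w+DisableNotify$", re.IGNORECASE)
HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts$", re.IGNORECASE)
SYSTEM32_EXE_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z0-9]+\.exe$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
PORT_ARG_RE = re.compile(r"\s-r\s+\d+\s+tcp$", re.IGNORECASE)


def parse_events(text):
    """Turn 'Action: detail' lines into (action, detail) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def triage(events):
    """Sort events into finding categories; returns {category: [detail, ...]}."""
    findings = defaultdict(list)
    for action, detail in events:
        if action == "Registry":
            parts = ARROW_RE.split(detail, maxsplit=1)
            key = parts[0]
            value = parts[1].strip() if len(parts) > 1 else ""
            if RUN_KEY_RE.search(key):
                findings["persistence_run_key"].append(f"{key} = {value}")
            elif SECURITY_CENTER_RE.search(key) and value == "1":
                findings["security_center_tamper"].append(key)
        elif action == "Creates Service":
            findings["persistence_service"].append(detail)
        elif action in ("Creates File", "Deletes File") and HOSTS_RE.search(detail):
            findings["hosts_file_tamper"].append(f"{action}: {detail}")
        elif action == "Creates File" and SYSTEM32_EXE_RE.match(detail):
            findings["dropped_system32_binary"].append(detail)
        elif action == "Creates File" and TEMP_EXE_RE.search(detail):
            findings["dropped_temp_binary"].append(detail)
        elif action == "Creates Process" and detail.startswith("WATCHDOGPROC "):
            findings["watchdog_respawn"].append(detail)
        elif action == "Creates Process" and PORT_ARG_RE.search(detail):
            # "-r <number> tcp" is the argument shape in the report; the sandbox output
            # does not establish what the helper does with it, so it is only recorded.
            findings["temp_helper_with_port_arg"].append(detail)
    return dict(findings)


def hunt_indicators(findings):
    """Flatten findings into the paths, service name and Run value name to sweep other hosts for."""
    iocs = set()
    for detail in findings.get("dropped_system32_binary", []) + findings.get("dropped_temp_binary", []):
        iocs.add(detail)
    for detail in findings.get("persistence_service", []):
        iocs.add(detail.split(" - ", 1)[0])  # service display name
    for detail in findings.get("persistence_run_key", []):
        key = detail.split(" = ", 1)[0]
        iocs.add(key.rsplit("\\", 1)[1])  # Run value name
    return sorted(iocs)


if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_EVENTS))
    for category, details in found.items():
        print(category)
        for d in details:
            print("   ", d)
    print("hunt:", hunt_indicators(found))
```

Hits that are generic (the ijbtunqtnvkz working directory, the named pipe, the Afd endpoint) are deliberately left uncategorised; the point of the triage step is to surface the handful of artifacts that survive a reboot or change host behaviour, and to carry only those forward as hunt terms.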

Network Details:

DNS: recordsoldier.net  Type: A  208.91.197.241
DNS: fliersurprise.net  Type: A  208.91.197.241
DNS: historybright.net  Type: A  208.91.197.241
DNS: chiefsoldier.net  Type: A  208.91.197.241
DNS: classsurprise.net  Type: A  208.91.197.241
DNS: thosecontinue.net  Type: A  208.91.197.241
DNS: throughcontain.net  Type: A  208.91.197.241
DNS: belongguard.net  Type: A  208.91.197.241
DNS: maybellinethaddeus.net  Type: A  208.91.197.241
DNS: kimberleyshavonne.net  Type: A  208.91.197.241
DNS: naildeep.com  Type: A  74.220.215.218
DNS: riddenstorm.net  Type: A  66.147.240.171
DNS: destroystorm.net  Type: A  216.239.138.86
DNS: longcross.net  Type: A  88.208.252.175
DNS: lifecross.net  Type: A  50.63.87.9
DNS: shallcross.net  Type: A  91.222.8.96
DNS: deepshade.net  Type: A  50.63.202.53
DNS: alongthrew.net  Type: A  95.211.230.75
DNS: husbandfound.net  Type: A
DNS: leadershort.net  Type: A
DNS: eggbraker.com  Type: A
DNS: ithouneed.com  Type: A
DNS: alongrise.net  Type: A
DNS: decemberrise.net  Type: A
DNS: alongnoise.net  Type: A
DNS: decembernoise.net  Type: A
DNS: alongpull.net  Type: A
DNS: decemberpull.net  Type: A
DNS: longthrew.net  Type: A
DNS: soilthrew.net  Type: A
DNS: soilcross.net  Type: A
DNS: longshade.net  Type: A
DNS: soilshade.net  Type: A
DNS: longfloor.net  Type: A
DNS: soilfloor.net  Type: A
DNS: wheelthrew.net  Type: A
DNS: saidthrew.net  Type: A
DNS: wheelcross.net  Type: A
DNS: saidcross.net  Type: A
DNS: wheelshade.net  Type: A
DNS: saidshade.net  Type: A
DNS: wheelfloor.net  Type: A
DNS: saidfloor.net  Type: A
DNS: stickthrew.net  Type: A
DNS: ballthrew.net  Type: A
DNS: stickcross.net  Type: A
DNS: ballcross.net  Type: A
DNS: stickshade.net  Type: A
DNS: ballshade.net  Type: A
DNS: stickfloor.net  Type: A
DNS: ballfloor.net  Type: A
DNS: enemythrew.net  Type: A
DNS: lifethrew.net  Type: A
DNS: enemycross.net  Type: A
DNS: enemyshade.net  Type: A
DNS: lifeshade.net  Type: A
DNS: enemyfloor.net  Type: A
DNS: lifefloor.net  Type: A
DNS: mouththrew.net  Type: A
DNS: tillthrew.net  Type: A
DNS: mouthcross.net  Type: A
DNS: tillcross.net  Type: A
DNS: mouthshade.net  Type: A
DNS: tillshade.net  Type: A
DNS: mouthfloor.net  Type: A
DNS: tillfloor.net  Type: A
DNS: shallthrew.net  Type: A
DNS: deepthrew.net  Type: A
DNS: deepcross.net  Type: A
DNS: shallshade.net  Type: A
DNS: shallfloor.net  Type: A
DNS: deepfloor.net  Type: A
DNS: pushthrew.net  Type: A
DNS: fridaythrew.net  Type: A
DNS: pushcross.net  Type: A
DNS: fridaycross.net  Type: A
DNS: pushshade.net  Type: A
DNS: fridayshade.net  Type: A
DNS: pushfloor.net  Type: A
DNS: fridayfloor.net  Type: A
DNS: decemberthrew.net  Type: A
DNS: alongcross.net  Type: A
DNS: decembercross.net  Type: A
DNS: alongshade.net  Type: A
DNS: decembershade.net  Type: A
DNS: alongfloor.net  Type: A
DNS: decemberfloor.net  Type: A
DNS: longusual.net  Type: A
DNS: soilusual.net  Type: A
DNS: longcould.net  Type: A
DNS: soilcould.net  Type: A
DNS: longteach.net  Type: A
DNS: soilteach.net  Type: A
DNS: longgrave.net  Type: A
DNS: soilgrave.net  Type: A
DNS: wheelusual.net  Type: A
DNS: saidusual.net  Type: A
DNS: wheelcould.net  Type: A
DNS: saidcould.net  Type: A
DNS: wheelteach.net  Type: A
DNS: saidteach.net  Type: A
DNS: wheelgrave.net  Type: A
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://longcross.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://lifecross.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://shallcross.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://deepshade.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://alongthrew.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://longcross.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://lifecross.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://shallcross.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://deepshade.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://alongthrew.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 88.208.252.175:80
Flows TCP: 192.168.1.1:1051 ➝ 50.63.87.9:80
Flows TCP: 192.168.1.1:1052 ➝ 91.222.8.96:80
Flows TCP: 192.168.1.1:1053 ➝ 50.63.202.53:80
Flows TCP: 192.168.1.1:1054 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1055 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1065 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1066 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1067 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1068 ➝ 88.208.252.175:80
Flows TCP: 192.168.1.1:1069 ➝ 50.63.87.9:80
Flows TCP: 192.168.1.1:1070 ➝ 91.222.8.96:80
Flows TCP: 192.168.1.1:1071 ➝ 50.63.202.53:80
Flows TCP: 192.168.1.1:1072 ➝ 95.211.230.75:80
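The network section has three features worth turning into detection logic: every check-in is an HTTP GET to /index.php?method=validate&mode=sox&v=050&sox=... sent with an empty User-Agent header (the "sox" mode matches the SoxGrave family label used by Kaspersky and Authentium in the static section); ten unrelated-looking .net domains all resolve to 208.91.197.241, and each is contacted twice, matching the two batches of flows; and a long tail of two-word .net domains returns no address at all. The Python script below is an added example and is not part of the sandbox report: it parses DNS and HTTP GET lines of this shape, clusters domains by the address they resolved to, lists the unresolved ones, tests URLs against the check-in shape, and applies that same test to proxy-log lines. The sample report lines are a constructed excerpt modeled on the entries above, the proxy-log lines are constructed, and the regular expressions and function names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed excerpt modeled on the report's network section, in "Key: value" form.
SAMPLE_NETWORK = """\
DNS: recordsoldier.net  Type: A  208.91.197.241
DNS: fliersurprise.net  Type: A  208.91.197.241
DNS: naildeep.com  Type: A  74.220.215.218
DNS: husbandfound.net  Type: A
DNS: leadershort.net  Type: A
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr  User-Agent: (empty)
"""

# Constructed proxy-log lines (not from the report): "<epoch> <client> <method> <url> <referer> <status>".
SAMPLE_PROXY_LOG = [
    "1440228790.123 10.0.0.7 GET http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f2e0002&lenhdr - 200",
    "1440228791.456 10.0.0.7 GET http://example.org/index.php?method=validate&mode=list - 200",
    "1440228792.789 10.0.0.9 GET http://example.org/other.php?method=validate&mode=sox - 404",
]

DNS_RE = re.compile(r"^DNS: (\S+)\s+Type: (\w+)(?:\s+(\d{1,3}(?:\.\d{1,3}){3}))?$")
GET_RE = re.compile(r"^HTTP GET: (\S+)(?:\s+User-Agent: (.*))?$")


def parse_dns(text):
    """Return {domain: answer_ip_or_None} for the A-record queries in the report text."""
    answers = {}
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m and m.group(2) == "A":
            answers[m.group(1)] = m.group(3)
    return answers


def cluster_by_ip(answers):
    """Group resolved domains by the address they returned; one IP behind many names is a pivot."""
    clusters = defaultdict(list)
    for domain, ip in answers.items():
        if ip:
            clusters[ip].append(domain)
    return dict(clusters)


def unresolved(answers):
    """Domains that were queried but came back with no address."""
    return sorted(d for d, ip in answers.items() if ip is None)


def is_sox_checkin(url):
    """True when the URL has the report's check-in shape: /index.php with method=validate and mode=sox."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    return q.get("method") == ["validate"] and q.get("mode") == ["sox"]


def checkin_hosts(text):
    """(host, user_agent_was_empty) for every report GET that matches the check-in shape."""
    hosts = []
    for line in text.splitlines():
        m = GET_RE.match(line.strip())
        if not m or not is_sox_checkin(m.group(1)):
            continue
        ua = (m.group(2) or "").strip()
        hosts.append((urlsplit(m.group(1)).hostname, ua in ("", "(empty)")))
    return hosts


def scan_proxy_log(lines):
    """(client, url) pairs from proxy-log lines whose URL matches the check-in shape."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "GET" and is_sox_checkin(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits


if __name__ == "__main__":
    answers = parse_dns(SAMPLE_NETWORK)
    print("clusters:", cluster_by_ip(answers))
    print("unresolved:", unresolved(answers))
    print("check-ins:", checkin_hosts(SAMPLE_NETWORK))
    print("proxy hits:", scan_proxy_log(SAMPLE_PROXY_LOG))
```

The URL test deliberately keys on the path and the method/mode pair rather than on the domain list: the domains in this run are one sample of a much larger word-pair namespace (the unresolved tail shows the pattern), so a name-based block list ages quickly, while the check-in shape and the empty User-Agent hold across hosts. The IP cluster is the complementary pivot; any other domain resolving to 208.91.197.241 during the same period deserves the same scrutiny.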
