Analysis Date: 2015-08-19 13:19:41
MD5: ddd77b16c3897903898f21208aa9989a
SHA1: 85c57a62e4d7c7d36f9ed25283b7b9976c5c2d0c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 04bdcdf9d3933904c8699ca63f5e75ab sha1: ff5d8b23895856a787df7e839e8402f7be4fc136 size: 309760
Section .rdata md5: bde5ed7b21c6e8fd8a34cd246f7cf591 sha1: 6eaf5e6bd9a3d0a189f2af2ac34cbccf03d9e648 size: 59392
Section .data md5: d55e29a2f2296297789040d1eed321aa sha1: c321e82990b4d39a81a42b765f1ea2570a53cbd5 size: 7168
Section .reloc md5: 1af75c4c5798cc3822c7c1a0b93b91b8 sha1: fe86bfcb175e04c907b7965013a3268304eff6c5 size: 24576
Timestamp: 2015-05-11 06:13:59
Packer: Microsoft Visual C++ 8
PEhash: 1da0835131ae7560395286c4c4bd147632f24b92
IMPhash: a31da00d3bd47ceb76d60c9e02a77a56
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: PWS-FCCE!DDD77B16C389
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.V.gen
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Kazy.611009
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611009
AV Zillya!: Trojan.Scar.Win32.92527
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_BAYROB.SM0
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611009
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.20073
AV F-Secure: Gen:Variant.Kazy.611009
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\yqctsdxemmfzat\vp1md4ocigqybyhf.exe
Creates File: C:\yqctsdxemmfzat\lvyg3pialdy
Creates File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Deletes File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Creates Process: C:\yqctsdxemmfzat\vp1md4ocigqybyhf.exe

Process
↳ C:\yqctsdxemmfzat\vp1md4ocigqybyhf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Panel VC Intelligent Tools ➝ C:\yqctsdxemmfzat\ipamoopto.exe
Creates File: PIPE\lsarpc
Creates File: C:\yqctsdxemmfzat\lvyg3pialdy
Creates File: C:\yqctsdxemmfzat\ipamoopto.exe
Creates File: C:\yqctsdxemmfzat\r5ysilmlhsns
Creates File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Deletes File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Creates Process: C:\yqctsdxemmfzat\ipamoopto.exe
Creates Service: Registry Parental Cryptographic Helper - C:\yqctsdxemmfzat\ipamoopto.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1168

Process
↳ C:\yqctsdxemmfzat\ipamoopto.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\yqctsdxemmfzat\eukgddzpv
Creates File: C:\yqctsdxemmfzat\pyxgfualgllu.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\yqctsdxemmfzat\lvyg3pialdy
Creates File: C:\yqctsdxemmfzat\r5ysilmlhsns
Creates File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Deletes File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Creates Process: gw83aksdxszi "c:\yqctsdxemmfzat\ipamoopto.exe"

Process
↳ C:\yqctsdxemmfzat\ipamoopto.exe

Creates File: C:\yqctsdxemmfzat\lvyg3pialdy
Creates File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Deletes File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy

Process
↳ gw83aksdxszi "c:\yqctsdxemmfzat\ipamoopto.exe"

Creates File: C:\yqctsdxemmfzat\lvyg3pialdy
Creates File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy
Deletes File: C:\WINDOWS\yqctsdxemmfzat\lvyg3pialdy

Network Details:

DNS: sweetoffice.net
Type: A
162.213.251.173
DNS: materialsupply.net
Type: A
184.168.221.36
DNS: laughstrong.net
Type: A
50.21.189.209
DNS: finishstrong.net
Type: A
50.63.202.14
DNS: sweettrouble.net
Type: A
50.31.0.103
DNS: subjectoffice.net
Type: A
DNS: winterarrive.net
Type: A
DNS: subjectarrive.net
Type: A
DNS: finishsupply.net
Type: A
DNS: leavesupply.net
Type: A
DNS: finishdistance.net
Type: A
DNS: leavedistance.net
Type: A
DNS: finishoffice.net
Type: A
DNS: leaveoffice.net
Type: A
DNS: finisharrive.net
Type: A
DNS: leavearrive.net
Type: A
DNS: sweetsupply.net
Type: A
DNS: probablysupply.net
Type: A
DNS: sweetdistance.net
Type: A
DNS: probablydistance.net
Type: A
DNS: probablyoffice.net
Type: A
DNS: sweetarrive.net
Type: A
DNS: probablyarrive.net
Type: A
DNS: severalsupply.net
Type: A
DNS: severaldistance.net
Type: A
DNS: materialdistance.net
Type: A
DNS: severaloffice.net
Type: A
DNS: materialoffice.net
Type: A
DNS: severalarrive.net
Type: A
DNS: materialarrive.net
Type: A
DNS: severastrong.net
Type: A
DNS: severatrouble.net
Type: A
DNS: laughtrouble.net
Type: A
DNS: severapresident.net
Type: A
DNS: laughpresident.net
Type: A
DNS: severacaught.net
Type: A
DNS: laughcaught.net
Type: A
DNS: simplestrong.net
Type: A
DNS: motherstrong.net
Type: A
DNS: simpletrouble.net
Type: A
DNS: mothertrouble.net
Type: A
DNS: simplepresident.net
Type: A
DNS: motherpresident.net
Type: A
DNS: simplecaught.net
Type: A
DNS: mothercaught.net
Type: A
DNS: mountainstrong.net
Type: A
DNS: possiblestrong.net
Type: A
DNS: mountaintrouble.net
Type: A
DNS: possibletrouble.net
Type: A
DNS: mountainpresident.net
Type: A
DNS: possiblepresident.net
Type: A
DNS: mountaincaught.net
Type: A
DNS: possiblecaught.net
Type: A
DNS: perhapsstrong.net
Type: A
DNS: windowstrong.net
Type: A
DNS: perhapstrouble.net
Type: A
DNS: windowtrouble.net
Type: A
DNS: perhapspresident.net
Type: A
DNS: windowpresident.net
Type: A
DNS: perhapscaught.net
Type: A
DNS: windowcaught.net
Type: A
DNS: winterstrong.net
Type: A
DNS: subjectstrong.net
Type: A
DNS: wintertrouble.net
Type: A
DNS: subjecttrouble.net
Type: A
DNS: winterpresident.net
Type: A
DNS: subjectpresident.net
Type: A
DNS: wintercaught.net
Type: A
DNS: subjectcaught.net
Type: A
DNS: leavestrong.net
Type: A
DNS: finishtrouble.net
Type: A
DNS: leavetrouble.net
Type: A
DNS: finishpresident.net
Type: A
DNS: leavepresident.net
Type: A
DNS: finishcaught.net
Type: A
DNS: leavecaught.net
Type: A
DNS: sweetstrong.net
Type: A
DNS: probablystrong.net
Type: A
DNS: probablytrouble.net
Type: A
DNS: sweetpresident.net
Type: A
DNS: probablypresident.net
Type: A
DNS: sweetcaught.net
Type: A
DNS: probablycaught.net
Type: A
DNS: severalstrong.net
Type: A
DNS: materialstrong.net
Type: A
HTTP GET: http://sweetoffice.net/index.php
User-Agent:
HTTP GET: http://materialsupply.net/index.php
User-Agent:
HTTP GET: http://laughstrong.net/index.php
User-Agent:
HTTP GET: http://finishstrong.net/index.php
User-Agent:
HTTP GET: http://sweettrouble.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 162.213.251.173:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1033 ➝ 50.21.189.209:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.14:80
Flows TCP: 192.168.1.1:1035 ➝ 50.31.0.103:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 6f666669 63652e6e 65740d0a   weetoffice.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61746572 69616c73 7570706c 792e6e65   aterialsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 7374726f 6e672e6e 65740d0a   aughstrong.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   696e6973 68737472 6f6e672e 6e65740d   inishstrong.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 74726f75 626c652e 6e65740d   weettrouble.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....
Strings