Analysis Date 2016-02-03 01:26:58
MD5 9ee803efb6ce3c8f97e184191cec5447
SHA1 8619a2541146702fdfe4e989a67736d0bab557d4

Static Details:

File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d03296f85282b8bf5848d77b8dadc694 sha1: 1523c7a529f990644dcd782b4699a8f0c452e2a9 size: 217600
Section .rdata md5: 357c179cb39c4871c446e290d10b8431 sha1: 9d0d30af9f45293461c32a8e98269246ee4083fb size: 18944
Section .data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc md5: 5cb72d2069514f0cda116ff4e11d493c sha1: 4822f0d4462b785b57af85bc98fe5e69c74b44b7 size: 40448
Timestamp 2016-01-03 14:41:54
PEhash fb7c3b91db9969ac3a5989b4c8d62b31d138d3b3
IMPhash 9c09e92005d2bc76297ded48266d6623
AV Fortinet: W32/Bayrob.AQ!tr
AV MicroWorld (escan): Gen:Variant.Kazy.784853
AV F-Secure: Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Mcafee: Trojan-FHOH!9EE803EFB6CE
AV Ikarus: Trojan.Win32.Bayrob
AV Trend Micro: No Virus
AV Dr. Web: Trojan.DownLoader19.16750
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV Authentium: W32/BayRob.D.gen!Eldorado
AV Grisoft (avg): Win32/Heur
AV Twister: No Virus
AV BullGuard: Gen:Variant.Razy.11545
AV Zillya!: No Virus
AV Frisk (f-prot): W32/BayRob.D.gen!Eldorado
AV Kaspersky: Trojan.Win32.Bayrob.dqb
AV CAT (quickheal): No Virus
AV ClamAV: No Virus
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Win32:Malware-gen
AV CA (E-Trust Ino): No Virus
AV BitDefender: Gen:Variant.Razy.11545
AV Emsisoft: Gen:Variant.Razy.11545
AV Symantec: Trojan.Bayrob!gen6
AV K7: Trojan ( 004db0c61 )
AV Ad-Aware: Gen:Variant.Razy.11545
AV Avira (antivir): TR/Crypt.Xpack.440395
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV VirusBlokAda (vba32): No Virus
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates File C:\bvrghbtuclen\nk3we1kg4kzrewvwlwta.exe
Creates File C:\bvrghbtuclen\rmtdseupjg
Deletes File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates Process C:\bvrghbtuclen\nk3we1kg4kzrewvwlwta.exe

Process
↳ C:\bvrghbtuclen\nk3we1kg4kzrewvwlwta.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Machine Auto-Discovery Windows CNG Locator ➝ C:\bvrghbtuclen\csicsjqxzbcv.exe
Creates File C:\bvrghbtuclen\csicsjqxzbcv.exe
Creates File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates File PIPE\lsarpc
Creates File C:\bvrghbtuclen\b4rvzi
Creates File C:\bvrghbtuclen\rmtdseupjg
Deletes File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates Process C:\bvrghbtuclen\csicsjqxzbcv.exe
Creates Service WMI Superfetch Engine - C:\bvrghbtuclen\csicsjqxzbcv.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1168

Process
↳ C:\bvrghbtuclen\csicsjqxzbcv.exe

Creates File pipe\net\NtControlPipe10
Creates File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates File C:\bvrghbtuclen\c4nxmppsiy
Creates File C:\bvrghbtuclen\cigmtniilyp.exe
Creates File C:\bvrghbtuclen\b4rvzi
Creates File \Device\Afd\Endpoint
Creates File C:\bvrghbtuclen\rmtdseupjg
Deletes File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates Process frmimahcbcuz "c:\bvrghbtuclen\csicsjqxzbcv.exe"

Process
↳ C:\bvrghbtuclen\csicsjqxzbcv.exe

Creates File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates File C:\bvrghbtuclen\rmtdseupjg
Deletes File C:\WINDOWS\bvrghbtuclen\rmtdseupjg

Process
↳ frmimahcbcuz "c:\bvrghbtuclen\csicsjqxzbcv.exe"

Creates File C:\WINDOWS\bvrghbtuclen\rmtdseupjg
Creates File C:\bvrghbtuclen\rmtdseupjg
Deletes File C:\WINDOWS\bvrghbtuclen\rmtdseupjg

Network Details:

DNS membersystem.net Type: A ➝ 85.13.128.193
DNS followtrust.net Type: A ➝ 68.178.232.100
DNS crowdneither.net Type: A ➝ 195.22.28.199
DNS crowdneither.net Type: A ➝ 195.22.28.198
DNS crowdneither.net Type: A ➝ 195.22.28.197
DNS crowdneither.net Type: A ➝ 195.22.28.196
DNS thoughtsystem.net Type: A ➝ 213.171.195.105
DNS watersystem.net Type: A ➝ 199.59.243.120
DNS watertrust.net Type: A ➝ 208.91.197.27
DNS smokesystem.net Type: A ➝ 208.100.26.234
DNS smoketrust.net Type: A ➝ 98.139.135.129
DNS partysystem.net Type: A ➝ 82.165.73.79
DNS crowdfriend.net Type: A ➝ 50.63.202.48
DNS waterfriend.net Type: A ➝ 69.64.147.242
DNS partyfriend.net Type: A ➝ 89.31.143.16
DNS freshfuture.net Type: A ➝ 66.39.68.24
DNS gentlemanearly.net Type: A ➝ 208.100.26.234
DNS knownfuture.net Type: A ➝ 94.127.112.93
DNS knownfuture.net Type: A ➝ 94.127.112.92
DNS crowdfuture.net Type: A ➝ 188.226.181.245
DNS experiencehonor.net Type: A
DNS freshneither.net Type: A
DNS experienceneither.net Type: A
DNS freshsystem.net Type: A
DNS experiencesystem.net Type: A
DNS freshtrust.net Type: A
DNS experiencetrust.net Type: A
DNS gentlemanhonor.net Type: A
DNS alreadyhonor.net Type: A
DNS gentlemanneither.net Type: A
DNS alreadyneither.net Type: A
DNS gentlemansystem.net Type: A
DNS alreadysystem.net Type: A
DNS gentlemantrust.net Type: A
DNS alreadytrust.net Type: A
DNS followhonor.net Type: A
DNS memberhonor.net Type: A
DNS followneither.net Type: A
DNS memberneither.net Type: A
DNS followsystem.net Type: A
DNS membertrust.net Type: A
DNS beginhonor.net Type: A
DNS knownhonor.net Type: A
DNS beginneither.net Type: A
DNS knownneither.net Type: A
DNS beginsystem.net Type: A
DNS knownsystem.net Type: A
DNS begintrust.net Type: A
DNS knowntrust.net Type: A
DNS summerhonor.net Type: A
DNS crowdhonor.net Type: A
DNS summerneither.net Type: A
DNS summersystem.net Type: A
DNS crowdsystem.net Type: A
DNS summertrust.net Type: A
DNS crowdtrust.net Type: A
DNS thoughthonor.net Type: A
DNS waterhonor.net Type: A
DNS thoughtneither.net Type: A
DNS waterneither.net Type: A
DNS thoughttrust.net Type: A
DNS womanhonor.net Type: A
DNS smokehonor.net Type: A
DNS womanneither.net Type: A
DNS smokeneither.net Type: A
DNS womansystem.net Type: A
DNS womantrust.net Type: A
DNS partyhonor.net Type: A
DNS fighthonor.net Type: A
DNS partyneither.net Type: A
DNS fightneither.net Type: A
DNS fightsystem.net Type: A
DNS partytrust.net Type: A
DNS fighttrust.net Type: A
DNS freshlaughter.net Type: A
DNS experiencelaughter.net Type: A
DNS freshfancy.net Type: A
DNS experiencefancy.net Type: A
DNS freshconsider.net Type: A
DNS experienceconsider.net Type: A
DNS freshfriend.net Type: A
DNS experiencefriend.net Type: A
DNS gentlemanlaughter.net Type: A
DNS alreadylaughter.net Type: A
DNS gentlemanfancy.net Type: A
DNS alreadyfancy.net Type: A
DNS gentlemanconsider.net Type: A
DNS alreadyconsider.net Type: A
DNS gentlemanfriend.net Type: A
DNS alreadyfriend.net Type: A
DNS followlaughter.net Type: A
DNS memberlaughter.net Type: A
DNS followfancy.net Type: A
DNS memberfancy.net Type: A
DNS followconsider.net Type: A
DNS memberconsider.net Type: A
DNS followfriend.net Type: A
DNS memberfriend.net Type: A
DNS beginlaughter.net Type: A
DNS knownlaughter.net Type: A
DNS beginfancy.net Type: A
DNS knownfancy.net Type: A
DNS beginconsider.net Type: A
DNS knownconsider.net Type: A
DNS beginfriend.net Type: A
DNS knownfriend.net Type: A
DNS summerlaughter.net Type: A
DNS crowdlaughter.net Type: A
DNS summerfancy.net Type: A
DNS crowdfancy.net Type: A
DNS summerconsider.net Type: A
DNS crowdconsider.net Type: A
DNS summerfriend.net Type: A
DNS thoughtlaughter.net Type: A
DNS waterlaughter.net Type: A
DNS thoughtfancy.net Type: A
DNS waterfancy.net Type: A
DNS thoughtconsider.net Type: A
DNS waterconsider.net Type: A
DNS thoughtfriend.net Type: A
DNS womanlaughter.net Type: A
DNS smokelaughter.net Type: A
DNS womanfancy.net Type: A
DNS smokefancy.net Type: A
DNS womanconsider.net Type: A
DNS smokeconsider.net Type: A
DNS womanfriend.net Type: A
DNS smokefriend.net Type: A
DNS partylaughter.net Type: A
DNS fightlaughter.net Type: A
DNS partyfancy.net Type: A
DNS fightfancy.net Type: A
DNS partyconsider.net Type: A
DNS fightconsider.net Type: A
DNS fightfriend.net Type: A
DNS freshsmell.net Type: A
DNS experiencesmell.net Type: A
DNS freshearly.net Type: A
DNS experienceearly.net Type: A
DNS freshsafety.net Type: A
DNS experiencesafety.net Type: A
DNS experiencefuture.net Type: A
DNS gentlemansmell.net Type: A
DNS alreadysmell.net Type: A
DNS alreadyearly.net Type: A
DNS gentlemansafety.net Type: A
DNS alreadysafety.net Type: A
DNS gentlemanfuture.net Type: A
DNS alreadyfuture.net Type: A
DNS followsmell.net Type: A
DNS membersmell.net Type: A
DNS followearly.net Type: A
DNS memberearly.net Type: A
DNS followsafety.net Type: A
DNS membersafety.net Type: A
DNS followfuture.net Type: A
DNS memberfuture.net Type: A
DNS beginsmell.net Type: A
DNS knownsmell.net Type: A
DNS beginearly.net Type: A
DNS knownearly.net Type: A
DNS beginsafety.net Type: A
DNS knownsafety.net Type: A
DNS beginfuture.net Type: A
DNS summersmell.net Type: A
DNS crowdsmell.net Type: A
DNS summerearly.net Type: A
DNS crowdearly.net Type: A
DNS summersafety.net Type: A
DNS crowdsafety.net Type: A
DNS summerfuture.net Type: A
DNS thoughtsmell.net Type: A
DNS watersmell.net Type: A
DNS thoughtearly.net Type: A
HTTP GET http://membersystem.net/index.php
User-Agent:
HTTP GET http://followtrust.net/index.php
User-Agent:
HTTP GET http://crowdneither.net/index.php
User-Agent:
HTTP GET http://thoughtsystem.net/index.php
User-Agent:
HTTP GET http://watersystem.net/index.php
User-Agent:
HTTP GET http://watertrust.net/index.php
User-Agent:
HTTP GET http://smokesystem.net/index.php
User-Agent:
HTTP GET http://smoketrust.net/index.php
User-Agent:
HTTP GET http://partysystem.net/index.php
User-Agent:
HTTP GET http://crowdfriend.net/index.php
User-Agent:
HTTP GET http://waterfriend.net/index.php
User-Agent:
HTTP GET http://partyfriend.net/index.php
User-Agent:
HTTP GET http://freshfuture.net/index.php
User-Agent:
HTTP GET http://gentlemanearly.net/index.php
User-Agent:
HTTP GET http://knownfuture.net/index.php
User-Agent:
HTTP GET http://crowdfuture.net/index.php
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 85.13.128.193:80
Flows TCP 192.168.1.1:1032 ➝ 68.178.232.100:80
Flows TCP 192.168.1.1:1033 ➝ 195.22.28.199:80
Flows TCP 192.168.1.1:1034 ➝ 213.171.195.105:80
Flows TCP 192.168.1.1:1035 ➝ 199.59.243.120:80
Flows TCP 192.168.1.1:1036 ➝ 208.91.197.27:80
Flows TCP 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1039 ➝ 82.165.73.79:80
Flows TCP 192.168.1.1:1040 ➝ 50.63.202.48:80
Flows TCP 192.168.1.1:1041 ➝ 69.64.147.242:80
Flows TCP 192.168.1.1:1042 ➝ 89.31.143.16:80
Flows TCP 192.168.1.1:1043 ➝ 66.39.68.24:80
Flows TCP 192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1045 ➝ 94.127.112.93:80
Flows TCP 192.168.1.1:1046 ➝ 188.226.181.245:80