Analysis Date: 2016-04-16 04:27:48
MD5: e8dffa713a620b1ab241bce850617def
SHA1: 88977d5cffef0c23cb9a98f57336be63c6e2904f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: dd5c857a56875c2de5b99ef89d31a6e7  sha1: d8d36153c25bd715f262d4e4eb5288d7e82c0c9c  size: 192000
Section .rdata  md5: db47b39d3993cb5b2d98c7231865170c  sha1: 3a30085e8181328d3cb77a24c7b6d3465f1af00c  size: 17920
Section .data   md5: 07b5472d347d42780469fb2654b7fc54  sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d  size: 512
Section .reloc  md5: 2c9f9ae05995764d56b980b3f82aee71  sha1: 31279c1489e4d9351b7d69bc0a9ac49fc57f3ad7  size: 30720
Timestamp: 2016-01-06 17:09:07
PEhash: 45a420cf141d94c08afe9d8085949ed458cfd389
IMPhash: ba10ade37d332b9c2dfe1b8540477319
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.12226
AV F-Secure: Gen:Variant.Razy.12226
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV BullGuard: Gen:Variant.Razy.12226
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.12226
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DA
AV K7: Trojan ( 004db0c61 )
AV BitDefender: Gen:Variant.Razy.12226
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Win32/Heur
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Win32:Trojan-gen
AV Alwil (avast): Trojan-gen
AV Ad-Aware: Gen:Variant.Razy.12226
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.jvey
AV Mcafee: Trojan-FHPX!E8DFFA713A62

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\js5133pimmnkwvjjoz.exe
Deletes File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates Process: C:\nzfmrlupitgs\js5133pimmnkwvjjoz.exe

Process
↳ C:\nzfmrlupitgs\js5133pimmnkwvjjoz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Framework Input Brightness Human Enumerator PC ➝ C:\nzfmrlupitgs\kdhcmhyp.exe
Creates File: C:\nzfmrlupitgs\kdhcmhyp.exe
Creates File: C:\nzfmrlupitgs\ovwc9gnkmi3
Creates File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\uttegyepxtbn
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates Process: C:\nzfmrlupitgs\kdhcmhyp.exe
Creates Service: Link Shadow Modules Web Connection Remote - C:\nzfmrlupitgs\kdhcmhyp.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\JS5133PIMMNKWVJJOZ.EXE-36898B61.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\VXVEKEM.EXE-195C9606.pf
Creates File: C:\WINDOWS\Prefetch\88977D5CFFEF0C23CB9A98F57336B-35713D86.pf
Creates File: C:\WINDOWS\Prefetch\KDHCMHYP.EXE-22532E30.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ Pid 1328

Process
↳ Pid 1864

Process
↳ Pid 1208

Process
↳ C:\nzfmrlupitgs\kdhcmhyp.exe

Creates File: C:\nzfmrlupitgs\ovwc9gnkmi3
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\yyj7yjgxww
Creates File: \Device\Afd\Endpoint
Creates File: C:\nzfmrlupitgs\vxvekem.exe
Deletes File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates Process: lkmgmc7r0kjm "c:\nzfmrlupitgs\kdhcmhyp.exe"

Process
↳ C:\nzfmrlupitgs\kdhcmhyp.exe

Creates File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\uttegyepxtbn
Deletes File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn

Process
↳ lkmgmc7r0kjm "c:\nzfmrlupitgs\kdhcmhyp.exe"

Creates File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\uttegyepxtbn
Deletes File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
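The process tree above carries the host-side indicators an analyst would pull out of this run: a single drop directory (nzfmrlupitgs, created both under C:\ and under C:\WINDOWS), a chain of three executables, and the same binary (kdhcmhyp.exe) registered twice for autostart, once under HKLM\...\Run and once as a service. The following script is an added example, not part of the sandbox report or of the sample's own code; it parses event lines copied from the Runtime Details section (embedded below as a constructed sample) into structured IOCs and flags autostart entries whose binary lives in a directory directly under the drive root. The list of expected root directories, the event labels accepted by the regex, and the "registered twice" rule are this example's own assumptions.

```python
import re

# Constructed sample: event lines copied from the report's Runtime Details,
# in "Label: value" form.  "↳" lines name the process the events belong to.
RUNTIME_EVENTS = r"""
Process
↳ C:\malware.exe
Creates File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates File: C:\nzfmrlupitgs\js5133pimmnkwvjjoz.exe
Deletes File: C:\WINDOWS\nzfmrlupitgs\uttegyepxtbn
Creates Process: C:\nzfmrlupitgs\js5133pimmnkwvjjoz.exe
Process
↳ C:\nzfmrlupitgs\js5133pimmnkwvjjoz.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Framework Input Brightness Human Enumerator PC ➝ C:\nzfmrlupitgs\kdhcmhyp.exe
Creates File: C:\nzfmrlupitgs\kdhcmhyp.exe
Creates File: C:\nzfmrlupitgs\ovwc9gnkmi3
Creates File: PIPE\lsarpc
Creates Process: C:\nzfmrlupitgs\kdhcmhyp.exe
Creates Service: Link Shadow Modules Web Connection Remote - C:\nzfmrlupitgs\kdhcmhyp.exe
Process
↳ C:\nzfmrlupitgs\kdhcmhyp.exe
Creates File: C:\nzfmrlupitgs\vxvekem.exe
Creates File: \Device\Afd\Endpoint
Creates Process: lkmgmc7r0kjm "c:\nzfmrlupitgs\kdhcmhyp.exe"
"""

# The colon is optional so the fused "Creates FileC:\..." form parses too.
EVENT_RE = re.compile(
    r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry)\s*:?\s*(.+)$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption (not from the report): directories directly under the drive
# root in which an autostart binary is expected to live.
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)",
                  "users", "documents and settings"}


def parse_events(text):
    """Return (process, action, value) triples; a '↳' line sets the current process."""
    current, events = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("↳"):
            current = line[1:].strip()
            continue
        m = EVENT_RE.match(line)
        if m and current:
            events.append((current, m.group(1), m.group(2).strip()))
    return events


def image_path(cmdline):
    """Image path of a command line: the first quoted token, else the whole string."""
    m = re.search(r'"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline


def root_dir(path):
    """First directory under the drive letter, lowercased; None for non-drive paths."""
    if not WIN_PATH_RE.match(path):
        return None
    parts = path.split("\\")
    return parts[1].lower() if len(parts) > 2 else None


def extract_iocs(text):
    """Group the events into dropped files, drop directories, autostart entries and a process chain."""
    iocs = {"dropped": [], "drop_dirs": set(), "run_keys": {}, "services": {},
            "process_chain": []}
    for proc, action, value in parse_events(text):
        if action == "Creates File" and WIN_PATH_RE.match(value):
            iocs["dropped"].append(value)
            iocs["drop_dirs"].add(value.rsplit("\\", 1)[0].lower())
        elif action == "Registry" and " ➝ " in value:
            key, _, target = value.partition(" ➝ ")
            iocs["run_keys"][key.rsplit("\\", 1)[1]] = target   # value name -> binary
        elif action == "Creates Service" and " - " in value:
            name, _, target = value.partition(" - ")
            iocs["services"][name] = target                     # service name -> binary
        elif action == "Creates Process":
            iocs["process_chain"].append((proc, image_path(value)))
    return iocs


def persistence_findings(iocs):
    """One finding per autostart entry, plus the set of binaries registered by more than one mechanism."""
    findings = []
    for mech, entries in (("Run key", iocs["run_keys"]), ("Service", iocs["services"])):
        for name, target in entries.items():
            findings.append({"mechanism": mech, "name": name, "target": target.lower(),
                             "unexpected_root": root_dir(target) not in EXPECTED_ROOTS})
    targets = [f["target"] for f in findings]
    doubled = {t for t in targets if targets.count(t) > 1}
    return findings, doubled


if __name__ == "__main__":
    iocs = extract_iocs(RUNTIME_EVENTS)
    for parent, child in iocs["process_chain"]:
        print(f"{parent} -> {child}")
    findings, doubled = persistence_findings(iocs)
    for f in findings:
        print(f)
    print("registered by more than one mechanism:", doubled)
```

Run on the sample, the chain is malware.exe → js5133pimmnkwvjjoz.exe → kdhcmhyp.exe → kdhcmhyp.exe (relaunched with the argument lkmgmc7r0kjm), both autostart entries point at the same binary under C:\nzfmrlupitgs, and both are flagged because that directory is not one an autostart binary is expected to live in. The pipe and \Device paths are deliberately left out of the dropped-file list.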

Network Details:

DNS: seasonprobable.net  Type: A  ➝ 195.22.28.196, 195.22.28.199, 195.22.28.198, 195.22.28.197
DNS: againstwelcome.net  Type: A  ➝ 195.22.28.196, 195.22.28.199, 195.22.28.198, 195.22.28.197
DNS: largeproud.net  Type: A  ➝ 208.100.26.234
DNS: tradearound.net  Type: A  ➝ 50.63.202.36
DNS: tradeproud.net  Type: A  ➝ 50.63.202.34
DNS: streetcomplete.net  Type: A  ➝ 192.64.119.236
DNS: gatheraround.net  Type: A  ➝ 199.59.243.120
DNS: againstnature.net  Type: A  ➝ 50.87.144.164
DNS: captainneedle.net  Type: A  ➝ 5.2.189.251
DNS: largeenough.net  Type: A  ➝ 184.168.221.43
DNS: captainenough.net  Type: A  ➝ 195.22.28.197, 195.22.28.196, 195.22.28.199, 195.22.28.198
DNS: electricneedle.net  Type: A  ➝ 70.32.83.79
DNS: betternature.net  Type: A  ➝ 72.52.4.91
DNS: gathernature.net  Type: A  ➝ 208.100.26.234
DNS: gatherprobable.net  Type: A
DNS: flierwagon.net  Type: A
DNS: breadwagon.net  Type: A
DNS: flierwithout.net  Type: A
DNS: breadwithout.net  Type: A
DNS: flierkitchen.net  Type: A
DNS: breadkitchen.net  Type: A
DNS: flierprobable.net  Type: A
DNS: breadprobable.net  Type: A
DNS: quietwagon.net  Type: A
DNS: seasonwagon.net  Type: A
DNS: quietwithout.net  Type: A
DNS: seasonwithout.net  Type: A
DNS: quietkitchen.net  Type: A
DNS: seasonkitchen.net  Type: A
DNS: quietprobable.net  Type: A
DNS: doubtwelcome.net  Type: A
DNS: againstaround.net  Type: A
DNS: doubtaround.net  Type: A
DNS: againstproud.net  Type: A
DNS: doubtproud.net  Type: A
DNS: againstcomplete.net  Type: A
DNS: doubtcomplete.net  Type: A
DNS: nightwelcome.net  Type: A
DNS: decidewelcome.net  Type: A
DNS: nightaround.net  Type: A
DNS: decidearound.net  Type: A
DNS: nightproud.net  Type: A
DNS: decideproud.net  Type: A
DNS: nightcomplete.net  Type: A
DNS: decidecomplete.net  Type: A
DNS: largewelcome.net  Type: A
DNS: captainwelcome.net  Type: A
DNS: largearound.net  Type: A
DNS: captainaround.net  Type: A
DNS: captainproud.net  Type: A
DNS: largecomplete.net  Type: A
DNS: captaincomplete.net  Type: A
DNS: recordwelcome.net  Type: A
DNS: electricwelcome.net  Type: A
DNS: recordaround.net  Type: A
DNS: electricaround.net  Type: A
DNS: recordproud.net  Type: A
DNS: electricproud.net  Type: A
DNS: recordcomplete.net  Type: A
DNS: electriccomplete.net  Type: A
DNS: streetwelcome.net  Type: A
DNS: tradewelcome.net  Type: A
DNS: streetaround.net  Type: A
DNS: streetproud.net  Type: A
DNS: tradecomplete.net  Type: A
DNS: betterwelcome.net  Type: A
DNS: gatherwelcome.net  Type: A
DNS: betteraround.net  Type: A
DNS: betterproud.net  Type: A
DNS: gatherproud.net  Type: A
DNS: bettercomplete.net  Type: A
DNS: gathercomplete.net  Type: A
DNS: flierwelcome.net  Type: A
DNS: breadwelcome.net  Type: A
DNS: flieraround.net  Type: A
DNS: breadaround.net  Type: A
DNS: flierproud.net  Type: A
DNS: breadproud.net  Type: A
DNS: fliercomplete.net  Type: A
DNS: breadcomplete.net  Type: A
DNS: quietwelcome.net  Type: A
DNS: seasonwelcome.net  Type: A
DNS: quietaround.net  Type: A
DNS: seasonaround.net  Type: A
DNS: quietproud.net  Type: A
DNS: seasonproud.net  Type: A
DNS: quietcomplete.net  Type: A
DNS: seasoncomplete.net  Type: A
DNS: doubtnature.net  Type: A
DNS: againstneedle.net  Type: A
DNS: doubtneedle.net  Type: A
DNS: againstenough.net  Type: A
DNS: doubtenough.net  Type: A
DNS: againstgovern.net  Type: A
DNS: doubtgovern.net  Type: A
DNS: nightnature.net  Type: A
DNS: decidenature.net  Type: A
DNS: nightneedle.net  Type: A
DNS: decideneedle.net  Type: A
DNS: nightenough.net  Type: A
DNS: decideenough.net  Type: A
DNS: nightgovern.net  Type: A
DNS: decidegovern.net  Type: A
DNS: largenature.net  Type: A
DNS: captainnature.net  Type: A
DNS: largeneedle.net  Type: A
DNS: largegovern.net  Type: A
DNS: captaingovern.net  Type: A
DNS: recordnature.net  Type: A
DNS: electricnature.net  Type: A
DNS: recordneedle.net  Type: A
DNS: recordenough.net  Type: A
DNS: electricenough.net  Type: A
DNS: recordgovern.net  Type: A
DNS: electricgovern.net  Type: A
DNS: streetnature.net  Type: A
DNS: tradenature.net  Type: A
DNS: streetneedle.net  Type: A
DNS: tradeneedle.net  Type: A
DNS: streetenough.net  Type: A
DNS: tradeenough.net  Type: A
DNS: streetgovern.net  Type: A
DNS: tradegovern.net  Type: A
DNS: betterneedle.net  Type: A
DNS: gatherneedle.net  Type: A
DNS: betterenough.net  Type: A
DNS: gatherenough.net  Type: A
DNS: bettergovern.net  Type: A
DNS: gathergovern.net  Type: A
DNS: fliernature.net  Type: A
DNS: breadnature.net  Type: A
DNS: flierneedle.net  Type: A
HTTP GET: http://seasonprobable.net/index.php  User-Agent: (empty)
HTTP GET: http://againstwelcome.net/index.php  User-Agent: (empty)
HTTP GET: http://largeproud.net/index.php  User-Agent: (empty)
HTTP GET: http://tradearound.net/index.php  User-Agent: (empty)
HTTP GET: http://tradeproud.net/index.php  User-Agent: (empty)
HTTP GET: http://streetcomplete.net/index.php  User-Agent: (empty)
HTTP GET: http://gatheraround.net/index.php  User-Agent: (empty)
HTTP GET: http://againstnature.net/index.php  User-Agent: (empty)
HTTP GET: http://captainneedle.net/index.php  User-Agent: (empty)
HTTP GET: http://largeenough.net/index.php  User-Agent: (empty)
HTTP GET: http://captainenough.net/index.php  User-Agent: (empty)
HTTP GET: http://electricneedle.net/index.php  User-Agent: (empty)
HTTP GET: http://betternature.net/index.php  User-Agent: (empty)
HTTP GET: http://gathernature.net/index.php  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.36:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.34:80
Flows TCP: 192.168.1.1:1036 ➝ 192.64.119.236:80
Flows TCP: 192.168.1.1:1037 ➝ 199.59.243.120:80
Flows TCP: 192.168.1.1:1038 ➝ 50.87.144.164:80
Flows TCP: 192.168.1.1:1039 ➝ 5.2.189.251:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.43:80
Flows TCP: 192.168.1.1:1041 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1042 ➝ 70.32.83.79:80
Flows TCP: 192.168.1.1:1043 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
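The network section has a recognisable shape: every queried name is a .net domain made of two English words drawn from a small vocabulary, only 14 of the 132 names return an A record, three of the resolving names share the same four-address answer set (195.22.28.196 to .199), and the sample fetches /index.php only from names that resolved. The script below is an added example, not part of the report, that parses DNS, HTTP and flow lines in the report's format (a constructed subset of the lines above is embedded) and computes those observations: resolved versus unresolved counts, domains grouped by shared answer set, how many names decompose as first-word + second-word, and whether any GET went to an unresolved host. The word lists were split by hand from the domains shown on this page, and the thresholds in looks_like_dictionary_dga are this example's assumptions, not a published detection rule.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed sample: a subset of the report's Network Details, one DNS
# answer per line (a name with no address is a query that got no A record).
NETWORK_LOG = """
DNS: seasonprobable.net Type: A 195.22.28.196
DNS: seasonprobable.net Type: A 195.22.28.199
DNS: seasonprobable.net Type: A 195.22.28.198
DNS: seasonprobable.net Type: A 195.22.28.197
DNS: againstwelcome.net Type: A 195.22.28.196
DNS: againstwelcome.net Type: A 195.22.28.199
DNS: againstwelcome.net Type: A 195.22.28.198
DNS: againstwelcome.net Type: A 195.22.28.197
DNS: largeproud.net Type: A 208.100.26.234
DNS: tradearound.net Type: A 50.63.202.36
DNS: captainenough.net Type: A 195.22.28.197
DNS: captainenough.net Type: A 195.22.28.196
DNS: captainenough.net Type: A 195.22.28.199
DNS: captainenough.net Type: A 195.22.28.198
DNS: gathernature.net Type: A 208.100.26.234
DNS: gatherprobable.net Type: A
DNS: flierwagon.net Type: A
DNS: breadwagon.net Type: A
DNS: quietkitchen.net Type: A
DNS: doubtgovern.net Type: A
DNS: nightneedle.net Type: A
HTTP GET: http://seasonprobable.net/index.php
HTTP GET: http://againstwelcome.net/index.php
HTTP GET: http://largeproud.net/index.php
HTTP GET: http://tradearound.net/index.php
HTTP GET: http://captainenough.net/index.php
HTTP GET: http://gathernature.net/index.php
"""

# Vocabulary split by hand from the domains the report lists (assumption:
# a real analysis would derive it from the full observed set).
FIRST_WORDS = {"season", "against", "large", "trade", "street", "gather", "captain",
               "electric", "better", "flier", "bread", "quiet", "doubt", "night",
               "decide", "record"}
SECOND_WORDS = {"probable", "welcome", "proud", "around", "complete", "nature",
                "needle", "enough", "govern", "wagon", "without", "kitchen"}

# Colon optional, so the fused "DNSseasonprobable.net" form is accepted too.
DNS_RE = re.compile(r"^DNS\s*:?\s*(\S+)\s+Type:\s*(\w+)(?:\s+(\d{1,3}(?:\.\d{1,3}){3}))?$")
HTTP_RE = re.compile(r"^HTTP GET\s*:?\s*(\S+)")


def parse_network(text):
    """Return (domain -> set of A records, list of GET URLs) in first-seen order."""
    queried, urls = OrderedDict(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = DNS_RE.match(line)
        if m:
            queried.setdefault(m.group(1), set())
            if m.group(3):
                queried[m.group(1)].add(m.group(3))
            continue
        m = HTTP_RE.match(line)
        if m:
            urls.append(m.group(1))
    return queried, urls


def split_words(domain):
    """(first, second) if the leftmost label is one FIRST word followed by one SECOND word."""
    label = domain.split(".")[0]
    for w in FIRST_WORDS:
        if label.startswith(w) and label[len(w):] in SECOND_WORDS:
            return w, label[len(w):]
    return None


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0]


def summarize(text):
    queried, urls = parse_network(text)
    resolved = {d: ips for d, ips in queried.items() if ips}
    groups = defaultdict(list)          # answer set -> domains that returned it
    for d, ips in resolved.items():
        groups[frozenset(ips)].append(d)
    return {
        "queried": len(queried),
        "resolved": len(resolved),
        "unresolved": len(queried) - len(resolved),
        "word_pairs": sum(1 for d in queried if split_words(d)),
        "ip_groups": {ips: sorted(ds) for ips, ds in groups.items()},
        "fetched_without_answer": [host_of(u) for u in urls if host_of(u) not in resolved],
    }


def looks_like_dictionary_dga(s):
    """Assumed thresholds: many lookups, nearly all word pairs, at least half unanswered."""
    return (s["queried"] >= 10 and s["word_pairs"] / s["queried"] >= 0.9
            and s["unresolved"] / s["queried"] >= 0.5)


if __name__ == "__main__":
    s = summarize(NETWORK_LOG)
    print({k: v for k, v in s.items() if k != "ip_groups"})
    for ips, ds in s["ip_groups"].items():
        print(sorted(ips), "<-", ds)
    print("dictionary-DGA shape:", looks_like_dictionary_dga(s))
```

On the embedded subset, 12 of 12 names split into a first and second word, 6 of 12 got no answer, seasonprobable.net, againstwelcome.net and captainenough.net fall into one group because they returned the same four addresses, and no GET went to a host without an A record. The same functions run unchanged over the full list above, where the unresolved share is much higher (118 of 132).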
