Analysis Date: 2015-11-22 19:28:48
MD5: 002a8a0ba991d1d377c000d3fb2ecc0a
SHA1: 897bada00d972f6b702c52291e0bec9ae67009ae

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 6a04d94d67c3f07cd32c9ebf3bcc2b9d sha1: 5c870bef95e65494196ce401785cd490520f0847 size: 1278464
Section .rdata  md5: 2346860c55b96737f73bce068b3909e5 sha1: 04b70e51350e445878b9203f9495c5e99954bd6f size: 305152
Section .data  md5: 1b08a9401561f3f6e3fb4d118c236c40 sha1: 2c80d928a234ecbc838796f377265c00de2d521d size: 8192
Section .reloc  md5: f59ce2dc61ac0dc4a9f2eade88b8ee7f sha1: 57e7f2ed5d4bbaf6957cb0f44f0356b66c13328c size: 168960
Timestamp: 2015-05-11 04:52:28
Packer: VC8 -> Microsoft Corporation
PEhash: 410477ac6c8332dc5d6314b00a31cfebc3d24020
IMPhash: 183fe4a1705b3c107d6633c50eb8dc85
AV F-Secure: Gen:Variant.Diley.1
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV MicroWorld (escan): Gen:Trojan.Heur.TP.RrW@bmSaukg
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Twister: no_virus
AV BitDefender: Gen:Trojan.Heur.TP.RrW@bmSaukg
AV Avira (antivir): TR/Crypt.Xpack.322217
AV Alwil (avast): Dropper-OJQ [Drp]
AV Fortinet: W32/Kryptik.EETB!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Mcafee: Trojan-FGIJ!002A8A0BA991
AV Ad-Aware: Gen:Variant.Diley.1
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004c77f41 )
AV Rising: no_virus
AV BitDefender: Gen:Variant.Diley.1
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\snvrgd1kmmmgebwlfkg.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\snvrgd1kmmmgebwlfkg.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\snvrgd1kmmmgebwlfkg.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Visual Interface Routing NetBIOS ➝ C:\WINDOWS\system32\bnouwicykd.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\tst
Creates File: C:\WINDOWS\system32\bnouwicykd.exe
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\lck
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\bnouwicykd.exe
Creates Service: Networking Builder Update Ordering WMI - C:\WINDOWS\system32\bnouwicykd.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\system32\bnouwicykd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\cfg
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\lck
Creates File: C:\WINDOWS\system32\kswvdvogmwk.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\snvrgd1sh6mge.exe
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\tst
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\run
Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\rng
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\bnouwicykd.exe"
Creates Process: C:\WINDOWS\TEMP\snvrgd1sh6mge.exe -r 41776 tcp

Process
↳ C:\WINDOWS\system32\bnouwicykd.exe

Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\bnouwicykd.exe"

Creates File: C:\WINDOWS\system32\vqpukkxxlklfh\tst

Process
↳ C:\WINDOWS\TEMP\snvrgd1sh6mge.exe -r 41776 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: recordsoldier.net  Type: A  208.91.197.241
DNS: fliersurprise.net  Type: A  208.91.197.241
DNS: historybright.net  Type: A  208.91.197.241
DNS: chiefsoldier.net  Type: A  208.91.197.241
DNS: classsurprise.net  Type: A  208.91.197.241
DNS: thosecontinue.net  Type: A  208.91.197.241
DNS: throughcontain.net  Type: A  208.91.197.241
DNS: belongguard.net  Type: A  208.91.197.241
DNS: maybellinethaddeus.net  Type: A  208.91.197.241
DNS: kimberleyshavonne.net  Type: A  208.91.197.241
DNS: naildeep.com  Type: A  74.220.215.218
DNS: riddenstorm.net  Type: A  66.147.240.171
DNS: destroystorm.net  Type: A  216.239.138.86
DNS: groupsound.net  Type: A  69.172.201.208
DNS: visitlift.net  Type: A  50.63.202.45
DNS: visitgreen.net  Type: A  208.100.26.234
DNS: fairgreen.net  Type: A  72.52.4.119
DNS: watchsound.net  Type: A  95.211.230.75
DNS: fairsound.net  Type: A  157.7.200.171
DNS: dreamlift.net  Type: A  98.191.83.85
DNS: thisgreen.net  Type: A  95.211.230.75
DNS: dreamsound.net  Type: A  207.148.248.143
DNS: thissound.net  Type: A  66.6.44.4
DNS: dreamhand.net  Type: A  74.220.219.141
DNS: arivehappy.net  Type: A  195.22.28.196
DNS: arivehappy.net  Type: A  195.22.28.199
DNS: arivehappy.net  Type: A  195.22.28.198
DNS: arivehappy.net  Type: A  195.22.28.197
DNS: grouppage.net  Type: A  64.74.223.44
DNS: visitsince.net  Type: A  192.64.119.99
DNS: watchhappy.net  Type: A  50.63.202.49
DNS: melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS: dreamhappy.net  Type: A  121.78.93.42
DNS: husbandfound.net  Type: A
DNS: leadershort.net  Type: A
DNS: eggbraker.com  Type: A
DNS: ithouneed.com  Type: A
DNS: equalsound.net  Type: A
DNS: equalhand.net  Type: A
DNS: grouphand.net  Type: A
DNS: spokelift.net  Type: A
DNS: spokegreen.net  Type: A
DNS: spokesound.net  Type: A
DNS: visitsound.net  Type: A
DNS: spokehand.net  Type: A
DNS: visithand.net  Type: A
DNS: watchlift.net  Type: A
DNS: fairlift.net  Type: A
DNS: watchgreen.net  Type: A
DNS: watchhand.net  Type: A
DNS: fairhand.net  Type: A
DNS: thislift.net  Type: A
DNS: dreamgreen.net  Type: A
DNS: thishand.net  Type: A
DNS: southhappy.net  Type: A
DNS: ariveheat.net  Type: A
DNS: southheat.net  Type: A
DNS: arivesince.net  Type: A
DNS: southsince.net  Type: A
DNS: arivepage.net  Type: A
DNS: southpage.net  Type: A
DNS: uponhappy.net  Type: A
DNS: whichhappy.net  Type: A
DNS: uponheat.net  Type: A
DNS: whichheat.net  Type: A
DNS: uponsince.net  Type: A
DNS: whichsince.net  Type: A
DNS: uponpage.net  Type: A
DNS: whichpage.net  Type: A
DNS: spothappy.net  Type: A
DNS: salthappy.net  Type: A
DNS: spotheat.net  Type: A
DNS: saltheat.net  Type: A
DNS: spotsince.net  Type: A
DNS: saltsince.net  Type: A
DNS: spotpage.net  Type: A
DNS: saltpage.net  Type: A
DNS: gladhappy.net  Type: A
DNS: takenhappy.net  Type: A
DNS: gladheat.net  Type: A
DNS: takenheat.net  Type: A
DNS: gladsince.net  Type: A
DNS: takensince.net  Type: A
DNS: gladpage.net  Type: A
DNS: takenpage.net  Type: A
DNS: equalhappy.net  Type: A
DNS: grouphappy.net  Type: A
DNS: equalheat.net  Type: A
DNS: groupheat.net  Type: A
DNS: equalsince.net  Type: A
DNS: groupsince.net  Type: A
DNS: equalpage.net  Type: A
DNS: spokehappy.net  Type: A
DNS: visithappy.net  Type: A
DNS: spokeheat.net  Type: A
DNS: visitheat.net  Type: A
DNS: spokesince.net  Type: A
DNS: spokepage.net  Type: A
DNS: visitpage.net  Type: A
DNS: fairhappy.net  Type: A
DNS: watchheat.net  Type: A
DNS: fairheat.net  Type: A
DNS: watchsince.net  Type: A
DNS: fairsince.net  Type: A
DNS: watchpage.net  Type: A
DNS: fairpage.net  Type: A
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://groupsound.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://visitlift.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://visitgreen.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://fairgreen.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://watchsound.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://fairsound.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://dreamlift.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://thisgreen.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://dreamsound.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://thissound.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://dreamhand.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://arivehappy.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://grouppage.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://visitsince.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://watchhappy.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://watchsince.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://dreamhappy.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1051 ➝ 50.63.202.45:80
Flows TCP: 192.168.1.1:1052 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1053 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1054 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1055 ➝ 157.7.200.171:80
Flows TCP: 192.168.1.1:1056 ➝ 98.191.83.85:80
Flows TCP: 192.168.1.1:1057 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1058 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1059 ➝ 66.6.44.4:80
Flows TCP: 192.168.1.1:1060 ➝ 74.220.219.141:80
Flows TCP: 192.168.1.1:1061 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1062 ➝ 64.74.223.44:80
Flows TCP: 192.168.1.1:1063 ➝ 192.64.119.99:80
Flows TCP: 192.168.1.1:1064 ➝ 50.63.202.49:80
Flows TCP: 192.168.1.1:1065 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1066 ➝ 121.78.93.42:80
Flows TCP: 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1069 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1070 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1071 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1072 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1073 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1074 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1075 ➝ 208.91.197.241:80
