Analysis Date2015-10-10 15:39:02
MD59f8cc22ed0c68c893892d3b1301b84f6
SHA18f035e3443c21b0ad43ad850c423d20941bc79f8

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 90500ff9d7c4b177992d67977fd488f0 sha1: 1f1f054948db04674d425b3be19c27190eb62c20 size: 285696
Section.rdata md5: f069dbd06d0069da02b6e2e8eab76e9c sha1: b2062e4b2e9f63641022837b198d9a53117d3026 size: 58368
Section.data md5: 37f1697dfe6eec3c160f92d1132e0cfd sha1: 97ab0ba3d27e299146946a8df0054379543dd134 size: 7168
Section.reloc md5: 77d5cb72c4a0b11d7575031618b3ea19 sha1: 0a65e2656dc698787ee149e57a5126885096a850 size: 19456
Timestamp2015-05-11 06:55:47
PackerMicrosoft Visual C++ 8
PEhashad47074dff96cf52b6413150865194bc35a3a6e0
IMPhash45d8e353a11987826bb39088998e28d3
AVRisingTrojan.Win32.Bayrod.b
AVCA (E-Trust Ino)no_virus
AVF-SecureGen:Variant.Diley.1
AVDr. WebTrojan.Bayrob.1
AVClamAVno_virus
AVArcabit (arcavir)Gen:Variant.Diley.1
AVBullGuardGen:Variant.Diley.1
AVPadvishno_virus
AVVirusBlokAda (vba32)no_virus
AVCAT (quickheal)TrojanSpy.Nivdort.OD4
AVTrend Microno_virus
AVKasperskyTrojan.Win32.Generic
AVZillya!Trojan.Bayrob.Win32.1640
AVEmsisoftGen:Variant.Diley.1
AVIkarusTrojan.Win32.Bayrob
AVFrisk (f-prot)no_virus
AVAuthentiumW32/Nivdort.B.gen!Eldorado
AVMalwareBytesTrojan.Agent.KVTGen
AVMicroWorld (escan)Gen:Variant.Diley.1
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.AL
AVK7Trojan ( 004c3a4d1 )
AVBitDefenderGen:Variant.Diley.1
AVFortinetW32/Bayrob.T!tr
AVSymantecDownloader.Upatre!g15
AVGrisoft (avg)Win32/Cryptor
AVEset (nod32)Win32/Bayrob.W
AVAlwil (avast)Malware-gen:Win32:Malware-gen
AVAd-AwareGen:Variant.Diley.1
AVTwisterno_virus
AVAvira (antivir)TR/Spy.ZBot.xbbeomq
AVMcafeeno_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe
Creates FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates FileC:\ueanfnuxrjt\sti1nmerd
Deletes FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates ProcessC:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe

Process
↳ C:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Intelligent Background Interface ➝
C:\ueanfnuxrjt\vtnbfcednv.exe
Creates FileC:\ueanfnuxrjt\vtnbfcednv.exe
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates FileC:\ueanfnuxrjt\ebqcnjrxhsxp
Creates FileC:\ueanfnuxrjt\sti1nmerd
Deletes FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates ProcessC:\ueanfnuxrjt\vtnbfcednv.exe
Creates ServiceRedirector Credential Procedure PNRP PnP-X - C:\ueanfnuxrjt\vtnbfcednv.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1144

Process
↳ C:\ueanfnuxrjt\vtnbfcednv.exe

Creates Filepipe\net\NtControlPipe10
Creates FileC:\ueanfnuxrjt\nmzdqxenu.exe
Creates FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates File\Device\Afd\Endpoint
Creates FileC:\ueanfnuxrjt\blocai4i
Creates FileC:\ueanfnuxrjt\ebqcnjrxhsxp
Creates FileC:\ueanfnuxrjt\sti1nmerd
Deletes FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates Processgoxmuhujei8t "c:\ueanfnuxrjt\vtnbfcednv.exe"

Process
↳ C:\ueanfnuxrjt\vtnbfcednv.exe

Creates FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates FileC:\ueanfnuxrjt\sti1nmerd
Deletes FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd

Process
↳ goxmuhujei8t "c:\ueanfnuxrjt\vtnbfcednv.exe"

Creates FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates FileC:\ueanfnuxrjt\sti1nmerd
Deletes FileC:\WINDOWS\ueanfnuxrjt\sti1nmerd

Network Details:

DNSagainstanimal.net
Type: A
195.22.26.231
DNSagainstanimal.net
Type: A
195.22.26.252
DNSagainstanimal.net
Type: A
195.22.26.253
DNSagainstanimal.net
Type: A
195.22.26.254
DNSdecideproblem.net
Type: A
72.52.4.90
DNScaptainescape.net
Type: A
50.63.202.16
DNSlargeanimal.net
Type: A
54.235.159.97
DNScaptainanimal.net
Type: A
208.100.26.234
DNSelectricescape.net
Type: A
103.250.233.242
DNSflierescape.net
Type: A
72.52.4.90
DNSdoubtanimal.net
Type: A
DNSagainstproblem.net
Type: A
DNSdoubtproblem.net
Type: A
DNSagainstmodern.net
Type: A
DNSdoubtmodern.net
Type: A
DNSnightescape.net
Type: A
DNSdecideescape.net
Type: A
DNSnightanimal.net
Type: A
DNSdecideanimal.net
Type: A
DNSnightproblem.net
Type: A
DNSnightmodern.net
Type: A
DNSdecidemodern.net
Type: A
DNSlargeescape.net
Type: A
DNSlargeproblem.net
Type: A
DNScaptainproblem.net
Type: A
DNSlargemodern.net
Type: A
DNScaptainmodern.net
Type: A
DNSrecordescape.net
Type: A
DNSrecordanimal.net
Type: A
DNSelectricanimal.net
Type: A
DNSrecordproblem.net
Type: A
DNSelectricproblem.net
Type: A
DNSrecordmodern.net
Type: A
DNSelectricmodern.net
Type: A
DNSstreetescape.net
Type: A
DNStradeescape.net
Type: A
DNSstreetanimal.net
Type: A
DNStradeanimal.net
Type: A
DNSstreetproblem.net
Type: A
DNStradeproblem.net
Type: A
DNSstreetmodern.net
Type: A
DNStrademodern.net
Type: A
DNSbetterescape.net
Type: A
DNSgatherescape.net
Type: A
DNSbetteranimal.net
Type: A
DNSgatheranimal.net
Type: A
DNSbetterproblem.net
Type: A
DNSgatherproblem.net
Type: A
DNSbettermodern.net
Type: A
DNSgathermodern.net
Type: A
DNSbreadescape.net
Type: A
DNSflieranimal.net
Type: A
DNSbreadanimal.net
Type: A
DNSflierproblem.net
Type: A
DNSbreadproblem.net
Type: A
DNSfliermodern.net
Type: A
DNSbreadmodern.net
Type: A
DNSquietescape.net
Type: A
DNSseasonescape.net
Type: A
DNSquietanimal.net
Type: A
DNSseasonanimal.net
Type: A
DNSquietproblem.net
Type: A
DNSseasonproblem.net
Type: A
DNSquietmodern.net
Type: A
DNSseasonmodern.net
Type: A
DNSagainstsilver.net
Type: A
DNSdoubtsilver.net
Type: A
DNSagainstsister.net
Type: A
DNSdoubtsister.net
Type: A
DNSagainstvalley.net
Type: A
DNSdoubtvalley.net
Type: A
DNSagainstlabor.net
Type: A
DNSdoubtlabor.net
Type: A
DNSnightsilver.net
Type: A
DNSdecidesilver.net
Type: A
DNSnightsister.net
Type: A
DNSdecidesister.net
Type: A
DNSnightvalley.net
Type: A
DNSdecidevalley.net
Type: A
DNSnightlabor.net
Type: A
DNSdecidelabor.net
Type: A
DNSlargesilver.net
Type: A
DNScaptainsilver.net
Type: A
DNSlargesister.net
Type: A
DNScaptainsister.net
Type: A
DNSlargevalley.net
Type: A
DNScaptainvalley.net
Type: A
DNSlargelabor.net
Type: A
HTTP GEThttp://againstanimal.net/index.php
User-Agent:
HTTP GEThttp://decideproblem.net/index.php
User-Agent:
HTTP GEThttp://captainescape.net/index.php
User-Agent:
HTTP GEThttp://largeanimal.net/index.php
User-Agent:
HTTP GEThttp://captainanimal.net/index.php
User-Agent:
HTTP GEThttp://electricescape.net/index.php
User-Agent:
HTTP GEThttp://flierescape.net/index.php
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP192.168.1.1:1032 ➝ 72.52.4.90:80
Flows TCP192.168.1.1:1033 ➝ 50.63.202.16:80
Flows TCP192.168.1.1:1034 ➝ 54.235.159.97:80
Flows TCP192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1036 ➝ 103.250.233.242:80
Flows TCP192.168.1.1:1037 ➝ 72.52.4.90:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6761696e 7374616e 696d616c 2e6e6574   gainstanimal.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   65636964 6570726f 626c656d 2e6e6574   ecideproblem.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e6573 63617065 2e6e6574   aptainescape.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61726765 616e696d 616c2e6e 65740d0a   argeanimal.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e616e 696d616c 2e6e6574   aptainanimal.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6c656374 72696365 73636170 652e6e65   lectricescape.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6c696572 65736361 70652e6e 65740d0a   lierescape.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....


Strings