Analysis | #totalhash

Analysis Date	2015-10-10 15:39:02
MD5	9f8cc22ed0c68c893892d3b1301b84f6
SHA1	8f035e3443c21b0ad43ad850c423d20941bc79f8

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 90500ff9d7c4b177992d67977fd488f0 sha1: 1f1f054948db04674d425b3be19c27190eb62c20 size: 285696
Section	.rdata md5: f069dbd06d0069da02b6e2e8eab76e9c sha1: b2062e4b2e9f63641022837b198d9a53117d3026 size: 58368
Section	.data md5: 37f1697dfe6eec3c160f92d1132e0cfd sha1: 97ab0ba3d27e299146946a8df0054379543dd134 size: 7168
Section	.reloc md5: 77d5cb72c4a0b11d7575031618b3ea19 sha1: 0a65e2656dc698787ee149e57a5126885096a850 size: 19456
Timestamp	2015-05-11 06:55:47
Packer	Microsoft Visual C++ 8
PEhash	ad47074dff96cf52b6413150865194bc35a3a6e0
IMPhash	45d8e353a11987826bb39088998e28d3
AV	Rising	Trojan.Win32.Bayrod.b
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Diley.1
AV	Dr. Web	Trojan.Bayrob.1
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Diley.1
AV	BullGuard	Gen:Variant.Diley.1
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	TrojanSpy.Nivdort.OD4
AV	Trend Micro	no_virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	Trojan.Bayrob.Win32.1640
AV	Emsisoft	Gen:Variant.Diley.1
AV	Ikarus	Trojan.Win32.Bayrob
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Nivdort.B.gen!Eldorado
AV	MalwareBytes	Trojan.Agent.KVTGen
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.AL
AV	K7	Trojan ( 004c3a4d1 )
AV	BitDefender	Gen:Variant.Diley.1
AV	Fortinet	W32/Bayrob.T!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Bayrob.W
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Ad-Aware	Gen:Variant.Diley.1
AV	Twister	no_virus
AV	Avira (antivir)	TR/Spy.ZBot.xbbeomq
AV	Mcafee	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe
Creates File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates File	C:\ueanfnuxrjt\sti1nmerd
Deletes File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates Process	C:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe

Process
↳ C:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Intelligent Background Interface ➝ C:\ueanfnuxrjt\vtnbfcednv.exe
Creates File	C:\ueanfnuxrjt\vtnbfcednv.exe
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates File	C:\ueanfnuxrjt\ebqcnjrxhsxp
Creates File	C:\ueanfnuxrjt\sti1nmerd
Deletes File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates Process	C:\ueanfnuxrjt\vtnbfcednv.exe
Creates Service	Redirector Credential Procedure PNRP PnP-X - C:\ueanfnuxrjt\vtnbfcednv.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1144

Process
↳ C:\ueanfnuxrjt\vtnbfcednv.exe

Creates File	pipe\net\NtControlPipe10
Creates File	C:\ueanfnuxrjt\nmzdqxenu.exe
Creates File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates File	\Device\Afd\Endpoint
Creates File	C:\ueanfnuxrjt\blocai4i
Creates File	C:\ueanfnuxrjt\ebqcnjrxhsxp
Creates File	C:\ueanfnuxrjt\sti1nmerd
Deletes File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates Process	goxmuhujei8t "c:\ueanfnuxrjt\vtnbfcednv.exe"

Process
↳ C:\ueanfnuxrjt\vtnbfcednv.exe

Creates File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates File	C:\ueanfnuxrjt\sti1nmerd
Deletes File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd

Process
↳ goxmuhujei8t "c:\ueanfnuxrjt\vtnbfcednv.exe"

Creates File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd
Creates File	C:\ueanfnuxrjt\sti1nmerd
Deletes File	C:\WINDOWS\ueanfnuxrjt\sti1nmerd

Network Details:

DNS	againstanimal.net Type: A 195.22.26.231
DNS	againstanimal.net Type: A 195.22.26.252
DNS	againstanimal.net Type: A 195.22.26.253
DNS	againstanimal.net Type: A 195.22.26.254
DNS	decideproblem.net Type: A 72.52.4.90
DNS	captainescape.net Type: A 50.63.202.16
DNS	largeanimal.net Type: A 54.235.159.97
DNS	captainanimal.net Type: A 208.100.26.234
DNS	electricescape.net Type: A 103.250.233.242
DNS	flierescape.net Type: A 72.52.4.90
DNS	doubtanimal.net Type: A
DNS	againstproblem.net Type: A
DNS	doubtproblem.net Type: A
DNS	againstmodern.net Type: A
DNS	doubtmodern.net Type: A
DNS	nightescape.net Type: A
DNS	decideescape.net Type: A
DNS	nightanimal.net Type: A
DNS	decideanimal.net Type: A
DNS	nightproblem.net Type: A
DNS	nightmodern.net Type: A
DNS	decidemodern.net Type: A
DNS	largeescape.net Type: A
DNS	largeproblem.net Type: A
DNS	captainproblem.net Type: A
DNS	largemodern.net Type: A
DNS	captainmodern.net Type: A
DNS	recordescape.net Type: A
DNS	recordanimal.net Type: A
DNS	electricanimal.net Type: A
DNS	recordproblem.net Type: A
DNS	electricproblem.net Type: A
DNS	recordmodern.net Type: A
DNS	electricmodern.net Type: A
DNS	streetescape.net Type: A
DNS	tradeescape.net Type: A
DNS	streetanimal.net Type: A
DNS	tradeanimal.net Type: A
DNS	streetproblem.net Type: A
DNS	tradeproblem.net Type: A
DNS	streetmodern.net Type: A
DNS	trademodern.net Type: A
DNS	betterescape.net Type: A
DNS	gatherescape.net Type: A
DNS	betteranimal.net Type: A
DNS	gatheranimal.net Type: A
DNS	betterproblem.net Type: A
DNS	gatherproblem.net Type: A
DNS	bettermodern.net Type: A
DNS	gathermodern.net Type: A
DNS	breadescape.net Type: A
DNS	flieranimal.net Type: A
DNS	breadanimal.net Type: A
DNS	flierproblem.net Type: A
DNS	breadproblem.net Type: A
DNS	fliermodern.net Type: A
DNS	breadmodern.net Type: A
DNS	quietescape.net Type: A
DNS	seasonescape.net Type: A
DNS	quietanimal.net Type: A
DNS	seasonanimal.net Type: A
DNS	quietproblem.net Type: A
DNS	seasonproblem.net Type: A
DNS	quietmodern.net Type: A
DNS	seasonmodern.net Type: A
DNS	againstsilver.net Type: A
DNS	doubtsilver.net Type: A
DNS	againstsister.net Type: A
DNS	doubtsister.net Type: A
DNS	againstvalley.net Type: A
DNS	doubtvalley.net Type: A
DNS	againstlabor.net Type: A
DNS	doubtlabor.net Type: A
DNS	nightsilver.net Type: A
DNS	decidesilver.net Type: A
DNS	nightsister.net Type: A
DNS	decidesister.net Type: A
DNS	nightvalley.net Type: A
DNS	decidevalley.net Type: A
DNS	nightlabor.net Type: A
DNS	decidelabor.net Type: A
DNS	largesilver.net Type: A
DNS	captainsilver.net Type: A
DNS	largesister.net Type: A
DNS	captainsister.net Type: A
DNS	largevalley.net Type: A
DNS	captainvalley.net Type: A
DNS	largelabor.net Type: A
HTTP GET	http://againstanimal.net/index.php User-Agent:
HTTP GET	http://decideproblem.net/index.php User-Agent:
HTTP GET	http://captainescape.net/index.php User-Agent:
HTTP GET	http://largeanimal.net/index.php User-Agent:
HTTP GET	http://captainanimal.net/index.php User-Agent:
HTTP GET	http://electricescape.net/index.php User-Agent:
HTTP GET	http://flierescape.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP	192.168.1.1:1032 ➝ 72.52.4.90:80
Flows TCP	192.168.1.1:1033 ➝ 50.63.202.16:80
Flows TCP	192.168.1.1:1034 ➝ 54.235.159.97:80
Flows TCP	192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1036 ➝ 103.250.233.242:80
Flows TCP	192.168.1.1:1037 ➝ 72.52.4.90:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6761696e 7374616e 696d616c 2e6e6574   gainstanimal.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   65636964 6570726f 626c656d 2e6e6574   ecideproblem.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e6573 63617065 2e6e6574   aptainescape.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61726765 616e696d 616c2e6e 65740d0a   argeanimal.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e616e 696d616c 2e6e6574   aptainanimal.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6c656374 72696365 73636170 652e6e65   lectricescape.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6c696572 65736361 70652e6e 65740d0a   lierescape.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

Strings