| Property | Value |
|---|---|
| Analysis Date | 2015-10-10 15:39:02 |
| MD5 | 9f8cc22ed0c68c893892d3b1301b84f6 |
| SHA1 | 8f035e3443c21b0ad43ad850c423d20941bc79f8 |
Static Details:

| Property | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Section .text | md5: 90500ff9d7c4b177992d67977fd488f0 sha1: 1f1f054948db04674d425b3be19c27190eb62c20 size: 285696 |
| Section .rdata | md5: f069dbd06d0069da02b6e2e8eab76e9c sha1: b2062e4b2e9f63641022837b198d9a53117d3026 size: 58368 |
| Section .data | md5: 37f1697dfe6eec3c160f92d1132e0cfd sha1: 97ab0ba3d27e299146946a8df0054379543dd134 size: 7168 |
| Section .reloc | md5: 77d5cb72c4a0b11d7575031618b3ea19 sha1: 0a65e2656dc698787ee149e57a5126885096a850 size: 19456 |
| Timestamp | 2015-05-11 06:55:47 |
| Packer | Microsoft Visual C++ 8 |
| PEhash | ad47074dff96cf52b6413150865194bc35a3a6e0 |
| IMPhash | 45d8e353a11987826bb39088998e28d3 |

| AV Engine | Result |
|---|---|
| Rising | Trojan.Win32.Bayrod.b |
| CA (E-Trust Ino) | no_virus |
| F-Secure | Gen:Variant.Diley.1 |
| Dr. Web | Trojan.Bayrob.1 |
| ClamAV | no_virus |
| Arcabit (arcavir) | Gen:Variant.Diley.1 |
| BullGuard | Gen:Variant.Diley.1 |
| Padvish | no_virus |
| VirusBlokAda (vba32) | no_virus |
| CAT (quickheal) | TrojanSpy.Nivdort.OD4 |
| Trend Micro | no_virus |
| Kaspersky | Trojan.Win32.Generic |
| Zillya! | Trojan.Bayrob.Win32.1640 |
| Emsisoft | Gen:Variant.Diley.1 |
| Ikarus | Trojan.Win32.Bayrob |
| Frisk (f-prot) | no_virus |
| Authentium | W32/Nivdort.B.gen!Eldorado |
| MalwareBytes | Trojan.Agent.KVTGen |
| MicroWorld (escan) | Gen:Variant.Diley.1 |
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AL |
| K7 | Trojan ( 004c3a4d1 ) |
| BitDefender | Gen:Variant.Diley.1 |
| Fortinet | W32/Bayrob.T!tr |
| Symantec | Downloader.Upatre!g15 |
| Grisoft (avg) | Win32/Cryptor |
| Eset (nod32) | Win32/Bayrob.W |
| Alwil (avast) | Malware-gen:Win32:Malware-gen |
| Ad-Aware | Gen:Variant.Diley.1 |
| Twister | no_virus |
| Avira (antivir) | TR/Spy.ZBot.xbbeomq |
| Mcafee | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
| Action | Target |
|---|---|
| Creates File | C:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe |
| Creates File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates File | C:\ueanfnuxrjt\sti1nmerd |
| Deletes File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates Process | C:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe |
Process
↳ C:\ueanfnuxrjt\po2l1lqzdkfrttyoazf.exe
| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Intelligent Background Interface ➝ C:\ueanfnuxrjt\vtnbfcednv.exe |
| Creates File | C:\ueanfnuxrjt\vtnbfcednv.exe |
| Creates File | PIPE\lsarpc |
| Creates File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates File | C:\ueanfnuxrjt\ebqcnjrxhsxp |
| Creates File | C:\ueanfnuxrjt\sti1nmerd |
| Deletes File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates Process | C:\ueanfnuxrjt\vtnbfcednv.exe |
| Creates Service | Redirector Credential Procedure PNRP PnP-X - C:\ueanfnuxrjt\vtnbfcednv.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 808
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe
Process
↳ Pid 1212
Process
↳ C:\WINDOWS\system32\spoolsv.exe
| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1848
Process
↳ Pid 1144
Process
↳ C:\ueanfnuxrjt\vtnbfcednv.exe
| Action | Target |
|---|---|
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\ueanfnuxrjt\nmzdqxenu.exe |
| Creates File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\ueanfnuxrjt\blocai4i |
| Creates File | C:\ueanfnuxrjt\ebqcnjrxhsxp |
| Creates File | C:\ueanfnuxrjt\sti1nmerd |
| Deletes File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates Process | goxmuhujei8t "c:\ueanfnuxrjt\vtnbfcednv.exe" |
Process
↳ C:\ueanfnuxrjt\vtnbfcednv.exe
| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates File | C:\ueanfnuxrjt\sti1nmerd |
| Deletes File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
Process
↳ goxmuhujei8t "c:\ueanfnuxrjt\vtnbfcednv.exe"
| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
| Creates File | C:\ueanfnuxrjt\sti1nmerd |
| Deletes File | C:\WINDOWS\ueanfnuxrjt\sti1nmerd |
Network Details:
Raw Pcap
Strings