Analysis Date: 2016-04-16 04:26:01
MD5: cfa7b210e8ea9141cbd174d0ee2e98ae
SHA1: 90404a07fa833da7e394c7414afdf725d8f88202

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: b6f68a003d9c9a3c8530a5741dd9dd43  sha1: b866ec303f41e0f36d9530cc94bb774716e97916  size: 316416
Section .rdata  md5: fd408cadda85424d7c2b1cccd13563d8  sha1: d6cd91b83b52bcb3a8d23efe3d771d6e8925ea1a  size: 55296
Section .data   md5: f4e6ae59dbd808bbb3746e3156ae178c  sha1: 3fa24eded2d21930377d1c10b5976e69f7ae0c9d  size: 7168
Section .reloc  md5: 23efa0b6f26e603c3d063db2bd3b3537  sha1: d7b55f7c7de48bba706e667ab2fd8bd7a03a239e  size: 20992
Timestamp: 2015-11-11 23:19:00 (PE header link time; easily forged, so only weak evidence of the build date)
Packer: Microsoft Visual C++ 8 (a compiler signature, not a packer; this field alone does not establish whether the binary is packed)
PEhash: bf378f494aef6a733afeac2659d749620d32c2bc
IMPhash: 0766f11ac9fb2b35dec02aa0639d9b13
AV Rising: Trojan.Win32.Bayrod.b
AV CA (E-Trust Ino): Gen:Variant.Razy.15522
AV F-Secure: Gen:Variant.Razy.15522
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.15522
AV BullGuard: Gen:Variant.Razy.15522
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.15522
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.D.gen!Eldorado
AV Authentium: W32/Nivdort.D.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.15522
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CD
AV K7: Trojan ( 004da8bd1 )
AV BitDefender: Gen:Variant.Razy.15522
AV Fortinet: W32/Bayrob.BM!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.AA
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Razy.15522
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.ZPACK.uvtz
AV McAfee: Generic-FAWY!CFA7B210E8EA

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\khsaexyp\cskmmbowraai
Creates File: C:\WINDOWS\khsaexyp\cskmmbowraai
Creates File: C:\khsaexyp\bssm1jcmnsphlzbbkxhq.exe
Deletes File: C:\WINDOWS\khsaexyp\cskmmbowraai
Creates Process: C:\khsaexyp\bssm1jcmnsphlzbbkxhq.exe

Process
↳ C:\khsaexyp\bssm1jcmnsphlzbbkxhq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Netlogon Virtual Awareness WinHTTP Policy ➝ C:\khsaexyp\pldyomkef.exe
Creates File: C:\khsaexyp\pldyomkef.exe
Creates File: C:\khsaexyp\cskmmbowraai
Creates File: C:\WINDOWS\khsaexyp\cskmmbowraai
Creates File: C:\khsaexyp\xpto5x
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\khsaexyp\cskmmbowraai
Creates Process: C:\khsaexyp\pldyomkef.exe
Creates Service: Backup Profile Adapter Interface Endpoint Server - C:\khsaexyp\pldyomkef.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1052

Process
↳ C:\khsaexyp\pldyomkef.exe

Creates File: C:\khsaexyp\cskmmbowraai
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\khsaexyp\cskmmbowraai
Creates File: C:\khsaexyp\xpto5x
Creates File: \Device\Afd\Endpoint
Creates File: C:\khsaexyp\cpzvditt.exe
Creates File: C:\khsaexyp\drqihysla37k
Deletes File: C:\WINDOWS\khsaexyp\cskmmbowraai
Creates Process: iy1qzusnnxth "c:\khsaexyp\pldyomkef.exe"

Process
↳ C:\khsaexyp\pldyomkef.exe

Creates File: C:\khsaexyp\cskmmbowraai
Creates File: C:\WINDOWS\khsaexyp\cskmmbowraai
Deletes File: C:\WINDOWS\khsaexyp\cskmmbowraai

Process
↳ iy1qzusnnxth "c:\khsaexyp\pldyomkef.exe"

Creates File: C:\khsaexyp\cskmmbowraai
Creates File: C:\WINDOWS\khsaexyp\cskmmbowraai
Deletes File: C:\WINDOWS\khsaexyp\cskmmbowraai
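The process tree above is a three-stage install: C:\malware.exe creates a directory with an apparently random name directly under the drive root (C:\khsaexyp), drops and runs a second stage, and that stage installs a third binary (pldyomkef.exe) as both a Run-key value and a service under Windows-sounding names, later relaunching it with a random first token on the command line. The Python below is an example added to this report, not sandbox output: it parses those behavioural events into host IOCs and encodes the hunting rule they suggest, an autostart entry (Run key or service) whose image is a freshly dropped file in a directory sitting directly under the drive root. The event lines are copied from the process blocks above; the "Creates File" entries for PIPE\lsarpc, pipe\net\NtControlPipe10 and \Device\Afd\Endpoint are handle opens on a named pipe and the socket device rather than files on disk, so the parser skips anything without a drive letter. The tab-separated layout, the allow list of standard top-level directories and all function names are this example's own assumptions.

```python
"""Host IOCs and a persistence hunting rule from the sandbox's behavioural events.
Example added to this report; the EVENTS text is copied from the report, the
layout and rule are assumptions of this example."""
import re
from pathlib import PureWindowsPath

# Constructed input: "<event>\t<value>", one line per event from the blocks above.
EVENTS = """\
Creates File\tC:\\khsaexyp\\cskmmbowraai
Creates File\tC:\\WINDOWS\\khsaexyp\\cskmmbowraai
Creates File\tC:\\khsaexyp\\bssm1jcmnsphlzbbkxhq.exe
Deletes File\tC:\\WINDOWS\\khsaexyp\\cskmmbowraai
Creates Process\tC:\\khsaexyp\\bssm1jcmnsphlzbbkxhq.exe
Registry\tHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Netlogon Virtual Awareness WinHTTP Policy ➝ C:\\khsaexyp\\pldyomkef.exe
Creates File\tC:\\khsaexyp\\pldyomkef.exe
Creates File\tC:\\khsaexyp\\xpto5x
Creates File\tPIPE\\lsarpc
Creates Process\tC:\\khsaexyp\\pldyomkef.exe
Creates Service\tBackup Profile Adapter Interface Endpoint Server - C:\\khsaexyp\\pldyomkef.exe
Creates File\tpipe\\net\\NtControlPipe10
Creates File\t\\Device\\Afd\\Endpoint
Creates File\tC:\\khsaexyp\\cpzvditt.exe
Creates File\tC:\\khsaexyp\\drqihysla37k
Creates Process\tiy1qzusnnxth "c:\\khsaexyp\\pldyomkef.exe"
"""

DRIVE = re.compile(r"[A-Za-z]:\\")                       # "C:\" prefix of an absolute path
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\(?P<name>.+?) ➝ (?P<image>.+)$")
SERVICE = re.compile(r"^(?P<name>.+?) - (?P<image>.+)$")  # "<display name> - <image path>"

# Top-level directories where an autostart image is normal; anything else directly
# under the drive root (or the root itself) is treated as suspicious (assumed list).
TOP_LEVEL_ALLOW = {"windows", "program files", "program files (x86)", "programdata", "users"}


def parse_events(text):
    """Yield (event, value) pairs from the tab-separated report lines."""
    for line in text.splitlines():
        if line.strip():
            event, value = line.split("\t", 1)
            yield event, value


def shallow_root_path(image):
    """True when the executable lives in the drive root or in a single directory
    directly beneath it that is not a standard Windows location (C:\\khsaexyp\\x.exe)."""
    parts = PureWindowsPath(image).parts
    if len(parts) < 2 or not DRIVE.fullmatch(parts[0]):
        return False          # relative path or no drive letter: not assessed here
    dirs = parts[1:-1]        # directory components between drive and file name
    return len(dirs) <= 1 and (not dirs or dirs[0].lower() not in TOP_LEVEL_ALLOW)


def host_iocs(events):
    """Collect dropped/deleted files, spawned processes and autostart entries."""
    iocs = {"files": set(), "deleted": set(), "processes": [], "autostart": []}
    for event, value in events:
        if event == "Creates File" and DRIVE.match(value):
            iocs["files"].add(value)          # pipes and \Device\ handles are skipped
        elif event == "Deletes File" and DRIVE.match(value):
            iocs["deleted"].add(value)
        elif event == "Creates Process":
            iocs["processes"].append(value)
        elif event == "Registry":
            m = RUN_KEY.search(value)
            if m:
                iocs["autostart"].append(("Run", m["name"], m["image"]))
        elif event == "Creates Service":
            m = SERVICE.match(value)
            if m:
                iocs["autostart"].append(("Service", m["name"], m["image"]))
    iocs["dropped_dirs"] = {str(PureWindowsPath(f).parent) for f in iocs["files"]}
    return iocs


def flag_persistence(iocs):
    """Autostart entries whose image is a dropped file in a shallow root directory."""
    dropped = {f.lower() for f in iocs["files"]}
    return [(kind, name, image) for kind, name, image in iocs["autostart"]
            if image.lower() in dropped and shallow_root_path(image)]


if __name__ == "__main__":
    iocs = host_iocs(parse_events(EVENTS))
    for path in sorted(iocs["files"]):
        print("dropped :", path)
    for kind, name, image in flag_persistence(iocs):
        print(f"persist : {kind} '{name}' -> {image}")
```

Both persistence entries point at the same dropped image, so on a live host the Run value and the service are two findings for one implant; the directory C:\khsaexyp and the three dropped executables are the host IOCs to sweep for. The rule is a heuristic: legitimate installers occasionally drop into a root-level folder too, so use it to surface candidates rather than to auto-block.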

Network Details:

DNS A: seasonprobable.net ➝ 195.22.28.196, 195.22.28.199, 195.22.28.198, 195.22.28.197
DNS A: againstwelcome.net ➝ 195.22.28.196, 195.22.28.199, 195.22.28.198, 195.22.28.197
DNS A: largeproud.net ➝ 208.100.26.234
DNS A: tradearound.net ➝ 50.63.202.36
DNS A: tradeproud.net ➝ 50.63.202.34
DNS A: streetcomplete.net ➝ 192.64.119.236
DNS A: gatheraround.net ➝ 199.59.243.120
DNS A: againstnature.net ➝ 50.87.144.164
DNS A: betterprobable.net ➝ (no answer)
DNS A: gatherprobable.net ➝ (no answer)
DNS A: flierwagon.net ➝ (no answer)
DNS A: breadwagon.net ➝ (no answer)
DNS A: flierwithout.net ➝ (no answer)
DNS A: breadwithout.net ➝ (no answer)
DNS A: flierkitchen.net ➝ (no answer)
DNS A: breadkitchen.net ➝ (no answer)
DNS A: flierprobable.net ➝ (no answer)
DNS A: breadprobable.net ➝ (no answer)
DNS A: quietwagon.net ➝ (no answer)
DNS A: seasonwagon.net ➝ (no answer)
DNS A: quietwithout.net ➝ (no answer)
DNS A: seasonwithout.net ➝ (no answer)
DNS A: quietkitchen.net ➝ (no answer)
DNS A: seasonkitchen.net ➝ (no answer)
DNS A: quietprobable.net ➝ (no answer)
DNS A: doubtwelcome.net ➝ (no answer)
DNS A: againstaround.net ➝ (no answer)
DNS A: doubtaround.net ➝ (no answer)
DNS A: againstproud.net ➝ (no answer)
DNS A: doubtproud.net ➝ (no answer)
DNS A: againstcomplete.net ➝ (no answer)
DNS A: doubtcomplete.net ➝ (no answer)
DNS A: nightwelcome.net ➝ (no answer)
DNS A: decidewelcome.net ➝ (no answer)
DNS A: nightaround.net ➝ (no answer)
DNS A: decidearound.net ➝ (no answer)
DNS A: nightproud.net ➝ (no answer)
DNS A: decideproud.net ➝ (no answer)
DNS A: nightcomplete.net ➝ (no answer)
DNS A: decidecomplete.net ➝ (no answer)
DNS A: largewelcome.net ➝ (no answer)
DNS A: captainwelcome.net ➝ (no answer)
DNS A: largearound.net ➝ (no answer)
DNS A: captainaround.net ➝ (no answer)
DNS A: captainproud.net ➝ (no answer)
DNS A: largecomplete.net ➝ (no answer)
DNS A: captaincomplete.net ➝ (no answer)
DNS A: recordwelcome.net ➝ (no answer)
DNS A: electricwelcome.net ➝ (no answer)
DNS A: recordaround.net ➝ (no answer)
DNS A: electricaround.net ➝ (no answer)
DNS A: recordproud.net ➝ (no answer)
DNS A: electricproud.net ➝ (no answer)
DNS A: recordcomplete.net ➝ (no answer)
DNS A: electriccomplete.net ➝ (no answer)
DNS A: streetwelcome.net ➝ (no answer)
DNS A: tradewelcome.net ➝ (no answer)
DNS A: streetaround.net ➝ (no answer)
DNS A: streetproud.net ➝ (no answer)
DNS A: tradecomplete.net ➝ (no answer)
DNS A: betterwelcome.net ➝ (no answer)
DNS A: gatherwelcome.net ➝ (no answer)
DNS A: betteraround.net ➝ (no answer)
DNS A: betterproud.net ➝ (no answer)
DNS A: gatherproud.net ➝ (no answer)
DNS A: bettercomplete.net ➝ (no answer)
DNS A: gathercomplete.net ➝ (no answer)
DNS A: flierwelcome.net ➝ (no answer)
DNS A: breadwelcome.net ➝ (no answer)
DNS A: flieraround.net ➝ (no answer)
DNS A: breadaround.net ➝ (no answer)
DNS A: flierproud.net ➝ (no answer)
DNS A: breadproud.net ➝ (no answer)
DNS A: fliercomplete.net ➝ (no answer)
DNS A: breadcomplete.net ➝ (no answer)
DNS A: quietwelcome.net ➝ (no answer)
DNS A: seasonwelcome.net ➝ (no answer)
DNS A: quietaround.net ➝ (no answer)
DNS A: seasonaround.net ➝ (no answer)
DNS A: quietproud.net ➝ (no answer)
DNS A: seasonproud.net ➝ (no answer)
DNS A: quietcomplete.net ➝ (no answer)
DNS A: seasoncomplete.net ➝ (no answer)
DNS A: doubtnature.net ➝ (no answer)
DNS A: againstneedle.net ➝ (no answer)
HTTP GET: http://seasonprobable.net/index.php  User-Agent: (blank)
HTTP GET: http://againstwelcome.net/index.php  User-Agent: (blank)
HTTP GET: http://largeproud.net/index.php  User-Agent: (blank)
HTTP GET: http://tradearound.net/index.php  User-Agent: (blank)
HTTP GET: http://tradeproud.net/index.php  User-Agent: (blank)
HTTP GET: http://streetcomplete.net/index.php  User-Agent: (blank)
HTTP GET: http://gatheraround.net/index.php  User-Agent: (blank)
HTTP GET: http://againstnature.net/index.php  User-Agent: (blank)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.36:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.34:80
Flows TCP: 192.168.1.1:1036 ➝ 192.64.119.236:80
Flows TCP: 192.168.1.1:1037 ➝ 199.59.243.120:80
Flows TCP: 192.168.1.1:1038 ➝ 50.87.144.164:80
