Analysis Date: 2015-12-12 20:05:50
MD5: 08bc76654f1d6241e8f4f452a551d6b8
SHA1: 9403183bb72ffb2df5d1eba8d5b1eb984aaf3d8b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ac78387d94011b57b5d164d990efa46c sha1: a9093cce435aaf51f973238b5a11e08fc508a421 size: 347136
Section .rdata: md5: 01a39adc0acccb0734af42bedc6e4537 sha1: 65f43cba63c4d219cb2453729947af0ab1849f19 size: 57344
Section .data: md5: d75dedc123023d091a4aeb0d1056e460 sha1: b6b84aacd0e77d5f9d215112bd3aacc85edf16dd size: 7680
Section .reloc: md5: 14b646ba127c38739f2fbc91142ac067 sha1: d92c946ce4feff6490975ffa3d42516cd8eb73ca size: 27136
Timestamp: 2015-11-11 23:17:15
Packer: Microsoft Visual C++ 8 (a compiler signature, not a packer)
PEhash: 8c91e375a0e21bbaa304092a1d381135441e5259
IMPhash: 0766f11ac9fb2b35dec02aa0639d9b13
AV CA (E-Trust Ino): no_virus
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: Trojan-FHOH!08BC76654F1D
AV Avira (antivir): TR/AD.Nivdort.Y.242
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.766982
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AA
AV Grisoft (avg): Win32/Cryptor
AV Symantec: no_virus
AV Fortinet: W32/Bayrob.AA!tr
AV BitDefender: Gen:Variant.Kazy.766982
AV K7: Trojan ( 004d698a1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.766982
AV MalwareBytes: no_virus
AV Authentium: W32/Upatre.GJ.gen!Eldorado
AV Frisk (f-prot): W32/Upatre.GJ.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.766982
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV BullGuard: Gen:Variant.Kazy.766982
AV Arcabit (arcavir): Gen:Variant.Kazy.766982
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.53125
AV F-Secure: Gen:Variant.Kazy.766982

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates File: C:\rplbswbiyqxoci\llw1md4enzdndrasmr.exe
Creates File: C:\rplbswbiyqxoci\rnjhbse4f
Deletes File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates Process: C:\rplbswbiyqxoci\llw1md4enzdndrasmr.exe

Process
↳ C:\rplbswbiyqxoci\llw1md4enzdndrasmr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CardSpace Play Framework System Proxy ➝ C:\rplbswbiyqxoci\fmpnqvf.exe
Creates File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates File: C:\rplbswbiyqxoci\sxprvy
Creates File: PIPE\lsarpc
Creates File: C:\rplbswbiyqxoci\fmpnqvf.exe
Creates File: C:\rplbswbiyqxoci\rnjhbse4f
Deletes File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates Process: C:\rplbswbiyqxoci\fmpnqvf.exe
Creates Service: Desktop Thread Font Grouping Block Link - C:\rplbswbiyqxoci\fmpnqvf.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1160

Process
↳ C:\rplbswbiyqxoci\fmpnqvf.exe

Creates File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates File: pipe\net\NtControlPipe10
Creates File: C:\rplbswbiyqxoci\jyqqyhlha6z
Creates File: C:\rplbswbiyqxoci\sxprvy
Creates File: C:\rplbswbiyqxoci\zdoucbnq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\rplbswbiyqxoci\rnjhbse4f
Deletes File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates Process: sawgrdznkm3r "c:\rplbswbiyqxoci\fmpnqvf.exe"

Process
↳ C:\rplbswbiyqxoci\fmpnqvf.exe

Creates File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates File: C:\rplbswbiyqxoci\rnjhbse4f
Deletes File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f

Process
↳ sawgrdznkm3r "c:\rplbswbiyqxoci\fmpnqvf.exe"

Creates File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
Creates File: C:\rplbswbiyqxoci\rnjhbse4f
Deletes File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f
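
The runtime trace above is the part a responder actually needs: the sample drops a second-stage executable into a random-named directory at the drive root, and that executable installs two autostart hooks pointing at the same file, a Run value and a service, both with names assembled from unrelated Windows component words. The following Python is an added example, not output or code from the sandbox: it parses event lines in the form shown on this page (a handful are copied in as a constructed sample), pulls out the persistence artifacts, cross-checks that every autostart target was actually written during the run, and emits the cmd.exe queries to look for the same artifacts on a suspect host. The label set, the ➝ separator and the " - " between service name and path are assumptions taken from this page's formatting.

```python
import re

# Constructed sample: runtime-event lines copied from the report above in
# "Label: value" form. The parser also accepts the label run straight into the
# value, which is how the raw sandbox export prints it.
SAMPLE_LINES = [
    r"Creates File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f",
    r"Creates File: C:\rplbswbiyqxoci\llw1md4enzdndrasmr.exe",
    r"Deletes File: C:\WINDOWS\rplbswbiyqxoci\rnjhbse4f",
    r"Creates Process: C:\rplbswbiyqxoci\llw1md4enzdndrasmr.exe",
    r"Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    r"\CardSpace Play Framework System Proxy ➝ C:\rplbswbiyqxoci\fmpnqvf.exe",
    r"Creates File: C:\rplbswbiyqxoci\fmpnqvf.exe",
    r"Creates Service: Desktop Thread Font Grouping Block Link - C:\rplbswbiyqxoci\fmpnqvf.exe",
    r"Creates File: C:\rplbswbiyqxoci\zdoucbnq.exe",
    r'Creates Process: sawgrdznkm3r "c:\rplbswbiyqxoci\fmpnqvf.exe"',
]

# Event labels used on this page (assumption); the separator after them is
# optional so the raw "Creates FileC:\..." form parses too.
EVENT_RE = re.compile(
    r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry)\s*:?\s*(.+)$"
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
QUOTED = re.compile(r'"([^"]+)"')


def parse_events(lines):
    """Turn report lines into (label, value) pairs; unknown lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2).strip()))
    return events


def image_path(cmdline):
    """Image path of a Creates Process entry, lower-cased for comparison.
    The second stage is started as <random token> "<real path>", so prefer
    the quoted path when there is one."""
    m = QUOTED.search(cmdline)
    return (m.group(1) if m else cmdline).lower()


def persistence_iocs(events):
    """Collect the artifacts a responder would hunt for on other hosts."""
    iocs = {"run_keys": [], "services": [], "dropped_exes": [],
            "staging_dirs": set(), "child_processes": []}
    for label, value in events:
        if label == "Registry":
            key, _, data = value.partition(" ➝ ")   # separator as printed on this page
            if RUN_KEY_RE.search(key):
                iocs["run_keys"].append((key, data.strip()))
        elif label == "Creates Service":
            name, _, path = value.partition(" - ")  # "name - path" as printed here
            iocs["services"].append((name.strip(), path.strip()))
        elif label == "Creates File" and value.lower().endswith(".exe"):
            iocs["dropped_exes"].append(value)
            iocs["staging_dirs"].add(value.rsplit("\\", 1)[0].lower())
        elif label == "Creates Process":
            iocs["child_processes"].append(image_path(value))
    return iocs


def persistence_targets(iocs):
    """Every executable that some autostart mechanism points at."""
    return ({data.lower() for _, data in iocs["run_keys"]}
            | {path.lower() for _, path in iocs["services"]})


def unexplained_targets(iocs):
    """Autostart targets that were never written during the run. Empty here:
    both hooks point at the dropped fmpnqvf.exe. Anything left over would mean
    the trace missed a write, or the hook points at a pre-existing file."""
    dropped = {p.lower() for p in iocs["dropped_exes"]}
    return persistence_targets(iocs) - dropped


def triage_commands(iocs):
    """cmd.exe one-liners to check a suspect host for the same artifacts."""
    cmds = []
    for key, _ in iocs["run_keys"]:
        hive_path, _, value_name = key.rpartition("\\")
        cmds.append(f'reg query "{hive_path}" /v "{value_name}"')
    for name, _ in iocs["services"]:
        cmds.append(f'sc query "{name}"')
    for d in sorted(iocs["staging_dirs"]):
        cmds.append(f'dir /a "{d}"')
    return cmds


if __name__ == "__main__":
    found = persistence_iocs(parse_events(SAMPLE_LINES))
    print("autostart targets:", sorted(persistence_targets(found)))
    print("unexplained:", sorted(unexplained_targets(found)))
    for cmd in triage_commands(found):
        print(cmd)
```

The cross-check in unexplained_targets is the part worth keeping: on this run both hooks resolve to a file the trace saw being written, so the dropped-file list and the autostart list agree. The random directory name and the random argv[0] token change per infection, so the stable indicators to pivot on are the Run value name, the service name and the fact that a drive-root directory holds the autostart target.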

Network Details:

DNS: orderarticle.net (A) ➝ 192.185.48.176
DNS: gentleangry.net (A) ➝ 98.139.135.129
DNS: melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS: answerservice.net (A) ➝ 108.9.29.73
DNS: glassservice.net (A) ➝ 207.148.248.143
DNS: pleasantriver.net (A) ➝ 72.4.144.233
DNS: leaderservice.net (A) ➝ 62.149.128.166, 62.149.128.72, 62.149.128.74, 62.149.128.151, 62.149.128.154, 62.149.128.157, 62.149.128.160, 62.149.128.163
DNS: leaderriver.net (A) ➝ 208.100.26.234
DNS: gentleriver.net (A) ➝ 85.233.160.22
DNS: requirefifteen.net (A) ➝ no address returned
DNS: orderangry.net (A) ➝ no address returned
DNS: requireangry.net (A) ➝ no address returned
DNS: requirearticle.net (A) ➝ no address returned
DNS: leaderdried.net (A) ➝ no address returned
DNS: heavendried.net (A) ➝ no address returned
DNS: leaderfifteen.net (A) ➝ no address returned
DNS: heavenfifteen.net (A) ➝ no address returned
DNS: leaderangry.net (A) ➝ no address returned
DNS: heavenangry.net (A) ➝ no address returned
DNS: leaderarticle.net (A) ➝ no address returned
DNS: heavenarticle.net (A) ➝ no address returned
DNS: heavydried.net (A) ➝ no address returned
DNS: gentledried.net (A) ➝ no address returned
DNS: heavyfifteen.net (A) ➝ no address returned
DNS: gentlefifteen.net (A) ➝ no address returned
DNS: heavyangry.net (A) ➝ no address returned
DNS: heavyarticle.net (A) ➝ no address returned
DNS: gentlearticle.net (A) ➝ no address returned
DNS: variousdried.net (A) ➝ no address returned
DNS: returndried.net (A) ➝ no address returned
DNS: variousfifteen.net (A) ➝ no address returned
DNS: returnfifteen.net (A) ➝ no address returned
DNS: variousangry.net (A) ➝ no address returned
DNS: returnangry.net (A) ➝ no address returned
DNS: variousarticle.net (A) ➝ no address returned
DNS: returnarticle.net (A) ➝ no address returned
DNS: degreemister.net (A) ➝ no address returned
DNS: forwardmister.net (A) ➝ no address returned
DNS: degreesuppose.net (A) ➝ no address returned
DNS: forwardsuppose.net (A) ➝ no address returned
DNS: degreeservice.net (A) ➝ no address returned
DNS: forwardservice.net (A) ➝ no address returned
DNS: degreeriver.net (A) ➝ no address returned
DNS: forwardriver.net (A) ➝ no address returned
DNS: answermister.net (A) ➝ no address returned
DNS: glassmister.net (A) ➝ no address returned
DNS: answersuppose.net (A) ➝ no address returned
DNS: glasssuppose.net (A) ➝ no address returned
DNS: answerriver.net (A) ➝ no address returned
DNS: glassriver.net (A) ➝ no address returned
DNS: difficultmister.net (A) ➝ no address returned
DNS: heardmister.net (A) ➝ no address returned
DNS: difficultsuppose.net (A) ➝ no address returned
DNS: heardsuppose.net (A) ➝ no address returned
DNS: difficultservice.net (A) ➝ no address returned
DNS: heardservice.net (A) ➝ no address returned
DNS: difficultriver.net (A) ➝ no address returned
DNS: heardriver.net (A) ➝ no address returned
DNS: pleasantmister.net (A) ➝ no address returned
DNS: necessarymister.net (A) ➝ no address returned
DNS: pleasantsuppose.net (A) ➝ no address returned
DNS: necessarysuppose.net (A) ➝ no address returned
DNS: pleasantservice.net (A) ➝ no address returned
DNS: necessaryservice.net (A) ➝ no address returned
DNS: necessaryriver.net (A) ➝ no address returned
DNS: ordermister.net (A) ➝ no address returned
DNS: requiremister.net (A) ➝ no address returned
DNS: ordersuppose.net (A) ➝ no address returned
DNS: requiresuppose.net (A) ➝ no address returned
DNS: orderservice.net (A) ➝ no address returned
DNS: requireservice.net (A) ➝ no address returned
DNS: orderriver.net (A) ➝ no address returned
DNS: requireriver.net (A) ➝ no address returned
DNS: leadermister.net (A) ➝ no address returned
DNS: heavenmister.net (A) ➝ no address returned
DNS: leadersuppose.net (A) ➝ no address returned
DNS: heavensuppose.net (A) ➝ no address returned
DNS: heavenservice.net (A) ➝ no address returned
DNS: heavenriver.net (A) ➝ no address returned
DNS: heavymister.net (A) ➝ no address returned
DNS: gentlemister.net (A) ➝ no address returned
DNS: heavysuppose.net (A) ➝ no address returned
DNS: gentlesuppose.net (A) ➝ no address returned
DNS: heavyservice.net (A) ➝ no address returned
DNS: gentleservice.net (A) ➝ no address returned
DNS: heavyriver.net (A) ➝ no address returned
HTTP GET: http://orderarticle.net/index.php (User-Agent: empty)
HTTP GET: http://gentleangry.net/index.php (User-Agent: empty)
HTTP GET: http://forwardsuppose.net/index.php (User-Agent: empty)
HTTP GET: http://answerservice.net/index.php (User-Agent: empty)
HTTP GET: http://glassservice.net/index.php (User-Agent: empty)
HTTP GET: http://pleasantriver.net/index.php (User-Agent: empty)
HTTP GET: http://leaderservice.net/index.php (User-Agent: empty)
HTTP GET: http://leaderriver.net/index.php (User-Agent: empty)
HTTP GET: http://gentleriver.net/index.php (User-Agent: empty)
Flow TCP: 192.168.1.1:1031 ➝ 192.185.48.176:80
Flow TCP: 192.168.1.1:1032 ➝ 98.139.135.129:80
Flow TCP: 192.168.1.1:1033 ➝ 8.5.1.16:80
Flow TCP: 192.168.1.1:1034 ➝ 108.9.29.73:80
Flow TCP: 192.168.1.1:1035 ➝ 207.148.248.143:80
Flow TCP: 192.168.1.1:1036 ➝ 72.4.144.233:80
Flow TCP: 192.168.1.1:1037 ➝ 62.149.128.166:80
Flow TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
Flow TCP: 192.168.1.1:1039 ➝ 85.233.160.22:80
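
Nearly every name queried above is two English words run together under .net, most got no answer, and the few that resolved were contacted once each on port 80 with an empty User-Agent. That is the profile of a word-list domain generation algorithm, consistent with the Bayrob/Nivdort labels in the AV table. The Python below is an added example, not the sandbox's code: it takes the DNS lookups above (a subset copied into a constructed sample), recovers the prefix and suffix word lists by finding, for each label, the split whose two halves are shared by the most other labels, and then uses the recovered vocabulary to flag further names. The split heuristic and the MIN_PART cut-off are my own assumptions, not a property of the malware, and names that do not fit the grid (the parking host) are left unclassified rather than forced into a split.

```python
from collections import Counter
from itertools import product

# Constructed sample: a subset of the DNS lookups in the report above, one per
# line as "domain [address]". No address means the sandbox saw no A record.
REPORT_DNS = """
orderarticle.net 192.185.48.176
gentleangry.net 98.139.135.129
melbourneit.hotkeysparking.com 8.5.1.16
answerservice.net 108.9.29.73
glassservice.net 207.148.248.143
pleasantriver.net 72.4.144.233
leaderservice.net 62.149.128.166
leaderriver.net 208.100.26.234
gentleriver.net 85.233.160.22
orderangry.net
requireangry.net
requirearticle.net
leaderangry.net
heavenangry.net
heavenarticle.net
heavyarticle.net
gentlearticle.net
glasssuppose.net
answersuppose.net
answerriver.net
glassriver.net
heavyriver.net
gentleservice.net
heavyservice.net
heavenservice.net
orderservice.net
requireservice.net
requireriver.net
heavensuppose.net
forwardsuppose.net
"""

MIN_PART = 4  # shortest word accepted on either side of a split (my assumption)


def parse_dns(text):
    """{domain: first address or None}; repeated lookups collapse to one entry."""
    lookups = {}
    for parts in (line.split() for line in text.strip().splitlines()):
        if parts:
            lookups.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else None)
    return lookups


def split_label(label, pre_count, suf_count):
    """Best (prefix, suffix) split of one label, or None if it shares nothing.

    Only a *maximal* suffix qualifies: it must occur in strictly more labels
    than the suffix one character longer, so 'river' is accepted while 'iver'
    (shared by exactly the same labels) is not. Among maximal splits, the one
    whose halves are each shared with the most other labels wins.
    """
    best, best_score = None, 0
    for i in range(MIN_PART, len(label) - MIN_PART + 1):
        pre, suf = label[:i], label[i:]
        if suf_count[suf] <= suf_count[label[i - 1:]]:
            continue
        score = pre_count[pre] * suf_count[suf]
        if score > best_score:
            best, best_score = (pre, suf), score
    return best if best_score >= 2 else None


def learn_vocab(lookups):
    """Recover both word lists from bare <word><word>.tld names."""
    labels = {d: d.split(".")[0] for d in lookups if d.count(".") == 1}
    pre_count = Counter(l[:i] for l in labels.values() for i in range(1, len(l)))
    suf_count = Counter(l[i:] for l in labels.values() for i in range(1, len(l)))
    splits, unclassified = {}, []
    for d in lookups:
        s = split_label(labels[d], pre_count, suf_count) if d in labels else None
        if s:
            splits[d] = s
        else:
            unclassified.append(d)
    prefixes = sorted({p for p, _ in splits.values()})
    suffixes = sorted({s for _, s in splits.values()})
    return {
        "prefixes": prefixes, "suffixes": suffixes, "splits": splits,
        "unclassified": unclassified, "queried": len(splits),
        "resolved": sum(1 for d in splits if lookups[d]),
        "grid_size": len(prefixes) * len(suffixes),
    }


def matches_vocab(domain, vocab):
    """Does a new name fit the recovered <prefix><suffix>.net grid?"""
    if domain.count(".") != 1 or not domain.endswith(".net"):
        return False
    label = domain.split(".")[0]
    return any(label == p + s for p, s in product(vocab["prefixes"], vocab["suffixes"]))
```

Calling learn_vocab(parse_dns(REPORT_DNS)) on the sample yields ten prefixes and five suffixes, a grid of 50 names of which 29 were queried and 8 answered, with the parking host the only name left unclassified. The recovered vocabulary is a lower bound: leadersuppose.net, which is in the report but not in the sample, is flagged because both halves were learned, while ordermister.net is missed because no *mister name was in the sample. One sandbox run only exposes the words the sample happened to draw, so the word lists should be grown across runs before they are used for blocking.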
