Analysis Date: 2016-04-21 18:30:13
MD5: d4334a2c33e58c41f44383d593a4b28c
SHA1: 9752bba81f9b81bc6184f4972c6245d34f1e1a98

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 9269dbbd14ed3c34f21061f4db44907f  sha1: 14a6630b912c5a3552e45ddd015bc0d80882e511  size: 527872
Section .rdata md5: 3ae7869b64924bc0e8b4b859dafe7c3e  sha1: 6324d1ffe85a56697598801a4625ad1e85e1f04e  size: 26112
Section .data  md5: 77f85b37fb267bc466f51d5fb48495dc  sha1: 7a1221550e5f3092e33ec24754c361f13cecd469  size: 19968
Section .reloc md5: 787b5e01c495e7650e4cdcae9fea6627  sha1: 1476fca57c2d11cbbac3037d64ff0ec9904e7871  size: 39424
Timestamp: 2014-05-21 22:17:47
Packer: Microsoft Visual C++ 8
PEhash: e225fab7bdf803e38dc89e357596f3598a317d1a
IMPhash: 39b126c52e78d6dd3f11fd8a6b856adf
AV Mcafee: Trojan-FHSQ!D4334A2C33E5
AV Avira (antivir): TR/Taranis.2112
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Razy.13928
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.AHGS
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Razy.13928
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Razy.13928
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: Trojan.Bayrob
AV Emsisoft: Gen:Variant.Razy.13928
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Razy.13928
AV F-Secure: Gen:Variant.Razy.13928
AV Arcabit (arcavir): Gen:Variant.Razy.13928
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.13928

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates File: C:\tskbvdvt\jh1x2jwmattpd0h.exe
Creates File: C:\tskbvdvt\x7jexzwraost
Deletes File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates Process: C:\tskbvdvt\jh1x2jwmattpd0h.exe

Process
↳ C:\tskbvdvt\jh1x2jwmattpd0h.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Base Scheduler Font Installer Alerts Human ➝ C:\tskbvdvt\ujjbhuxzpd.exe
Creates File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates File: PIPE\lsarpc
Creates File: C:\tskbvdvt\x7jexzwraost
Creates File: C:\tskbvdvt\zsedjuhrzue
Creates File: C:\tskbvdvt\ujjbhuxzpd.exe
Deletes File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates Process: C:\tskbvdvt\ujjbhuxzpd.exe
Creates Service: Play Configuration Store Transaction Human Audio - C:\tskbvdvt\ujjbhuxzpd.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1144

Process
↳ C:\tskbvdvt\ujjbhuxzpd.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\tskbvdvt\helatqzyl
Creates File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates File: C:\tskbvdvt\zxwwzeza.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\tskbvdvt\x7jexzwraost
Creates File: C:\tskbvdvt\zsedjuhrzue
Deletes File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates Process: chhecxfjflyc "c:\tskbvdvt\ujjbhuxzpd.exe"

Process
↳ C:\tskbvdvt\ujjbhuxzpd.exe

Creates File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates File: C:\tskbvdvt\x7jexzwraost
Deletes File: C:\WINDOWS\tskbvdvt\x7jexzwraost

Process
↳ chhecxfjflyc "c:\tskbvdvt\ujjbhuxzpd.exe"

Creates File: C:\WINDOWS\tskbvdvt\x7jexzwraost
Creates File: C:\tskbvdvt\x7jexzwraost
Deletes File: C:\WINDOWS\tskbvdvt\x7jexzwraost

Network Details:

DNS: streetcorner.net  Type: A  184.168.221.28
DNS: tradecorner.net  Type: A  207.148.248.143
DNS: gathercorner.net  Type: A  54.169.86.95
DNS: breadflower.net  Type: A  195.22.28.196
DNS: breadflower.net  Type: A  195.22.28.198
DNS: breadflower.net  Type: A  195.22.28.199
DNS: breadflower.net  Type: A  195.22.28.197
DNS: breadcorner.net  Type: A  98.124.243.46
DNS: seasonflower.net  Type: A  157.7.107.65
DNS: quietcorner.net  Type: A  216.218.207.107
DNS: streetstranger.net  Type: A  208.100.26.234
DNS: fliergoodbye.net  Type: A  208.91.197.241
DNS: breadgoodbye.net  Type: A  208.100.26.234
DNS: againstanimal.net  Type: A  195.22.28.199
DNS: againstanimal.net  Type: A  195.22.28.198
DNS: againstanimal.net  Type: A  195.22.28.197
DNS: againstanimal.net  Type: A  195.22.28.196
DNS: captainescape.net  Type: A  50.63.202.16
DNS: largeanimal.net  Type: A  52.70.175.181
DNS: captainanimal.net  Type: A  208.100.26.234
DNS: electricescape.net  Type: A  103.250.233.242
DNS: decidesilver.net  Type: A  208.100.26.234
DNS: streetspecial.net  Type: A
DNS: tradespecial.net  Type: A
DNS: betterflower.net  Type: A
DNS: gatherflower.net  Type: A
DNS: betterminute.net  Type: A
DNS: gatherminute.net  Type: A
DNS: betterspecial.net  Type: A
DNS: gatherspecial.net  Type: A
DNS: bettercorner.net  Type: A
DNS: flierflower.net  Type: A
DNS: flierminute.net  Type: A
DNS: breadminute.net  Type: A
DNS: flierspecial.net  Type: A
DNS: breadspecial.net  Type: A
DNS: fliercorner.net  Type: A
DNS: quietflower.net  Type: A
DNS: quietminute.net  Type: A
DNS: seasonminute.net  Type: A
DNS: quietspecial.net  Type: A
DNS: seasonspecial.net  Type: A
DNS: seasoncorner.net  Type: A
DNS: againstadvance.net  Type: A
DNS: doubtadvance.net  Type: A
DNS: againststranger.net  Type: A
DNS: doubtstranger.net  Type: A
DNS: againstgoodbye.net  Type: A
DNS: doubtgoodbye.net  Type: A
DNS: againstfortieth.net  Type: A
DNS: doubtfortieth.net  Type: A
DNS: nightadvance.net  Type: A
DNS: decideadvance.net  Type: A
DNS: nightstranger.net  Type: A
DNS: decidestranger.net  Type: A
DNS: nightgoodbye.net  Type: A
DNS: decidegoodbye.net  Type: A
DNS: nightfortieth.net  Type: A
DNS: decidefortieth.net  Type: A
DNS: largeadvance.net  Type: A
DNS: captainadvance.net  Type: A
DNS: largestranger.net  Type: A
DNS: captainstranger.net  Type: A
DNS: largegoodbye.net  Type: A
DNS: captaingoodbye.net  Type: A
DNS: largefortieth.net  Type: A
DNS: captainfortieth.net  Type: A
DNS: recordadvance.net  Type: A
DNS: electricadvance.net  Type: A
DNS: recordstranger.net  Type: A
DNS: electricstranger.net  Type: A
DNS: recordgoodbye.net  Type: A
DNS: electricgoodbye.net  Type: A
DNS: recordfortieth.net  Type: A
DNS: electricfortieth.net  Type: A
DNS: streetadvance.net  Type: A
DNS: tradeadvance.net  Type: A
DNS: tradestranger.net  Type: A
DNS: streetgoodbye.net  Type: A
DNS: tradegoodbye.net  Type: A
DNS: streetfortieth.net  Type: A
DNS: tradefortieth.net  Type: A
DNS: betteradvance.net  Type: A
DNS: gatheradvance.net  Type: A
DNS: betterstranger.net  Type: A
DNS: gatherstranger.net  Type: A
DNS: bettergoodbye.net  Type: A
DNS: gathergoodbye.net  Type: A
DNS: betterfortieth.net  Type: A
DNS: gatherfortieth.net  Type: A
DNS: flieradvance.net  Type: A
DNS: breadadvance.net  Type: A
DNS: flierstranger.net  Type: A
DNS: breadstranger.net  Type: A
DNS: flierfortieth.net  Type: A
DNS: breadfortieth.net  Type: A
DNS: quietadvance.net  Type: A
DNS: seasonadvance.net  Type: A
DNS: quietstranger.net  Type: A
DNS: seasonstranger.net  Type: A
DNS: quietgoodbye.net  Type: A
DNS: seasongoodbye.net  Type: A
DNS: quietfortieth.net  Type: A
DNS: seasonfortieth.net  Type: A
DNS: againstescape.net  Type: A
DNS: doubtescape.net  Type: A
DNS: doubtanimal.net  Type: A
DNS: againstproblem.net  Type: A
DNS: doubtproblem.net  Type: A
DNS: againstmodern.net  Type: A
DNS: doubtmodern.net  Type: A
DNS: nightescape.net  Type: A
DNS: decideescape.net  Type: A
DNS: nightanimal.net  Type: A
DNS: decideanimal.net  Type: A
DNS: nightproblem.net  Type: A
DNS: decideproblem.net  Type: A
DNS: nightmodern.net  Type: A
DNS: decidemodern.net  Type: A
DNS: largeescape.net  Type: A
DNS: largeproblem.net  Type: A
DNS: captainproblem.net  Type: A
DNS: largemodern.net  Type: A
DNS: captainmodern.net  Type: A
DNS: recordescape.net  Type: A
DNS: recordanimal.net  Type: A
DNS: electricanimal.net  Type: A
DNS: recordproblem.net  Type: A
DNS: electricproblem.net  Type: A
DNS: recordmodern.net  Type: A
DNS: electricmodern.net  Type: A
DNS: streetescape.net  Type: A
DNS: tradeescape.net  Type: A
DNS: streetanimal.net  Type: A
DNS: tradeanimal.net  Type: A
DNS: streetproblem.net  Type: A
DNS: tradeproblem.net  Type: A
DNS: streetmodern.net  Type: A
DNS: trademodern.net  Type: A
DNS: betterescape.net  Type: A
DNS: gatherescape.net  Type: A
DNS: betteranimal.net  Type: A
DNS: gatheranimal.net  Type: A
DNS: betterproblem.net  Type: A
DNS: gatherproblem.net  Type: A
DNS: bettermodern.net  Type: A
DNS: gathermodern.net  Type: A
DNS: flierescape.net  Type: A
DNS: breadescape.net  Type: A
DNS: flieranimal.net  Type: A
DNS: breadanimal.net  Type: A
DNS: flierproblem.net  Type: A
DNS: breadproblem.net  Type: A
DNS: fliermodern.net  Type: A
DNS: breadmodern.net  Type: A
DNS: quietescape.net  Type: A
DNS: seasonescape.net  Type: A
DNS: quietanimal.net  Type: A
DNS: seasonanimal.net  Type: A
DNS: quietproblem.net  Type: A
DNS: seasonproblem.net  Type: A
DNS: quietmodern.net  Type: A
DNS: seasonmodern.net  Type: A
DNS: againstsilver.net  Type: A
DNS: doubtsilver.net  Type: A
DNS: againstsister.net  Type: A
DNS: doubtsister.net  Type: A
DNS: againstvalley.net  Type: A
DNS: doubtvalley.net  Type: A
DNS: againstlabor.net  Type: A
DNS: doubtlabor.net  Type: A
DNS: nightsilver.net  Type: A
DNS: nightsister.net  Type: A
DNS: decidesister.net  Type: A
DNS: nightvalley.net  Type: A
DNS: decidevalley.net  Type: A
HTTP GET: http://streetcorner.net/index.php  User-Agent:
HTTP GET: http://tradecorner.net/index.php  User-Agent:
HTTP GET: http://gathercorner.net/index.php  User-Agent:
HTTP GET: http://breadflower.net/index.php  User-Agent:
HTTP GET: http://breadcorner.net/index.php  User-Agent:
HTTP GET: http://seasonflower.net/index.php  User-Agent:
HTTP GET: http://quietcorner.net/index.php  User-Agent:
HTTP GET: http://streetstranger.net/index.php  User-Agent:
HTTP GET: http://fliergoodbye.net/index.php  User-Agent:
HTTP GET: http://breadgoodbye.net/index.php  User-Agent:
HTTP GET: http://againstanimal.net/index.php  User-Agent:
HTTP GET: http://captainescape.net/index.php  User-Agent:
HTTP GET: http://largeanimal.net/index.php  User-Agent:
HTTP GET: http://captainanimal.net/index.php  User-Agent:
HTTP GET: http://electricescape.net/index.php  User-Agent:
HTTP GET: http://decidesilver.net/index.php  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.28:80
Flows TCP: 192.168.1.1:1032 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1033 ➝ 54.169.86.95:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1035 ➝ 98.124.243.46:80
Flows TCP: 192.168.1.1:1036 ➝ 157.7.107.65:80
Flows TCP: 192.168.1.1:1037 ➝ 216.218.207.107:80
Flows TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1042 ➝ 50.63.202.16:80
Flows TCP: 192.168.1.1:1043 ➝ 52.70.175.181:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1045 ➝ 103.250.233.242:80
Flows TCP: 192.168.1.1:1046 ➝ 208.100.26.234:80
