Analysis Date: 2016-02-03 01:28:25
MD5: b0bed6fdac9e9766eaf330daf3c7b9d2
SHA1: 9cd8258b459b1a1054eea41923ddf9423a44cd5c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f0d6c8343a2439c80df7d012499f4c18 sha1: 9de6be4fe5e9ebb36f22e30a7899a8d30e3ef5f4 size: 529408
Section .rdata md5: 8506d13cb0f7b70793598f2c1d36e100 sha1: f22596ff4aa80ab2819420cf59025aa0c3c83898 size: 26112
Section .data md5: 0579f8b0a39953c5b349939d4a209ed4 sha1: ff7bdbd14d920c570c7a34e78cab65cf73fc93e5 size: 20992
Section .reloc md5: e9c080db05fef880aa1995b3a2dd8bb3 sha1: 2db1954259eb662595fd657d4ff406b268ee7e93 size: 39424
Timestamp: 2014-11-19 16:44:28
Packer: Microsoft Visual C++ 8
PEhash: 6290aa65ac3626d840c2bba01d8660f931f3d41e
IMPhash: 5c6c81eba5e5b506c6bc113fd759867c
AV CA (E-Trust Ino): No Virus
AV Rising: 0x59a3f320
AV Mcafee: Trojan-FHSQ!B0BED6FDAC9E
AV Avira (antivir): TR/Taranis.2113
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.AHZT
AV Symantec: Trojan.Gen
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: Trojan.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ntxahbzrs\nthx1lkhdnbaxbtiof.exe
Creates File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates File: C:\ntxahbzrs\s3bk5bricj
Deletes File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates Process: C:\ntxahbzrs\nthx1lkhdnbaxbtiof.exe

Process
↳ C:\ntxahbzrs\nthx1lkhdnbaxbtiof.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\BitLocker Framework Keying ➝ C:\ntxahbzrs\bkmmlrlgyp.exe
Creates File: C:\ntxahbzrs\rqnyyasb
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates File: C:\ntxahbzrs\bkmmlrlgyp.exe
Creates File: C:\ntxahbzrs\s3bk5bricj
Deletes File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates Process: C:\ntxahbzrs\bkmmlrlgyp.exe
Creates Service: Health Background Tools Config Foundation - C:\ntxahbzrs\bkmmlrlgyp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1164

Process
↳ C:\ntxahbzrs\bkmmlrlgyp.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ntxahbzrs\rqnyyasb
Creates File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates File: \Device\Afd\Endpoint
Creates File: C:\ntxahbzrs\kibaduj
Creates File: C:\ntxahbzrs\ohmenlsorfdt.exe
Creates File: C:\ntxahbzrs\s3bk5bricj
Deletes File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates Process: bxxlqwe1t0qp "c:\ntxahbzrs\bkmmlrlgyp.exe"

Process
↳ C:\ntxahbzrs\bkmmlrlgyp.exe

Creates File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates File: C:\ntxahbzrs\s3bk5bricj
Deletes File: C:\WINDOWS\ntxahbzrs\s3bk5bricj

Process
↳ bxxlqwe1t0qp "c:\ntxahbzrs\bkmmlrlgyp.exe"

Creates File: C:\WINDOWS\ntxahbzrs\s3bk5bricj
Creates File: C:\ntxahbzrs\s3bk5bricj
Deletes File: C:\WINDOWS\ntxahbzrs\s3bk5bricj

Network Details:

DNS: membersystem.net Type: A ➝ 85.13.128.193
DNS: followtrust.net Type: A ➝ 68.178.232.100
DNS: crowdneither.net Type: A ➝ 195.22.28.196
DNS: crowdneither.net Type: A ➝ 195.22.28.197
DNS: crowdneither.net Type: A ➝ 195.22.28.198
DNS: crowdneither.net Type: A ➝ 195.22.28.199
DNS: thoughtsystem.net Type: A ➝ 213.171.195.105
DNS: watersystem.net Type: A ➝ 199.59.243.120
DNS: watertrust.net Type: A ➝ 208.91.197.27
DNS: smokesystem.net Type: A ➝ 208.100.26.234
DNS: smoketrust.net Type: A ➝ 98.139.135.129
DNS: partysystem.net Type: A ➝ 82.165.73.79
DNS: crowdfriend.net Type: A ➝ 50.63.202.48
DNS: waterfriend.net Type: A ➝ 69.64.147.242
DNS: partyfriend.net Type: A ➝ 89.31.143.16
DNS: freshfuture.net Type: A ➝ 66.39.68.24
DNS: gentlemanearly.net Type: A ➝ 208.100.26.234
DNS: gentlemanhonor.net Type: A (no address recorded)
DNS: alreadyhonor.net Type: A (no address recorded)
DNS: gentlemanneither.net Type: A (no address recorded)
DNS: alreadyneither.net Type: A (no address recorded)
DNS: gentlemansystem.net Type: A (no address recorded)
DNS: alreadysystem.net Type: A (no address recorded)
DNS: gentlemantrust.net Type: A (no address recorded)
DNS: alreadytrust.net Type: A (no address recorded)
DNS: followhonor.net Type: A (no address recorded)
DNS: memberhonor.net Type: A (no address recorded)
DNS: followneither.net Type: A (no address recorded)
DNS: memberneither.net Type: A (no address recorded)
DNS: followsystem.net Type: A (no address recorded)
DNS: membertrust.net Type: A (no address recorded)
DNS: beginhonor.net Type: A (no address recorded)
DNS: knownhonor.net Type: A (no address recorded)
DNS: beginneither.net Type: A (no address recorded)
DNS: knownneither.net Type: A (no address recorded)
DNS: beginsystem.net Type: A (no address recorded)
DNS: knownsystem.net Type: A (no address recorded)
DNS: begintrust.net Type: A (no address recorded)
DNS: knowntrust.net Type: A (no address recorded)
DNS: summerhonor.net Type: A (no address recorded)
DNS: crowdhonor.net Type: A (no address recorded)
DNS: summerneither.net Type: A (no address recorded)
DNS: summersystem.net Type: A (no address recorded)
DNS: crowdsystem.net Type: A (no address recorded)
DNS: summertrust.net Type: A (no address recorded)
DNS: crowdtrust.net Type: A (no address recorded)
DNS: thoughthonor.net Type: A (no address recorded)
DNS: waterhonor.net Type: A (no address recorded)
DNS: thoughtneither.net Type: A (no address recorded)
DNS: waterneither.net Type: A (no address recorded)
DNS: thoughttrust.net Type: A (no address recorded)
DNS: womanhonor.net Type: A (no address recorded)
DNS: smokehonor.net Type: A (no address recorded)
DNS: womanneither.net Type: A (no address recorded)
DNS: smokeneither.net Type: A (no address recorded)
DNS: womansystem.net Type: A (no address recorded)
DNS: womantrust.net Type: A (no address recorded)
DNS: partyhonor.net Type: A (no address recorded)
DNS: fighthonor.net Type: A (no address recorded)
DNS: partyneither.net Type: A (no address recorded)
DNS: fightneither.net Type: A (no address recorded)
DNS: fightsystem.net Type: A (no address recorded)
DNS: partytrust.net Type: A (no address recorded)
DNS: fighttrust.net Type: A (no address recorded)
DNS: freshlaughter.net Type: A (no address recorded)
DNS: experiencelaughter.net Type: A (no address recorded)
DNS: freshfancy.net Type: A (no address recorded)
DNS: experiencefancy.net Type: A (no address recorded)
DNS: freshconsider.net Type: A (no address recorded)
DNS: experienceconsider.net Type: A (no address recorded)
DNS: freshfriend.net Type: A (no address recorded)
DNS: experiencefriend.net Type: A (no address recorded)
DNS: gentlemanlaughter.net Type: A (no address recorded)
DNS: alreadylaughter.net Type: A (no address recorded)
DNS: gentlemanfancy.net Type: A (no address recorded)
DNS: alreadyfancy.net Type: A (no address recorded)
DNS: gentlemanconsider.net Type: A (no address recorded)
DNS: alreadyconsider.net Type: A (no address recorded)
DNS: gentlemanfriend.net Type: A (no address recorded)
DNS: alreadyfriend.net Type: A (no address recorded)
DNS: followlaughter.net Type: A (no address recorded)
DNS: memberlaughter.net Type: A (no address recorded)
DNS: followfancy.net Type: A (no address recorded)
DNS: memberfancy.net Type: A (no address recorded)
DNS: followconsider.net Type: A (no address recorded)
DNS: memberconsider.net Type: A (no address recorded)
DNS: followfriend.net Type: A (no address recorded)
DNS: memberfriend.net Type: A (no address recorded)
DNS: beginlaughter.net Type: A (no address recorded)
DNS: knownlaughter.net Type: A (no address recorded)
DNS: beginfancy.net Type: A (no address recorded)
DNS: knownfancy.net Type: A (no address recorded)
DNS: beginconsider.net Type: A (no address recorded)
DNS: knownconsider.net Type: A (no address recorded)
DNS: beginfriend.net Type: A (no address recorded)
DNS: knownfriend.net Type: A (no address recorded)
DNS: summerlaughter.net Type: A (no address recorded)
DNS: crowdlaughter.net Type: A (no address recorded)
DNS: summerfancy.net Type: A (no address recorded)
DNS: crowdfancy.net Type: A (no address recorded)
DNS: summerconsider.net Type: A (no address recorded)
DNS: crowdconsider.net Type: A (no address recorded)
DNS: summerfriend.net Type: A (no address recorded)
DNS: thoughtlaughter.net Type: A (no address recorded)
DNS: waterlaughter.net Type: A (no address recorded)
DNS: thoughtfancy.net Type: A (no address recorded)
DNS: waterfancy.net Type: A (no address recorded)
DNS: thoughtconsider.net Type: A (no address recorded)
DNS: waterconsider.net Type: A (no address recorded)
DNS: thoughtfriend.net Type: A (no address recorded)
DNS: womanlaughter.net Type: A (no address recorded)
DNS: smokelaughter.net Type: A (no address recorded)
DNS: womanfancy.net Type: A (no address recorded)
DNS: smokefancy.net Type: A (no address recorded)
DNS: womanconsider.net Type: A (no address recorded)
DNS: smokeconsider.net Type: A (no address recorded)
DNS: womanfriend.net Type: A (no address recorded)
DNS: smokefriend.net Type: A (no address recorded)
DNS: partylaughter.net Type: A (no address recorded)
DNS: fightlaughter.net Type: A (no address recorded)
DNS: partyfancy.net Type: A (no address recorded)
DNS: fightfancy.net Type: A (no address recorded)
DNS: partyconsider.net Type: A (no address recorded)
DNS: fightconsider.net Type: A (no address recorded)
DNS: fightfriend.net Type: A (no address recorded)
DNS: freshsmell.net Type: A (no address recorded)
DNS: experiencesmell.net Type: A (no address recorded)
DNS: freshearly.net Type: A (no address recorded)
DNS: experienceearly.net Type: A (no address recorded)
DNS: freshsafety.net Type: A (no address recorded)
DNS: experiencesafety.net Type: A (no address recorded)
DNS: experiencefuture.net Type: A (no address recorded)
DNS: gentlemansmell.net Type: A (no address recorded)
DNS: alreadysmell.net Type: A (no address recorded)
DNS: alreadyearly.net Type: A (no address recorded)
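Every name the sample queried has the shape <word><word>.net, and several of the AV verdicts above (Nivdort, Bayrob) point at a family known for a dictionary-based DGA. The following is an added example, not part of the sandbox report or the malware's own code: it takes a subset of the names listed above, infers the two wordlists with a greedy split heuristic, and uses them to classify new names and pre-generate the rest of the cross product for a blocklist or sinkhole. The split heuristic, the .net-only check and the minimum word length are my assumptions, and the recovered vocabulary is only what this one run exposed, not the malware's full dictionary.

```python
"""Recover the two-word vocabulary behind the dictionary-style DGA names in
the sandbox report, then classify and pre-generate candidates from it.
Added example: heuristic, offline, wordlists inferred from observed names."""
from collections import Counter
from itertools import product

# Subset of the names the sample queried, copied from the report's DNS section.
# In practice the full list would be fed in; the subset keeps the block short.
OBSERVED = [
    "membersystem.net", "followtrust.net", "crowdneither.net", "thoughtsystem.net",
    "watersystem.net", "watertrust.net", "smokesystem.net", "smoketrust.net",
    "partysystem.net", "crowdfriend.net", "waterfriend.net", "partyfriend.net",
    "freshfuture.net", "gentlemanearly.net", "gentlemanhonor.net", "alreadyhonor.net",
    "alreadysystem.net", "followhonor.net", "memberhonor.net", "beginneither.net",
    "knownsystem.net", "summertrust.net", "womanfriend.net", "fightsystem.net",
    "experiencefuture.net", "freshearly.net", "alreadyearly.net", "smokeneither.net",
]

MIN_PART = 3  # assumption: each half of a label is at least this many characters


def infer_vocab(domains, min_support=2):
    """Greedy split of each second-level label into prefix word + suffix word.

    Repeatedly take the suffix shared by the most labels (ties go to the longer
    string, so 'system' wins over 'ystem'), record it, and strip it from those
    labels; what remains of each label is its prefix word. Labels whose suffix
    is unique get a second chance if they start with an already-known prefix.
    Returns (prefixes, suffixes, unsplit_labels).
    """
    remaining = {d.lower().rsplit(".", 1)[0] for d in domains}
    prefixes, suffixes = set(), set()
    while remaining:
        counts = Counter(
            lab[i:] for lab in remaining
            for i in range(MIN_PART, len(lab) - MIN_PART + 1)
        )
        if not counts:
            break
        suf, n = max(counts.items(), key=lambda kv: (kv[1], len(kv[0])))
        if n < min_support:
            break  # nothing left that is shared; stop rather than split blindly
        suffixes.add(suf)
        for lab in [l for l in remaining if l.endswith(suf)]:
            prefixes.add(lab[: -len(suf)])
            remaining.remove(lab)
    for lab in sorted(remaining):  # rescue pass using known prefixes
        for p in sorted(prefixes, key=len, reverse=True):
            if lab.startswith(p) and len(lab) - len(p) >= MIN_PART:
                suffixes.add(lab[len(p):])
                remaining.remove(lab)
                break
    return prefixes, suffixes, remaining


def is_dga_candidate(domain, prefixes, suffixes, tld="net"):
    """True if domain is exactly <known prefix><known suffix>.<tld>."""
    label, _, dom_tld = domain.lower().rpartition(".")
    if dom_tld != tld or not label:
        return False
    return any(label.startswith(p) and label[len(p):] in suffixes for p in prefixes)


def generate_candidates(prefixes, suffixes, tld="net"):
    """Full cross product of the recovered vocabulary: names the DGA can still emit."""
    return sorted(f"{p}{s}.{tld}" for p, s in product(prefixes, suffixes))


if __name__ == "__main__":
    pre, suf, left = infer_vocab(OBSERVED)
    print(f"{len(pre)} prefixes, {len(suf)} suffixes, {len(left)} unsplit")
    cands = generate_candidates(pre, suf)
    unseen = [c for c in cands if c not in OBSERVED]
    print(f"{len(cands)} candidates, {len(unseen)} not in the input, e.g. {unseen[:3]}")
```

On the 28-name subset the heuristic recovers 16 prefix words and 7 suffix words and splits every label; names from the report that were deliberately left out of the input, such as womanhonor.net, are then classified as candidates. The cross product is only as complete as the vocabulary seen, so the block should be re-run whenever a new run of the sample exposes more names.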
HTTP GET: http://membersystem.net/index.php User-Agent: (empty)
HTTP GET: http://followtrust.net/index.php User-Agent: (empty)
HTTP GET: http://crowdneither.net/index.php User-Agent: (empty)
HTTP GET: http://thoughtsystem.net/index.php User-Agent: (empty)
HTTP GET: http://watersystem.net/index.php User-Agent: (empty)
HTTP GET: http://watertrust.net/index.php User-Agent: (empty)
HTTP GET: http://smokesystem.net/index.php User-Agent: (empty)
HTTP GET: http://smoketrust.net/index.php User-Agent: (empty)
HTTP GET: http://partysystem.net/index.php User-Agent: (empty)
HTTP GET: http://crowdfriend.net/index.php User-Agent: (empty)
HTTP GET: http://waterfriend.net/index.php User-Agent: (empty)
HTTP GET: http://partyfriend.net/index.php User-Agent: (empty)
HTTP GET: http://freshfuture.net/index.php User-Agent: (empty)
HTTP GET: http://gentlemanearly.net/index.php User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 85.13.128.193:80
Flows TCP: 192.168.1.1:1032 ➝ 68.178.232.100:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1034 ➝ 213.171.195.105:80
Flows TCP: 192.168.1.1:1035 ➝ 199.59.243.120:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 82.165.73.79:80
Flows TCP: 192.168.1.1:1040 ➝ 50.63.202.48:80
Flows TCP: 192.168.1.1:1041 ➝ 69.64.147.242:80
Flows TCP: 192.168.1.1:1042 ➝ 89.31.143.16:80
Flows TCP: 192.168.1.1:1043 ➝ 66.39.68.24:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
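The HTTP and flow entries above show one client opening a fresh connection per host (source ports 1031 through 1044) and sending GET /index.php with an empty User-Agent to each address the queried names resolved to. The following is an added example, not part of the report: it turns that pattern into a detection run over constructed proxy-style log lines. The log format, the timestamps, the benign line, the 60-second window and the five-host threshold are my assumptions; the hosts, path and empty User-Agent follow the report.

```python
"""Detect the check-in pattern from the sandbox's network section: one client
sending GET /index.php with an empty User-Agent to many distinct hosts in a
short window. Added example over constructed log lines, not a pcap parser."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, proxy-style lines: <iso time> <client> <host> <method> <path> ua=<user agent>
# Hosts and the empty User-Agent mirror the report; times and the benign hit are assumed.
SAMPLE_LOG = """\
2016-02-03T01:28:30 192.168.1.1 membersystem.net GET /index.php ua=
2016-02-03T01:28:31 192.168.1.1 followtrust.net GET /index.php ua=
2016-02-03T01:28:32 192.168.1.1 crowdneither.net GET /index.php ua=
2016-02-03T01:28:33 192.168.1.1 thoughtsystem.net GET /index.php ua=
2016-02-03T01:28:34 192.168.1.1 www.example.com GET /index.html ua=Mozilla/5.0
2016-02-03T01:28:35 192.168.1.1 watersystem.net GET /index.php ua=
2016-02-03T01:28:36 192.168.1.1 watertrust.net GET /index.php ua=
2016-02-03T01:28:37 192.168.1.1 smokesystem.net GET /index.php ua=
2016-02-03T01:30:00 192.168.1.2 membersystem.net GET /index.php ua=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) ua=(?P<ua>.*)$"
)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def find_beacons(log, window=timedelta(seconds=60), min_hosts=5, path="/index.php"):
    """Return {client: sorted hosts} for every client that reached at least
    min_hosts distinct hosts on `path` with an empty User-Agent inside `window`.

    A per-client deque holds the matching requests still inside the window;
    the distinct-host count is checked after each new request so the alert
    fires as soon as the threshold is crossed and keeps accumulating hosts.
    """
    recent = defaultdict(deque)  # client -> deque of (ts, host), oldest first
    alerts = {}
    for rec in sorted(parse(log), key=lambda r: r["ts"]):
        if rec["method"] != "GET" or rec["path"] != path or rec["ua"].strip():
            continue  # only the bare /index.php check-ins with no User-Agent count
        q = recent[rec["client"]]
        q.append((rec["ts"], rec["host"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts:
            alerts[rec["client"]] = sorted(hosts | set(alerts.get(rec["client"], [])))
    return alerts


if __name__ == "__main__":
    for client, hosts in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: {len(hosts)} hosts on /index.php with empty User-Agent: {hosts}")
```

The empty User-Agent is the cheap discriminator here, since browsers and most legitimate Windows HTTP clients always send one; the distinct-host count over a short window is what separates this fan-out from a single odd request. Both thresholds are tuning knobs, and on real proxy logs the path filter should be widened to whatever the current sample requests.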
