Analysis Date: 2015-10-12 16:37:15
MD5: c6fa70a0a42e5e557905e30929fa6c3a
SHA1: 9eeee16114dfc39c55a1f8e2e57ffbc7346f3e7d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2b2967d0986c36476a357405ae4b2845 sha1: 0767157c465eadee38940ebb6f94805755d9696e size: 258560
Section .rdata  md5: 4ea28675dc99e856b621ef7ea6d68abc sha1: d57ac4b1f586c6d63c0fea148fc2932130e05d1b size: 40448
Section .data  md5: 35f40db9f06db08f924e21dee38caa18 sha1: e92c4c1f57b06cb61110087f86f40194dd48908d size: 6656
Section .reloc  md5: 6b24b17d7e1b6ce9760e65a2039609ff sha1: 91d918493c576a956958902fdd10bbc11a839e97 size: 17408
Timestamp: 2015-05-21 04:46:34
Packer: Microsoft Visual C++ ?.?
PEhash: 57d002ddb68ecf7d31f9458d6d2a99d8fa343b42
IMPhash: 3cf1c4f41ac0bb837d3e695dd8d1a78e
AV F-Secure: Gen:Variant.Diley.1
AV Ad-Aware: Gen:Variant.Diley.1
AV VirusBlokAda (vba32): no_virus
AV Avira (antivir): TR/Crypt.ZPACK.174745
AV Rising: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Frisk (f-prot): no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV ClamAV: no_virus
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/Scar.V.gen!Eldorado
AV Emsisoft: Gen:Variant.Diley.1
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Padvish: no_virus
AV Dr. Web: Trojan.DownLoader13.49802
AV CAT (quickheal): no_virus
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Twister: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Nivdor.A!tr
AV Trend Micro: no_virus
AV Eset (nod32): Win32/Bayrob.Y
AV Mcafee: RDN/Generic PWS.y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Zillya!: no_virus
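The Static Details above can be recomputed from the sample with nothing but the standard library, which is a useful cross-check when a report comes from a sandbox you do not know. The script below is an added example, not code from the report or its sandbox: it walks the PE section table and prints per-section md5/sha1/size in the same layout as the report, plus the COFF link timestamp. The two-section PE it builds is constructed here so the example runs offline; it is not the analysed sample. Note that every section size in the report is a multiple of 512, i.e. SizeOfRawData, which is therefore what the script hashes.

```python
"""Recompute the report's per-section hashes and link timestamp from a PE.

Added example, standard library only. The PE built by build_demo_pe() is a
constructed two-section stub so the script runs offline; it is not the
analysed sample (MD5 c6fa70a0a42e5e557905e30929fa6c3a).
"""
import hashlib
import struct
from datetime import datetime, timezone

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return (TimeDateStamp, [(name, raw_size, md5, sha1), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = COFF_HDR.unpack_from(data, coff)
    table = coff + COFF_HDR.size + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         *_rest) = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        raw = data[raw_ptr:raw_ptr + raw_size]  # SizeOfRawData bytes, as the report hashes
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size,
                         hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()))
    return timestamp, sections


def report(data):
    """Format the fields in the same layout as the report's Static Details."""
    ts, sections = parse_sections(data)
    lines = ["MD5: " + hashlib.md5(data).hexdigest(),
             "SHA1: " + hashlib.sha1(data).hexdigest()]
    for name, size, md5, sha1 in sections:
        lines.append(f"Section {name} md5: {md5} sha1: {sha1} size: {size}")
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc)
    lines.append("Timestamp: " + stamp.strftime("%Y-%m-%d %H:%M:%S"))
    return lines


def build_demo_pe():
    """Constructed minimal PE: MZ stub, COFF header, no optional header, two sections."""
    text = b"\x55\x8b\xec" + b"\x90" * 13   # 16 bytes standing in for code
    rdata = b"demo\0" + b"\0" * 11          # 16 bytes of read-only data
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # i386, TimeDateStamp 1432183594 = 2015-05-21 04:46:34 UTC (the report's value)
    coff = COFF_HDR.pack(0x14C, 2, 1432183594, 0, 0, 0, 0x0102)
    data_start = e_lfanew + 4 + COFF_HDR.size + 2 * SECTION_HDR.size
    sec_text = SECTION_HDR.pack(b".text", len(text), 0x1000, len(text), data_start,
                                0, 0, 0, 0, 0x60000020)
    sec_rdata = SECTION_HDR.pack(b".rdata", len(rdata), 0x2000, len(rdata),
                                 data_start + len(text), 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + sec_text + sec_rdata + text + rdata


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    print("\n".join(report(blob)))
```

Run it with a file path to get the same table for a real binary. Two caveats the report does not spell out: the Packer line is a PEiD-style entry-point signature that recognises the Visual C++ runtime stub, not evidence of packing, and the Timestamp is a linker-written field the author can set to anything, so it dates the build only as far as you trust the builder. IMPhash and PEhash need the import table and a fixed canonicalisation on top of this; pefile's PE.get_imphash() reproduces the former.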

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\relettrrkaf\gbmtgc
Creates File: C:\WINDOWS\relettrrkaf\gbmtgc
Creates File: C:\relettrrkaf\jzr1ln3d12mujnqpww.exe
Deletes File: C:\WINDOWS\relettrrkaf\gbmtgc
Creates Process: C:\relettrrkaf\jzr1ln3d12mujnqpww.exe

Process
↳ C:\relettrrkaf\jzr1ln3d12mujnqpww.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Interface Protected Alerts ➝ C:\relettrrkaf\nacrkykat.exe
Creates File: C:\relettrrkaf\hetusbvqu
Creates File: C:\relettrrkaf\nacrkykat.exe
Creates File: PIPE\lsarpc
Creates File: C:\relettrrkaf\gbmtgc
Creates File: C:\WINDOWS\relettrrkaf\gbmtgc
Deletes File: C:\WINDOWS\relettrrkaf\gbmtgc
Creates Process: C:\relettrrkaf\nacrkykat.exe
Creates Service: Auto Hardware Credential Browser Locator - C:\relettrrkaf\nacrkykat.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1176

Process
↳ C:\relettrrkaf\nacrkykat.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\relettrrkaf\hetusbvqu
Creates File: C:\relettrrkaf\jggulupfdc.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\relettrrkaf\izjxvb
Creates File: C:\relettrrkaf\gbmtgc
Creates File: C:\WINDOWS\relettrrkaf\gbmtgc
Deletes File: C:\WINDOWS\relettrrkaf\gbmtgc
Creates Process: oz5gvfybutin "c:\relettrrkaf\nacrkykat.exe"

Process
↳ C:\relettrrkaf\nacrkykat.exe

Creates File: C:\relettrrkaf\gbmtgc
Creates File: C:\WINDOWS\relettrrkaf\gbmtgc
Deletes File: C:\WINDOWS\relettrrkaf\gbmtgc

Process
↳ oz5gvfybutin "c:\relettrrkaf\nacrkykat.exe"

Creates File: C:\relettrrkaf\gbmtgc
Creates File: C:\WINDOWS\relettrrkaf\gbmtgc
Deletes File: C:\WINDOWS\relettrrkaf\gbmtgc
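The Runtime Details are more useful as a handful of indicators than as raw events. The script below is an added example, not the sandbox's own code: it replays the events transcribed from the report for the sample's own processes (the svchost.exe and spoolsv.exe entries are ordinary background activity in the sandbox and are left out) and pulls out what a responder acts on: the drop directory, the dropped executables, the two autostart entries (a Run-key value named "Interface Protected Alerts" and a service named "Auto Hardware Credential Browser Locator", both pointing at nacrkykat.exe), the parent/child chain, and the file each process creates and immediately deletes under C:\WINDOWS\relettrrkaf, which looks like a write-access probe (an inference from the event order, not something the report states). The tuple layout and helper names are this example's own.

```python
"""Pull indicators out of a sandbox's process/file/registry event log.

Added example, not code from the report. EVENTS is transcribed from the
Runtime Details for the sample's own processes only; each event is
(process, action, target, value).
"""
import ntpath

D = r"C:\relettrrkaf"          # the sample's randomly named drop directory
W = r"C:\WINDOWS\relettrrkaf"  # same name under %WINDIR%
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
STAGE1 = D + r"\jzr1ln3d12mujnqpww.exe"
STAGE2 = D + r"\nacrkykat.exe"

EVENTS = [
    (r"C:\malware.exe", "Creates File", D + r"\gbmtgc", ""),
    (r"C:\malware.exe", "Creates File", W + r"\gbmtgc", ""),
    (r"C:\malware.exe", "Creates File", STAGE1, ""),
    (r"C:\malware.exe", "Deletes File", W + r"\gbmtgc", ""),
    (r"C:\malware.exe", "Creates Process", STAGE1, ""),
    (STAGE1, "Registry", RUN + r"\Interface Protected Alerts", STAGE2),
    (STAGE1, "Creates File", D + r"\hetusbvqu", ""),
    (STAGE1, "Creates File", STAGE2, ""),
    (STAGE1, "Creates File", r"PIPE\lsarpc", ""),
    (STAGE1, "Creates File", D + r"\gbmtgc", ""),
    (STAGE1, "Creates File", W + r"\gbmtgc", ""),
    (STAGE1, "Deletes File", W + r"\gbmtgc", ""),
    (STAGE1, "Creates Process", STAGE2, ""),
    (STAGE1, "Creates Service", "Auto Hardware Credential Browser Locator", STAGE2),
    (STAGE2, "Creates File", r"pipe\net\NtControlPipe10", ""),
    (STAGE2, "Creates File", D + r"\hetusbvqu", ""),
    (STAGE2, "Creates File", D + r"\jggulupfdc.exe", ""),
    (STAGE2, "Creates File", r"\Device\Afd\Endpoint", ""),
    (STAGE2, "Creates File", D + r"\izjxvb", ""),
    (STAGE2, "Creates File", D + r"\gbmtgc", ""),
    (STAGE2, "Creates File", W + r"\gbmtgc", ""),
    (STAGE2, "Deletes File", W + r"\gbmtgc", ""),
    (STAGE2, "Creates Process", 'oz5gvfybutin "c:\\relettrrkaf\\nacrkykat.exe"', ""),
]


def persistence(events):
    """Autostart entries: Run-key values and installed services, with their binaries."""
    found = []
    for _proc, action, target, value in events:
        if action == "Registry" and target.startswith(RUN + "\\"):
            found.append(("Run key", target[len(RUN) + 1:], value))
        elif action == "Creates Service":
            found.append(("Service", target, value))
    return found


def dropped_executables(events):
    """Every .exe written to disk, sorted."""
    return sorted({t for _, a, t, _ in events
                   if a == "Creates File" and t.lower().endswith(".exe")})


def drop_directories(events):
    """Directories on a drive letter where the sample wrote files (pipes/devices skipped)."""
    return sorted({ntpath.dirname(t) for _, a, t, _ in events
                   if a == "Creates File" and len(t) > 2 and t[1] == ":"})


def create_delete_pairs(events):
    """Paths a process creates and later deletes itself (write-access probe pattern)."""
    seen, probes = set(), set()
    for proc, action, target, _ in events:
        if action == "Creates File":
            seen.add((proc, target))
        elif action == "Deletes File" and (proc, target) in seen:
            probes.add(target)
    return sorted(probes)


def process_chain(events):
    """Parent -> child edges, in order, from 'Creates Process' events."""
    return [(p, t) for p, a, t, _ in events if a == "Creates Process"]


def autostart_outside_program_dirs(events):
    """Autostart binaries that live outside Program Files / the Windows directory."""
    expected = (r"c:\program files", r"c:\windows")
    return [(kind, name, path) for kind, name, path in persistence(events)
            if not path.lower().startswith(expected)]


if __name__ == "__main__":
    print("drop dirs:", drop_directories(EVENTS))
    print("dropped exes:", dropped_executables(EVENTS))
    print("persistence:", persistence(EVENTS))
    print("create+delete probes:", create_delete_pairs(EVENTS))
    print("process chain:", process_chain(EVENTS))
```

On a live host the same checks map onto the Run keys under HKLM and HKCU and the service control manager: an autostart binary outside Program Files or the Windows directory, sitting in a directory with a random-looking name, is worth pulling regardless of what it is called. The benign-sounding value and service names are the point of the technique; match on the path, not on the label.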

Network Details:

DNS: thinkbeyond.net  Type: A  207.148.248.143
DNS: presentbeing.net  Type: A  69.16.192.64
DNS: presentbottom.net  Type: A  98.139.135.129
DNS: chiefbeyond.net  Type: A  195.22.26.252
DNS: chiefbeyond.net  Type: A  195.22.26.253
DNS: chiefbeyond.net  Type: A  195.22.26.254
DNS: chiefbeyond.net  Type: A  195.22.26.231
DNS: chiefbeing.net  Type: A  72.52.4.90
DNS: alonebeing.net  Type: A  98.139.135.129
DNS: twelveforever.net  Type: A  157.166.173.157
DNS: ratherforever.net  Type: A  208.100.26.234
DNS: historyforever.net  Type: A  72.52.4.90
DNS: weatherforever.net  Type: A  50.63.202.42
DNS: classbeyond.net  Type: A  50.63.202.50
DNS: thinkflower.net  Type: A  194.117.254.31
DNS: presentflower.net  Type: A  54.64.68.178
DNS: collegecorner.net  Type: A  68.94.84.52
DNS: oftenflower.net  Type: A  72.52.4.90
DNS: quietclose.net  Type: A
DNS: seasonclose.net  Type: A
DNS: presentbeyond.net  Type: A
DNS: thinkbeing.net  Type: A
DNS: thinkforever.net  Type: A
DNS: presentforever.net  Type: A
DNS: thinkbottom.net  Type: A
DNS: collegebeyond.net  Type: A
DNS: collegebeing.net  Type: A
DNS: chiefforever.net  Type: A
DNS: collegeforever.net  Type: A
DNS: chiefbottom.net  Type: A
DNS: collegebottom.net  Type: A
DNS: oftenbeyond.net  Type: A
DNS: alonebeyond.net  Type: A
DNS: oftenbeing.net  Type: A
DNS: oftenforever.net  Type: A
DNS: aloneforever.net  Type: A
DNS: oftenbottom.net  Type: A
DNS: alonebottom.net  Type: A
DNS: middlebeyond.net  Type: A
DNS: twelvebeyond.net  Type: A
DNS: middlebeing.net  Type: A
DNS: twelvebeing.net  Type: A
DNS: middleforever.net  Type: A
DNS: middlebottom.net  Type: A
DNS: twelvebottom.net  Type: A
DNS: ratherbeyond.net  Type: A
DNS: morningbeyond.net  Type: A
DNS: ratherbeing.net  Type: A
DNS: morningbeing.net  Type: A
DNS: morningforever.net  Type: A
DNS: ratherbottom.net  Type: A
DNS: morningbottom.net  Type: A
DNS: strangebeyond.net  Type: A
DNS: historybeyond.net  Type: A
DNS: strangebeing.net  Type: A
DNS: historybeing.net  Type: A
DNS: strangeforever.net  Type: A
DNS: strangebottom.net  Type: A
DNS: historybottom.net  Type: A
DNS: amountbeyond.net  Type: A
DNS: weatherbeyond.net  Type: A
DNS: amountbeing.net  Type: A
DNS: weatherbeing.net  Type: A
DNS: amountforever.net  Type: A
DNS: amountbottom.net  Type: A
DNS: weatherbottom.net  Type: A
DNS: thickbeyond.net  Type: A
DNS: thickbeing.net  Type: A
DNS: classbeing.net  Type: A
DNS: thickforever.net  Type: A
DNS: classforever.net  Type: A
DNS: thickbottom.net  Type: A
DNS: classbottom.net  Type: A
DNS: thinkminute.net  Type: A
DNS: presentminute.net  Type: A
DNS: thinkspecial.net  Type: A
DNS: presentspecial.net  Type: A
DNS: thinkcorner.net  Type: A
DNS: presentcorner.net  Type: A
DNS: chiefflower.net  Type: A
DNS: collegeflower.net  Type: A
DNS: chiefminute.net  Type: A
DNS: collegeminute.net  Type: A
DNS: chiefspecial.net  Type: A
DNS: collegespecial.net  Type: A
DNS: chiefcorner.net  Type: A
DNS: aloneflower.net  Type: A
DNS: oftenminute.net  Type: A
HTTP GET: http://thinkbeyond.net/index.php  User-Agent: (empty)
HTTP GET: http://presentbeing.net/index.php  User-Agent: (empty)
HTTP GET: http://presentbottom.net/index.php  User-Agent: (empty)
HTTP GET: http://chiefbeyond.net/index.php  User-Agent: (empty)
HTTP GET: http://chiefbeing.net/index.php  User-Agent: (empty)
HTTP GET: http://alonebeing.net/index.php  User-Agent: (empty)
HTTP GET: http://twelveforever.net/index.php  User-Agent: (empty)
HTTP GET: http://ratherforever.net/index.php  User-Agent: (empty)
HTTP GET: http://historyforever.net/index.php  User-Agent: (empty)
HTTP GET: http://weatherforever.net/index.php  User-Agent: (empty)
HTTP GET: http://classbeyond.net/index.php  User-Agent: (empty)
HTTP GET: http://thinkflower.net/index.php  User-Agent: (empty)
HTTP GET: http://presentflower.net/index.php  User-Agent: (empty)
HTTP GET: http://collegecorner.net/index.php  User-Agent: (empty)
HTTP GET: http://oftenflower.net/index.php  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1032 ➝ 69.16.192.64:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1036 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1037 ➝ 157.166.173.157:80
Flows TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1040 ➝ 50.63.202.42:80
Flows TCP: 192.168.1.1:1041 ➝ 50.63.202.50:80
Flows TCP: 192.168.1.1:1042 ➝ 194.117.254.31:80
Flows TCP: 192.168.1.1:1043 ➝ 54.64.68.178:80
Flows TCP: 192.168.1.1:1044 ➝ 68.94.84.52:80
Flows TCP: 192.168.1.1:1045 ➝ 72.52.4.90:80
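Every domain in the Network Details is two dictionary words glued together under .net (think+beyond, college+corner); 15 of them resolved, the other 70 got no recorded answer, and each resolved one was fetched with GET /index.php and an empty User-Agent. The script below is an added example, not part of the report: from a subset of the domains transcribed above it learns the second-word vocabulary by voting on the longest suffix shared by each pair of labels, splits every domain into its two words, lists the addresses that several unrelated domains share, and builds a hunting regex from the observed vocabulary, which therefore also matches word pairs the sandbox did not happen to query. The voting heuristic and the function names are this example's own, and no family-specific knowledge is assumed.

```python
"""Structure the DNS section of a sandbox report: split two-word domains into
their dictionary parts, collapse shared answers, emit a hunting regex.

Added example, not code from the report. DOMAINS is a subset transcribed from
the Network Details above; [] means the report shows no answer for the query.
"""
import re
from collections import Counter, defaultdict
from itertools import combinations

DOMAINS = [
    ("thinkbeyond.net", ["207.148.248.143"]),
    ("presentbeing.net", ["69.16.192.64"]),
    ("presentbottom.net", ["98.139.135.129"]),
    ("chiefbeyond.net", ["195.22.26.252", "195.22.26.253", "195.22.26.254", "195.22.26.231"]),
    ("chiefbeing.net", ["72.52.4.90"]),
    ("alonebeing.net", ["98.139.135.129"]),
    ("twelveforever.net", ["157.166.173.157"]),
    ("ratherforever.net", ["208.100.26.234"]),
    ("historyforever.net", ["72.52.4.90"]),
    ("weatherforever.net", ["50.63.202.42"]),
    ("classbeyond.net", ["50.63.202.50"]),
    ("thinkflower.net", ["194.117.254.31"]),
    ("presentflower.net", ["54.64.68.178"]),
    ("collegecorner.net", ["68.94.84.52"]),
    ("oftenflower.net", ["72.52.4.90"]),
    ("quietclose.net", []), ("seasonclose.net", []), ("presentbeyond.net", []),
    ("thinkbeing.net", []), ("thinkbottom.net", []), ("chiefbottom.net", []),
    ("alonebeyond.net", []), ("twelvebeyond.net", []), ("ratherbeyond.net", []),
    ("weatherbeyond.net", []), ("thinkcorner.net", []), ("chiefcorner.net", []),
    ("presentminute.net", []), ("thinkspecial.net", []),
]


def _label(domain):
    return domain.split(".")[0]


def learn_suffixes(domains, min_len=4):
    """Vote for second words: the longest common suffix of every pair of labels."""
    votes = Counter()
    labels = [_label(d) for d, _ in domains]
    for a, b in combinations(labels, 2):
        n = 0
        while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
            n += 1
        if min_len <= n < min(len(a), len(b)):   # proper, non-trivial shared suffix
            votes[a[len(a) - n:]] += 1
    return votes


def split_words(domains):
    """Map domain -> (first, second) using the best-voted suffix; None if no suffix is shared."""
    votes = learn_suffixes(domains)
    out = {}
    for d, _ in domains:
        lab = _label(d)
        best = max((s for s in votes if lab.endswith(s) and len(s) < len(lab)),
                   key=lambda s: (votes[s], len(s)), default=None)
        out[d] = (lab[:-len(best)], best) if best else None
    return out


def shared_answers(domains):
    """IP -> sorted domains that resolved to it; several unrelated names on one IP
    is what parked or sinkholed domains look like."""
    by_ip = defaultdict(list)
    for d, ips in domains:
        for ip in ips:
            by_ip[ip].append(d)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def hunting_regex(domains):
    """Regex over the learned vocabulary: any first word + any second word + .net."""
    words = split_words(domains)
    firsts = sorted({w[0] for w in words.values() if w})
    seconds = sorted({w[1] for w in words.values() if w})
    return re.compile(r"^(?:%s)(?:%s)\.net$" % ("|".join(map(re.escape, firsts)),
                                               "|".join(map(re.escape, seconds))))


if __name__ == "__main__":
    for d, w in split_words(DOMAINS).items():
        print(d, "->", w)
    print(shared_answers(DOMAINS))
    print(hunting_regex(DOMAINS).pattern)
```

The shared answers are the caveat: 72.52.4.90 answered three different domains and 98.139.135.129 two, so treat the addresses as weak indicators and the domain pattern plus the empty-User-Agent GET to /index.php as the strong ones. Two domains in the subset (presentminute.net, thinkspecial.net) end in a word seen only once and stay unsplit; more sandbox runs enlarge the vocabulary and with it the regex.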
