Analysis Date | 2015-08-12 04:54:40 |
---|---|
MD5 | fe2299fe799c05cfec3a1fbe422b38bd |
SHA1 | 9f99d2e1cf62adcffb7233cab5f763e59ddc2cbf |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text | md5: b574e58e179a3f758109f64179906126 sha1: 0084cd23272ae8d7114e6b68a4d1eea45c7084a8 size: 303616 |
Section | .rdata | md5: a40c77c7589b1ee0a64bab5240e9de49 sha1: 00631f10acac66cda0ecfc7a8c90cef37e1b943b size: 59392 |
Section | .data | md5: f84d7307540b17335e69c6bffe96364e sha1: 7dc76d6aaa881b4f829a05eb3ff08e9cbf15f352 size: 7168 |
Section | .reloc | md5: 82eadbb6cbc2c2fb2f68b01b105748c9 sha1: 14820eb11f50316da54f6d360c2808ed410a662a size: 23040 |
Timestamp | 2015-05-11 07:15:14 | |
Packer | Microsoft Visual C++ 8 | |
PEhash | 24abbe98722b716a86b78778a347f07312d56d3c | |
IMPhash | 4be0dbfaa5e16ca8ca77e64920eadca0 | |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Diley.1 |
AV | Dr. Web | Trojan.Bayrob.1 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Diley.1 |
AV | BullGuard | Gen:Variant.Diley.1 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | TrojanSpy.Nivdort.OD4 |
AV | Trend Micro | TROJ_BAYROB.SM0 |
AV | Kaspersky | Trojan.Win32.Scar.jhhg |
AV | Zillya! | no_virus |
AV | Emsisoft | Gen:Variant.Diley.1 |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Nivdort.B.gen!Eldorado |
AV | MalwareBytes | Trojan.Agent.KVTGen |
AV | MicroWorld (escan) | Gen:Variant.Diley.1 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AY |
AV | K7 | Trojan ( 004c3a4d1 ) |
AV | BitDefender | Gen:Variant.Diley.1 |
AV | Fortinet | W32/Bayrob.T!tr |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Generic36.BLHK |
AV | Eset (nod32) | Win32/Bayrob.W |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | Ad-Aware | Gen:Variant.Diley.1 |
AV | Twister | no_virus |
AV | Avira (antivir) | TR/Spy.ZBot.xbbeomq |
AV | Mcafee | PWS-FCCE!FE2299FE799C |
AV | Rising | Trojan.Win32.Bayrod.b |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\squxick\bivaqjlyrqv |
---|---|
Creates File | C:\WINDOWS\squxick\bivaqjlyrqv |
Creates File | C:\squxick\vywom1ldjgoc3tjlovnsh.exe |
Deletes File | C:\WINDOWS\squxick\bivaqjlyrqv |
Creates Process | C:\squxick\vywom1ldjgoc3tjlovnsh.exe |
Process
↳ C:\squxick\vywom1ldjgoc3tjlovnsh.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Spooler Service Interface SNMP ➝ C:\squxick\gzbqlur.exe |
---|---|
Creates File | C:\squxick\bivaqjlyrqv |
Creates File | C:\squxick\gzbqlur.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\squxick\uyudl0a |
Creates File | C:\WINDOWS\squxick\bivaqjlyrqv |
Deletes File | C:\WINDOWS\squxick\bivaqjlyrqv |
Creates Process | C:\squxick\gzbqlur.exe |
Creates Service | DHCP KtmRm Builder Presentation IP - C:\squxick\gzbqlur.exe |
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|---|
Process
↳ Pid 1108
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1916
Process
↳ Pid 1200
Process
↳ C:\squxick\gzbqlur.exe
Creates File | C:\squxick\omep5bgdtue |
---|---|
Creates File | C:\squxick\bivaqjlyrqv |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\squxick\ccokwoasyxg.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\squxick\uyudl0a |
Creates File | C:\WINDOWS\squxick\bivaqjlyrqv |
Deletes File | C:\WINDOWS\squxick\bivaqjlyrqv |
Creates Process | vqdlga8exzla "c:\squxick\gzbqlur.exe" |
Process
↳ C:\squxick\gzbqlur.exe
Creates File | C:\squxick\bivaqjlyrqv |
---|---|
Creates File | C:\WINDOWS\squxick\bivaqjlyrqv |
Deletes File | C:\WINDOWS\squxick\bivaqjlyrqv |
Process
↳ vqdlga8exzla "c:\squxick\gzbqlur.exe"
Creates File | C:\squxick\bivaqjlyrqv |
---|---|
Creates File | C:\WINDOWS\squxick\bivaqjlyrqv |
Deletes File | C:\WINDOWS\squxick\bivaqjlyrqv |
Network Details:
Raw Pcap
```
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 656c6c6f 7773696e 676c652e 6e65740d ellowsingle.net.
0x00000050 (00080) 0a0d0a                               ...
```
Strings