Analysis | #totalhash

Analysis Date	2015-08-12 04:54:40
MD5	fe2299fe799c05cfec3a1fbe422b38bd
SHA1	9f99d2e1cf62adcffb7233cab5f763e59ddc2cbf

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: b574e58e179a3f758109f64179906126 sha1: 0084cd23272ae8d7114e6b68a4d1eea45c7084a8 size: 303616
Section	.rdata md5: a40c77c7589b1ee0a64bab5240e9de49 sha1: 00631f10acac66cda0ecfc7a8c90cef37e1b943b size: 59392
Section	.data md5: f84d7307540b17335e69c6bffe96364e sha1: 7dc76d6aaa881b4f829a05eb3ff08e9cbf15f352 size: 7168
Section	.reloc md5: 82eadbb6cbc2c2fb2f68b01b105748c9 sha1: 14820eb11f50316da54f6d360c2808ed410a662a size: 23040
Timestamp	2015-05-11 07:15:14
Packer	Microsoft Visual C++ 8
PEhash	24abbe98722b716a86b78778a347f07312d56d3c
IMPhash	4be0dbfaa5e16ca8ca77e64920eadca0
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Diley.1
AV	Dr. Web	Trojan.Bayrob.1
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Diley.1
AV	BullGuard	Gen:Variant.Diley.1
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	TrojanSpy.Nivdort.OD4
AV	Trend Micro	TROJ_BAYROB.SM0
AV	Kaspersky	Trojan.Win32.Scar.jhhg
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Diley.1
AV	Ikarus	Trojan.Win32.Bayrob
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Nivdort.B.gen!Eldorado
AV	MalwareBytes	Trojan.Agent.KVTGen
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.AY
AV	K7	Trojan ( 004c3a4d1 )
AV	BitDefender	Gen:Variant.Diley.1
AV	Fortinet	W32/Bayrob.T!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Generic36.BLHK
AV	Eset (nod32)	Win32/Bayrob.W
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Ad-Aware	Gen:Variant.Diley.1
AV	Twister	no_virus
AV	Avira (antivir)	TR/Spy.ZBot.xbbeomq
AV	Mcafee	PWS-FCCE!FE2299FE799C
AV	Rising	Trojan.Win32.Bayrod.b

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\squxick\bivaqjlyrqv
Creates File	C:\WINDOWS\squxick\bivaqjlyrqv
Creates File	C:\squxick\vywom1ldjgoc3tjlovnsh.exe
Deletes File	C:\WINDOWS\squxick\bivaqjlyrqv
Creates Process	C:\squxick\vywom1ldjgoc3tjlovnsh.exe

Process
↳ C:\squxick\vywom1ldjgoc3tjlovnsh.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Spooler Service Interface SNMP ➝ C:\squxick\gzbqlur.exe
Creates File	C:\squxick\bivaqjlyrqv
Creates File	C:\squxick\gzbqlur.exe
Creates File	PIPE\lsarpc
Creates File	C:\squxick\uyudl0a
Creates File	C:\WINDOWS\squxick\bivaqjlyrqv
Deletes File	C:\WINDOWS\squxick\bivaqjlyrqv
Creates Process	C:\squxick\gzbqlur.exe
Creates Service	DHCP KtmRm Builder Presentation IP - C:\squxick\gzbqlur.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1916

Process
↳ Pid 1200

Process
↳ C:\squxick\gzbqlur.exe

Creates File	C:\squxick\omep5bgdtue
Creates File	C:\squxick\bivaqjlyrqv
Creates File	pipe\net\NtControlPipe10
Creates File	C:\squxick\ccokwoasyxg.exe
Creates File	\Device\Afd\Endpoint
Creates File	C:\squxick\uyudl0a
Creates File	C:\WINDOWS\squxick\bivaqjlyrqv
Deletes File	C:\WINDOWS\squxick\bivaqjlyrqv
Creates Process	vqdlga8exzla "c:\squxick\gzbqlur.exe"

Process
↳ C:\squxick\gzbqlur.exe

Creates File	C:\squxick\bivaqjlyrqv
Creates File	C:\WINDOWS\squxick\bivaqjlyrqv
Deletes File	C:\WINDOWS\squxick\bivaqjlyrqv

Process
↳ vqdlga8exzla "c:\squxick\gzbqlur.exe"

Creates File	C:\squxick\bivaqjlyrqv
Creates File	C:\WINDOWS\squxick\bivaqjlyrqv
Deletes File	C:\WINDOWS\squxick\bivaqjlyrqv

Network Details:

DNS	fellowsingle.net Type: A 95.211.230.75
DNS	mightchoose.net Type: A
DNS	storealthough.net Type: A
DNS	mightalthough.net Type: A
DNS	storeperiod.net Type: A
DNS	mightperiod.net Type: A
DNS	storehowever.net Type: A
DNS	mighthowever.net Type: A
DNS	doctorchoose.net Type: A
DNS	prettychoose.net Type: A
DNS	doctoralthough.net Type: A
DNS	prettyalthough.net Type: A
DNS	doctorperiod.net Type: A
DNS	prettyperiod.net Type: A
DNS	doctorhowever.net Type: A
DNS	prettyhowever.net Type: A
DNS	fellowchoose.net Type: A
DNS	doublechoose.net Type: A
DNS	fellowalthough.net Type: A
DNS	doublealthough.net Type: A
DNS	fellowperiod.net Type: A
DNS	doubleperiod.net Type: A
DNS	fellowhowever.net Type: A
DNS	doublehowever.net Type: A
DNS	brokenchoose.net Type: A
DNS	resultchoose.net Type: A
DNS	brokenalthough.net Type: A
DNS	resultalthough.net Type: A
DNS	brokenperiod.net Type: A
DNS	resultperiod.net Type: A
DNS	brokenhowever.net Type: A
DNS	resulthowever.net Type: A
DNS	preparechoose.net Type: A
DNS	desirechoose.net Type: A
DNS	preparealthough.net Type: A
DNS	desirealthough.net Type: A
DNS	prepareperiod.net Type: A
DNS	desireperiod.net Type: A
DNS	preparehowever.net Type: A
DNS	desirehowever.net Type: A
DNS	strengthchoose.net Type: A
DNS	stillchoose.net Type: A
DNS	strengthalthough.net Type: A
DNS	stillalthough.net Type: A
DNS	strengthperiod.net Type: A
DNS	stillperiod.net Type: A
DNS	strengthhowever.net Type: A
DNS	stillhowever.net Type: A
DNS	movementsingle.net Type: A
DNS	outsidesingle.net Type: A
DNS	movementcharge.net Type: A
DNS	outsidecharge.net Type: A
DNS	movementdifference.net Type: A
DNS	outsidedifference.net Type: A
DNS	movementevery.net Type: A
DNS	outsideevery.net Type: A
DNS	buildingsingle.net Type: A
DNS	eveningsingle.net Type: A
DNS	buildingcharge.net Type: A
DNS	eveningcharge.net Type: A
DNS	buildingdifference.net Type: A
DNS	eveningdifference.net Type: A
DNS	buildingevery.net Type: A
DNS	eveningevery.net Type: A
DNS	storesingle.net Type: A
DNS	mightsingle.net Type: A
DNS	storecharge.net Type: A
DNS	mightcharge.net Type: A
DNS	storedifference.net Type: A
DNS	mightdifference.net Type: A
DNS	storeevery.net Type: A
DNS	mightevery.net Type: A
DNS	doctorsingle.net Type: A
DNS	prettysingle.net Type: A
DNS	doctorcharge.net Type: A
DNS	prettycharge.net Type: A
DNS	doctordifference.net Type: A
DNS	prettydifference.net Type: A
DNS	doctorevery.net Type: A
DNS	prettyevery.net Type: A
DNS	doublesingle.net Type: A
DNS	fellowcharge.net Type: A
DNS	doublecharge.net Type: A
DNS	fellowdifference.net Type: A
DNS	doubledifference.net Type: A
HTTP GET	http://fellowsingle.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 95.211.230.75:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   656c6c6f 7773696e 676c652e 6e65740d   ellowsingle.net.
0x00000050 (00080)   0a0d0a                                ...

Strings