Analysis Date | 2016-02-20 18:54:27 |
---|---|
MD5 | 36b4984fe6236b2582f2296687663195 |
SHA1 | a08c83542bebca58c2fdb4bc661dafff5b2c5eb8 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: e6662127ed9385db00e7da4052f3e6d6 sha1: 826116b835619a41db5c41cf573f8deda895f92c size: 527872 | |
Section | .rdata md5: 125a11036e3e4a1e3212faacbdc6bbd4 sha1: 6e0cdd11f20a6b414096e7209007e93d6b4d70e8 size: 26112 | |
Section | .data md5: dd88f8ed1fa76de73ba975becae11ec9 sha1: bb9ca75609e08c2cb1620c480f021769b250ece4 size: 20480 | |
Section | .reloc md5: 8abf0809e25516dad316937afc6e86f4 sha1: e9ad153bb7cbf8844d2b904caa53295d1855744b size: 39424 | |
Timestamp | 2014-12-25 03:28:12 | |
Packer | Microsoft Visual C++ 8 | |
PEhash | c6f3c86599cb321189aa0efeff6481ac181d81e3 | |
IMPhash | dcad10b10a538892f692a13979e318d8 | |
AV | CA (E-Trust Ino) | Gen:Variant.Razy.13928 |
AV | F-Secure | Gen:Variant.Razy.13928 |
AV | Dr. Web | No Virus |
AV | ClamAV | No Virus |
AV | Arcabit (arcavir) | Gen:Variant.Razy.13928 |
AV | BullGuard | Gen:Variant.Razy.13928 |
AV | CAT (quickheal) | TrojanSpy.Nivdort.WR4 |
AV | VirusBlokAda (vba32) | No Virus |
AV | Trend Micro | No Virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Zillya! | Trojan.SwizzorGen.Win32.1 |
AV | Ikarus | Trojan.Bayrob |
AV | Frisk (f-prot) | W32/Nivdort.E.gen!Eldorado |
AV | Emsisoft | Gen:Variant.Razy.13928 |
AV | Authentium | W32/Nivdort.E.gen!Eldorado |
AV | MalwareBytes | No Virus |
AV | MicroWorld (escan) | Gen:Variant.Razy.13928 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.DI |
AV | K7 | Trojan ( 004dc2a31 ) |
AV | BitDefender | Gen:Variant.Razy.13928 |
AV | Fortinet | W32/Bayrob.BM!tr |
AV | Symantec | No Virus |
AV | Grisoft (avg) | Generic37.ANQS |
AV | Eset (nod32) | Win32/Bayrob.BM |
AV | Alwil (avast) | Win32:Malware-gen |
AV | Rising | No Virus |
AV | Ad-Aware | Gen:Variant.Razy.13928 |
AV | Twister | W32.Toolbar.CrossRider.AE.lfcr.mg |
AV | Avira (antivir) | TR/Taranis.2112 |
AV | Mcafee | Trojan-FHSQ!36B4984FE623 |
Runtime Details:
Screenshot | ![]() |
---|
Process
↳ C:\malware.exe
Creates File | C:\rkyzbrdat\lxyq1k3jkjlod0osrla.exe |
---|---|
Creates File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Creates File | C:\rkyzbrdat\q9ngwtlrsvm |
Deletes File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Creates Process | C:\rkyzbrdat\lxyq1k3jkjlod0osrla.exe |
Process
↳ C:\rkyzbrdat\lxyq1k3jkjlod0osrla.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Base Cryptographic WMI Window ➝ C:\rkyzbrdat\zlumvgmctnz.exe |
---|---|
Creates File | C:\rkyzbrdat\zlumvgmctnz.exe |
Creates File | C:\rkyzbrdat\dd0mgg |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Creates File | C:\rkyzbrdat\q9ngwtlrsvm |
Deletes File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Creates Process | C:\rkyzbrdat\zlumvgmctnz.exe |
Creates Service | Audio Registry Framework Visual - C:\rkyzbrdat\zlumvgmctnz.exe |
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|
Process
↳ Pid 1108
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1856
Process
↳ Pid 1132
Process
↳ C:\rkyzbrdat\zlumvgmctnz.exe
Creates File | pipe\net\NtControlPipe10 |
---|---|
Creates File | C:\rkyzbrdat\nqqrnfhz.exe |
Creates File | C:\rkyzbrdat\dd0mgg |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Creates File | C:\rkyzbrdat\ggwcpuzyw |
Creates File | C:\rkyzbrdat\q9ngwtlrsvm |
Deletes File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Creates Process | irbjfcycfhre "c:\rkyzbrdat\zlumvgmctnz.exe" |
Process
↳ C:\rkyzbrdat\zlumvgmctnz.exe
Creates File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
---|---|
Creates File | C:\rkyzbrdat\q9ngwtlrsvm |
Deletes File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Process
↳ irbjfcycfhre "c:\rkyzbrdat\zlumvgmctnz.exe"
Creates File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
---|---|
Creates File | C:\rkyzbrdat\q9ngwtlrsvm |
Deletes File | C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm |
Network Details:
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b 0x00000040 (00064) 75696c64 696e6764 696e6e65 722e6e65 uildingdinner.ne 0x00000050 (00080) 740d0a0d 0a t.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b 0x00000040 (00064) 75696c64 696e6761 66726169 642e6e65 uildingafraid.ne 0x00000050 (00080) 740d0a0d 0a t.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b 0x00000040 (00064) 726f6b65 6e636972 636c652e 6e65740d rokencircle.net. 0x00000050 (00080) 0a0d0a0d 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m 0x00000040 (00064) 69676874 616e6765 722e6e65 740d0a0d ightanger.net... 0x00000050 (00080) 0a0d0a0d 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2064 : close..Host: d 0x00000040 (00064) 6f63746f 72616c77 6179732e 6e65740d octoralways.net. 0x00000050 (00080) 0a0d0a0d 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206f : close..Host: o 0x00000040 (00064) 75747369 64657363 686f6f6c 2e6e6574 utsideschool.net 0x00000050 (00080) 0d0a0d0a 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b 0x00000040 (00064) 75696c64 696e6773 63686f6f 6c2e6e65 uildingschool.ne 0x00000050 (00080) 740d0a0d 0a t.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2065 : close..Host: e 0x00000040 (00064) 76656e69 6e677363 686f6f6c 2e6e6574 veningschool.net 0x00000050 (00080) 0d0a0d0a 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2064 : close..Host: d 0x00000040 (00064) 6f63746f 72736368 6f6f6c2e 6e65740d octorschool.net. 0x00000050 (00080) 0a0d0a0a 0a .....
Strings