Analysis | #totalhash

Analysis Date	2016-02-20 18:54:27
MD5	36b4984fe6236b2582f2296687663195
SHA1	a08c83542bebca58c2fdb4bc661dafff5b2c5eb8

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: e6662127ed9385db00e7da4052f3e6d6 sha1: 826116b835619a41db5c41cf573f8deda895f92c size: 527872
Section	.rdata md5: 125a11036e3e4a1e3212faacbdc6bbd4 sha1: 6e0cdd11f20a6b414096e7209007e93d6b4d70e8 size: 26112
Section	.data md5: dd88f8ed1fa76de73ba975becae11ec9 sha1: bb9ca75609e08c2cb1620c480f021769b250ece4 size: 20480
Section	.reloc md5: 8abf0809e25516dad316937afc6e86f4 sha1: e9ad153bb7cbf8844d2b904caa53295d1855744b size: 39424
Timestamp	2014-12-25 03:28:12
Packer	Microsoft Visual C++ 8
PEhash	c6f3c86599cb321189aa0efeff6481ac181d81e3
IMPhash	dcad10b10a538892f692a13979e318d8
AV	CA (E-Trust Ino)	Gen:Variant.Razy.13928
AV	F-Secure	Gen:Variant.Razy.13928
AV	Dr. Web	No Virus
AV	ClamAV	No Virus
AV	Arcabit (arcavir)	Gen:Variant.Razy.13928
AV	BullGuard	Gen:Variant.Razy.13928
AV	CAT (quickheal)	TrojanSpy.Nivdort.WR4
AV	VirusBlokAda (vba32)	No Virus
AV	Trend Micro	No Virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	Trojan.SwizzorGen.Win32.1
AV	Ikarus	Trojan.Bayrob
AV	Frisk (f-prot)	W32/Nivdort.E.gen!Eldorado
AV	Emsisoft	Gen:Variant.Razy.13928
AV	Authentium	W32/Nivdort.E.gen!Eldorado
AV	MalwareBytes	No Virus
AV	MicroWorld (escan)	Gen:Variant.Razy.13928
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.DI
AV	K7	Trojan ( 004dc2a31 )
AV	BitDefender	Gen:Variant.Razy.13928
AV	Fortinet	W32/Bayrob.BM!tr
AV	Symantec	No Virus
AV	Grisoft (avg)	Generic37.ANQS
AV	Eset (nod32)	Win32/Bayrob.BM
AV	Alwil (avast)	Win32:Malware-gen
AV	Rising	No Virus
AV	Ad-Aware	Gen:Variant.Razy.13928
AV	Twister	W32.Toolbar.CrossRider.AE.lfcr.mg
AV	Avira (antivir)	TR/Taranis.2112
AV	Mcafee	Trojan-FHSQ!36B4984FE623

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\rkyzbrdat\lxyq1k3jkjlod0osrla.exe
Creates File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates File	C:\rkyzbrdat\q9ngwtlrsvm
Deletes File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates Process	C:\rkyzbrdat\lxyq1k3jkjlod0osrla.exe

Process
↳ C:\rkyzbrdat\lxyq1k3jkjlod0osrla.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Base Cryptographic WMI Window ➝ C:\rkyzbrdat\zlumvgmctnz.exe
Creates File	C:\rkyzbrdat\zlumvgmctnz.exe
Creates File	C:\rkyzbrdat\dd0mgg
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates File	C:\rkyzbrdat\q9ngwtlrsvm
Deletes File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates Process	C:\rkyzbrdat\zlumvgmctnz.exe
Creates Service	Audio Registry Framework Visual - C:\rkyzbrdat\zlumvgmctnz.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1132

Process
↳ C:\rkyzbrdat\zlumvgmctnz.exe

Creates File	pipe\net\NtControlPipe10
Creates File	C:\rkyzbrdat\nqqrnfhz.exe
Creates File	C:\rkyzbrdat\dd0mgg
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates File	C:\rkyzbrdat\ggwcpuzyw
Creates File	C:\rkyzbrdat\q9ngwtlrsvm
Deletes File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates Process	irbjfcycfhre "c:\rkyzbrdat\zlumvgmctnz.exe"

Process
↳ C:\rkyzbrdat\zlumvgmctnz.exe

Creates File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates File	C:\rkyzbrdat\q9ngwtlrsvm
Deletes File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm

Process
↳ irbjfcycfhre "c:\rkyzbrdat\zlumvgmctnz.exe"

Creates File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm
Creates File	C:\rkyzbrdat\q9ngwtlrsvm
Deletes File	C:\WINDOWS\rkyzbrdat\q9ngwtlrsvm

Network Details:

DNS	buildingdinner.net Type: A 195.22.28.199
DNS	buildingdinner.net Type: A 195.22.28.196
DNS	buildingdinner.net Type: A 195.22.28.197
DNS	buildingdinner.net Type: A 195.22.28.198
DNS	buildingafraid.net Type: A 195.22.28.198
DNS	buildingafraid.net Type: A 195.22.28.199
DNS	buildingafraid.net Type: A 195.22.28.196
DNS	buildingafraid.net Type: A 195.22.28.197
DNS	brokencircle.net Type: A 184.168.221.41
DNS	mightanger.net Type: A 208.100.26.234
DNS	doctoralways.net Type: A 195.22.28.198
DNS	doctoralways.net Type: A 195.22.28.199
DNS	doctoralways.net Type: A 195.22.28.196
DNS	doctoralways.net Type: A 195.22.28.197
DNS	fw.ename.net Type: A 198.148.92.56
DNS	fw.ename.net Type: A 198.148.92.57
DNS	fw.ename.net Type: A 198.148.92.58
DNS	buildingschool.net Type: A 72.167.232.36
DNS	eveningschool.net Type: A 50.63.202.50
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	movementmeasure.net Type: A
DNS	outsidemeasure.net Type: A
DNS	movementdinner.net Type: A
DNS	outsidedinner.net Type: A
DNS	movementafraid.net Type: A
DNS	outsideafraid.net Type: A
DNS	movementcircle.net Type: A
DNS	outsidecircle.net Type: A
DNS	buildingmeasure.net Type: A
DNS	eveningmeasure.net Type: A
DNS	eveningdinner.net Type: A
DNS	eveningafraid.net Type: A
DNS	buildingcircle.net Type: A
DNS	eveningcircle.net Type: A
DNS	storemeasure.net Type: A
DNS	mightmeasure.net Type: A
DNS	storedinner.net Type: A
DNS	mightdinner.net Type: A
DNS	storeafraid.net Type: A
DNS	mightafraid.net Type: A
DNS	storecircle.net Type: A
DNS	mightcircle.net Type: A
DNS	doctormeasure.net Type: A
DNS	prettymeasure.net Type: A
DNS	doctordinner.net Type: A
DNS	prettydinner.net Type: A
DNS	doctorafraid.net Type: A
DNS	prettyafraid.net Type: A
DNS	doctorcircle.net Type: A
DNS	prettycircle.net Type: A
DNS	fellowmeasure.net Type: A
DNS	doublemeasure.net Type: A
DNS	fellowdinner.net Type: A
DNS	doubledinner.net Type: A
DNS	fellowafraid.net Type: A
DNS	doubleafraid.net Type: A
DNS	fellowcircle.net Type: A
DNS	doublecircle.net Type: A
DNS	brokenmeasure.net Type: A
DNS	resultmeasure.net Type: A
DNS	brokendinner.net Type: A
DNS	resultdinner.net Type: A
DNS	brokenafraid.net Type: A
DNS	resultafraid.net Type: A
DNS	resultcircle.net Type: A
DNS	preparemeasure.net Type: A
DNS	desiremeasure.net Type: A
DNS	preparedinner.net Type: A
DNS	desiredinner.net Type: A
DNS	prepareafraid.net Type: A
DNS	desireafraid.net Type: A
DNS	preparecircle.net Type: A
DNS	desirecircle.net Type: A
DNS	strengthmeasure.net Type: A
DNS	stillmeasure.net Type: A
DNS	strengthdinner.net Type: A
DNS	stilldinner.net Type: A
DNS	strengthafraid.net Type: A
DNS	stillafraid.net Type: A
DNS	strengthcircle.net Type: A
DNS	stillcircle.net Type: A
DNS	movementwheat.net Type: A
DNS	outsidewheat.net Type: A
DNS	movementanger.net Type: A
DNS	outsideanger.net Type: A
DNS	movementalways.net Type: A
DNS	outsidealways.net Type: A
DNS	movementforest.net Type: A
DNS	outsideforest.net Type: A
DNS	buildingwheat.net Type: A
DNS	eveningwheat.net Type: A
DNS	buildinganger.net Type: A
DNS	eveninganger.net Type: A
DNS	buildingalways.net Type: A
DNS	eveningalways.net Type: A
DNS	buildingforest.net Type: A
DNS	eveningforest.net Type: A
DNS	storewheat.net Type: A
DNS	mightwheat.net Type: A
DNS	storeanger.net Type: A
DNS	storealways.net Type: A
DNS	mightalways.net Type: A
DNS	storeforest.net Type: A
DNS	mightforest.net Type: A
DNS	doctorwheat.net Type: A
DNS	prettywheat.net Type: A
DNS	doctoranger.net Type: A
DNS	prettyanger.net Type: A
DNS	prettyalways.net Type: A
DNS	doctorforest.net Type: A
DNS	prettyforest.net Type: A
DNS	fellowwheat.net Type: A
DNS	doublewheat.net Type: A
DNS	fellowanger.net Type: A
DNS	doubleanger.net Type: A
DNS	fellowalways.net Type: A
DNS	doublealways.net Type: A
DNS	fellowforest.net Type: A
DNS	doubleforest.net Type: A
DNS	brokenwheat.net Type: A
DNS	resultwheat.net Type: A
DNS	brokenanger.net Type: A
DNS	resultanger.net Type: A
DNS	brokenalways.net Type: A
DNS	resultalways.net Type: A
DNS	brokenforest.net Type: A
DNS	resultforest.net Type: A
DNS	preparewheat.net Type: A
DNS	desirewheat.net Type: A
DNS	prepareanger.net Type: A
DNS	desireanger.net Type: A
DNS	preparealways.net Type: A
DNS	desirealways.net Type: A
DNS	prepareforest.net Type: A
DNS	desireforest.net Type: A
DNS	strengthwheat.net Type: A
DNS	stillwheat.net Type: A
DNS	strengthanger.net Type: A
DNS	stillanger.net Type: A
DNS	strengthalways.net Type: A
DNS	stillalways.net Type: A
DNS	strengthforest.net Type: A
DNS	stillforest.net Type: A
DNS	movementschool.net Type: A
DNS	outsideschool.net Type: A
DNS	movementwhile.net Type: A
DNS	outsidewhile.net Type: A
DNS	movementquestion.net Type: A
DNS	outsidequestion.net Type: A
DNS	movementtherefore.net Type: A
DNS	outsidetherefore.net Type: A
DNS	buildingwhile.net Type: A
DNS	eveningwhile.net Type: A
DNS	buildingquestion.net Type: A
DNS	eveningquestion.net Type: A
DNS	buildingtherefore.net Type: A
DNS	eveningtherefore.net Type: A
DNS	storeschool.net Type: A
DNS	mightschool.net Type: A
DNS	storewhile.net Type: A
DNS	mightwhile.net Type: A
DNS	storequestion.net Type: A
DNS	mightquestion.net Type: A
DNS	storetherefore.net Type: A
DNS	mighttherefore.net Type: A
DNS	doctorschool.net Type: A
DNS	prettyschool.net Type: A
DNS	doctorwhile.net Type: A
DNS	prettywhile.net Type: A
DNS	doctorquestion.net Type: A
DNS	prettyquestion.net Type: A
DNS	doctortherefore.net Type: A
DNS	prettytherefore.net Type: A
DNS	fellowschool.net Type: A
DNS	doubleschool.net Type: A
DNS	fellowwhile.net Type: A
DNS	doublewhile.net Type: A
DNS	fellowquestion.net Type: A
DNS	doublequestion.net Type: A
DNS	fellowtherefore.net Type: A
DNS	doubletherefore.net Type: A
DNS	brokenschool.net Type: A
DNS	resultschool.net Type: A
HTTP GET	http://buildingdinner.net/index.php User-Agent:
HTTP GET	http://buildingafraid.net/index.php User-Agent:
HTTP GET	http://brokencircle.net/index.php User-Agent:
HTTP GET	http://mightanger.net/index.php User-Agent:
HTTP GET	http://doctoralways.net/index.php User-Agent:
HTTP GET	http://outsideschool.net/index.php User-Agent:
HTTP GET	http://buildingschool.net/index.php User-Agent:
HTTP GET	http://eveningschool.net/index.php User-Agent:
HTTP GET	http://doctorschool.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 195.22.28.199:80
Flows TCP	192.168.1.1:1032 ➝ 195.22.28.198:80
Flows TCP	192.168.1.1:1033 ➝ 184.168.221.41:80
Flows TCP	192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1035 ➝ 195.22.28.198:80
Flows TCP	192.168.1.1:1036 ➝ 198.148.92.56:80
Flows TCP	192.168.1.1:1037 ➝ 72.167.232.36:80
Flows TCP	192.168.1.1:1038 ➝ 50.63.202.50:80
Flows TCP	192.168.1.1:1039 ➝ 8.5.1.16:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6764 696e6e65 722e6e65   uildingdinner.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6761 66726169 642e6e65   uildingafraid.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e636972 636c652e 6e65740d   rokencircle.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   69676874 616e6765 722e6e65 740d0a0d   ightanger.net...
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72616c77 6179732e 6e65740d   octoralways.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64657363 686f6f6c 2e6e6574   utsideschool.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6773 63686f6f 6c2e6e65   uildingschool.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   76656e69 6e677363 686f6f6c 2e6e6574   veningschool.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72736368 6f6f6c2e 6e65740d   octorschool.net.
0x00000050 (00080)   0a0d0a0a 0a                           .....

Strings