| Field | Value |
|---|---|
| Analysis Date | 2016-02-09 21:06:04 |
| MD5 | 3ec68505fb15e5a5486506346dfd5163 |
| SHA1 | a15000a51369b5d5e9250a2cd3997a6dc5d3d8ec |

Static Details:
| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Timestamp | 2016-01-06 17:07:35 |
| PEhash | a7431ffcebdca606a4f8eceece3eb62cd85ba899 |
| IMPhash | 5b8e0283f60ddbb03bc3f60e8db16fe5 |

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | af40c58724ed050ea7d5eb9264f1238a | 6ab5d7f4448011beb5bfcd8087a7bead73fcff1a | 190976 |
| .rdata | 9c5f120c2dc1e82580247741930ebb09 | cebcc60644ba1bf968dd3685708a447215897517 | 16896 |
| .data | 07b5472d347d42780469fb2654b7fc54 | 943ae54f4818e52409fbbaf60ffd71318d966b0d | 512 |
| .reloc | ecb36ffde386948773a6b2f226e388f9 | 09c906b4bae1464b9dedbcd9fd092a13dcfbe5aa | 30720 |

| AV vendor | Detection |
|---|---|
| CA (E-Trust Ino) | No Virus |
| Rising | No Virus |
| Mcafee | Trojan-FHPX!3EC68505FB15 |
| Avira (antivir) | No Virus |
| Twister | No Virus |
| Ad-Aware | Gen:Variant.Razy.12226 |
| Alwil (avast) | Win32:Malware-gen |
| Eset (nod32) | Win32/Bayrob.AT.gen |
| Grisoft (avg) | Win32/Heur |
| Symantec | Trojan.Bayrob!gen6 |
| Fortinet | W32/Bayrob.AQ!tr |
| BitDefender | Gen:Variant.Razy.12226 |
| K7 | Trojan ( 004db0c61 ) |
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.DG |
| MicroWorld (escan) | Gen:Variant.Kazy.390560 |
| MalwareBytes | No Virus |
| Authentium | W32/Nivdort.G.gen!Eldorado |
| Emsisoft | Gen:Variant.Razy.12226 |
| Frisk (f-prot) | W32/Nivdort.G.gen!Eldorado |
| Ikarus | Trojan.Win32.Bayrob |
| Zillya! | No Virus |
| Kaspersky | Trojan.Win32.Bayrob.scf |
| Trend Micro | No Virus |
| VirusBlokAda (vba32) | No Virus |
| CAT (quickheal) | No Virus |
| BullGuard | Gen:Variant.Kazy.390560 |
| Arcabit (arcavir) | Gen:Variant.Razy.12226 |
| ClamAV | No Virus |
| Dr. Web | No Virus |
| F-Secure | Gen:Variant.Razy.12226 |

Runtime Details:
Process
↳ C:\malware.exe
| Action | Target |
|---|---|
| Creates File | C:\gmdraxsudq\tgbot1ojekdy |
| Creates File | C:\gmdraxsudq\ucyz1kuvikwag7lcnn.exe |
| Creates File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Deletes File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Creates Process | C:\gmdraxsudq\ucyz1kuvikwag7lcnn.exe |

Process
↳ C:\gmdraxsudq\ucyz1kuvikwag7lcnn.exe
| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Mapper Human IP Event Disk ➝ C:\gmdraxsudq\rbelfpyoilr.exe |
| Creates File | C:\gmdraxsudq\tgbot1ojekdy |
| Creates File | PIPE\lsarpc |
| Creates File | C:\gmdraxsudq\kzu7btrlu7p |
| Creates File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Creates File | C:\gmdraxsudq\rbelfpyoilr.exe |
| Deletes File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Creates Process | C:\gmdraxsudq\rbelfpyoilr.exe |
| Creates Service | TP Provider Desktop Coordinator Redirector - C:\gmdraxsudq\rbelfpyoilr.exe |

Process
↳ Pid 808
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe
| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |

Process
↳ Pid 1116
Process
↳ Pid 1212
Process
↳ C:\WINDOWS\system32\spoolsv.exe
| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |

Process
↳ Pid 1880
Process
↳ Pid 1180
Process
↳ C:\gmdraxsudq\rbelfpyoilr.exe
| Action | Target |
|---|---|
| Creates File | C:\gmdraxsudq\tgbot1ojekdy |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\gmdraxsudq\kzu7btrlu7p |
| Creates File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Creates File | C:\gmdraxsudq\gqpu8uwyuxim |
| Creates File | C:\gmdraxsudq\vfbdvnykfryk.exe |
| Deletes File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Creates Process | wgnurmbb8bv5 "c:\gmdraxsudq\rbelfpyoilr.exe" |

Process
↳ C:\gmdraxsudq\rbelfpyoilr.exe
| Action | Target |
|---|---|
| Creates File | C:\gmdraxsudq\tgbot1ojekdy |
| Creates File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Deletes File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |

Process
↳ wgnurmbb8bv5 "c:\gmdraxsudq\rbelfpyoilr.exe"
| Action | Target |
|---|---|
| Creates File | C:\gmdraxsudq\tgbot1ojekdy |
| Creates File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |
| Deletes File | C:\WINDOWS\gmdraxsudq\tgbot1ojekdy |

Network Details:
Raw Pcap
Strings