Analysis | #totalhash

Analysis Date	2016-02-09 21:06:04
MD5	3ec68505fb15e5a5486506346dfd5163
SHA1	a15000a51369b5d5e9250a2cd3997a6dc5d3d8ec

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: af40c58724ed050ea7d5eb9264f1238a sha1: 6ab5d7f4448011beb5bfcd8087a7bead73fcff1a size: 190976
Section	.rdata md5: 9c5f120c2dc1e82580247741930ebb09 sha1: cebcc60644ba1bf968dd3685708a447215897517 size: 16896
Section	.data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section	.reloc md5: ecb36ffde386948773a6b2f226e388f9 sha1: 09c906b4bae1464b9dedbcd9fd092a13dcfbe5aa size: 30720
Timestamp	2016-01-06 17:07:35
PEhash	a7431ffcebdca606a4f8eceece3eb62cd85ba899
IMPhash	5b8e0283f60ddbb03bc3f60e8db16fe5
AV	CA (E-Trust Ino)	No Virus
AV	Rising	No Virus
AV	Mcafee	Trojan-FHPX!3EC68505FB15
AV	Avira (antivir)	No Virus
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Razy.12226
AV	Alwil (avast)	Win32:Malware-gen
AV	Eset (nod32)	Win32/Bayrob.AT.gen
AV	Grisoft (avg)	Win32/Heur
AV	Symantec	Trojan.Bayrob!gen6
AV	Fortinet	W32/Bayrob.AQ!tr
AV	BitDefender	Gen:Variant.Razy.12226
AV	K7	Trojan ( 004db0c61 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.DG
AV	MicroWorld (escan)	Gen:Variant.Kazy.390560
AV	MalwareBytes	No Virus
AV	Authentium	W32/Nivdort.G.gen!Eldorado
AV	Emsisoft	Gen:Variant.Razy.12226
AV	Frisk (f-prot)	W32/Nivdort.G.gen!Eldorado
AV	Ikarus	Trojan.Win32.Bayrob
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Bayrob.scf
AV	Trend Micro	No Virus
AV	VirusBlokAda (vba32)	No Virus
AV	CAT (quickheal)	No Virus
AV	BullGuard	Gen:Variant.Kazy.390560
AV	Arcabit (arcavir)	Gen:Variant.Razy.12226
AV	ClamAV	No Virus
AV	Dr. Web	No Virus
AV	F-Secure	Gen:Variant.Razy.12226

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\gmdraxsudq\tgbot1ojekdy
Creates File	C:\gmdraxsudq\ucyz1kuvikwag7lcnn.exe
Creates File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Deletes File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Creates Process	C:\gmdraxsudq\ucyz1kuvikwag7lcnn.exe

Process
↳ C:\gmdraxsudq\ucyz1kuvikwag7lcnn.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Mapper Human IP Event Disk ➝ C:\gmdraxsudq\rbelfpyoilr.exe
Creates File	C:\gmdraxsudq\tgbot1ojekdy
Creates File	PIPE\lsarpc
Creates File	C:\gmdraxsudq\kzu7btrlu7p
Creates File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Creates File	C:\gmdraxsudq\rbelfpyoilr.exe
Deletes File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Creates Process	C:\gmdraxsudq\rbelfpyoilr.exe
Creates Service	TP Provider Desktop Coordinator Redirector - C:\gmdraxsudq\rbelfpyoilr.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1180

Process
↳ C:\gmdraxsudq\rbelfpyoilr.exe

Creates File	C:\gmdraxsudq\tgbot1ojekdy
Creates File	pipe\net\NtControlPipe10
Creates File	\Device\Afd\Endpoint
Creates File	C:\gmdraxsudq\kzu7btrlu7p
Creates File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Creates File	C:\gmdraxsudq\gqpu8uwyuxim
Creates File	C:\gmdraxsudq\vfbdvnykfryk.exe
Deletes File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Creates Process	wgnurmbb8bv5 "c:\gmdraxsudq\rbelfpyoilr.exe"

Process
↳ C:\gmdraxsudq\rbelfpyoilr.exe

Creates File	C:\gmdraxsudq\tgbot1ojekdy
Creates File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Deletes File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy

Process
↳ wgnurmbb8bv5 "c:\gmdraxsudq\rbelfpyoilr.exe"

Creates File	C:\gmdraxsudq\tgbot1ojekdy
Creates File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy
Deletes File	C:\WINDOWS\gmdraxsudq\tgbot1ojekdy

Network Details:

DNS	crowdnation.net Type: A 107.191.99.114
DNS	crowdnation.net Type: A 107.161.23.204
DNS	crowdnation.net Type: A 167.114.213.199
DNS	crowdcondition.net Type: A 195.22.28.196
DNS	crowdcondition.net Type: A 195.22.28.197
DNS	crowdcondition.net Type: A 195.22.28.198
DNS	crowdcondition.net Type: A 195.22.28.199
DNS	smokenation.net Type: A 195.22.28.196
DNS	smokenation.net Type: A 195.22.28.197
DNS	smokenation.net Type: A 195.22.28.198
DNS	smokenation.net Type: A 195.22.28.199
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	partynation.net Type: A 72.52.4.91
DNS	freshpower.net Type: A 195.149.84.101
DNS	freshpower.net Type: A 195.149.84.100
DNS	memberfamous.net Type: A 208.100.26.234
DNS	crowdpower.net Type: A 162.244.253.117
DNS	thoughtpower.net Type: A 23.229.204.192
DNS	waterpower.net Type: A 69.172.201.208
DNS	membersoldier.net Type: A
DNS	followplease.net Type: A
DNS	memberplease.net Type: A
DNS	followcondition.net Type: A
DNS	membercondition.net Type: A
DNS	beginnation.net Type: A
DNS	knownnation.net Type: A
DNS	beginsoldier.net Type: A
DNS	knownsoldier.net Type: A
DNS	beginplease.net Type: A
DNS	knownplease.net Type: A
DNS	begincondition.net Type: A
DNS	knowncondition.net Type: A
DNS	summernation.net Type: A
DNS	summersoldier.net Type: A
DNS	crowdsoldier.net Type: A
DNS	summerplease.net Type: A
DNS	crowdplease.net Type: A
DNS	summercondition.net Type: A
DNS	thoughtnation.net Type: A
DNS	waternation.net Type: A
DNS	thoughtsoldier.net Type: A
DNS	watersoldier.net Type: A
DNS	thoughtplease.net Type: A
DNS	waterplease.net Type: A
DNS	thoughtcondition.net Type: A
DNS	watercondition.net Type: A
DNS	womannation.net Type: A
DNS	womansoldier.net Type: A
DNS	smokesoldier.net Type: A
DNS	womanplease.net Type: A
DNS	smokeplease.net Type: A
DNS	womancondition.net Type: A
DNS	smokecondition.net Type: A
DNS	fightnation.net Type: A
DNS	partysoldier.net Type: A
DNS	fightsoldier.net Type: A
DNS	partyplease.net Type: A
DNS	fightplease.net Type: A
DNS	partycondition.net Type: A
DNS	fightcondition.net Type: A
DNS	freshcentury.net Type: A
DNS	experiencecentury.net Type: A
DNS	freshfamous.net Type: A
DNS	experiencefamous.net Type: A
DNS	experiencepower.net Type: A
DNS	freshcountry.net Type: A
DNS	experiencecountry.net Type: A
DNS	gentlemancentury.net Type: A
DNS	alreadycentury.net Type: A
DNS	gentlemanfamous.net Type: A
DNS	alreadyfamous.net Type: A
DNS	gentlemanpower.net Type: A
DNS	alreadypower.net Type: A
DNS	gentlemancountry.net Type: A
DNS	alreadycountry.net Type: A
DNS	followcentury.net Type: A
DNS	membercentury.net Type: A
DNS	followfamous.net Type: A
DNS	followpower.net Type: A
DNS	memberpower.net Type: A
DNS	followcountry.net Type: A
DNS	membercountry.net Type: A
DNS	begincentury.net Type: A
DNS	knowncentury.net Type: A
DNS	beginfamous.net Type: A
DNS	knownfamous.net Type: A
DNS	beginpower.net Type: A
DNS	knownpower.net Type: A
DNS	begincountry.net Type: A
DNS	knowncountry.net Type: A
DNS	summercentury.net Type: A
DNS	crowdcentury.net Type: A
DNS	summerfamous.net Type: A
DNS	crowdfamous.net Type: A
DNS	summerpower.net Type: A
DNS	summercountry.net Type: A
DNS	crowdcountry.net Type: A
DNS	thoughtcentury.net Type: A
DNS	watercentury.net Type: A
DNS	thoughtfamous.net Type: A
DNS	waterfamous.net Type: A
DNS	thoughtcountry.net Type: A
DNS	watercountry.net Type: A
HTTP GET	http://crowdnation.net/index.php User-Agent:
HTTP GET	http://crowdcondition.net/index.php User-Agent:
HTTP GET	http://smokenation.net/index.php User-Agent:
HTTP GET	http://smokecondition.net/index.php User-Agent:
HTTP GET	http://partynation.net/index.php User-Agent:
HTTP GET	http://freshpower.net/index.php User-Agent:
HTTP GET	http://memberfamous.net/index.php User-Agent:
HTTP GET	http://crowdpower.net/index.php User-Agent:
HTTP GET	http://thoughtpower.net/index.php User-Agent:
HTTP GET	http://waterpower.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 107.191.99.114:80
Flows TCP	192.168.1.1:1032 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1033 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1035 ➝ 72.52.4.91:80
Flows TCP	192.168.1.1:1036 ➝ 195.149.84.101:80
Flows TCP	192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1038 ➝ 162.244.253.117:80
Flows TCP	192.168.1.1:1039 ➝ 23.229.204.192:80
Flows TCP	192.168.1.1:1040 ➝ 69.172.201.208:80

Raw Pcap

Strings