Analysis | #totalhash

Analysis Date	2015-08-19 09:53:31
MD5	0b5d9c80e1a14f1c187e3f37da892de5
SHA1	a24654e5bcc098a0a752274f258b16646b123229

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 05303107d4185070e28441de969ccb71 sha1: d5c6c715045acc1ed0a2ef6e911649e32f95d1e5 size: 523264
Section	.rdata md5: 87646e496014bbd6bb2701fd120dd723 sha1: acafc5380281d5ea80956eac5e416d9218aca7f8 size: 81408
Section	.data md5: c94e43ab8ae55ec1087849df39dc1cb0 sha1: e3d5eb7474539b695e3efcb61626716d538abbeb size: 7168
Section	.reloc md5: 63513b9dd3eaafc15a8abe272b5e95bb sha1: 98b243e508dc1d1ca6e43d6aac5ba38bf9c6fddd size: 53760
Timestamp	2015-05-08 07:38:49
Packer	Microsoft Visual C++ 8
PEhash	0909cf8c754a0f4c0d2e3bff67e36e7e47fd3161
IMPhash	1f96efe622529b037e60bed44c935b48
AV	Rising	Trojan.Win32.Bayrod.a
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Kazy.609540
AV	Dr. Web	Trojan.Bayrob.1
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Kazy.609540
AV	BullGuard	Gen:Variant.Kazy.609540
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	TrojanSpy.Nivdort.OD4
AV	Trend Micro	TROJ_BAYROB.SM0
AV	Kaspersky	Trojan.Win32.Scar.jgow
AV	Zillya!	Trojan.Scar.Win32.88732
AV	Emsisoft	Gen:Variant.Kazy.609540
AV	Ikarus	Trojan.Win32.Bayrob
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Scar.R.gen!Eldorado
AV	MalwareBytes	Trojan.Agent.KVTGen
AV	MicroWorld (escan)	Gen:Variant.Kazy.609540
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.AF
AV	K7	Trojan ( 004c77f41 )
AV	BitDefender	Gen:Variant.Kazy.609540
AV	Fortinet	W32/Generic.AC.215362
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Generic36.BKRC
AV	Eset (nod32)	Win32/Bayrob.T
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Ad-Aware	Gen:Variant.Kazy.609540
AV	Twister	W32.Toolbar.CrossRider.AL.twvj.mg
AV	Avira (antivir)	TR/Crypt.Xpack.272357
AV	Mcafee	Trojan-FGIJ!0B5D9C80E1A1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\owhcsuwjcasg\mnadm1libwtat4gktg.exe
Creates File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File	C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates Process	C:\owhcsuwjcasg\mnadm1libwtat4gktg.exe

Process
↳ C:\owhcsuwjcasg\mnadm1libwtat4gktg.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Endpoint Debugger Log Windows Input ➝ C:\owhcsuwjcasg\diefuchm.exe
Creates File	C:\owhcsuwjcasg\vztqtdwxmwro
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File	C:\owhcsuwjcasg\diefuchm.exe
Creates File	C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates Process	C:\owhcsuwjcasg\diefuchm.exe
Creates Service	Propagation Image Secure WebClient - C:\owhcsuwjcasg\diefuchm.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1844

Process
↳ Pid 1144

Process
↳ C:\owhcsuwjcasg\diefuchm.exe

Creates File	C:\owhcsuwjcasg\whdrgq9ab
Creates File	pipe\net\NtControlPipe10
Creates File	C:\owhcsuwjcasg\ivyuvxyopyyc.exe
Creates File	C:\owhcsuwjcasg\vztqtdwxmwro
Creates File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File	\Device\Afd\Endpoint
Creates File	C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates Process	yjmc5sbazy2k "c:\owhcsuwjcasg\diefuchm.exe"

Process
↳ C:\owhcsuwjcasg\diefuchm.exe

Creates File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File	C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc

Process
↳ yjmc5sbazy2k "c:\owhcsuwjcasg\diefuchm.exe"

Creates File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File	C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File	C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc

Network Details:

DNS	mountainsupply.net Type: A 67.18.199.2
DNS	windowsupply.net Type: A 173.236.172.44
DNS	sweetoffice.net Type: A 162.213.251.173
DNS	materialsupply.net Type: A 184.168.221.36
DNS	laughstrong.net Type: A 50.21.189.209
DNS	motherarrive.net Type: A
DNS	possiblesupply.net Type: A
DNS	mountaindistance.net Type: A
DNS	possibledistance.net Type: A
DNS	mountainoffice.net Type: A
DNS	possibleoffice.net Type: A
DNS	mountainarrive.net Type: A
DNS	possiblearrive.net Type: A
DNS	perhapssupply.net Type: A
DNS	perhapsdistance.net Type: A
DNS	windowdistance.net Type: A
DNS	perhapsoffice.net Type: A
DNS	windowoffice.net Type: A
DNS	perhapsarrive.net Type: A
DNS	windowarrive.net Type: A
DNS	wintersupply.net Type: A
DNS	subjectsupply.net Type: A
DNS	winterdistance.net Type: A
DNS	subjectdistance.net Type: A
DNS	winteroffice.net Type: A
DNS	subjectoffice.net Type: A
DNS	winterarrive.net Type: A
DNS	subjectarrive.net Type: A
DNS	finishsupply.net Type: A
DNS	leavesupply.net Type: A
DNS	finishdistance.net Type: A
DNS	leavedistance.net Type: A
DNS	finishoffice.net Type: A
DNS	leaveoffice.net Type: A
DNS	finisharrive.net Type: A
DNS	leavearrive.net Type: A
DNS	sweetsupply.net Type: A
DNS	probablysupply.net Type: A
DNS	sweetdistance.net Type: A
DNS	probablydistance.net Type: A
DNS	probablyoffice.net Type: A
DNS	sweetarrive.net Type: A
DNS	probablyarrive.net Type: A
DNS	severalsupply.net Type: A
DNS	severaldistance.net Type: A
DNS	materialdistance.net Type: A
DNS	severaloffice.net Type: A
DNS	materialoffice.net Type: A
DNS	severalarrive.net Type: A
DNS	materialarrive.net Type: A
DNS	severastrong.net Type: A
DNS	severatrouble.net Type: A
DNS	laughtrouble.net Type: A
DNS	severapresident.net Type: A
DNS	laughpresident.net Type: A
DNS	severacaught.net Type: A
DNS	laughcaught.net Type: A
DNS	simplestrong.net Type: A
DNS	motherstrong.net Type: A
DNS	simpletrouble.net Type: A
DNS	mothertrouble.net Type: A
DNS	simplepresident.net Type: A
DNS	motherpresident.net Type: A
DNS	simplecaught.net Type: A
DNS	mothercaught.net Type: A
DNS	mountainstrong.net Type: A
DNS	possiblestrong.net Type: A
DNS	mountaintrouble.net Type: A
DNS	possibletrouble.net Type: A
DNS	mountainpresident.net Type: A
DNS	possiblepresident.net Type: A
DNS	mountaincaught.net Type: A
DNS	possiblecaught.net Type: A
DNS	perhapsstrong.net Type: A
DNS	windowstrong.net Type: A
DNS	perhapstrouble.net Type: A
DNS	windowtrouble.net Type: A
DNS	perhapspresident.net Type: A
DNS	windowpresident.net Type: A
DNS	perhapscaught.net Type: A
DNS	windowcaught.net Type: A
DNS	winterstrong.net Type: A
DNS	subjectstrong.net Type: A
DNS	wintertrouble.net Type: A
DNS	subjecttrouble.net Type: A
HTTP GET	http://mountainsupply.net/index.php User-Agent:
HTTP GET	http://windowsupply.net/index.php User-Agent:
HTTP GET	http://sweetoffice.net/index.php User-Agent:
HTTP GET	http://materialsupply.net/index.php User-Agent:
HTTP GET	http://laughstrong.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 67.18.199.2:80
Flows TCP	192.168.1.1:1032 ➝ 173.236.172.44:80
Flows TCP	192.168.1.1:1033 ➝ 162.213.251.173:80
Flows TCP	192.168.1.1:1034 ➝ 184.168.221.36:80
Flows TCP	192.168.1.1:1035 ➝ 50.21.189.209:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e73 7570706c 792e6e65   ountainsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77737570 706c792e 6e65740d   indowsupply.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 6f666669 63652e6e 65740d0a   weetoffice.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61746572 69616c73 7570706c 792e6e65   aterialsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 7374726f 6e672e6e 65740d0a   aughstrong.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

Strings