Field | Value
---|---
Analysis Date | 2015-08-19 09:53:31
MD5 | 0b5d9c80e1a14f1c187e3f37da892de5
SHA1 | a24654e5bcc098a0a752274f258b16646b123229
Static Details:
Field | Value
---|---
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Timestamp | 2015-05-08 07:38:49
Packer | Microsoft Visual C++ 8 (compiler signature, not a packer)
PEhash | 0909cf8c754a0f4c0d2e3bff67e36e7e47fd3161
IMPhash | 1f96efe622529b037e60bed44c935b48

Section | MD5 | SHA1 | Size (bytes)
---|---|---|---
.text | 05303107d4185070e28441de969ccb71 | d5c6c715045acc1ed0a2ef6e911649e32f95d1e5 | 523264
.rdata | 87646e496014bbd6bb2701fd120dd723 | acafc5380281d5ea80956eac5e416d9218aca7f8 | 81408
.data | c94e43ab8ae55ec1087849df39dc1cb0 | e3d5eb7474539b695e3efcb61626716d538abbeb | 7168
.reloc | 63513b9dd3eaafc15a8abe272b5e95bb | 98b243e508dc1d1ca6e43d6aac5ba38bf9c6fddd | 53760
AV results:

Vendor | Detection
---|---
Rising | Trojan.Win32.Bayrod.a
CA (E-Trust Ino) | no_virus
F-Secure | Gen:Variant.Kazy.609540
Dr. Web | Trojan.Bayrob.1
ClamAV | no_virus
Arcabit (arcavir) | Gen:Variant.Kazy.609540
BullGuard | Gen:Variant.Kazy.609540
Padvish | no_virus
VirusBlokAda (vba32) | no_virus
CAT (quickheal) | TrojanSpy.Nivdort.OD4
Trend Micro | TROJ_BAYROB.SM0
Kaspersky | Trojan.Win32.Scar.jgow
Zillya! | Trojan.Scar.Win32.88732
Emsisoft | Gen:Variant.Kazy.609540
Ikarus | Trojan.Win32.Bayrob
Frisk (f-prot) | no_virus
Authentium | W32/Scar.R.gen!Eldorado
MalwareBytes | Trojan.Agent.KVTGen
MicroWorld (escan) | Gen:Variant.Kazy.609540
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AF
K7 | Trojan ( 004c77f41 )
BitDefender | Gen:Variant.Kazy.609540
Fortinet | W32/Generic.AC.215362
Symantec | Downloader.Upatre!g15
Grisoft (avg) | Generic36.BKRC
Eset (nod32) | Win32/Bayrob.T
Alwil (avast) | Malware-gen:Win32:Malware-gen
Ad-Aware | Gen:Variant.Kazy.609540
Twister | W32.Toolbar.CrossRider.AL.twvj.mg
Avira (antivir) | TR/Crypt.Xpack.272357
Mcafee | Trojan-FGIJ!0B5D9C80E1A1
Runtime Details:
Process ↳ C:\malware.exe

Action | Target
---|---
Creates File | C:\owhcsuwjcasg\mnadm1libwtat4gktg.exe
Creates File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File | C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates Process | C:\owhcsuwjcasg\mnadm1libwtat4gktg.exe

Process ↳ C:\owhcsuwjcasg\mnadm1libwtat4gktg.exe

Action | Target
---|---
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Endpoint Debugger Log Windows Input ➝ C:\owhcsuwjcasg\diefuchm.exe
Creates File | C:\owhcsuwjcasg\vztqtdwxmwro
Creates File | PIPE\lsarpc
Creates File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File | C:\owhcsuwjcasg\diefuchm.exe
Creates File | C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates Process | C:\owhcsuwjcasg\diefuchm.exe
Creates Service | Propagation Image Secure WebClient - C:\owhcsuwjcasg\diefuchm.exe

Process ↳ C:\WINDOWS\system32\svchost.exe (no events recorded)

Process ↳ Pid 800 (no events recorded)

Process ↳ Pid 848 (no events recorded)

Process ↳ C:\WINDOWS\System32\svchost.exe

Action | Target
---|---
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process ↳ Pid 1204 (no events recorded)

Process ↳ C:\WINDOWS\system32\spoolsv.exe (no events recorded)

Process ↳ Pid 1844 (no events recorded)

Process ↳ Pid 1144 (no events recorded)

Process ↳ C:\owhcsuwjcasg\diefuchm.exe

Action | Target
---|---
Creates File | C:\owhcsuwjcasg\whdrgq9ab
Creates File | pipe\net\NtControlPipe10
Creates File | C:\owhcsuwjcasg\ivyuvxyopyyc.exe
Creates File | C:\owhcsuwjcasg\vztqtdwxmwro
Creates File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File | \Device\Afd\Endpoint
Creates File | C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates Process | yjmc5sbazy2k "c:\owhcsuwjcasg\diefuchm.exe"

Process ↳ C:\owhcsuwjcasg\diefuchm.exe

Action | Target
---|---
Creates File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File | C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc

Process ↳ yjmc5sbazy2k "c:\owhcsuwjcasg\diefuchm.exe"

Action | Target
---|---
Creates File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Creates File | C:\owhcsuwjcasg\b3ztly0gtgc
Deletes File | C:\WINDOWS\owhcsuwjcasg\b3ztly0gtgc
Network Details:
Raw Pcap
Five HTTP requests were captured. Each is the same minimal `GET /index.php HTTP/1.0` sent to a different host:

```
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d  : close..Host: m
0x00000040 (00064) 6f756e74 61696e73 7570706c 792e6e65  ountainsupply.ne
0x00000050 (00080) 740d0a0d 0a                          t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077  : close..Host: w
0x00000040 (00064) 696e646f 77737570 706c792e 6e65740d  indowsupply.net.
0x00000050 (00080) 0a0d0a0d 0a                          .....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073  : close..Host: s
0x00000040 (00064) 77656574 6f666669 63652e6e 65740d0a  weetoffice.net..
0x00000050 (00080) 0d0a0a0d 0a                          .....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d  : close..Host: m
0x00000040 (00064) 61746572 69616c73 7570706c 792e6e65  aterialsupply.ne
0x00000050 (00080) 740d0a0d 0a                          t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048  GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a  TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e   */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206c  : close..Host: l
0x00000040 (00064) 61756768 7374726f 6e672e6e 65740d0a  aughstrong.net..
0x00000050 (00080) 0d0a0a0d 0a                          .....
```

Hosts contacted, in capture order: mountainsupply.net, windowsupply.net, sweetoffice.net, materialsupply.net, laughstrong.net.
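Reading hosts out of these dumps by hand is error-prone, and a sandbox that emits this layout will emit it for every sample. The following is an added example, not code from the sandbox or from the malware, that parses the hexdump format shown above, reassembles each captured stream, and reports the hosts that receive the identical beacon. The sample input is the page's own five dumps (the parser also accepts the flattened single-line form the report was extracted in, since it splits on the `0x........ (.....)` row prefix rather than on newlines). The beacon fingerprint used by `beacon_hosts`, `GET /index.php` over `HTTP/1.0` with `Accept: */*` and `Connection: close`, is read off the captured requests; the function names are mine.

```python
import re
from typing import Dict, List

# The report's five hexdumps, one row per line (constructed from the page's data).
# The trailing ASCII column is kept as-is; the parser ignores it.
RAW_PCAP = """\
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m
0x00000040 (00064) 6f756e74 61696e73 7570706c 792e6e65 ountainsupply.ne
0x00000050 (00080) 740d0a0d 0a t....
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w
0x00000040 (00064) 696e646f 77737570 706c792e 6e65740d indowsupply.net.
0x00000050 (00080) 0a0d0a0d 0a .....
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 77656574 6f666669 63652e6e 65740d0a weetoffice.net..
0x00000050 (00080) 0d0a0a0d 0a .....
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m
0x00000040 (00064) 61746572 69616c73 7570706c 792e6e65 aterialsupply.ne
0x00000050 (00080) 740d0a0d 0a t....
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206c : close..Host: l
0x00000040 (00064) 61756768 7374726f 6e672e6e 65740d0a aughstrong.net..
0x00000050 (00080) 0d0a0a0d 0a .....
"""

# Every row starts with "0x<offset> (<decimal offset>) "; split on that so the
# flattened one-line form parses exactly like the multi-line form.
ROW_START = re.compile(r"(?=0x[0-9a-fA-F]{8} \(\d+\) )")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")


def parse_hexdump(text: str) -> List[bytes]:
    """Return one bytes object per captured stream; a stream begins at offset 0."""
    streams: List[bytearray] = []
    for chunk in ROW_START.split(text):
        tokens = chunk.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue  # junk before the first row
        offset = int(tokens[0], 16)
        if offset == 0:
            streams.append(bytearray())
        buf = streams[-1]
        if offset != len(buf):
            raise ValueError(f"row offset 0x{offset:x} but {len(buf)} bytes reassembled")
        nbytes = 0
        for tok in tokens[2:]:
            # The hex column ends at the first non-hex token, or after a full
            # 16-byte row; what follows is the ASCII rendering.
            if nbytes >= 16 or len(tok) % 2 or not HEX_TOKEN.match(tok):
                break
            buf += bytes.fromhex(tok)
            nbytes += len(tok) // 2
    return [bytes(s) for s in streams]


def parse_http_request(raw: bytes) -> Dict[str, str]:
    """Split an HTTP request into method/path/version plus lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    req = {"method": method, "path": path, "version": version}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            req[name.strip().lower()] = value.strip()
    return req


def beacon_hosts(text: str) -> List[str]:
    """Hosts that received the sample's beacon shape, in capture order."""
    hosts = []
    for req in map(parse_http_request, parse_hexdump(text)):
        same_shape = (req["method"], req["path"], req["version"]) == ("GET", "/index.php", "HTTP/1.0")
        if same_shape and req.get("accept") == "*/*" and req.get("connection") == "close":
            hosts.append(req["host"])
    return hosts


if __name__ == "__main__":
    for host in beacon_hosts(RAW_PCAP):
        print(host)
```

`beacon_hosts(RAW_PCAP)` returns the five hosts in the order they were contacted. Because the request line and header set are byte-for-byte identical across all five streams, the shape itself (HTTP/1.0 with only `Accept`, `Connection` and `Host`, no `User-Agent`) is a better basis for a network signature than any single host name; the domains are pairs of ordinary English words, which suggests they are generated rather than fixed, so a list built from this one run is unlikely to cover the next sample.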
Strings