Analysis Date: 2016-01-28 15:31:08
MD5: 4d7870fe1d7eabf26c05b96b7b89cc40
SHA1: a39f2c5ebe13465ba769bcd73f964977b7728b3d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b83aa87b437c1eb58ba018a4346b9570  sha1: ddaf70ae9afabc0f134efecd66a01052ca534b76  size: 602112
Section .rdata  md5: 3bc88f40b1427cb823a3dbc7f16eff04  sha1: 7d56dcd87bff23d07e990484dae3f4ffb94677be  size: 67072
Section .data  md5: fb3f3a8a0e4479421da1099fe1ee1b6e  sha1: f5b386254b5ffabb1ab75e8c53a1b92a977df6bd  size: 4096
Timestamp: 2015-12-18 05:17:23
Packer: Microsoft Visual C++ ?.?
PEhash: f4f1e2fbd2af89e23e656816fb208b397fea53ff
IMPhash: bfec832e69ac212ba375a7cc5f0b7c47
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!4D7870FE1D7E
AV Avira (antivir): TR/Nivdort.A.7768
AV Twister: W32.Bayrob.AM.ddlk
AV Ad-Aware: Gen:Variant.Kazy.782531
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AM
AV Grisoft (avg): Generic37.FWO
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Kazy.782531
AV K7: Trojan ( 004d9a071 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.782531
AV MalwareBytes: Trojan.Bayrob.Generic
AV Authentium: W32/Trojan.GG.gen!Eldorado
AV Frisk (f-prot): W32/Trojan.GG.gen!Eldorado
AV Ikarus: Trojan.Inject
AV Emsisoft: Gen:Variant.Kazy.782531
AV Zillya!: Trojan.Agent.Win32.620699
AV Kaspersky: Trojan.Win32.Agent.ihpl
AV Trend Micro: TROJ_BAYROB.SM4
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): Trojan.Agent
AV BullGuard: Gen:Variant.Kazy.782531
AV Arcabit (arcavir): Gen:Variant.Kazy.782531
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.22398
AV F-Secure: Gen:Variant.Kazy.782531
AV CA (E-Trust Ino): No Virus
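The section hashes, timestamp and IMPhash above are derived from the PE headers alone. What follows is an added example, not code from the sandbox that produced this report: a standard-library Python script that parses the section table and TimeDateStamp the same way and computes a pefile-style imphash from an import list. The PE it parses is built in memory so the script runs offline; it is not the analysed sample and its hashes will not match the values above. Rendering the timestamp as UTC is an assumption, since the report does not state a time zone. The imphash function omits pefile's ordinal-to-name table for ws2_32/wsock32/oleaut32, so a binary importing those DLLs by ordinal hashes differently here than in pefile.

```python
"""Reproduce the report's static fields (section md5/sha1/size, PE
timestamp, imphash) with only the standard library.

Added example, not the sandbox's own code.  The PE below is built in
memory so the script runs offline; it is NOT the analysed sample and its
hashes will not match the report.  The timestamp is rendered as UTC (the
report does not state its time zone; assumption)."""
import hashlib
import struct
from datetime import datetime, timezone

SECTION_TEXT = b"\x55\x8b\xec" + b"\x90" * 29      # 32 constructed bytes standing in for .text
SAMPLE_TIMESTAMP = 1450415843                      # 2015-12-18 05:17:23 UTC


def digest(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


def build_sample_pe() -> bytes:
    """Smallest PE32 layout the parser needs: DOS stub with e_lfanew,
    'PE\\0\\0', COFF header, PE32 optional header (zero except Magic),
    one section header and its raw bytes at file offset 0x200."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, opt header size, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, SAMPLE_TIMESTAMP, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # Magic = PE32
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(SECTION_TEXT), 0x1000, len(SECTION_TEXT), raw_ptr,
        0, 0, 0, 0, 0x60000020)                                       # CODE|EXECUTE|READ
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers.ljust(raw_ptr, b"\0") + SECTION_TEXT


def parse_pe(data: bytes) -> dict:
    """Timestamp and per-section hashes as a static pass reports them.
    Raises ValueError for non-PE or truncated input instead of hashing
    whatever bytes happen to be there."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    sections = []
    for i in range(nsec):
        off = e_lfanew + 24 + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {name}: raw data runs past end of file")
        sections.append({"name": name, "size": raw_size,
                         "md5": digest("md5", raw), "sha1": digest("sha1", raw)})
    return {
        "machine": machine,
        "pe32": magic == 0x10B,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def is_pe(data: bytes) -> bool:
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False


def imphash_string(imports) -> str:
    """Canonical import list in pefile's imphash form: 'dll.func' pairs,
    lower-cased, .dll/.ocx/.sys stripped, ordinals as 'ordN', comma-joined.
    Caveat: pefile also maps ordinals of ws2_32/wsock32/oleaut32 back to
    names from a built-in table; that table is omitted here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    return digest("md5", imphash_string(imports).encode())


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("Timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']}  md5: {s['md5']}  sha1: {s['sha1']}  size: {s['size']}")
    print("IMPhash:", imphash([("KERNEL32.dll", "CreateFileA"), ("ADVAPI32.dll", "RegSetValueExA")]))
```

Against a real file, parse_pe(open(path, "rb").read()) gives the same fields; a recomputed .text hash that differs from the one in the report is the quickest way to tell that a sample on disk is a different build even when names or AV labels match.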

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\dihhwcrtluww\ybg1m2pmgbatzfw.exe
Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Creates Process: C:\dihhwcrtluww\ybg1m2pmgbatzfw.exe

Process
↳ C:\dihhwcrtluww\ybg1m2pmgbatzfw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Thread Wired Tracking Plug ➝ C:\dihhwcrtluww\debtdkcofkc.exe
Creates File: C:\dihhwcrtluww\debtdkcofkc.exe
Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Creates File: PIPE\lsarpc
Creates File: C:\dihhwcrtluww\hf2ezrq
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Creates Process: C:\dihhwcrtluww\debtdkcofkc.exe
Creates Service: Assistant Modules Proxy Link-Layer - C:\dihhwcrtluww\debtdkcofkc.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1136

Process
↳ C:\dihhwcrtluww\debtdkcofkc.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Creates File: C:\dihhwcrtluww\ly5zlqs1
Creates File: \Device\Afd\Endpoint
Creates File: C:\dihhwcrtluww\hf2ezrq
Creates File: C:\dihhwcrtluww\ditdrqfjxiy.exe
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Creates Process: boddyrtpqrbj "c:\dihhwcrtluww\debtdkcofkc.exe"
Creates Process: boddyrtpqrbj "c:\dihhwcrtluww\debtdkcofkc.exe"
Creates Process: boddyrtpqrbj "c:\dihhwcrtluww\debtdkcofkc.exe"

Process
↳ C:\dihhwcrtluww\debtdkcofkc.exe

Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh

Process
↳ c:\dihhwcrtluww\debtdkcofkc.exe

Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh

Process
↳ c:\dihhwcrtluww\debtdkcofkc.exe

Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh

Process
↳ boddyrtpqrbj "c:\dihhwcrtluww\debtdkcofkc.exe"

Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Creates Process: c:\dihhwcrtluww\debtdkcofkc.exe

Process
↳ boddyrtpqrbj "c:\dihhwcrtluww\debtdkcofkc.exe"

Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Creates Process: c:\dihhwcrtluww\debtdkcofkc.exe

Process
↳ boddyrtpqrbj "c:\dihhwcrtluww\debtdkcofkc.exe"

Creates File: C:\dihhwcrtluww\ba84nkdh
Creates File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
Deletes File: C:\WINDOWS\dihhwcrtluww\ba84nkdh
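Both persistence entries above, the Run value "Thread Wired Tracking Plug" and the service "Assistant Modules Proxy Link-Layer", launch the same binary, C:\dihhwcrtluww\debtdkcofkc.exe, from a directory the dropper created directly under the drive root; the directory and executable names are random lowercase strings while the display names are plausible English phrases. What follows is an added example, not part of the report: a Python check that scores autostart entries on that pattern. The entry list is constructed (the two flagged entries are copied from the report, the benign ones are made up for contrast), and the 8-character minimum and the "one binary registered as both Run value and service" rule are assumptions of this example rather than anything the report states.

```python
"""Flag autostart entries shaped like this report's persistence: a Run
value and a service that both launch an executable from a directory
directly under the drive root, where directory and file names are random
lowercase strings.

Added example, not part of the report.  SAMPLE_ENTRIES is constructed:
the two flagged entries are copied from the report, the benign ones are
made up.  The length threshold and the Run+service rule are assumptions."""
import re
from collections import defaultdict

# C:\<lowercase/digits, 8+>\<lowercase/digits, 8+>.exe, e.g.
# C:\dihhwcrtluww\debtdkcofkc.exe.  Paths are lower-cased before matching.
RANDOM_ROOT_DIR = re.compile(r"^[a-z]:\\([a-z0-9]{8,})\\([a-z0-9]{8,})\.exe$")

SAMPLE_ENTRIES = [
    # (source, display name, image path)
    ("run",     "Thread Wired Tracking Plug",         r"C:\dihhwcrtluww\debtdkcofkc.exe"),
    ("service", "Assistant Modules Proxy Link-Layer", r"C:\dihhwcrtluww\debtdkcofkc.exe"),
    ("run",     "SecurityHealth",                     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("service", "Spooler",                            r"C:\Windows\System32\spoolsv.exe"),
    ("run",     "OneDrive",                           r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]


def normalise(path: str) -> str:
    """Reduce a Run value or service ImagePath to the bare lower-cased
    executable so quoted/argument-bearing forms of one binary compare equal."""
    path = path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    return path.lower()


def suspicious_reasons(image: str) -> list:
    """Path-only signals for one normalised image path."""
    reasons = []
    m = RANDOM_ROOT_DIR.match(image)
    if m:
        reasons.append(f"runs from drive-root directory '{m.group(1)}' with random-looking names")
    return reasons


def score_entries(entries) -> dict:
    """Group entries by binary, then combine path signals with the
    'same binary persisted twice' signal.  Returns {image: finding}."""
    by_image = defaultdict(list)
    for source, name, path in entries:
        by_image[normalise(path)].append((source, name))
    findings = {}
    for image, users in by_image.items():
        reasons = suspicious_reasons(image)
        if {"run", "service"} <= {source for source, _ in users}:
            reasons.append("same binary registered as both a Run value and a service")
        if reasons:
            findings[image] = {"names": sorted(name for _, name in users), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for image, finding in score_entries(SAMPLE_ENTRIES).items():
        print(image, finding["names"], "; ".join(finding["reasons"]))
```

On a live host the same function can be fed the output of the Run keys and the Services ImagePath values; the path signal alone is noisy for hand-installed tools, which is why the finding carries both reasons and the double-registration rule is kept separate.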

Network Details:

DNS buildingnation.net Type: A 195.22.28.198
DNS buildingnation.net Type: A 195.22.28.197
DNS buildingnation.net Type: A 195.22.28.196
DNS buildingnation.net Type: A 195.22.28.199
DNS eveningcondition.net Type: A 98.139.135.129
DNS mightplease.net Type: A 208.100.26.234
DNS prettysoldier.net Type: A 184.168.221.52
DNS prettyplease.net Type: A 207.148.248.143
DNS brokennation.net Type: A 208.91.197.27
DNS resultnation.net Type: A 208.91.197.27
DNS brokensoldier.net Type: A 173.236.158.114
DNS buildingpower.net Type: A 188.40.84.184
DNS prettypower.net Type: A 208.91.197.23
DNS doublefamous.net Type: A 210.157.1.134
DNS fellowpower.net Type: A 98.139.135.129
DNS brokenfamous.net Type: A 208.100.26.234
DNS brokenpower.net Type: A 72.167.131.57
DNS stillpower.net Type: A 184.168.221.34
DNS resultdaughter.net Type: A (no answer recorded)
DNS prepareready.net Type: A (no answer recorded)
DNS desireready.net Type: A (no answer recorded)
DNS preparebrown.net Type: A (no answer recorded)
DNS desirebrown.net Type: A (no answer recorded)
DNS preparepeople.net Type: A (no answer recorded)
DNS desirepeople.net Type: A (no answer recorded)
DNS preparedaughter.net Type: A (no answer recorded)
DNS desiredaughter.net Type: A (no answer recorded)
DNS strengthready.net Type: A (no answer recorded)
DNS stillready.net Type: A (no answer recorded)
DNS strengthbrown.net Type: A (no answer recorded)
DNS stillbrown.net Type: A (no answer recorded)
DNS strengthpeople.net Type: A (no answer recorded)
DNS stillpeople.net Type: A (no answer recorded)
DNS strengthdaughter.net Type: A (no answer recorded)
DNS stilldaughter.net Type: A (no answer recorded)
DNS movementnation.net Type: A (no answer recorded)
DNS outsidenation.net Type: A (no answer recorded)
DNS movementsoldier.net Type: A (no answer recorded)
DNS outsidesoldier.net Type: A (no answer recorded)
DNS movementplease.net Type: A (no answer recorded)
DNS outsideplease.net Type: A (no answer recorded)
DNS movementcondition.net Type: A (no answer recorded)
DNS outsidecondition.net Type: A (no answer recorded)
DNS eveningnation.net Type: A (no answer recorded)
DNS buildingsoldier.net Type: A (no answer recorded)
DNS eveningsoldier.net Type: A (no answer recorded)
DNS buildingplease.net Type: A (no answer recorded)
DNS eveningplease.net Type: A (no answer recorded)
DNS buildingcondition.net Type: A (no answer recorded)
DNS storenation.net Type: A (no answer recorded)
DNS mightnation.net Type: A (no answer recorded)
DNS storesoldier.net Type: A (no answer recorded)
DNS mightsoldier.net Type: A (no answer recorded)
DNS storeplease.net Type: A (no answer recorded)
DNS storecondition.net Type: A (no answer recorded)
DNS mightcondition.net Type: A (no answer recorded)
DNS doctornation.net Type: A (no answer recorded)
DNS prettynation.net Type: A (no answer recorded)
DNS doctorsoldier.net Type: A (no answer recorded)
DNS doctorplease.net Type: A (no answer recorded)
DNS doctorcondition.net Type: A (no answer recorded)
DNS prettycondition.net Type: A (no answer recorded)
DNS fellownation.net Type: A (no answer recorded)
DNS doublenation.net Type: A (no answer recorded)
DNS fellowsoldier.net Type: A (no answer recorded)
DNS doublesoldier.net Type: A (no answer recorded)
DNS fellowplease.net Type: A (no answer recorded)
DNS doubleplease.net Type: A (no answer recorded)
DNS fellowcondition.net Type: A (no answer recorded)
DNS doublecondition.net Type: A (no answer recorded)
DNS resultsoldier.net Type: A (no answer recorded)
DNS brokenplease.net Type: A (no answer recorded)
DNS resultplease.net Type: A (no answer recorded)
DNS brokencondition.net Type: A (no answer recorded)
DNS resultcondition.net Type: A (no answer recorded)
DNS preparenation.net Type: A (no answer recorded)
DNS desirenation.net Type: A (no answer recorded)
DNS preparesoldier.net Type: A (no answer recorded)
DNS desiresoldier.net Type: A (no answer recorded)
DNS prepareplease.net Type: A (no answer recorded)
DNS desireplease.net Type: A (no answer recorded)
DNS preparecondition.net Type: A (no answer recorded)
DNS desirecondition.net Type: A (no answer recorded)
DNS strengthnation.net Type: A (no answer recorded)
DNS stillnation.net Type: A (no answer recorded)
DNS strengthsoldier.net Type: A (no answer recorded)
DNS stillsoldier.net Type: A (no answer recorded)
DNS strengthplease.net Type: A (no answer recorded)
DNS stillplease.net Type: A (no answer recorded)
DNS strengthcondition.net Type: A (no answer recorded)
DNS stillcondition.net Type: A (no answer recorded)
DNS movementcentury.net Type: A (no answer recorded)
DNS outsidecentury.net Type: A (no answer recorded)
DNS movementfamous.net Type: A (no answer recorded)
DNS outsidefamous.net Type: A (no answer recorded)
DNS movementpower.net Type: A (no answer recorded)
DNS outsidepower.net Type: A (no answer recorded)
DNS movementcountry.net Type: A (no answer recorded)
DNS outsidecountry.net Type: A (no answer recorded)
DNS buildingcentury.net Type: A (no answer recorded)
DNS eveningcentury.net Type: A (no answer recorded)
DNS buildingfamous.net Type: A (no answer recorded)
DNS eveningfamous.net Type: A (no answer recorded)
DNS eveningpower.net Type: A (no answer recorded)
DNS buildingcountry.net Type: A (no answer recorded)
DNS eveningcountry.net Type: A (no answer recorded)
DNS storecentury.net Type: A (no answer recorded)
DNS mightcentury.net Type: A (no answer recorded)
DNS storefamous.net Type: A (no answer recorded)
DNS mightfamous.net Type: A (no answer recorded)
DNS storepower.net Type: A (no answer recorded)
DNS mightpower.net Type: A (no answer recorded)
DNS storecountry.net Type: A (no answer recorded)
DNS mightcountry.net Type: A (no answer recorded)
DNS doctorcentury.net Type: A (no answer recorded)
DNS prettycentury.net Type: A (no answer recorded)
DNS doctorfamous.net Type: A (no answer recorded)
DNS prettyfamous.net Type: A (no answer recorded)
DNS doctorpower.net Type: A (no answer recorded)
DNS doctorcountry.net Type: A (no answer recorded)
DNS prettycountry.net Type: A (no answer recorded)
DNS fellowcentury.net Type: A (no answer recorded)
DNS doublecentury.net Type: A (no answer recorded)
DNS fellowfamous.net Type: A (no answer recorded)
DNS doublepower.net Type: A (no answer recorded)
DNS fellowcountry.net Type: A (no answer recorded)
DNS doublecountry.net Type: A (no answer recorded)
DNS brokencentury.net Type: A (no answer recorded)
DNS resultcentury.net Type: A (no answer recorded)
DNS resultfamous.net Type: A (no answer recorded)
DNS resultpower.net Type: A (no answer recorded)
DNS brokencountry.net Type: A (no answer recorded)
DNS resultcountry.net Type: A (no answer recorded)
DNS preparecentury.net Type: A (no answer recorded)
DNS desirecentury.net Type: A (no answer recorded)
DNS preparefamous.net Type: A (no answer recorded)
DNS desirefamous.net Type: A (no answer recorded)
DNS preparepower.net Type: A (no answer recorded)
DNS desirepower.net Type: A (no answer recorded)
DNS preparecountry.net Type: A (no answer recorded)
DNS desirecountry.net Type: A (no answer recorded)
DNS strengthcentury.net Type: A (no answer recorded)
DNS stillcentury.net Type: A (no answer recorded)
DNS strengthfamous.net Type: A (no answer recorded)
DNS stillfamous.net Type: A (no answer recorded)
DNS strengthpower.net Type: A (no answer recorded)
DNS strengthcountry.net Type: A (no answer recorded)
DNS stillcountry.net Type: A (no answer recorded)
DNS movementsurprise.net Type: A (no answer recorded)
DNS outsidesurprise.net Type: A (no answer recorded)
DNS movementbeside.net Type: A (no answer recorded)
DNS outsidebeside.net Type: A (no answer recorded)
DNS movementletter.net Type: A (no answer recorded)
DNS outsideletter.net Type: A (no answer recorded)
DNS movementdifferent.net Type: A (no answer recorded)
DNS outsidedifferent.net Type: A (no answer recorded)
DNS buildingsurprise.net Type: A (no answer recorded)
DNS eveningsurprise.net Type: A (no answer recorded)
DNS buildingbeside.net Type: A (no answer recorded)
DNS eveningbeside.net Type: A (no answer recorded)
DNS buildingletter.net Type: A (no answer recorded)
DNS eveningletter.net Type: A (no answer recorded)
DNS buildingdifferent.net Type: A (no answer recorded)
DNS eveningdifferent.net Type: A (no answer recorded)
DNS storesurprise.net Type: A (no answer recorded)
DNS mightsurprise.net Type: A (no answer recorded)
DNS storebeside.net Type: A (no answer recorded)
DNS mightbeside.net Type: A (no answer recorded)
DNS storeletter.net Type: A (no answer recorded)
DNS mightletter.net Type: A (no answer recorded)
DNS storedifferent.net Type: A (no answer recorded)
DNS mightdifferent.net Type: A (no answer recorded)
DNS doctorsurprise.net Type: A (no answer recorded)
HTTP GET http://buildingnation.net/index.php User-Agent: (empty)
HTTP GET http://eveningcondition.net/index.php User-Agent: (empty)
HTTP GET http://mightplease.net/index.php User-Agent: (empty)
HTTP GET http://prettysoldier.net/index.php User-Agent: (empty)
HTTP GET http://prettyplease.net/index.php User-Agent: (empty)
HTTP GET http://brokennation.net/index.php User-Agent: (empty)
HTTP GET http://resultnation.net/index.php User-Agent: (empty)
HTTP GET http://brokensoldier.net/index.php User-Agent: (empty)
HTTP GET http://buildingpower.net/index.php User-Agent: (empty)
HTTP GET http://prettypower.net/index.php User-Agent: (empty)
HTTP GET http://doublefamous.net/index.php User-Agent: (empty)
HTTP GET http://fellowpower.net/index.php User-Agent: (empty)
HTTP GET http://brokenfamous.net/index.php User-Agent: (empty)
HTTP GET http://brokenpower.net/index.php User-Agent: (empty)
HTTP GET http://stillpower.net/index.php User-Agent: (empty)
Flows TCP 192.168.1.1:1031 ➝ 195.22.28.198:80
Flows TCP 192.168.1.1:1032 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1034 ➝ 184.168.221.52:80
Flows TCP 192.168.1.1:1035 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1036 ➝ 208.91.197.27:80
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.27:80
Flows TCP 192.168.1.1:1038 ➝ 173.236.158.114:80
Flows TCP 192.168.1.1:1039 ➝ 188.40.84.184:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.23:80
Flows TCP 192.168.1.1:1041 ➝ 210.157.1.134:80
Flows TCP 192.168.1.1:1042 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1043 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1044 ➝ 72.167.131.57:80
Flows TCP 192.168.1.1:1045 ➝ 184.168.221.34:80
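Across the records above the sample queries 170 distinct .net domains, every one a pair of concatenated English words (building+nation, prepare+ready, doctor+surprise); 15 of them resolve, buildingnation.net to four addresses, and each resolved domain is followed by one GET /index.php with an empty User-Agent and one TCP flow to one of its addresses, while three addresses (98.139.135.129, 208.100.26.234 and 208.91.197.27) each serve two of the resolved domains. What follows is an added example, not the sandbox's own code: a Python script that parses report-style DNS, HTTP and flow lines, separates the domains that were actually reached (the indicators worth blocking) from the unresolved bulk, and flags the dictionary-pair, mostly-unresolved lookup shape. SAMPLE_LINES is a constructed subset of the records above in one-line form with the arrow written as "->"; the FIRST and SECOND word lists are taken from the domains on this page and are not the sample's real generator list, which the report does not contain; the thresholds in dga_like are assumptions.

```python
"""Separate the domains this sample actually reached from the bulk of
lookups that never resolved, using report-style DNS/HTTP/flow records.

Added example, not the sandbox's code.  SAMPLE_LINES is a constructed
subset of the report's records; FIRST/SECOND are word lists read off the
domains on the page, not the malware's own list; the thresholds in
dga_like are assumptions."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

FIRST = {"building", "evening", "might", "pretty", "broken", "result", "double", "fellow",
         "still", "prepare", "desire", "strength", "movement", "outside", "store", "doctor"}
SECOND = {"nation", "condition", "please", "soldier", "power", "famous", "daughter", "ready",
          "brown", "people", "century", "country", "surprise", "beside", "letter", "different"}

SAMPLE_LINES = """\
DNS buildingnation.net Type: A 195.22.28.198
DNS buildingnation.net Type: A 195.22.28.197
DNS eveningcondition.net Type: A 98.139.135.129
DNS mightplease.net Type: A 208.100.26.234
DNS brokennation.net Type: A 208.91.197.27
DNS resultnation.net Type: A 208.91.197.27
DNS fellowpower.net Type: A 98.139.135.129
DNS resultdaughter.net Type: A
DNS prepareready.net Type: A
DNS desireready.net Type: A
DNS preparebrown.net Type: A
DNS desirebrown.net Type: A
DNS strengthpeople.net Type: A
DNS movementsurprise.net Type: A
HTTP GET http://buildingnation.net/index.php User-Agent:
HTTP GET http://eveningcondition.net/index.php User-Agent:
HTTP GET http://mightplease.net/index.php User-Agent:
HTTP GET http://brokennation.net/index.php User-Agent:
HTTP GET http://resultnation.net/index.php User-Agent:
HTTP GET http://fellowpower.net/index.php User-Agent:
Flows TCP 192.168.1.1:1031 -> 195.22.28.198:80
Flows TCP 192.168.1.1:1032 -> 98.139.135.129:80
Flows TCP 192.168.1.1:1033 -> 208.100.26.234:80
Flows TCP 192.168.1.1:1036 -> 208.91.197.27:80
Flows TCP 192.168.1.1:1037 -> 208.91.197.27:80
Flows TCP 192.168.1.1:1042 -> 98.139.135.129:80
""".splitlines()

DNS_RE = re.compile(r"^DNS (\S+) Type: (\S+)(?: (\d+\.\d+\.\d+\.\d+))?$")
HTTP_RE = re.compile(r"^HTTP GET (\S+) User-Agent:\s*(.*)$")
FLOW_RE = re.compile(r"^Flows TCP (\S+):(\d+) -> (\S+):(\d+)$")


def split_words(label: str):
    """(first, second) if the label is one word from each list, else None."""
    for first in FIRST:
        if label.startswith(first) and label[len(first):] in SECOND:
            return first, label[len(first):]
    return None


def correlate(lines) -> dict:
    answers = defaultdict(set)      # domain -> resolved IPs
    queried = set()
    requests = {}                   # host -> User-Agent value
    flow_dsts = Counter()           # destination IP -> connection count
    for line in lines:
        if m := DNS_RE.match(line):
            queried.add(m.group(1))
            if m.group(3):
                answers[m.group(1)].add(m.group(3))
        elif m := HTTP_RE.match(line):
            requests[urlsplit(m.group(1)).hostname] = m.group(2)
        elif m := FLOW_RE.match(line):
            flow_dsts[m.group(3)] += 1

    resolved = {d for d in queried if answers[d]}
    two_word = {d for d in queried if d.endswith(".net") and split_words(d[:-4])}
    # A domain counts as contacted only if it resolved, was requested over
    # HTTP and a flow went to one of its addresses: that is the block list.
    contacted = {d: sorted(answers[d]) for d in resolved
                 if d in requests and answers[d] & set(flow_dsts)}
    by_ip = defaultdict(list)
    for d in resolved:
        for ip in answers[d]:
            by_ip[ip].append(d)
    nx_ratio = (len(queried) - len(resolved)) / len(queried) if queried else 0.0
    return {
        "queried": len(queried),
        "resolved": len(resolved),
        "two_word": len(two_word),
        "nxdomain_ratio": round(nx_ratio, 3),
        # many dictionary-pair lookups, most of them failing, is the DGA shape
        "dga_like": len(two_word) >= 10 and nx_ratio >= 0.5,
        "contacted": contacted,
        "shared_ips": {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1},
        "empty_user_agent": sum(1 for ua in requests.values() if not ua),
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The resolved-but-uncontacted and unresolved domains are still useful as hunting terms, but only the contacted set and its addresses are backed by an actual connection; shared_ips also shows why blocking by address alone under-counts, since one address answers for several generated names.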
