Analysis Date: 2016-04-17 09:55:16
MD5: ebe7aca51a3dc7ad04557016a791a832
SHA1: a45bcdbea07ffcf52c4790b550204aa0de22cdf7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b6f949c9cd3b50788e2772a917ba3966 sha1: 1ab6ab3611e27e2bb41d8c023128b8523220083f size: 303616
Section .rdata: md5: 76d14d0e4dee9f58ce3ba383236d0186 sha1: 888b1e0e45f7150bbdfdfc8849130d7e9272d904 size: 26112
Section .data: md5: e2716021add48a7fa75deddb330f9ed9 sha1: 7938ccd2e7249a0ff6c43f8d23bf4e9f06876640 size: 21504
Section .reloc: md5: 29f6cf87f5829d386175cc62a210e561 sha1: 5e58c4aa62ebbe20ecbbfb63cfc1820d7d76e703 size: 32768
Timestamp: 2014-06-29 21:59:08
Packer: Microsoft Visual C++ 8
PEhash: dd77174741b06446e7656d62e0aeed6a886388be
IMPhash: 15f8d21789d5aa342a685bf32d14d4e6
AV CA (E-Trust Ino): Gen:Variant.Razy.15381
AV F-Secure: Gen:Variant.Razy.15381
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.15381
AV BullGuard: Gen:Variant.Razy.15381
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Emsisoft: Gen:Variant.Razy.15381
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.15381
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.15381
AV Fortinet: W32/Bayrob.BJ!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic_r.HZM
AV Eset (nod32): Win32/Bayrob.BJ
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Razy.15381
AV Twister: No Virus
AV Avira (antivir): No Virus
AV Mcafee: Trojan-FHSQ!EBE7ACA51A3D
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\grnwqomzxwqv\barobhdyvg
Creates File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Creates File: C:\grnwqomzxwqv\ne6ly1kx1amjvsdujwx.exe
Deletes File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Creates Process: C:\grnwqomzxwqv\ne6ly1kx1amjvsdujwx.exe

Process
↳ C:\grnwqomzxwqv\ne6ly1kx1amjvsdujwx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Update Search RPC Color iSCSI ➝ C:\grnwqomzxwqv\fibmvrq.exe
Creates File: C:\grnwqomzxwqv\wasjxksvhzgo
Creates File: C:\grnwqomzxwqv\barobhdyvg
Creates File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Creates File: PIPE\lsarpc
Creates File: C:\grnwqomzxwqv\fibmvrq.exe
Deletes File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Creates Process: C:\grnwqomzxwqv\fibmvrq.exe
Creates Service: Detection AutoConfig Propagation - C:\grnwqomzxwqv\fibmvrq.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1120

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1148

Process
↳ C:\grnwqomzxwqv\fibmvrq.exe

Creates File: C:\grnwqomzxwqv\vojqddcidjz.exe
Creates File: C:\grnwqomzxwqv\wasjxksvhzgo
Creates File: C:\grnwqomzxwqv\barobhdyvg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Creates File: \Device\Afd\Endpoint
Creates File: C:\grnwqomzxwqv\rx2aflwtrrh
Deletes File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Creates Process: ibumpdyndbmv "c:\grnwqomzxwqv\fibmvrq.exe"

Process
↳ C:\grnwqomzxwqv\fibmvrq.exe

Creates File: C:\grnwqomzxwqv\barobhdyvg
Creates File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Deletes File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg

Process
↳ ibumpdyndbmv "c:\grnwqomzxwqv\fibmvrq.exe"

Creates File: C:\grnwqomzxwqv\barobhdyvg
Creates File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg
Deletes File: C:\WINDOWS\grnwqomzxwqv\barobhdyvg

Network Details:
