Analysis Date: 2015-10-11 21:06:45
MD5: 941e011a6b97fa4bdf91d35246a46e35
SHA1: a61757726a3986cc8b59089ccaa1cab8a719214d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: e2c49560cb658d9851574218427b1241 sha1: 006e3691afe6b2c66373e40556423e330d9c3a84 size: 263168
Section: .rdata md5: d86002e160e6c273880a780d1a129588 sha1: 76c64d8fff726f975acceb092adacaeb8b5bab4f size: 41984
Section: .data md5: 162221cd906a89ba7f82801804efe61e sha1: 096c615c1d50f13c47c24f7808b28284e07d13dd size: 7168
Section: .reloc md5: 91f07884f597960662f5f091303abe17 sha1: eaaf8b8f9e0cc379a4070071e6bd8051aad270bd size: 18432
Timestamp: 2015-05-21 04:45:58
Packer: Microsoft Visual C++ ?.?
PEhash: 48470445022c3028987b30c017f9fa0674d388e3
IMPhash: c146122ba5026b1e3b54fccf49ca5cf4
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Authentium: W32/Scar.V.gen!Eldorado
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Crypt.ZPACK.172617
AV Trend Micro: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV ClamAV: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Kaspersky: Trojan.Win32.Generic
AV BullGuard: Gen:Variant.Diley.1
AV Dr. Web: Trojan.DownLoader13.22313
AV Frisk (f-prot): no_virus
AV Padvish: no_virus
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV Twister: no_virus
AV MicroWorld (escan): Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV F-Secure: Gen:Variant.Diley.1
AV Mcafee: Trojan-FGIJ!941E011A6B97
AV CAT (quickheal): no_virus
AV Eset (nod32): Win32/Bayrob.Y
AV Symantec: Downloader.Upatre!g15
AV BitDefender: Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Rising: no_virus
AV VirusBlokAda (vba32): no_virus
AV Ikarus: Trojan.Win32.Bayrob

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates File: C:\gwyqwmzsy\di85t2bglp6
Creates File: C:\gwyqwmzsy\allvq1ldjlbfeilaso1d.exe
Deletes File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates Process: C:\gwyqwmzsy\allvq1ldjlbfeilaso1d.exe

Process
↳ C:\gwyqwmzsy\allvq1ldjlbfeilaso1d.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Volume Modules Net.Tcp NGEN Group ➝ C:\gwyqwmzsy\illczlzu.exe
Creates File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates File: C:\gwyqwmzsy\ujsecvpk6pg
Creates File: C:\gwyqwmzsy\illczlzu.exe
Creates File: PIPE\lsarpc
Creates File: C:\gwyqwmzsy\di85t2bglp6
Deletes File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates Process: C:\gwyqwmzsy\illczlzu.exe
Creates Service: Accounts Session Level WebClient Host - C:\gwyqwmzsy\illczlzu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1128

Process
↳ C:\gwyqwmzsy\illczlzu.exe

Creates File: C:\gwyqwmzsy\hnef89
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates File: C:\gwyqwmzsy\ujsecvpk6pg
Creates File: C:\gwyqwmzsy\xykcvsug.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\gwyqwmzsy\di85t2bglp6
Deletes File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates Process: olwxqnomtx7b "c:\gwyqwmzsy\illczlzu.exe"

Process
↳ C:\gwyqwmzsy\illczlzu.exe

Creates File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates File: C:\gwyqwmzsy\di85t2bglp6
Deletes File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6

Process
↳ olwxqnomtx7b "c:\gwyqwmzsy\illczlzu.exe"

Creates File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6
Creates File: C:\gwyqwmzsy\di85t2bglp6
Deletes File: C:\WINDOWS\gwyqwmzsy\di85t2bglp6

Network Details:

DNS: nightstation.net
Type: A
69.163.242.16
DNS: electricstation.net
Type: A
50.63.202.37
DNS: streetstation.net
Type: A
72.52.4.90
DNS: tradestation.net
Type: A
65.211.211.21
DNS: doubttravel.net
Type: A
72.52.4.90
DNS: nightspace.net
Type: A
91.250.101.43
DNS: largespace.net
Type: A
62.22.102.59
DNS: captainspace.net
Type: A
208.100.26.234
DNS: captaintravel.net
Type: A
184.168.221.96
DNS: doubtchildhood.net
Type: A
DNS: decidestation.net
Type: A
DNS: nightthird.net
Type: A
DNS: decidethird.net
Type: A
DNS: nightobject.net
Type: A
DNS: decideobject.net
Type: A
DNS: nightchildhood.net
Type: A
DNS: decidechildhood.net
Type: A
DNS: largestation.net
Type: A
DNS: captainstation.net
Type: A
DNS: largethird.net
Type: A
DNS: captainthird.net
Type: A
DNS: largeobject.net
Type: A
DNS: captainobject.net
Type: A
DNS: largechildhood.net
Type: A
DNS: captainchildhood.net
Type: A
DNS: recordstation.net
Type: A
DNS: recordthird.net
Type: A
DNS: electricthird.net
Type: A
DNS: recordobject.net
Type: A
DNS: electricobject.net
Type: A
DNS: recordchildhood.net
Type: A
DNS: electricchildhood.net
Type: A
DNS: streetthird.net
Type: A
DNS: tradethird.net
Type: A
DNS: streetobject.net
Type: A
DNS: tradeobject.net
Type: A
DNS: streetchildhood.net
Type: A
DNS: tradechildhood.net
Type: A
DNS: betterstation.net
Type: A
DNS: gatherstation.net
Type: A
DNS: betterthird.net
Type: A
DNS: gatherthird.net
Type: A
DNS: betterobject.net
Type: A
DNS: gatherobject.net
Type: A
DNS: betterchildhood.net
Type: A
DNS: gatherchildhood.net
Type: A
DNS: flierstation.net
Type: A
DNS: breadstation.net
Type: A
DNS: flierthird.net
Type: A
DNS: breadthird.net
Type: A
DNS: flierobject.net
Type: A
DNS: breadobject.net
Type: A
DNS: flierchildhood.net
Type: A
DNS: breadchildhood.net
Type: A
DNS: quietstation.net
Type: A
DNS: seasonstation.net
Type: A
DNS: quietthird.net
Type: A
DNS: seasonthird.net
Type: A
DNS: quietobject.net
Type: A
DNS: seasonobject.net
Type: A
DNS: quietchildhood.net
Type: A
DNS: seasonchildhood.net
Type: A
DNS: againstspace.net
Type: A
DNS: doubtspace.net
Type: A
DNS: againsttravel.net
Type: A
DNS: againstyellow.net
Type: A
DNS: doubtyellow.net
Type: A
DNS: againstclose.net
Type: A
DNS: doubtclose.net
Type: A
DNS: decidespace.net
Type: A
DNS: nighttravel.net
Type: A
DNS: decidetravel.net
Type: A
DNS: nightyellow.net
Type: A
DNS: decideyellow.net
Type: A
DNS: nightclose.net
Type: A
DNS: decideclose.net
Type: A
DNS: largetravel.net
Type: A
DNS: largeyellow.net
Type: A
DNS: captainyellow.net
Type: A
DNS: largeclose.net
Type: A
DNS: captainclose.net
Type: A
DNS: recordspace.net
Type: A
DNS: electricspace.net
Type: A
DNS: recordtravel.net
Type: A
DNS: electrictravel.net
Type: A
HTTP GET: http://nightstation.net/index.php
User-Agent:
HTTP GET: http://electricstation.net/index.php
User-Agent:
HTTP GET: http://streetstation.net/index.php
User-Agent:
HTTP GET: http://tradestation.net/index.php
User-Agent:
HTTP GET: http://doubttravel.net/index.php
User-Agent:
HTTP GET: http://nightspace.net/index.php
User-Agent:
HTTP GET: http://largespace.net/index.php
User-Agent:
HTTP GET: http://captainspace.net/index.php
User-Agent:
HTTP GET: http://captaintravel.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 69.163.242.16:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1033 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1034 ➝ 65.211.211.21:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1036 ➝ 91.250.101.43:80
Flows TCP: 192.168.1.1:1037 ➝ 62.22.102.59:80
Flows TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.96:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 73746174 696f6e2e 6e65740d   ightstation.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6c656374 72696373 74617469 6f6e2e6e   lectricstation.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74726565 74737461 74696f6e 2e6e6574   treetstation.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   72616465 73746174 696f6e2e 6e65740d   radestation.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f756274 74726176 656c2e6e 65740d0a   oubttravel.net..
0x00000050 (00080)   0d0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 73706163 652e6e65 740d0a0d   ightspace.net...
0x00000050 (00080)   0a0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61726765 73706163 652e6e65 740d0a0d   argespace.net...
0x00000050 (00080)   0a0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e7370 6163652e 6e65740d   aptainspace.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e7472 6176656c 2e6e6574   aptaintravel.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......


Strings