Analysis Date: 2016-03-09 19:53:42
MD5: 536d9bc2f2cf54d2f8f21c71109067d6
SHA1: ac5f30db505f29ed2833bb8e207b85ec841f18c2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: d698e1b7e661ce08b426c6e66bb237ef  sha1: ed3a16d135e08c50c5081362bdb7272f9c7a818e  size: 652800
Section .rdata  md5: 5e92c9e5a4cfc1f8db7fb5b50b6ca429  sha1: 4cc90a24c77f25aa14aa5dc25dc910bc779cd337  size: 236032
Section .data   md5: 615e61d8cf69b06cdf6715487921a5ee  sha1: f7ed8ad28f353e60af3a6dfbf5a34c3e9b9f97e4  size: 5120
Section .reloc  md5: e1c8ef2889c288fcd5320f748585bf62  sha1: 0b0cab04d4dde261e0c00fd42d696d20918aed2a  size: 89088
Timestamp: 2013-06-04 10:53:11
Packer: Microsoft Visual C++ ?.?
PEhash: 513fafe20d2917f806d3f427e4dbdb8f9ac6f21d
IMPhash: 256362af3a6ecf98858e6aa2d4a36c74
AV Rising: No Virus
AV Mcafee: Trojan-FHSI!536D9BC2F2CF
AV Avira (antivir): TR/Taranis.2063
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.14896
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Crypt_c.APRO
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.14896
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Razy.14896
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.SSUJ-6679
AV Emsisoft: Gen:Variant.Razy.14896
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.14896
AV Arcabit (arcavir): Gen:Variant.Razy.14896
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.6637
AV F-Secure: Gen:Variant.Razy.14896
AV CA (E-Trust Ino): Gen:Variant.Razy.14896

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\llagjodjzthf\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mrxhuc79m8izj9xbjmhx8fth.exe
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mrxhuc79m8izj9xbjmhx8fth.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\mrxhuc79m8izj9xbjmhx8fth.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Net.Tcp Controls User Identity Config ➝ C:\WINDOWS\system32\blxzqtbzu.exe
Creates File: C:\WINDOWS\system32\blxzqtbzu.exe
Creates File: C:\WINDOWS\system32\llagjodjzthf\lck
Creates File: C:\WINDOWS\system32\llagjodjzthf\tst
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\blxzqtbzu.exe
Creates Service: Network Human Launcher Connectivity - C:\WINDOWS\system32\blxzqtbzu.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1096

Process
↳ C:\WINDOWS\system32\blxzqtbzu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\mrxhuc793186tzxb.exe
Creates File: C:\WINDOWS\system32\llagjodjzthf\lck
Creates File: C:\WINDOWS\system32\llagjodjzthf\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\llagjodjzthf\tst
Creates File: C:\WINDOWS\system32\llagjodjzthf\run
Creates File: C:\WINDOWS\system32\llagjodjzthf\cfg
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\yfoprdvqwo.exe
Creates Process: C:\WINDOWS\TEMP\mrxhuc793186tzxb.exe -r 26333 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\blxzqtbzu.exe"

Process
↳ C:\WINDOWS\system32\blxzqtbzu.exe

Creates File: C:\WINDOWS\system32\llagjodjzthf\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\blxzqtbzu.exe"

Creates File: C:\WINDOWS\system32\llagjodjzthf\tst

Process
↳ C:\WINDOWS\TEMP\mrxhuc793186tzxb.exe -r 26333 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250 (the SSDP multicast address, recorded by the sandbox's name-resolution hook; not a C2 lookup)
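The runtime records above form a small, repeatable pattern: a Run value and a service that both point at a freshly written binary with a random name under system32, a random-named directory under system32 holding lck/tst/rng/run/cfg marker files, FirewallDisableNotify set to 1, a WATCHDOGPROC relaunch of the service binary, and a helper dropped in %TEMP% started with a port argument. The Python below is an added example (not part of this report or of any sandbox's code) that encodes those behaviours as triage rules and runs them over a constructed event list shaped like the records above; the event field names and the consonant-run heuristic for "random-looking" names are the author's own assumptions.

```python
"""Host triage rules derived from the runtime records above (added example)."""
import re
from collections import defaultdict

MARKER_FILES = {"lck", "tst", "rng", "run", "cfg"}
RUN_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run\\"
FIREWALL_NOTIFY = "hkey_local_machine\\software\\microsoft\\security center\\firewalldisablenotify"
SYS32_EXE = re.compile(r"^c:\\windows\\system32\\([a-z0-9]+)\.exe$", re.I)
SYS32_MARKER = re.compile(r"^c:\\windows\\system32\\([a-z0-9]+)\\([a-z]{3})$", re.I)
TEMP_EXE = re.compile(r"\\temp\\[a-z0-9]+\.exe(\s|$)", re.I)


def consonant_run(name):
    """Longest run of non-vowels in a file name (assumed heuristic). The dropped
    binaries blxzqtbzu and yfoprdvqwo have runs of six or more; stock system32
    names such as svchost or spoolsv stay at four or below."""
    return max((len(r) for r in re.findall(r"[^aeiou]+", name.lower())), default=0)


def triage(events):
    """Return {rule_name: [matching values]} for every behaviour found."""
    hits = defaultdict(list)
    marker_dirs = defaultdict(set)  # directory under system32 -> marker files seen
    for e in events:
        kind = e["type"]
        if kind == "registry":
            key = e["key"].lower()
            if key.startswith(RUN_KEY) and SYS32_EXE.match(e["value"]):
                hits["run_key_to_system32_exe"].append(e["value"])
            if key == FIREWALL_NOTIFY and e["value"] == "1":
                hits["firewall_notify_disabled"].append(e["key"])
        elif kind == "service":
            m = SYS32_EXE.match(e["image"])
            if m and consonant_run(m.group(1)) >= 5:
                hits["service_random_system32_exe"].append(e["name"])
        elif kind == "file":
            m = SYS32_MARKER.match(e["path"])
            if m and m.group(2).lower() in MARKER_FILES:
                marker_dirs[m.group(1).lower()].add(m.group(2).lower())
        elif kind == "process":
            cl = e["cmdline"]
            if cl.upper().startswith("WATCHDOGPROC "):
                hits["watchdog_relaunch"].append(cl)
            if TEMP_EXE.search(cl) and " -r " in cl:
                hits["temp_helper_with_port_arg"].append(cl)
    # One random-named directory holding several marker files is the strongest
    # single host indicator in the report; require three of the five names.
    for d, found in marker_dirs.items():
        if len(found) >= 3:
            hits["marker_dir_in_system32"].append(d)
    return dict(hits)


# Constructed events modelled on the records above; not sandbox output.
SAMPLE_EVENTS = [
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Net.Tcp Controls User Identity Config",
     "value": r"C:\WINDOWS\system32\blxzqtbzu.exe"},
    {"type": "service", "name": "Network Human Launcher Connectivity",
     "image": r"C:\WINDOWS\system32\blxzqtbzu.exe"},
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify",
     "value": "1"},
    {"type": "file", "path": r"C:\WINDOWS\system32\llagjodjzthf\lck"},
    {"type": "file", "path": r"C:\WINDOWS\system32\llagjodjzthf\rng"},
    {"type": "file", "path": r"C:\WINDOWS\system32\llagjodjzthf\cfg"},
    {"type": "process", "cmdline": r'WATCHDOGPROC "c:\windows\system32\blxzqtbzu.exe"'},
    {"type": "process", "cmdline": r"C:\WINDOWS\TEMP\mrxhuc793186tzxb.exe -r 26333 tcp"},
    # Benign noise from the same report that must not fire.
    {"type": "service", "name": "Spooler", "image": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"type": "file", "path": r"C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG"},
]

if __name__ == "__main__":
    for rule, values in triage(SAMPLE_EVENTS).items():
        print(rule, values)
```

The marker-directory rule is the one worth porting to real telemetry first: the file names lck/tst/rng/run/cfg are fixed while the directory and binary names change per infection, so a grouping by parent directory survives the renaming that defeats plain path matching. The consonant-run threshold is a heuristic and should be tuned against a baseline of the system32 binaries on the hosts you monitor.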

Network Details:

DNS: riddenstorm.net  Type: A  66.147.240.171
DNS: simonettedwerryhouse.net  Type: A  98.139.135.129
DNS: feararms.net  Type: A  195.22.26.248
DNS: fearstone.net  Type: A  184.168.221.38
DNS: westside.net  Type: A  98.124.199.108
DNS: tableside.net  Type: A  184.168.221.50
DNS: leadside.net  Type: A  50.63.202.13
DNS: pointstone.net  Type: A  108.61.26.20
DNS: pointside.net  Type: A  67.210.126.130
DNS: callside.net  Type: A  50.63.202.25
DNS: wellthere.net  Type: A  208.100.26.234
DNS: wellstone.net  Type: A  209.237.152.15
DNS: wellside.net  Type: A  203.189.105.181
DNS: ringstone.net  Type: A  38.113.1.102
DNS: doubleobject.net  Type: A
DNS: brokenthird.net  Type: A
DNS: mightspecial.net  Type: A
DNS: dulcibellamartinson.net  Type: A
DNS: mariabellabotwright.net  Type: A
DNS: simonettesherisse.net  Type: A
DNS: decidebetween.net  Type: A
DNS: aloneneighbor.net  Type: A
DNS: gentleangry.net  Type: A
DNS: gwendolynhuddleston.net  Type: A
DNS: seasonstrong.net  Type: A
DNS: oftensurprise.net  Type: A
DNS: chiefanother.net  Type: A
DNS: morningduring.net  Type: A
DNS: wifeabout.net  Type: A
DNS: casestep.net  Type: A
DNS: liarhold.net  Type: A
DNS: nonesecond.net  Type: A
DNS: liarsecond.net  Type: A
DNS: noneocean.net  Type: A
DNS: liarocean.net  Type: A
DNS: nonehave.net  Type: A
DNS: liarhave.net  Type: A
DNS: wellhold.net  Type: A
DNS: nosehold.net  Type: A
DNS: wellsecond.net  Type: A
DNS: nosesecond.net  Type: A
DNS: wellocean.net  Type: A
DNS: noseocean.net  Type: A
DNS: wellhave.net  Type: A
DNS: nosehave.net  Type: A
DNS: ringhold.net  Type: A
DNS: favorhold.net  Type: A
DNS: ringsecond.net  Type: A
DNS: favorsecond.net  Type: A
DNS: ringocean.net  Type: A
DNS: favorocean.net  Type: A
DNS: ringhave.net  Type: A
DNS: favorhave.net  Type: A
DNS: sorrythere.net  Type: A
DNS: fiftythere.net  Type: A
DNS: sorryarms.net  Type: A
DNS: fiftyarms.net  Type: A
DNS: sorrystone.net  Type: A
DNS: fiftystone.net  Type: A
DNS: sorryside.net  Type: A
DNS: fiftyside.net  Type: A
DNS: theirthere.net  Type: A
DNS: likrthere.net  Type: A
DNS: theirarms.net  Type: A
DNS: likrarms.net  Type: A
DNS: theirstone.net  Type: A
DNS: likrstone.net  Type: A
DNS: theirside.net  Type: A
DNS: likrside.net  Type: A
DNS: fearthere.net  Type: A
DNS: westthere.net  Type: A
DNS: westarms.net  Type: A
DNS: weststone.net  Type: A
DNS: fearside.net  Type: A
DNS: tablethere.net  Type: A
DNS: leadthere.net  Type: A
DNS: tablearms.net  Type: A
DNS: leadarms.net  Type: A
DNS: tablestone.net  Type: A
DNS: leadstone.net  Type: A
DNS: pointthere.net  Type: A
DNS: callthere.net  Type: A
DNS: pointarms.net  Type: A
DNS: callarms.net  Type: A
DNS: callstone.net  Type: A
DNS: nonethere.net  Type: A
DNS: liarthere.net  Type: A
DNS: nonearms.net  Type: A
DNS: liararms.net  Type: A
DNS: nonestone.net  Type: A
DNS: liarstone.net  Type: A
DNS: noneside.net  Type: A
DNS: liarside.net  Type: A
DNS: nosethere.net  Type: A
DNS: wellarms.net  Type: A
DNS: nosearms.net  Type: A
DNS: nosestone.net  Type: A
DNS: noseside.net  Type: A
DNS: ringthere.net  Type: A
DNS: favorthere.net  Type: A
DNS: ringarms.net  Type: A
DNS: favorarms.net  Type: A
DNS: favorstone.net  Type: A
HTTP GET: http://riddenstorm.net/index.php  User-Agent: (none)
HTTP GET: http://simonettedwerryhouse.net/index.php  User-Agent: (none)
HTTP GET: http://feararms.net/index.php  User-Agent: (none)
HTTP GET: http://fearstone.net/index.php  User-Agent: (none)
HTTP GET: http://westside.net/index.php  User-Agent: (none)
HTTP GET: http://tableside.net/index.php  User-Agent: (none)
HTTP GET: http://leadside.net/index.php  User-Agent: (none)
HTTP GET: http://pointstone.net/index.php  User-Agent: (none)
HTTP GET: http://pointside.net/index.php  User-Agent: (none)
HTTP GET: http://callside.net/index.php  User-Agent: (none)
HTTP GET: http://wellthere.net/index.php  User-Agent: (none)
HTTP GET: http://wellstone.net/index.php  User-Agent: (none)
HTTP GET: http://wellside.net/index.php  User-Agent: (none)
HTTP GET: http://ringstone.net/index.php  User-Agent: (none)
HTTP GET: http://riddenstorm.net/index.php  User-Agent: (none)
HTTP GET: http://simonettedwerryhouse.net/index.php  User-Agent: (none)
Flows TCP: 192.168.1.1:1032 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.38:80
Flows TCP: 192.168.1.1:1041 ➝ 98.124.199.108:80
Flows TCP: 192.168.1.1:1042 ➝ 184.168.221.50:80
Flows TCP: 192.168.1.1:1043 ➝ 50.63.202.13:80
Flows TCP: 192.168.1.1:1044 ➝ 108.61.26.20:80
Flows TCP: 192.168.1.1:1045 ➝ 67.210.126.130:80
Flows TCP: 192.168.1.1:1046 ➝ 50.63.202.25:80
Flows TCP: 192.168.1.1:1047 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1048 ➝ 209.237.152.15:80
Flows TCP: 192.168.1.1:1049 ➝ 203.189.105.181:80
Flows TCP: 192.168.1.1:1050 ➝ 38.113.1.102:80
Flows TCP: 192.168.1.1:1051 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1052 ➝ 98.139.135.129:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d6f6e 65747465 64776572 7279686f   imonettedwerryho
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   65617261 726d732e 6e65740d 0a0d0a6f   eararms.net....o
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   65617273 746f6e65 2e6e6574 0d0a0d0a   earstone.net....
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   65737473 6964652e 6e65740d 0a0d0a0a   estside.net.....
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   61626c65 73696465 2e6e6574 0d0a0d0a   ableside.net....
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   65616473 6964652e 6e65740d 0a0d0a0a   eadside.net.....
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6f696e74 73746f6e 652e6e65 740d0a0d   ointstone.net...
0x00000050 (00080)   0a73652e 6e65740d 0a0d0a              .se.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6f696e74 73696465 2e6e6574 0d0a0d0a   ointside.net....
0x00000050 (00080)   0a73652e 6e65740d 0a0d0a              .se.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   616c6c73 6964652e 6e65740d 0a0d0a0a   allside.net.....
0x00000050 (00080)   0a73652e 6e65740d 0a0d0a              .se.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   656c6c74 68657265 2e6e6574 0d0a0d0a   ellthere.net....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   656c6c73 746f6e65 2e6e6574 0d0a0d0a   ellstone.net....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   656c6c73 6964652e 6e65740d 0a0d0a0a   ellside.net.....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   696e6773 746f6e65 2e6e6574 0d0a0d0a   ingstone.net....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d6f6e 65747465 64776572 7279686f   imonettedwerryho
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

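Every request in the dumps above has the same shape: `GET /index.php HTTP/1.0`, `Accept: */*`, `Connection: close`, a `Host` header and no `User-Agent` header at all, and the queried names are mostly two dictionary words joined in front of `.net`. Several dumps also carry stale bytes after the request terminator (the `use.net....` tail in the third and later captures), which is residue from the sandbox's reused capture buffer rather than part of the request. The Python below is an added example, not code from this report or from any sandbox: it parses this hexdump format back into bytes, cuts each request at its first CRLFCRLF so the residue is kept separate, applies the beacon signature, and splits each host name against word lists built from the DNS list above. The three dumps embedded in `DUMPS` are copied from the first three captures; the function names and the word-list split are the author's own.

```python
"""Parse the Raw Pcap hexdumps above into HTTP requests (added example)."""
import re

HEX_ROW = re.compile(r"^0x[0-9a-fA-F]{8} \(\d+\)\s*((?:[0-9a-fA-F]{2,8}\s?){0,4})")

# First and second halves of the two-word .net names in the DNS list above.
FIRST = {"ridden", "fear", "west", "table", "lead", "point", "call", "well", "ring",
         "none", "liar", "nose", "favor", "sorry", "fifty", "their", "likr"}
SECOND = {"storm", "arms", "stone", "side", "there", "hold", "second", "ocean", "have"}

# Copied from the first three captures above; the third carries buffer residue.
DUMPS = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d6f6e 65747465 64776572 7279686f   imonettedwerryho
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   65617261 726d732e 6e65740d 0a0d0a6f   eararms.net....o
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....
"""


def hexdump_to_bytes(dump):
    """Rebuild bytes from the hex columns only; the ASCII gutter is display text."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_request(raw):
    """Cut at the first CRLFCRLF. Bytes after it are residue left in the
    sandbox's reused buffer and must not be read as part of the request."""
    head, _, residue = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "residue": residue}


def matches_beacon(req):
    """The shape shared by every request in the capture: HTTP/1.0 GET /index.php,
    Accept */*, Connection close, a Host header and no User-Agent header."""
    h = req["headers"]
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0" and h.get("accept") == "*/*"
            and h.get("connection", "").lower() == "close"
            and "host" in h and "user-agent" not in h)


def split_two_words(host):
    """Return (first, second) if the label is one word from each list, else None."""
    label = host.lower()
    if label.endswith(".net"):
        label = label[:-4]
    for i in range(2, len(label) - 1):
        if label[:i] in FIRST and label[i:] in SECOND:
            return label[:i], label[i:]
    return None


def analyze(dump_text):
    """One result per blank-line-separated dump."""
    results = []
    for dump in re.split(r"\n\s*\n", dump_text.strip()):
        req = parse_request(hexdump_to_bytes(dump))
        host = req["headers"].get("host", "")
        results.append({"host": host, "beacon": matches_beacon(req),
                        "residue": req["residue"], "words": split_two_words(host)})
    return results


if __name__ == "__main__":
    for r in analyze(DUMPS):
        print(r["host"], "beacon" if r["beacon"] else "-", r["words"], r["residue"])
```

Two points the parser makes concrete: the beacon is recognisable from header structure alone (HTTP/1.0 with no User-Agent is rare from real browsers, so it is a usable proxy-log signature independent of the domain list), and the hexdump must be cut at the request terminator before anything after `Host` is treated as data, or the `use.net` residue in the later captures ends up in your indicators.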

Strings