Analysis Date: 2015-10-13 11:29:59
MD5: 7788f8fde24ca29e243c38c9ae3651b6
SHA1: ad165a17884fbe0915ef68370d3f238168f17188

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b69c8d429d4d0928569e85c2310bef8d sha1: 015f14787023f860d23d67c75f39c2d13620635f size: 310784
Section .rdata: md5: 05f4f9bf1cc70113f49c420d3aea1c85 sha1: 1de436b8f7d28624dda2ebbe4a909ae266c18ef7 size: 59904
Section .data: md5: 4ab2aa69334de2f5f51491ed83ac7445 sha1: a709ddf0e83785b0a2225992896322d2d349902f size: 7168
Section .reloc: md5: c6b5dd70c90a12c8bdb9c9dedb55b896 sha1: 6ed92a8f9e82ef1d7ee1ca03750ea8b17ff755f1 size: 24576
Timestamp: 2015-05-11 06:45:05
Packer: Microsoft Visual C++ 8
PEhash: 8e4f8cfb354f0dbf4c63b527d95ee216c53e9fe1
IMPhash: fe19b4278927ab77a725a250b53ed543
AV Rising: Trojan.Win32.Bayrod.b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: Trojan.DownLoader13.14059
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.jkkp
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.V.gen
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.185620
AV Mcafee: PWS-FCCE!7788F8FDE24C

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates File: C:\ozvtaetwh\fsvvdkf
Creates File: C:\ozvtaetwh\jjrql1jnwazl6tyketpti.exe
Deletes File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates Process: C:\ozvtaetwh\jjrql1jnwazl6tyketpti.exe

Process
↳ C:\ozvtaetwh\jjrql1jnwazl6tyketpti.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secondary Class Host Tunneling AuthIP ➝ C:\ozvtaetwh\wjepekfs.exe
Creates File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates File: C:\ozvtaetwh\fsvvdkf
Creates File: C:\ozvtaetwh\wjepekfs.exe
Creates File: C:\ozvtaetwh\vfpifxfkg
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates Process: C:\ozvtaetwh\wjepekfs.exe
Creates Service: Upgrade COM Publication Solutions - C:\ozvtaetwh\wjepekfs.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1168

Process
↳ C:\ozvtaetwh\wjepekfs.exe

Creates File: C:\ozvtaetwh\nhdxy9xir3
Creates File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ozvtaetwh\fsvvdkf
Creates File: C:\ozvtaetwh\vfpifxfkg
Creates File: \Device\Afd\Endpoint
Creates File: C:\ozvtaetwh\soywdqaz.exe
Deletes File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates Process: wrblzbhxuf4z "c:\ozvtaetwh\wjepekfs.exe"

Process
↳ C:\ozvtaetwh\wjepekfs.exe

Creates File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates File: C:\ozvtaetwh\fsvvdkf
Deletes File: C:\WINDOWS\ozvtaetwh\fsvvdkf

Process
↳ wrblzbhxuf4z "c:\ozvtaetwh\wjepekfs.exe"

Creates File: C:\WINDOWS\ozvtaetwh\fsvvdkf
Creates File: C:\ozvtaetwh\fsvvdkf
Deletes File: C:\WINDOWS\ozvtaetwh\fsvvdkf

Network Details:

HTTP GET: http://historyadvance.net/index.php
User-Agent:
HTTP GET: http://strangestranger.net/index.php
User-Agent:
HTTP GET: http://collegeproblem.net/index.php
User-Agent:
HTTP GET: http://strangeanimal.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1032 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 199.83.132.18:80
