Analysis Date: 2016-04-16 04:27:38
MD5: 6fbfcee870e4aeb48db23ca4fed9f578
SHA1: ad43193027ee9dce780d72bc96fed8336d334612

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a9d5dd7f65f7dfbc212f48b9b1e04c37 sha1: a10886e5614c86ba4de7a494927797fce85df7c4 size: 679424
Section .rdata: md5: dfcc3ae7dc2e3b56dd740ae6da018e92 sha1: c09417d99ccd3b1225229c221aa9a178c6fe1f86 size: 245760
Section .data: md5: d500999b56a567010fcceee7187ea0b6 sha1: 079882adef3d0812cc7849e0986865528bb362a0 size: 5120
Section .reloc: md5: f04d3b9970256316994ba4be23289455 sha1: 4f12ed08044ad56bdafa05cd961c3343a497365a size: 91648
Timestamp: 2013-08-27 20:29:17
Packer: Microsoft Visual C++ ?.?
PEhash: 4dc02d89a00650ae30162cfc7ad5a419989428ff
IMPhash: 49946c084e83af8f48efc93d89bdda1f
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.14896
AV F-Secure: Gen:Variant.Razy.14896
AV Dr. Web: Trojan.DownLoader20.36257
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.14896
AV BullGuard: Gen:Variant.Razy.14896
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Zillya!: Trojan.Swizzor.Win32.192813
AV Emsisoft: Gen:Variant.Razy.14896
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): No Virus
AV Authentium: W32/Trojan.DNNI-5313
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.14896
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DU
AV K7: Trojan ( 004da8bd1 )
AV BitDefender: Gen:Variant.Razy.14896
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen7
AV Grisoft (avg): Crypt_c.ATHY
AV Eset (nod32): Win32/Bayrob.BK
AV Alwil (avast): Win32:Malware-gen
AV Alwil (avast): Malware-gen
AV Ad-Aware: Gen:Variant.Razy.14896
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.hiyg
AV Mcafee: Trojan-FHVQ!6FBFCEE870E4

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe
Creates File: C:\WINDOWS\system32\tovdmuben\tst
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Themes Source Secondary Power ➝ C:\WINDOWS\system32\twxixzugge.exe
Creates File: C:\WINDOWS\system32\tovdmuben\lck
Creates File: C:\WINDOWS\system32\twxixzugge.exe
Creates File: C:\WINDOWS\system32\tovdmuben\tst
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\twxixzugge.exe
Creates Service: KtmRm Service Microsoft User-mode - C:\WINDOWS\system32\twxixzugge.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: \Device\Afd\Endpoint

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ Pid 1320

Process
↳ Pid 1860

Process
↳ Pid 1180

Process
↳ C:\WINDOWS\system32\twxixzugge.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\tovdmuben\rng
Creates File: C:\WINDOWS\system32\tovdmuben\lck
Creates File: C:\WINDOWS\system32\tovdmuben\tst
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\system32\tovdmuben\run
Creates File: C:\WINDOWS\system32\rsgkbxzdoogu.exe
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe
Creates File: C:\WINDOWS\system32\tovdmuben\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\twxixzugge.exe"
Creates Process: C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe -r 20535 tcp

Process
↳ C:\WINDOWS\system32\twxixzugge.exe

Creates File: C:\WINDOWS\system32\tovdmuben\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\twxixzugge.exe"

Creates File: C:\WINDOWS\system32\tovdmuben\tst

Process
↳ C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe -r 20535 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: riddenstorm.net
Type: A
66.147.240.171
DNS: wifeabout.net
Type: A
DNS: resultneedle.net
Type: A
DNS: ermintrudesymphony.net
Type: A
DNS: lordofthepings.ru
Type: A
HTTP GET: http://131.72.139.16/index.php
User-Agent:
HTTP GET: http://173.236.150.135:8080/index.php
User-Agent:
HTTP GET: http://185.106.120.168/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 131.72.139.16:80
Flows TCP: 192.168.1.1:1036 ➝ 131.72.139.16:80
Flows TCP: 192.168.1.1:1037 ➝ 173.236.150.135:8080
Flows TCP: 192.168.1.1:1038 ➝ 185.106.120.168:80
Flows TCP: 192.168.1.1:1040 ➝ 66.147.240.171:80
