| Analysis Date | 2016-04-16 04:27:38 |
|---|---|
| MD5 | 6fbfcee870e4aeb48db23ca4fed9f578 |
| SHA1 | ad43193027ee9dce780d72bc96fed8336d334612 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: a9d5dd7f65f7dfbc212f48b9b1e04c37 sha1: a10886e5614c86ba4de7a494927797fce85df7c4 size: 679424 | |
| Section | .rdata md5: dfcc3ae7dc2e3b56dd740ae6da018e92 sha1: c09417d99ccd3b1225229c221aa9a178c6fe1f86 size: 245760 | |
| Section | .data md5: d500999b56a567010fcceee7187ea0b6 sha1: 079882adef3d0812cc7849e0986865528bb362a0 size: 5120 | |
| Section | .reloc md5: f04d3b9970256316994ba4be23289455 sha1: 4f12ed08044ad56bdafa05cd961c3343a497365a size: 91648 | |
| Timestamp | 2013-08-27 20:29:17 | |
| Packer | Microsoft Visual C++ ?.? | |
| PEhash | 4dc02d89a00650ae30162cfc7ad5a419989428ff | |
| IMPhash | 49946c084e83af8f48efc93d89bdda1f | |
| AV | Rising | No Virus |
| AV | CA (E-Trust Ino) | Gen:Variant.Razy.14896 |
| AV | F-Secure | Gen:Variant.Razy.14896 |
| AV | Dr. Web | Trojan.DownLoader20.36257 |
| AV | ClamAV | No Virus |
| AV | Arcabit (arcavir) | Gen:Variant.Razy.14896 |
| AV | BullGuard | Gen:Variant.Razy.14896 |
| AV | VirusBlokAda (vba32) | No Virus |
| AV | CAT (quickheal) | TrojanSpy.Nivdort.WR4 |
| AV | Trend Micro | No Virus |
| AV | Kaspersky | Trojan.Win32.Swizzor.e |
| AV | Zillya! | Trojan.Swizzor.Win32.192813 |
| AV | Emsisoft | Gen:Variant.Razy.14896 |
| AV | Ikarus | Trojan.Win32.Bayrob |
| AV | Frisk (f-prot) | No Virus |
| AV | Authentium | W32/Trojan.DNNI-5313 |
| AV | MalwareBytes | No Virus |
| AV | MicroWorld (escan) | Gen:Variant.Razy.14896 |
| AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.DU |
| AV | K7 | Trojan ( 004da8bd1 ) |
| AV | BitDefender | Gen:Variant.Razy.14896 |
| AV | Fortinet | W32/Bayrob.AQ!tr |
| AV | Symantec | Trojan.Bayrob!gen7 |
| AV | Grisoft (avg) | Crypt_c.ATHY |
| AV | Eset (nod32) | Win32/Bayrob.BK |
| AV | Alwil (avast) | Win32:Malware-gen |
| AV | Alwil (avast) | Malware-gen |
| AV | Ad-Aware | Gen:Variant.Razy.14896 |
| AV | Twister | No Virus |
| AV | Avira (antivir) | TR/Nivdort.hiyg |
| AV | Mcafee | Trojan-FHVQ!6FBFCEE870E4 |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe |
|---|---|
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
| Creates File | PIPE\lsarpc |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Themes Source Secondary Power ➝ C:\WINDOWS\system32\twxixzugge.exe |
|---|---|
| Creates File | C:\WINDOWS\system32\tovdmuben\lck |
| Creates File | C:\WINDOWS\system32\twxixzugge.exe |
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
| Creates File | PIPE\lsarpc |
| Creates Process | C:\WINDOWS\system32\twxixzugge.exe |
| Creates Service | KtmRm Service Microsoft User-mode - C:\WINDOWS\system32\twxixzugge.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
| Creates File | \Device\Afd\Endpoint |
|---|
Process
↳ Pid 808
Process
↳ Pid 852
Process
↳ C:\WINDOWS\System32\svchost.exe
| Creates File | pipe\PCHFaultRepExecPipe |
|---|
Process
↳ Pid 1208
Process
↳ Pid 1320
Process
↳ Pid 1860
Process
↳ Pid 1180
Process
↳ C:\WINDOWS\system32\twxixzugge.exe
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
|---|---|
| Creates File | C:\WINDOWS\system32\tovdmuben\rng |
| Creates File | C:\WINDOWS\system32\tovdmuben\lck |
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
| Creates File | \Device\Afd\AsyncConnectHlp |
| Creates File | C:\WINDOWS\system32\tovdmuben\run |
| Creates File | C:\WINDOWS\system32\rsgkbxzdoogu.exe |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe |
| Creates File | C:\WINDOWS\system32\tovdmuben\cfg |
| Creates Process | WATCHDOGPROC "c:\windows\system32\twxixzugge.exe" |
| Creates Process | C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe -r 20535 tcp |
Process
↳ C:\WINDOWS\system32\twxixzugge.exe
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
|---|---|
| Creates File | PIPE\lsarpc |
Process
↳ WATCHDOGPROC "c:\windows\system32\twxixzugge.exe"
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
|---|
Process
↳ C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe -r 20535 tcp
| Creates File | \Device\Afd\Endpoint |
|---|---|
| Winsock DNS | 239.255.255.250 |
Network Details:
| DNS | riddenstorm.net Type: A 66.147.240.171 |
|---|---|
| DNS | wifeabout.net Type: A |
| DNS | resultneedle.net Type: A |
| DNS | ermintrudesymphony.net Type: A |
| DNS | lordofthepings.ru Type: A |
| HTTP GET | http://131.72.139.16/index.php User-Agent: |
| HTTP GET | http://173.236.150.135:8080/index.php User-Agent: |
| HTTP GET | http://185.106.120.168/index.php User-Agent: |
| HTTP GET | http://riddenstorm.net/index.php User-Agent: |
| Flows TCP | 192.168.1.1:1036 ➝ 131.72.139.16:80 |
| Flows TCP | 192.168.1.1:1036 ➝ 131.72.139.16:80 |
| Flows TCP | 192.168.1.1:1037 ➝ 173.236.150.135:8080 |
| Flows TCP | 192.168.1.1:1038 ➝ 185.106.120.168:80 |
| Flows TCP | 192.168.1.1:1040 ➝ 66.147.240.171:80 |
Raw Pcap
Strings