| Field | Value |
|---|---|
| Analysis Date | 2016-04-16 04:27:38 |
| MD5 | 6fbfcee870e4aeb48db23ca4fed9f578 |
| SHA1 | ad43193027ee9dce780d72bc96fed8336d334612 |
Static Details:

| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Timestamp | 2013-08-27 20:29:17 |
| Packer | Microsoft Visual C++ ?.? |
| PEhash | 4dc02d89a00650ae30162cfc7ad5a419989428ff |
| IMPhash | 49946c084e83af8f48efc93d89bdda1f |

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | a9d5dd7f65f7dfbc212f48b9b1e04c37 | a10886e5614c86ba4de7a494927797fce85df7c4 | 679424 |
| .rdata | dfcc3ae7dc2e3b56dd740ae6da018e92 | c09417d99ccd3b1225229c221aa9a178c6fe1f86 | 245760 |
| .data | d500999b56a567010fcceee7187ea0b6 | 079882adef3d0812cc7849e0986865528bb362a0 | 5120 |
| .reloc | f04d3b9970256316994ba4be23289455 | 4f12ed08044ad56bdafa05cd961c3343a497365a | 91648 |
| AV Vendor | Detection |
|---|---|
| Rising | No Virus |
| CA (E-Trust Ino) | Gen:Variant.Razy.14896 |
| F-Secure | Gen:Variant.Razy.14896 |
| Dr. Web | Trojan.DownLoader20.36257 |
| ClamAV | No Virus |
| Arcabit (arcavir) | Gen:Variant.Razy.14896 |
| BullGuard | Gen:Variant.Razy.14896 |
| VirusBlokAda (vba32) | No Virus |
| CAT (quickheal) | TrojanSpy.Nivdort.WR4 |
| Trend Micro | No Virus |
| Kaspersky | Trojan.Win32.Swizzor.e |
| Zillya! | Trojan.Swizzor.Win32.192813 |
| Emsisoft | Gen:Variant.Razy.14896 |
| Ikarus | Trojan.Win32.Bayrob |
| Frisk (f-prot) | No Virus |
| Authentium | W32/Trojan.DNNI-5313 |
| MalwareBytes | No Virus |
| MicroWorld (escan) | Gen:Variant.Razy.14896 |
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.DU |
| K7 | Trojan ( 004da8bd1 ) |
| BitDefender | Gen:Variant.Razy.14896 |
| Fortinet | W32/Bayrob.AQ!tr |
| Symantec | Trojan.Bayrob!gen7 |
| Grisoft (avg) | Crypt_c.ATHY |
| Eset (nod32) | Win32/Bayrob.BK |
| Alwil (avast) | Win32:Malware-gen |
| Alwil (avast) | Malware-gen |
| Ad-Aware | Gen:Variant.Razy.14896 |
| Twister | No Virus |
| Avira (antivir) | TR/Nivdort.hiyg |
| Mcafee | Trojan-FHVQ!6FBFCEE870E4 |
Runtime Details:
Process ↳ C:\malware.exe

| Action | Detail |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe |
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
| Creates File | PIPE\lsarpc |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe |

Process ↳ C:\Documents and Settings\Administrator\Local Settings\Temp\osrupivz916xmnrgustwrp1f.exe

| Action | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Themes Source Secondary Power ➝ C:\WINDOWS\system32\twxixzugge.exe |
| Creates File | C:\WINDOWS\system32\tovdmuben\lck |
| Creates File | C:\WINDOWS\system32\twxixzugge.exe |
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
| Creates File | PIPE\lsarpc |
| Creates Process | C:\WINDOWS\system32\twxixzugge.exe |
| Creates Service | KtmRm Service Microsoft User-mode - C:\WINDOWS\system32\twxixzugge.exe |

Process ↳ C:\WINDOWS\system32\svchost.exe

| Action | Detail |
|---|---|
| Creates File | \Device\Afd\Endpoint |

Process ↳ Pid 808

Process ↳ Pid 852

Process ↳ C:\WINDOWS\System32\svchost.exe

| Action | Detail |
|---|---|
| Creates File | pipe\PCHFaultRepExecPipe |

Process ↳ Pid 1208

Process ↳ Pid 1320

Process ↳ Pid 1860

Process ↳ Pid 1180

Process ↳ C:\WINDOWS\system32\twxixzugge.exe

| Action | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
| Creates File | C:\WINDOWS\system32\tovdmuben\rng |
| Creates File | C:\WINDOWS\system32\tovdmuben\lck |
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
| Creates File | \Device\Afd\AsyncConnectHlp |
| Creates File | C:\WINDOWS\system32\tovdmuben\run |
| Creates File | C:\WINDOWS\system32\rsgkbxzdoogu.exe |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe |
| Creates File | C:\WINDOWS\system32\tovdmuben\cfg |
| Creates Process | WATCHDOGPROC "c:\windows\system32\twxixzugge.exe" |
| Creates Process | C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe -r 20535 tcp |

Process ↳ C:\WINDOWS\system32\twxixzugge.exe

| Action | Detail |
|---|---|
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |
| Creates File | PIPE\lsarpc |

Process ↳ WATCHDOGPROC "c:\windows\system32\twxixzugge.exe"

| Action | Detail |
|---|---|
| Creates File | C:\WINDOWS\system32\tovdmuben\tst |

Process ↳ C:\WINDOWS\TEMP\osrupivzify8gvrgu.exe -r 20535 tcp

| Action | Detail |
|---|---|
| Creates File | \Device\Afd\Endpoint |
| Winsock DNS | 239.255.255.250 |
Network Details:

| DNS Query | Type | Response |
|---|---|---|
| riddenstorm.net | A | 66.147.240.171 |
| wifeabout.net | A | |
| resultneedle.net | A | |
| ermintrudesymphony.net | A | |
| lordofthepings.ru | A | |

| Request | URL | User-Agent |
|---|---|---|
| HTTP GET | http://131.72.139.16/index.php | |
| HTTP GET | http://173.236.150.135:8080/index.php | |
| HTTP GET | http://185.106.120.168/index.php | |
| HTTP GET | http://riddenstorm.net/index.php | |

| Flow | Source | Destination |
|---|---|---|
| TCP | 192.168.1.1:1036 | 131.72.139.16:80 |
| TCP | 192.168.1.1:1036 | 131.72.139.16:80 |
| TCP | 192.168.1.1:1037 | 173.236.150.135:8080 |
| TCP | 192.168.1.1:1038 | 185.106.120.168:80 |
| TCP | 192.168.1.1:1040 | 66.147.240.171:80 |