Analysis Date: 2016-01-29 07:32:53
MD5: c08d2be5aca8991c2dabbafb69837518
SHA1: b1cc8b1b47e9575ce902a003aa71c293a851eb34

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 17810b03c3f5d182a40f374e1569cf7b sha1: 1ea5faa438b33d733e8e74cdd4a781e7afa01320 size: 182272
Section .rdata: md5: 99086435e1152799a9c3433e3f552ad6 sha1: 50e2bd632cb7a2fe72f23a513d47de987f63a643 size: 2560
Section .data: md5: c0936d528b07e75917005e04767e2b75 sha1: 27027d94b3dc48fda492c82668eb6d02759cf073 size: 14848
Section .reloc: md5: b369e41432794873a3e5d1cd89941b1f sha1: eb2a67258e2063cad263d874db0773201cb28279 size: 30208
Timestamp: 2014-04-20 21:33:29
PEhash: 4f004977dddf61c5326329bb46f3257998be0f53
IMPhash: 7084047b32499464cc4493e828877f0e
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV McAfee: Trojan-FHQT!C08D2BE5ACA8
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788903
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.BA
AV Grisoft (avg): Generic37.ACAG
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.788903
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DA
AV MicroWorld (escan): Gen:Variant.Kazy.788903
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.788903
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.788903
AV Arcabit (arcavir): Gen:Variant.Kazy.788903
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.9658
AV F-Secure: Gen:Variant.Kazy.788903

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\qnaqgzcaz\jge61l29wxevzeyer.exe
Creates File: C:\qnaqgzcaz\keqjdvcnvhn
Creates File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Deletes File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Creates Process: C:\qnaqgzcaz\jge61l29wxevzeyer.exe

Process
↳ C:\qnaqgzcaz\jge61l29wxevzeyer.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Connections Redirector Manager Receiver ➝ C:\qnaqgzcaz\gndkkjd.exe
Creates File: C:\qnaqgzcaz\keqjdvcnvhn
Creates File: C:\qnaqgzcaz\gndkkjd.exe
Creates File: C:\qnaqgzcaz\esaxhy
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Deletes File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Creates Process: C:\qnaqgzcaz\gndkkjd.exe
Creates Service: Time UserMode Acquisition WebClient - C:\qnaqgzcaz\gndkkjd.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1140

Process
↳ C:\qnaqgzcaz\gndkkjd.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\qnaqgzcaz\nzgqvyac6bfb
Creates File: C:\qnaqgzcaz\keqjdvcnvhn
Creates File: C:\qnaqgzcaz\esaxhy
Creates File: \Device\Afd\Endpoint
Creates File: C:\qnaqgzcaz\vkenxpwu.exe
Creates File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Deletes File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Creates Process: eymfbzcv3jhr "c:\qnaqgzcaz\gndkkjd.exe"

Process
↳ C:\qnaqgzcaz\gndkkjd.exe

Creates File: C:\qnaqgzcaz\keqjdvcnvhn
Creates File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Deletes File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn

Process
↳ eymfbzcv3jhr "c:\qnaqgzcaz\gndkkjd.exe"

Creates File: C:\qnaqgzcaz\keqjdvcnvhn
Creates File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn
Deletes File: C:\WINDOWS\qnaqgzcaz\keqjdvcnvhn

Network Details:

