Analysis Date: 2015-10-14 06:34:15
MD5: 40ebe4d0ae0e7f10dbc47e39f7a7b92a
SHA1: b8c7653291a129ded81563efabfe2711edc6baa9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f00066aac22b9377ea4f5b4f5fae9587 sha1: 7a0a4ddef884a3917cb34cc59df15f9d466672f2 size: 259072
Section .rdata: md5: 6a7e8b5031d236a9a0c33395feeed79b sha1: 9b4be2248f23bedfcdff19204f375db923a4a162 size: 40960
Section .data: md5: 7b0e224b16f7fb4d2013772764850545 sha1: 6b7a2b902dcf0f20670bef37f9d21a258ce48be7 size: 6656
Section .reloc: md5: 89212766bec380fe4f76ca8332d7e0ab sha1: 4420594bd5534ceda85df39891224d3a90ffcb27 size: 17408
Timestamp: 2015-05-21 04:11:20
Packer: Microsoft Visual C++ ?.?
PEhash: 125405efbcace77838cee7756fa48d66d14d67a6
IMPhash: 2367f83b31e93f2fbb891c88fa9704cc
AV Rising: no_virus
AV Mcafee: Trojan-FGIJ!40EBE4D0AE0E
AV Avira (antivir): TR/Crypt.ZPACK.173660
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/Bayrob.Y
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Babrob.Y!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c2d921 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV Authentium: W32/Scar.V.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: no_virus
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.62890
AV F-Secure: Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\nlpferos\qzljve
Creates File: C:\nlpferos\qzljve
Creates File: C:\nlpferos\udyrq1l65ocxpvfwogy.exe
Deletes File: C:\WINDOWS\nlpferos\qzljve
Creates Process: C:\nlpferos\udyrq1l65ocxpvfwogy.exe

Process
↳ C:\nlpferos\udyrq1l65ocxpvfwogy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\File Update Proxy Reports Peer Counter KtmRm ➝ C:\nlpferos\qtflzvuuhx.exe
Creates File: C:\nlpferos\qtflzvuuhx.exe
Creates File: C:\WINDOWS\nlpferos\qzljve
Creates File: C:\nlpferos\bb8rwxbyfcl
Creates File: PIPE\lsarpc
Creates File: C:\nlpferos\qzljve
Deletes File: C:\WINDOWS\nlpferos\qzljve
Creates Process: C:\nlpferos\qtflzvuuhx.exe
Creates Service: Awareness Smart Ordering Connection - C:\nlpferos\qtflzvuuhx.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1132

Process
↳ C:\nlpferos\qtflzvuuhx.exe

Creates File: C:\nlpferos\hlktwx85lu43
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\nlpferos\qzljve
Creates File: C:\nlpferos\bb8rwxbyfcl
Creates File: \Device\Afd\Endpoint
Creates File: C:\nlpferos\qzljve
Creates File: C:\nlpferos\qepulhwymjk.exe
Deletes File: C:\WINDOWS\nlpferos\qzljve
Creates Process: xslaklnlkfhf "c:\nlpferos\qtflzvuuhx.exe"

Process
↳ C:\nlpferos\qtflzvuuhx.exe

Creates File: C:\WINDOWS\nlpferos\qzljve
Creates File: C:\nlpferos\qzljve
Deletes File: C:\WINDOWS\nlpferos\qzljve

Process
↳ xslaklnlkfhf "c:\nlpferos\qtflzvuuhx.exe"

Creates File: C:\WINDOWS\nlpferos\qzljve
Creates File: C:\nlpferos\qzljve
Deletes File: C:\WINDOWS\nlpferos\qzljve

Network Details:

DNS: morningvalley.net, Type: A ➝ 220.73.130.99
DNS: thinkdemand.net, Type: A ➝ 184.168.221.43
DNS: chiefbring.net, Type: A ➝ 195.22.26.231
DNS: chiefbring.net, Type: A ➝ 195.22.26.252
DNS: chiefbring.net, Type: A ➝ 195.22.26.253
DNS: chiefbring.net, Type: A ➝ 195.22.26.254
DNS: ratherlabor.net, Type: A
DNS: morninglabor.net, Type: A
DNS: strangesilver.net, Type: A
DNS: historysilver.net, Type: A
DNS: strangesister.net, Type: A
DNS: historysister.net, Type: A
DNS: strangevalley.net, Type: A
DNS: historyvalley.net, Type: A
DNS: strangelabor.net, Type: A
DNS: historylabor.net, Type: A
DNS: amountsilver.net, Type: A
DNS: weathersilver.net, Type: A
DNS: amountsister.net, Type: A
DNS: weathersister.net, Type: A
DNS: amountvalley.net, Type: A
DNS: weathervalley.net, Type: A
DNS: amountlabor.net, Type: A
DNS: weatherlabor.net, Type: A
DNS: thicksilver.net, Type: A
DNS: classsilver.net, Type: A
DNS: thicksister.net, Type: A
DNS: classsister.net, Type: A
DNS: thickvalley.net, Type: A
DNS: classvalley.net, Type: A
DNS: thicklabor.net, Type: A
DNS: classlabor.net, Type: A
DNS: thinkbring.net, Type: A
DNS: presentbring.net, Type: A
DNS: thinklisten.net, Type: A
DNS: presentlisten.net, Type: A
DNS: presentdemand.net, Type: A
DNS: thinkshout.net, Type: A
DNS: presentshout.net, Type: A
DNS: collegebring.net, Type: A
DNS: chieflisten.net, Type: A
DNS: collegelisten.net, Type: A
DNS: chiefdemand.net, Type: A
DNS: collegedemand.net, Type: A
DNS: chiefshout.net, Type: A
DNS: collegeshout.net, Type: A
DNS: oftenbring.net, Type: A
DNS: alonebring.net, Type: A
DNS: oftenlisten.net, Type: A
DNS: alonelisten.net, Type: A
DNS: oftendemand.net, Type: A
DNS: alonedemand.net, Type: A
DNS: oftenshout.net, Type: A
DNS: aloneshout.net, Type: A
DNS: middlebring.net, Type: A
DNS: twelvebring.net, Type: A
DNS: middlelisten.net, Type: A
DNS: twelvelisten.net, Type: A
DNS: middledemand.net, Type: A
DNS: twelvedemand.net, Type: A
DNS: middleshout.net, Type: A
DNS: twelveshout.net, Type: A
DNS: ratherbring.net, Type: A
DNS: morningbring.net, Type: A
DNS: ratherlisten.net, Type: A
DNS: morninglisten.net, Type: A
DNS: ratherdemand.net, Type: A
DNS: morningdemand.net, Type: A
DNS: rathershout.net, Type: A
DNS: morningshout.net, Type: A
DNS: strangebring.net, Type: A
DNS: historybring.net, Type: A
DNS: strangelisten.net, Type: A
DNS: historylisten.net, Type: A
DNS: strangedemand.net, Type: A
DNS: historydemand.net, Type: A
DNS: strangeshout.net, Type: A
DNS: historyshout.net, Type: A
DNS: amountbring.net, Type: A
DNS: weatherbring.net, Type: A
DNS: amountlisten.net, Type: A
DNS: weatherlisten.net, Type: A
DNS: amountdemand.net, Type: A
DNS: weatherdemand.net, Type: A
DNS: amountshout.net, Type: A
DNS: weathershout.net, Type: A
DNS: thickbring.net, Type: A
DNS: classbring.net, Type: A
HTTP GET: http://morningvalley.net/index.php
User-Agent:
HTTP GET: http://thinkdemand.net/index.php
User-Agent:
HTTP GET: http://chiefbring.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 220.73.130.99:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.43:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.231:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f726e69 6e677661 6c6c6579 2e6e6574   orningvalley.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   68696e6b 64656d61 6e642e6e 65740d0a   hinkdemand.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696566 6272696e 672e6e65 740d0a0d   hiefbring.net...
0x00000050 (00080)   0a0a0d0a                              ....


Strings