Analysis Date: 2015-08-15 14:14:21
MD5: 9d89a966698848e4cf260d9d2be91655
SHA1: ba42672b4594285a121520b99ffdb5bd6f4f65bb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5bd4846c84fb339f1afa92b4efd433f0, sha1: 3b20d5e77013356235c2a25bb03b602094d8a38a, size: 292864
Section .rdata: md5: 0fcf082ce1602f31341b85fcca21f6c8, sha1: 70c11b6087f22a51f80bb819a51de7de8878d679, size: 44032
Section .data: md5: ec6b0dfb54899d5f11a83e7d6f939248, sha1: 2291b7d53fb48ecdfb185e99618f639e570be529, size: 7168
Section .reloc: md5: 043c64bccbd2304a4574ce2609493e9b, sha1: 6085a0c099eba84e52bc9bde54ae1f36d26a161c, size: 24576
Timestamp: 2015-05-21 03:43:29
Packer: Microsoft Visual C++ ?.?
PEhash: 581ec630d20d1ebca1b1a06c175e71f322bee46a
IMPhash: a1d03aa205ce00579eead68dbf2937c6
AV CA (E-Trust Ino): no_virus
AV Rising: 0x58edbb45
AV Mcafee: RDN/Generic PWS.y
AV Avira (antivir): TR/Crypt.ZPACK.81617
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.Z
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Babrob.Y!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Scar.V.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Scar.kkbj
AV Trend Micro: TROJ_BAYROB.SM0
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.28892
AV F-Secure: Gen:Variant.Diley.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates File: C:\tgdrzmmddeofmbs\pff1leerpt0vcbnlq.exe
Creates File: C:\tgdrzmmddeofmbs\leei6ihk
Deletes File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates Process: C:\tgdrzmmddeofmbs\pff1leerpt0vcbnlq.exe

Process
↳ C:\tgdrzmmddeofmbs\pff1leerpt0vcbnlq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Brightness Link-Layer Studio Secure ➝ C:\tgdrzmmddeofmbs\bimnudvoy.exe
Creates File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates File: C:\tgdrzmmddeofmbs\bimnudvoy.exe
Creates File: C:\tgdrzmmddeofmbs\qczhjwkxhz
Creates File: PIPE\lsarpc
Creates File: C:\tgdrzmmddeofmbs\leei6ihk
Deletes File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates Process: C:\tgdrzmmddeofmbs\bimnudvoy.exe
Creates Service: Defender Removal Shell Mapper Profile - C:\tgdrzmmddeofmbs\bimnudvoy.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1144

Process
↳ C:\tgdrzmmddeofmbs\bimnudvoy.exe

Creates File: C:\tgdrzmmddeofmbs\yuqdalfng.exe
Creates File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates File: pipe\net\NtControlPipe10
Creates File: C:\tgdrzmmddeofmbs\qczhjwkxhz
Creates File: \Device\Afd\Endpoint
Creates File: C:\tgdrzmmddeofmbs\cjoiivdomv
Creates File: C:\tgdrzmmddeofmbs\leei6ihk
Deletes File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates Process: vs0uzuuhpoxf "c:\tgdrzmmddeofmbs\bimnudvoy.exe"

Process
↳ C:\tgdrzmmddeofmbs\bimnudvoy.exe

Creates File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates File: C:\tgdrzmmddeofmbs\leei6ihk
Deletes File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk

Process
↳ vs0uzuuhpoxf "c:\tgdrzmmddeofmbs\bimnudvoy.exe"

Creates File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk
Creates File: C:\tgdrzmmddeofmbs\leei6ihk
Deletes File: C:\WINDOWS\tgdrzmmddeofmbs\leei6ihk

Network Details:

DNS: rightcharge.net
Type: A
95.211.230.75
HTTP GET: http://rightcharge.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 63686172 67652e6e 65740d0a   ightcharge.net..
0x00000050 (00080)   0d0a                                  ..
Strings