Analysis Date: 2016-01-31 05:51:00
MD5: 883d431b46983d0eb2932a3551f2b138
SHA1: ba98b9febefd0874efc880cb49cbbdeec9cebbe6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f34f0fc5a659ab3b42e653663d9be7c4  sha1: 734869854ca3dc84b12d185f356de2759f856b50  size: 527360
Section .rdata: md5: d600d8b44e6cf752a07f1a3125d12e29  sha1: c9d911bb786dd29b7d1db70c3558900a427d6859  size: 26112
Section .data: md5: 0ad6c6bafe1c82c82db4bba4fb0fc501  sha1: 9fdc40790379ac154adfc0d4a95e69845968cbd4  size: 20480
Section .reloc: md5: 7952f016a4cffd7ef893ea921d8845b9  sha1: bc9f5c5e86593dd57caf06e3d5b11f0c8fc13607  size: 39424
Timestamp: 2014-04-05 21:35:32
Packer: Microsoft Visual C++ 8
PEhash: 5a8ab2c5a7b6279f292be7cb676ce292f7427eea
IMPhash: 07e19ccd62d48d0684053d512ecbd3e4
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV BullGuard: Gen:Variant.Zusy.141475
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.dawr
AV Zillya!: No Virus
AV Ikarus: No Virus
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Zusy.141475
AV Fortinet: W32/Bayrob.BM!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.ADQZ
AV Eset (nod32): Win32/Bayrob.BM
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Avira (antivir): TR/Boryab.614400.65
AV Mcafee: Trojan-FHSQ!883D431B4698

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ceflreisv\gtvmlyfhddfv
Creates File: C:\ceflreisv\lrsis1k0hbedxz6cksl.exe
Creates File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Deletes File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Creates Process: C:\ceflreisv\lrsis1k0hbedxz6cksl.exe

Process
↳ C:\ceflreisv\lrsis1k0hbedxz6cksl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shadow AutoConnect Secondary ➝ C:\ceflreisv\nckjauwbvr.exe
Creates File: C:\ceflreisv\gtvmlyfhddfv
Creates File: C:\ceflreisv\nckjauwbvr.exe
Creates File: C:\ceflreisv\mrnnra32cs
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Deletes File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Creates Process: C:\ceflreisv\nckjauwbvr.exe
Creates Service: Controls Remote Authentication Alerts Workstation - C:\ceflreisv\nckjauwbvr.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1152

Process
↳ C:\ceflreisv\nckjauwbvr.exe

Creates File: C:\ceflreisv\gtvmlyfhddfv
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ceflreisv\bulwzcpwdz.exe
Creates File: C:\ceflreisv\mrnnra32cs
Creates File: C:\ceflreisv\vr4btxrbac
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Deletes File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Creates Process: jytczsc0bfig "c:\ceflreisv\nckjauwbvr.exe"

Process
↳ C:\ceflreisv\nckjauwbvr.exe

Creates File: C:\ceflreisv\gtvmlyfhddfv
Creates File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Deletes File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv

Process
↳ jytczsc0bfig "c:\ceflreisv\nckjauwbvr.exe"

Creates File: C:\ceflreisv\gtvmlyfhddfv
Creates File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
Deletes File: C:\WINDOWS\ceflreisv\gtvmlyfhddfv
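The process tree above shows the dropper chain: C:\malware.exe writes C:\ceflreisv\lrsis1k0hbedxz6cksl.exe into a freshly created directory directly under the drive root, and that stage installs both a Run value (Shadow AutoConnect Secondary) and a service (Controls Remote Authentication Alerts Workstation) pointing at C:\ceflreisv\nckjauwbvr.exe. The Python below is an added example, not part of the sandbox report: it runs a small detection over constructed Sysmon-style events that mirror this tree (the field names, the two benign control events and the allow-list of standard root directories are this example's own assumptions), flags file drops, Run values and services whose target lives in a non-standard directory one level below the drive root, and then correlates mechanisms that share the same directory.

```python
"""Host-side triage of the Runtime Details: persistence and drops pointing into a
single directory directly under the drive root. Added example; not part of the
report."""
import json
import re
from collections import defaultdict

# Constructed Sysmon-style events (JSON lines) mirroring the report's process tree,
# plus two benign control events (a ProgramData updater and the Dhcp service).
# Field names are this example's own, not Sysmon's schema.
EVENTS_JSONL = r"""
{"event": "FileCreate", "image": "C:\\malware.exe", "target": "C:\\ceflreisv\\lrsis1k0hbedxz6cksl.exe"}
{"event": "RegistryValueSet", "image": "C:\\ceflreisv\\lrsis1k0hbedxz6cksl.exe", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Shadow AutoConnect Secondary", "data": "C:\\ceflreisv\\nckjauwbvr.exe"}
{"event": "ServiceCreate", "image": "C:\\ceflreisv\\lrsis1k0hbedxz6cksl.exe", "name": "Controls Remote Authentication Alerts Workstation", "path": "C:\\ceflreisv\\nckjauwbvr.exe"}
{"event": "RegistryValueSet", "image": "C:\\Program Files\\Vendor\\setup.exe", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater", "data": "C:\\ProgramData\\vendor-updater.exe"}
{"event": "ServiceCreate", "image": "C:\\Windows\\System32\\services.exe", "name": "Dhcp", "path": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
"""

# <drive>:\<one dir>\<name>.exe, optionally quoted, optionally followed by arguments.
# Deeper paths (C:\Windows\System32\...) and root-level files (C:\malware.exe) do not match.
ROOT_EXE_RE = re.compile(r'^"?([a-z]:\\([^\\"]+)\\[^\\"]+\.exe)"?(?:\s.*)?$', re.I)
# Directories that legitimately sit directly under the drive root (assumed allow-list).
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def root_dir_of(path):
    """Return the lower-cased directory name when path is <drive>:\\<dir>\\<name>.exe, else None."""
    m = ROOT_EXE_RE.match(path.strip())
    return m.group(2).lower() if m else None


def suspicious_root_exe(path):
    """True when the executable lives in a non-standard directory right under the root."""
    d = root_dir_of(path)
    return d is not None and d not in KNOWN_ROOT_DIRS


# event type -> (rule name, field holding the path to inspect)
RULES = {
    "FileCreate": ("drop_into_root_dir", "target"),
    "RegistryValueSet": ("run_key_into_root_dir", "data"),
    "ServiceCreate": ("service_into_root_dir", "path"),
}


def detect(jsonl):
    """Apply the rules and correlate hits that share the same root-level directory."""
    findings = []
    rules_by_dir = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rule, field = RULES.get(ev["event"], (None, None))
        if rule is None:
            continue
        # Only autostart values under ...\CurrentVersion\Run are interesting for the registry rule.
        if ev["event"] == "RegistryValueSet" and "\\currentversion\\run" not in ev["key"].lower():
            continue
        target = ev.get(field, "")
        if suspicious_root_exe(target):
            d = root_dir_of(target)
            findings.append({"rule": rule, "image": ev["image"], "target": target, "dir": d})
            rules_by_dir[d].add(rule)
    # Two or more mechanisms into one directory is the drop-plus-persistence shape seen above.
    correlated = sorted(d for d, rules in rules_by_dir.items() if len(rules) >= 2)
    return {"findings": findings, "correlated_dirs": correlated}


if __name__ == "__main__":
    result = detect(EVENTS_JSONL)
    for f in result["findings"]:
        print(f"{f['rule']:<24} {f['image']} -> {f['target']}")
    print("correlated directories:", result["correlated_dirs"])
```

On the constructed events, the three ceflreisv events fire and the directory is reported as correlated, while the ProgramData updater and the svchost-hosted service pass. The allow-list is the weak point: tune it to the host build before relying on the rule, and treat the correlation (drop plus Run value plus service into one directory) as the higher-confidence signal.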

Network Details:

DNS: englishexplain.net  Type: A  ➝ 208.100.26.234
DNS: rightpeople.net  Type: A  ➝ 114.141.197.235
DNS: picturepeople.net  Type: A  ➝ 207.148.248.143
DNS: familyready.net  Type: A  ➝ 96.30.52.60
DNS: familybrown.net  Type: A  ➝ 83.170.69.51
DNS: familypeople.net  Type: A  ➝ 72.52.226.92
DNS: rightnation.net  Type: A  ➝ 204.13.232.236
DNS: familynation.net  Type: A  ➝ 184.168.221.78
DNS: personpower.net  Type: A  ➝ 146.0.42.19
DNS: machinepower.net  Type: A  ➝ 64.73.31.53
DNS: rightpower.net  Type: A  ➝ 69.64.147.249
DNS: englishinstead.net  Type: A
DNS: eitherexplain.net  Type: A
DNS: eitherbright.net  Type: A
DNS: englishbright.net  Type: A
DNS: eitherinside.net  Type: A
DNS: englishinside.net  Type: A
DNS: expectready.net  Type: A
DNS: becauseready.net  Type: A
DNS: expectbrown.net  Type: A
DNS: becausebrown.net  Type: A
DNS: expectpeople.net  Type: A
DNS: becausepeople.net  Type: A
DNS: expectdaughter.net  Type: A
DNS: becausedaughter.net  Type: A
DNS: personready.net  Type: A
DNS: machineready.net  Type: A
DNS: personbrown.net  Type: A
DNS: machinebrown.net  Type: A
DNS: personpeople.net  Type: A
DNS: machinepeople.net  Type: A
DNS: persondaughter.net  Type: A
DNS: machinedaughter.net  Type: A
DNS: suddenready.net  Type: A
DNS: foreignready.net  Type: A
DNS: suddenbrown.net  Type: A
DNS: foreignbrown.net  Type: A
DNS: suddenpeople.net  Type: A
DNS: foreignpeople.net  Type: A
DNS: suddendaughter.net  Type: A
DNS: foreigndaughter.net  Type: A
DNS: whetherready.net  Type: A
DNS: rightready.net  Type: A
DNS: whetherbrown.net  Type: A
DNS: rightbrown.net  Type: A
DNS: whetherpeople.net  Type: A
DNS: whetherdaughter.net  Type: A
DNS: rightdaughter.net  Type: A
DNS: figureready.net  Type: A
DNS: thoughready.net  Type: A
DNS: figurebrown.net  Type: A
DNS: thoughbrown.net  Type: A
DNS: figurepeople.net  Type: A
DNS: thoughpeople.net  Type: A
DNS: figuredaughter.net  Type: A
DNS: thoughdaughter.net  Type: A
DNS: pictureready.net  Type: A
DNS: cigaretteready.net  Type: A
DNS: picturebrown.net  Type: A
DNS: cigarettebrown.net  Type: A
DNS: cigarettepeople.net  Type: A
DNS: picturedaughter.net  Type: A
DNS: cigarettedaughter.net  Type: A
DNS: childrenready.net  Type: A
DNS: childrenbrown.net  Type: A
DNS: childrenpeople.net  Type: A
DNS: childrendaughter.net  Type: A
DNS: familydaughter.net  Type: A
DNS: eitherready.net  Type: A
DNS: englishready.net  Type: A
DNS: eitherbrown.net  Type: A
DNS: englishbrown.net  Type: A
DNS: eitherpeople.net  Type: A
DNS: englishpeople.net  Type: A
DNS: eitherdaughter.net  Type: A
DNS: englishdaughter.net  Type: A
DNS: expectnation.net  Type: A
DNS: becausenation.net  Type: A
DNS: expectsoldier.net  Type: A
DNS: becausesoldier.net  Type: A
DNS: expectplease.net  Type: A
DNS: becauseplease.net  Type: A
DNS: expectcondition.net  Type: A
DNS: becausecondition.net  Type: A
DNS: personnation.net  Type: A
DNS: machinenation.net  Type: A
DNS: personsoldier.net  Type: A
DNS: machinesoldier.net  Type: A
DNS: personplease.net  Type: A
DNS: machineplease.net  Type: A
DNS: personcondition.net  Type: A
DNS: machinecondition.net  Type: A
DNS: suddennation.net  Type: A
DNS: foreignnation.net  Type: A
DNS: suddensoldier.net  Type: A
DNS: foreignsoldier.net  Type: A
DNS: suddenplease.net  Type: A
DNS: foreignplease.net  Type: A
DNS: suddencondition.net  Type: A
DNS: foreigncondition.net  Type: A
DNS: whethernation.net  Type: A
DNS: whethersoldier.net  Type: A
DNS: rightsoldier.net  Type: A
DNS: whetherplease.net  Type: A
DNS: rightplease.net  Type: A
DNS: whethercondition.net  Type: A
DNS: rightcondition.net  Type: A
DNS: figurenation.net  Type: A
DNS: thoughnation.net  Type: A
DNS: figuresoldier.net  Type: A
DNS: thoughsoldier.net  Type: A
DNS: figureplease.net  Type: A
DNS: thoughplease.net  Type: A
DNS: figurecondition.net  Type: A
DNS: thoughcondition.net  Type: A
DNS: picturenation.net  Type: A
DNS: cigarettenation.net  Type: A
DNS: picturesoldier.net  Type: A
DNS: cigarettesoldier.net  Type: A
DNS: pictureplease.net  Type: A
DNS: cigaretteplease.net  Type: A
DNS: picturecondition.net  Type: A
DNS: cigarettecondition.net  Type: A
DNS: childrennation.net  Type: A
DNS: childrensoldier.net  Type: A
DNS: familysoldier.net  Type: A
DNS: childrenplease.net  Type: A
DNS: familyplease.net  Type: A
DNS: childrencondition.net  Type: A
DNS: familycondition.net  Type: A
DNS: eithernation.net  Type: A
DNS: englishnation.net  Type: A
DNS: eithersoldier.net  Type: A
DNS: englishsoldier.net  Type: A
DNS: eitherplease.net  Type: A
DNS: englishplease.net  Type: A
DNS: eithercondition.net  Type: A
DNS: englishcondition.net  Type: A
DNS: expectcentury.net  Type: A
DNS: becausecentury.net  Type: A
DNS: expectfamous.net  Type: A
DNS: becausefamous.net  Type: A
DNS: expectpower.net  Type: A
DNS: becausepower.net  Type: A
DNS: expectcountry.net  Type: A
DNS: becausecountry.net  Type: A
DNS: personcentury.net  Type: A
DNS: machinecentury.net  Type: A
DNS: personfamous.net  Type: A
DNS: machinefamous.net  Type: A
DNS: personcountry.net  Type: A
DNS: machinecountry.net  Type: A
DNS: suddencentury.net  Type: A
DNS: foreigncentury.net  Type: A
DNS: suddenfamous.net  Type: A
DNS: foreignfamous.net  Type: A
DNS: suddenpower.net  Type: A
DNS: foreignpower.net  Type: A
DNS: suddencountry.net  Type: A
DNS: foreigncountry.net  Type: A
DNS: whethercentury.net  Type: A
DNS: rightcentury.net  Type: A
DNS: whetherfamous.net  Type: A
DNS: rightfamous.net  Type: A
DNS: whetherpower.net  Type: A
DNS: whethercountry.net  Type: A
DNS: rightcountry.net  Type: A
DNS: figurecentury.net  Type: A
DNS: thoughcentury.net  Type: A
DNS: figurefamous.net  Type: A
HTTP GET: http://englishexplain.net/index.php  User-Agent: (empty)
HTTP GET: http://rightpeople.net/index.php  User-Agent: (empty)
HTTP GET: http://picturepeople.net/index.php  User-Agent: (empty)
HTTP GET: http://familyready.net/index.php  User-Agent: (empty)
HTTP GET: http://familybrown.net/index.php  User-Agent: (empty)
HTTP GET: http://familypeople.net/index.php  User-Agent: (empty)
HTTP GET: http://rightnation.net/index.php  User-Agent: (empty)
HTTP GET: http://familynation.net/index.php  User-Agent: (empty)
HTTP GET: http://personpower.net/index.php  User-Agent: (empty)
HTTP GET: http://machinepower.net/index.php  User-Agent: (empty)
HTTP GET: http://rightpower.net/index.php  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 114.141.197.235:80
Flows TCP: 192.168.1.1:1033 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1034 ➝ 96.30.52.60:80
Flows TCP: 192.168.1.1:1035 ➝ 83.170.69.51:80
Flows TCP: 192.168.1.1:1036 ➝ 72.52.226.92:80
Flows TCP: 192.168.1.1:1037 ➝ 204.13.232.236:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.78:80
Flows TCP: 192.168.1.1:1039 ➝ 146.0.42.19:80
Flows TCP: 192.168.1.1:1040 ➝ 64.73.31.53:80
Flows TCP: 192.168.1.1:1041 ➝ 69.64.147.249:80
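Every name the sample queried is two English words joined under .net, only the first eleven came back with an A record in this capture, and each resolved host was then fetched at /index.php with an empty User-Agent over port 80. The Python below is an added example, not part of the report: it parses a constructed slice of these entries (domains and addresses copied from the list above, plus one benign control name with a documentation-range address and one request with a made-up Mozilla/5.0 User-Agent for contrast), splits each label into a dictionary-word pair using a vocabulary assembled from the page, and summarizes the resolution ratio, the word frequencies, the bare-User-Agent requests, and which word-pair hosts were actually contacted. The vocabulary is this example's assumption; a real detector would use a full dictionary.

```python
"""Triage of sandbox DNS/HTTP entries: dictionary word-pair domains, resolution
ratio and bare-User-Agent requests. Added example; not part of the report."""
import re
from collections import Counter

# Constructed slice of the Network Details above, re-typed as "DNS <name> [ip]" and
# "HTTP <url> [user-agent]". Domains and addresses are copied from the report; the
# windowsupdate line (documentation-range IP) and the Mozilla/5.0 User-Agent are
# made-up controls so the checks have something benign to pass over.
SAMPLE_LOG = """\
DNS englishexplain.net 208.100.26.234
DNS rightpeople.net 114.141.197.235
DNS picturepeople.net 207.148.248.143
DNS familyready.net 96.30.52.60
DNS machinepower.net 64.73.31.53
DNS englishinstead.net
DNS eitherexplain.net
DNS eitherbright.net
DNS expectready.net
DNS becausedaughter.net
DNS cigarettecondition.net
DNS windowsupdate.microsoft.com 192.0.2.10
HTTP http://englishexplain.net/index.php
HTTP http://rightpeople.net/index.php Mozilla/5.0
HTTP http://machinepower.net/index.php
"""

# Vocabulary assembled from the words that appear in the report's domain list.
# An assumption for this example: a real detector would use a full dictionary.
WORDS = frozenset("""
english explain right people picture family ready brown nation power person
machine either instead bright inside expect because daughter sudden foreign
whether figure though cigarette children soldier please condition century
famous country
""".split())

LINE_RE = re.compile(r"^(DNS|HTTP)\s+(\S+)(?:\s+(.*))?$")


def split_word_pair(label, words=WORDS):
    """Return (first, second) if label is exactly two vocabulary words glued together."""
    for i in range(1, len(label)):
        head, tail = label[:i], label[i:]
        if head in words and tail in words:
            return head, tail
    return None


def parse_log(text):
    """Turn the log text into DNS and HTTP records."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, value, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
        if kind == "DNS":
            records.append({"kind": "DNS", "domain": value, "ip": rest or None})
        else:
            host = re.match(r"https?://([^/]+)", value).group(1)
            records.append({"kind": "HTTP", "url": value, "host": host, "user_agent": rest})
    return records


def triage(text):
    """Summarize the word-pair pattern, resolution ratio and bare-UA requests."""
    recs = parse_log(text)
    dns = [r for r in recs if r["kind"] == "DNS"]
    http = [r for r in recs if r["kind"] == "HTTP"]
    pairs = {}
    for r in dns:
        pair = split_word_pair(r["domain"].split(".")[0])
        if pair:
            pairs[r["domain"]] = pair
    resolved = sum(1 for r in dns if r["ip"])
    return {
        "dns_queries": len(dns),
        "resolved": resolved,
        "unresolved": len(dns) - resolved,
        "word_pair_domains": sorted(pairs),
        "first_words": Counter(p[0] for p in pairs.values()),
        "second_words": Counter(p[1] for p in pairs.values()),
        # Requests with no User-Agent at all, as in the report's HTTP GET entries.
        "empty_user_agent_requests": [r["url"] for r in http if not r["user_agent"]],
        # Word-pair hosts that were actually contacted: the live C2 candidates.
        "contacted_word_pair_hosts": sorted({r["host"] for r in http if r["host"] in pairs}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['resolved']}/{summary['dns_queries']} queries resolved")
    print("word-pair domains:", len(summary["word_pair_domains"]))
    print("bare-UA requests:", summary["empty_user_agent_requests"])
    print("contacted:", summary["contacted_word_pair_hosts"])
```

The two signals worth keeping from this: a high ratio of unresolved queries to word-pair names in a short window (the full report shows 11 answers out of roughly 175 queries), and a plain GET to /index.php with no User-Agent against every host that does resolve. Either alone is noisy; together, from one process, they are a good hunting query for the same family on other hosts.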
