Analysis Date: 2016-02-24 07:26:41
MD5: 2e7df51c03e9ea682b55488bbee5d3c6
SHA1: bc2c912f1a66fd2e56f67543da4ae33024901458

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1458a77902a9402114f06f465fba074d sha1: 36b9a6c7d0f3ee8382cb7bdb6c44b61304e1420b size: 220160
Section .rdata md5: bb98a8407c20c1d26cabb2ed43b5bcf9 sha1: 9681de0b02c3d11bfaf30c0767477508b5e6f759 size: 18432
Section .data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc md5: 9cfe5329de1aa0d0fde21ca1f498289e sha1: 2359bb7017f2ce3728ccb32e73ff944253fa3279 size: 41472
Timestamp: 2016-01-03 13:58:46
PEhash: 6e72e57d7f4a1bc575d30e1d0dd1c0c7f55e3605
IMPhash: cf4214bb49ab1df2fd1a464ad4e5539c
AV Fortinet: W32/Bayrob.AQ!tr
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV F-Secure: Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Mcafee: Trojan-FHOH!2E7DF51C03E9
AV Ikarus: Trojan.Win32.Bayrob
AV Trend Micro: No Virus
AV Dr. Web: No Virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV Authentium: W32/BayRob.D.gen!Eldorado
AV Grisoft (avg): Win32/Heur
AV Twister: No Virus
AV BullGuard: Gen:Variant.Razy.11545
AV Zillya!: No Virus
AV Frisk (f-prot): W32/BayRob.D.gen!Eldorado
AV Kaspersky: Trojan.Win32.Generic
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV ClamAV: No Virus
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Alwil (avast): Win32:Malware-gen
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV BitDefender: Gen:Variant.Razy.11545
AV Emsisoft: Gen:Variant.Razy.11545
AV Symantec: Trojan.Bayrob!gen6
AV K7: Trojan ( 004db0c61 )
AV Ad-Aware: Gen:Variant.Razy.11545
AV Avira (antivir): TR/Nivdort.A.29268
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV VirusBlokAda (vba32): No Virus
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\bvzifnducsnfxm\prkgvffxk
Creates File: C:\bvzifnducsnfxm\vt1kd2ip9zvl1kd.exe
Creates File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Deletes File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Creates Process: C:\bvzifnducsnfxm\vt1kd2ip9zvl1kd.exe

Process
↳ C:\bvzifnducsnfxm\vt1kd2ip9zvl1kd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Print Keying iSCSI Adapter ➝ C:\bvzifnducsnfxm\mqfcwhp.exe
Creates File: C:\bvzifnducsnfxm\prkgvffxk
Creates File: C:\bvzifnducsnfxm\ekixlw
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Creates File: C:\bvzifnducsnfxm\mqfcwhp.exe
Deletes File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Creates Process: C:\bvzifnducsnfxm\mqfcwhp.exe
Creates Service: Store Counter Panel Encrypting Wired - C:\bvzifnducsnfxm\mqfcwhp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1852

Process
↳ Pid 1140

Process
↳ C:\bvzifnducsnfxm\mqfcwhp.exe

Creates File: C:\bvzifnducsnfxm\btcrudiqkv.exe
Creates File: C:\bvzifnducsnfxm\prkgvffxk
Creates File: pipe\net\NtControlPipe10
Creates File: C:\bvzifnducsnfxm\ekixlw
Creates File: C:\bvzifnducsnfxm\be0tm35ti1
Creates File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Creates Process: y4ydb8vyv4db "c:\bvzifnducsnfxm\mqfcwhp.exe"

Process
↳ C:\bvzifnducsnfxm\mqfcwhp.exe

Creates File: C:\bvzifnducsnfxm\prkgvffxk
Creates File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Deletes File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk

Process
↳ y4ydb8vyv4db "c:\bvzifnducsnfxm\mqfcwhp.exe"

Creates File: C:\bvzifnducsnfxm\prkgvffxk
Creates File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
Deletes File: C:\WINDOWS\bvzifnducsnfxm\prkgvffxk
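
The process, registry and service records above show the sample's persistence layout: a random-named directory directly under the drive root, a Run-key value and a service both pointing at an executable inside it, and a child launched with a command line whose first token (y4ydb8vyv4db) is not the image name. The Python below is an added example, not code from the sandbox or from the malware: it encodes those three observations as hunting rules and runs them over a constructed event list built from this report plus two benign records. The event schema, the rule names, the scoring and the random-name heuristic are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directories normally found directly under a drive root; any other directory
# at that depth holding an autostart target is worth a look.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "users", "programdata"}


def first_token(cmdline):
    """First token of a Windows command line, honouring a leading quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def root_level_dir(path):
    """Directory directly under the drive root for a path of the form
    drive:/dir/.../file, or None when the path is shallower or not drive-rooted."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 3 or not re.fullmatch(r"[A-Za-z]:\\", parts[0]):
        return None
    return parts[1]


def looks_random(token):
    """Heuristic for generated names such as bvzifnducsnfxm or vt1kd2ip9zvl1kd:
    alphanumeric, 6+ characters, and either digits mixed into letters or almost
    no vowels. Corroborating signal only: svchost also has few vowels."""
    stem = token.rsplit(".", 1)[0].lower()
    if len(stem) < 6 or not stem.isalnum():
        return False
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    if any(c.isdigit() for c in stem):
        return True
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def autostart_finding(event):
    """Flag Run-key values and service images whose target executable sits in a
    non-standard directory directly under the drive root."""
    if event["type"] == "registry_set":
        if "\\currentversion\\run\\" not in event["key"].lower():
            return None
        target = event["value"]
    elif event["type"] == "service_create":
        target = event["image"]
    else:
        return None
    exe = first_token(target)
    top = root_level_dir(exe)
    if top is None or top.lower() in STANDARD_ROOT_DIRS:
        return None
    score = 1 + looks_random(top) + looks_random(PureWindowsPath(exe).name)
    return {"rule": "autostart-from-root-dir", "event": event["type"],
            "path": exe, "score": score}


def argv0_finding(event):
    """Flag a process whose command line does not begin with its own image name,
    the pattern of the y4ydb8vyv4db launch in this report."""
    if event["type"] != "process_create" or not event.get("cmdline"):
        return None
    argv0 = PureWindowsPath(first_token(event["cmdline"])).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    if argv0 in (image, image.rsplit(".", 1)[0]):
        return None
    return {"rule": "argv0-mismatch", "event": event["type"],
            "image": event["image"], "argv0": argv0, "score": 2}


RULES = (autostart_finding, argv0_finding)


def hunt(events):
    """Run every rule over every event and return the findings in event order."""
    return [f for e in events for rule in RULES if (f := rule(e))]


# Constructed event list: the records from this report, then two benign
# autostart entries (hypothetical) to show what the rules leave alone.
EVENTS = [
    {"type": "process_create", "image": r"C:\malware.exe", "cmdline": r"C:\malware.exe"},
    {"type": "process_create", "image": r"C:\bvzifnducsnfxm\vt1kd2ip9zvl1kd.exe",
     "cmdline": r"C:\bvzifnducsnfxm\vt1kd2ip9zvl1kd.exe"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Print Keying iSCSI Adapter",
     "value": r"C:\bvzifnducsnfxm\mqfcwhp.exe"},
    {"type": "service_create", "name": "Store Counter Panel Encrypting Wired",
     "image": r"C:\bvzifnducsnfxm\mqfcwhp.exe"},
    {"type": "process_create", "image": r"c:\bvzifnducsnfxm\mqfcwhp.exe",
     "cmdline": r'y4ydb8vyv4db "c:\bvzifnducsnfxm\mqfcwhp.exe"'},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "service_create", "name": "Spooler",
     "image": r"C:\WINDOWS\system32\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Running it reports the Run-key value and the service (both scoring 3: root-level directory plus random-looking directory and file names) and the mqfcwhp.exe launch with the mismatched first token; the malware.exe and vt1kd2ip9zvl1kd.exe launches, the OneDrive Run value and the Spooler service produce nothing. On real telemetry the score should be combined with other context before alerting, since looks_random() will also fire on short vowel-poor system binaries.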

Network Details:

DNS: rightforest.net (A) ➝ 98.130.238.135
DNS: personschool.net (A) ➝ 165.160.13.20
DNS: personschool.net (A) ➝ 165.160.15.20
DNS: melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS: foreignquestion.net (A) ➝ 195.22.28.197
DNS: foreignquestion.net (A) ➝ 195.22.28.198
DNS: foreignquestion.net (A) ➝ 195.22.28.199
DNS: foreignquestion.net (A) ➝ 195.22.28.196
DNS: rightschool.net (A) ➝ 176.37.12.45
DNS: rightquestion.net (A) ➝ 208.91.197.27
DNS: figurewhile.net (A) ➝ 208.100.26.234
DNS: familyschool.net (A) ➝ 141.8.225.124
DNS: englishschool.net (A) ➝ 69.172.201.208
DNS: englishquestion.net (A) ➝ 85.25.201.249
DNS: suddenstorm.net (A) ➝ 199.116.78.152
DNS: righttraining.net (A) ➝ 50.63.202.68
DNS: cigarettehunger.net (A) ➝ 195.22.28.198
DNS: cigarettehunger.net (A) ➝ 195.22.28.199
DNS: cigarettehunger.net (A) ➝ 195.22.28.196
DNS: cigarettehunger.net (A) ➝ 195.22.28.197
DNS: picturestorm.net (A) ➝ 80.67.28.202
DNS: familytraining.net (A) ➝ 199.34.228.55
DNS: suddenwheat.net (A)
DNS: foreignwheat.net (A)
DNS: suddenanger.net (A)
DNS: foreignanger.net (A)
DNS: suddenalways.net (A)
DNS: foreignalways.net (A)
DNS: suddenforest.net (A)
DNS: foreignforest.net (A)
DNS: whetherwheat.net (A)
DNS: rightwheat.net (A)
DNS: whetheranger.net (A)
DNS: rightanger.net (A)
DNS: whetheralways.net (A)
DNS: rightalways.net (A)
DNS: whetherforest.net (A)
DNS: figurewheat.net (A)
DNS: thoughwheat.net (A)
DNS: figureanger.net (A)
DNS: thoughanger.net (A)
DNS: figurealways.net (A)
DNS: thoughalways.net (A)
DNS: figureforest.net (A)
DNS: thoughforest.net (A)
DNS: picturewheat.net (A)
DNS: cigarettewheat.net (A)
DNS: pictureanger.net (A)
DNS: cigaretteanger.net (A)
DNS: picturealways.net (A)
DNS: cigarettealways.net (A)
DNS: pictureforest.net (A)
DNS: cigaretteforest.net (A)
DNS: childrenwheat.net (A)
DNS: familywheat.net (A)
DNS: childrenanger.net (A)
DNS: familyanger.net (A)
DNS: childrenalways.net (A)
DNS: familyalways.net (A)
DNS: childrenforest.net (A)
DNS: familyforest.net (A)
DNS: eitherwheat.net (A)
DNS: englishwheat.net (A)
DNS: eitheranger.net (A)
DNS: englishanger.net (A)
DNS: eitheralways.net (A)
DNS: englishalways.net (A)
DNS: eitherforest.net (A)
DNS: englishforest.net (A)
DNS: expectschool.net (A)
DNS: becauseschool.net (A)
DNS: expectwhile.net (A)
DNS: becausewhile.net (A)
DNS: expectquestion.net (A)
DNS: becausequestion.net (A)
DNS: expecttherefore.net (A)
DNS: becausetherefore.net (A)
DNS: machineschool.net (A)
DNS: personwhile.net (A)
DNS: machinewhile.net (A)
DNS: personquestion.net (A)
DNS: machinequestion.net (A)
DNS: persontherefore.net (A)
DNS: machinetherefore.net (A)
DNS: suddenschool.net (A)
DNS: foreignschool.net (A)
DNS: suddenwhile.net (A)
DNS: foreignwhile.net (A)
DNS: suddenquestion.net (A)
DNS: suddentherefore.net (A)
DNS: foreigntherefore.net (A)
DNS: whetherschool.net (A)
DNS: whetherwhile.net (A)
DNS: rightwhile.net (A)
DNS: whetherquestion.net (A)
DNS: whethertherefore.net (A)
DNS: righttherefore.net (A)
DNS: figureschool.net (A)
DNS: thoughschool.net (A)
DNS: thoughwhile.net (A)
DNS: figurequestion.net (A)
DNS: thoughquestion.net (A)
DNS: figuretherefore.net (A)
DNS: thoughtherefore.net (A)
DNS: pictureschool.net (A)
DNS: cigaretteschool.net (A)
DNS: picturewhile.net (A)
DNS: cigarettewhile.net (A)
DNS: picturequestion.net (A)
DNS: cigarettequestion.net (A)
DNS: picturetherefore.net (A)
DNS: cigarettetherefore.net (A)
DNS: childrenschool.net (A)
DNS: childrenwhile.net (A)
DNS: familywhile.net (A)
DNS: childrenquestion.net (A)
DNS: familyquestion.net (A)
DNS: childrentherefore.net (A)
DNS: familytherefore.net (A)
DNS: eitherschool.net (A)
DNS: eitherwhile.net (A)
DNS: englishwhile.net (A)
DNS: eitherquestion.net (A)
DNS: eithertherefore.net (A)
DNS: englishtherefore.net (A)
DNS: expecthunger.net (A)
DNS: becausehunger.net (A)
DNS: expecttraining.net (A)
DNS: becausetraining.net (A)
DNS: expectstorm.net (A)
DNS: becausestorm.net (A)
DNS: expectthrown.net (A)
DNS: becausethrown.net (A)
DNS: personhunger.net (A)
DNS: machinehunger.net (A)
DNS: persontraining.net (A)
DNS: machinetraining.net (A)
DNS: personstorm.net (A)
DNS: machinestorm.net (A)
DNS: personthrown.net (A)
DNS: machinethrown.net (A)
DNS: suddenhunger.net (A)
DNS: foreignhunger.net (A)
DNS: suddentraining.net (A)
DNS: foreigntraining.net (A)
DNS: foreignstorm.net (A)
DNS: suddenthrown.net (A)
DNS: foreignthrown.net (A)
DNS: whetherhunger.net (A)
DNS: righthunger.net (A)
DNS: whethertraining.net (A)
DNS: whetherstorm.net (A)
DNS: rightstorm.net (A)
DNS: whetherthrown.net (A)
DNS: rightthrown.net (A)
DNS: figurehunger.net (A)
DNS: thoughhunger.net (A)
DNS: figuretraining.net (A)
DNS: thoughtraining.net (A)
DNS: figurestorm.net (A)
DNS: thoughstorm.net (A)
DNS: figurethrown.net (A)
DNS: thoughthrown.net (A)
DNS: picturehunger.net (A)
DNS: picturetraining.net (A)
DNS: cigarettetraining.net (A)
DNS: cigarettestorm.net (A)
DNS: picturethrown.net (A)
DNS: cigarettethrown.net (A)
DNS: childrenhunger.net (A)
DNS: familyhunger.net (A)
DNS: childrentraining.net (A)
DNS: childrenstorm.net (A)
DNS: familystorm.net (A)
DNS: childrenthrown.net (A)
DNS: familythrown.net (A)
DNS: eitherhunger.net (A)
DNS: englishhunger.net (A)
HTTP GET: http://rightforest.net/index.php (User-Agent: empty)
HTTP GET: http://personschool.net/index.php (User-Agent: empty)
HTTP GET: http://machinequestion.net/index.php (User-Agent: empty)
HTTP GET: http://foreignquestion.net/index.php (User-Agent: empty)
HTTP GET: http://rightschool.net/index.php (User-Agent: empty)
HTTP GET: http://rightquestion.net/index.php (User-Agent: empty)
HTTP GET: http://figurewhile.net/index.php (User-Agent: empty)
HTTP GET: http://familyschool.net/index.php (User-Agent: empty)
HTTP GET: http://englishschool.net/index.php (User-Agent: empty)
HTTP GET: http://englishquestion.net/index.php (User-Agent: empty)
HTTP GET: http://suddenstorm.net/index.php (User-Agent: empty)
HTTP GET: http://righttraining.net/index.php (User-Agent: empty)
HTTP GET: http://cigarettehunger.net/index.php (User-Agent: empty)
HTTP GET: http://picturestorm.net/index.php (User-Agent: empty)
HTTP GET: http://familytraining.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 98.130.238.135:80
Flows TCP: 192.168.1.1:1032 ➝ 165.160.13.20:80
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1035 ➝ 176.37.12.45:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.124:80
Flows TCP: 192.168.1.1:1039 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1040 ➝ 85.25.201.249:80
Flows TCP: 192.168.1.1:1041 ➝ 199.116.78.152:80
Flows TCP: 192.168.1.1:1042 ➝ 50.63.202.68:80
Flows TCP: 192.168.1.1:1043 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1044 ➝ 80.67.28.202:80
Flows TCP: 192.168.1.1:1045 ➝ 199.34.228.55:80
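
Every generated hostname in the DNS and HTTP records above is one word from a short list followed by one word from a second list, under .net; the one exception, melbourneit.hotkeysparking.com, is a parking host. The Python below is an added example, not the malware's own generation routine and not output of the sandbox: the two word lists are read off this page, the matcher checks whether a name factors into exactly one prefix and one suffix, the full product of the two lists is emitted as a candidate block list, and the recorded answers are grouped to show which names shared addresses (foreignquestion.net and cigarettehunger.net both answered with 195.22.28.196 through .199). Whether the real generator uses precisely these lists is not established by this report, so treat the vocabulary as an assumption; the negative names (wrong TLD, words reversed) in the sample run are constructed.

```python
import re

# Word lists read off this report's DNS queries. Assumption: the generator
# draws from exactly these two lists; the report shows combinations, not code.
PREFIXES = ("sudden foreign whether right figure though picture cigarette "
            "children family either english expect because person machine").split()
SUFFIXES = ("wheat anger always forest school while question therefore "
            "hunger training storm thrown").split()
TLD = ".net"

# Anchored regex for fast screening over large DNS logs.
DGA_RE = re.compile(r"^(%s)(%s)\.net$" % ("|".join(PREFIXES), "|".join(SUFFIXES)))


def factor(name):
    """Return (prefix, suffix) if name is exactly one prefix word followed by one
    suffix word under .net, else None. An ambiguous split is rejected as well."""
    name = name.lower().rstrip(".")
    if not name.endswith(TLD):
        return None
    label = name[: -len(TLD)]
    if "." in label:  # only single-label names under .net appear in the report
        return None
    hits = [(p, label[len(p):]) for p in PREFIXES
            if label.startswith(p) and label[len(p):] in SUFFIXES]
    return hits[0] if len(hits) == 1 else None


def is_dga(name):
    """True when the screening regex and the exact factoring agree."""
    return bool(DGA_RE.match(name.lower().rstrip("."))) and factor(name) is not None


def vocabulary_is_unambiguous():
    """No two (prefix, suffix) pairs glue into the same label. If this were false,
    factor() would need to know which split the generator intends."""
    return len({p + s for p in PREFIXES for s in SUFFIXES}) == len(PREFIXES) * len(SUFFIXES)


def candidate_blocklist():
    """Every name the two lists can produce, usable as a DNS block or sinkhole list."""
    return sorted(p + s + TLD for p in PREFIXES for s in SUFFIXES)


# Answer sets recorded in this report for the generated names that resolved.
RESOLVED = {
    "rightforest.net": {"98.130.238.135"},
    "personschool.net": {"165.160.13.20", "165.160.15.20"},
    "foreignquestion.net": {"195.22.28.196", "195.22.28.197", "195.22.28.198", "195.22.28.199"},
    "rightschool.net": {"176.37.12.45"},
    "rightquestion.net": {"208.91.197.27"},
    "figurewhile.net": {"208.100.26.234"},
    "familyschool.net": {"141.8.225.124"},
    "englishschool.net": {"69.172.201.208"},
    "englishquestion.net": {"85.25.201.249"},
    "suddenstorm.net": {"199.116.78.152"},
    "righttraining.net": {"50.63.202.68"},
    "cigarettehunger.net": {"195.22.28.196", "195.22.28.197", "195.22.28.198", "195.22.28.199"},
    "picturestorm.net": {"80.67.28.202"},
    "familytraining.net": {"199.34.228.55"},
}


def shared_answers(resolved):
    """Group names by answer set and keep the groups with more than one name;
    generated names landing on the same addresses are worth checking for a
    sinkhole or a single attacker host serving many names."""
    groups = {}
    for name, ips in resolved.items():
        groups.setdefault(frozenset(ips), []).append(name)
    return {ips: sorted(names) for ips, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample: names from this report, the parking host, and two
    # negatives (wrong TLD, words reversed).
    sample = ["rightforest.net", "thoughtherefore.net", "machinequestion.net",
              "melbourneit.hotkeysparking.com", "rightforest.com", "forestright.net"]
    for n in sample:
        print(f"{n:35s} {factor(n)}")
    print(len(candidate_blocklist()), "candidate names")
    for ips, names in shared_answers(RESOLVED).items():
        print(sorted(ips), "->", names)
```

The 16 by 12 vocabulary yields 192 candidate names, which is small enough to load straight into a resolver block list; the sandbox observed well over half of them in one run. Because is_dga() requires the whole label to be consumed by one prefix and one suffix, look-alike names that merely contain the words, or that use another TLD, are not matched.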
