Analysis | #totalhash

Analysis Date	2016-02-09 21:15:33
MD5	ac56628e63f85ecc8a4a403131d555da
SHA1	bd06e5d304ad775a3f7d1aaaaa1bc6af1bae9d8e

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 3d93cfcad5f70ae8b3eafc5b1f8c80e6 sha1: 00a07dc0b28e846641ecc8c5975991e5a389da56 size: 190976
Section	.rdata md5: 28d960a0ca0fcc2d5603d3e12bed5d4c sha1: 6fb025679be2f1cc3e9c7b0af1bb8eb1f7352282 size: 16896
Section	.data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section	.reloc md5: ecb36ffde386948773a6b2f226e388f9 sha1: 09c906b4bae1464b9dedbcd9fd092a13dcfbe5aa size: 30720
Timestamp	2016-01-06 17:07:35
PEhash	a7431ffcebdca606a4f8eceece3eb62cd85ba899
IMPhash	5b8e0283f60ddbb03bc3f60e8db16fe5
AV	CA (E-Trust Ino)	No Virus
AV	Rising	No Virus
AV	Mcafee	Trojan-FHPX!AC56628E63F8
AV	Avira (antivir)	No Virus
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Razy.12226
AV	Alwil (avast)	Win32:Malware-gen
AV	Eset (nod32)	Win32/Bayrob.AT.gen
AV	Grisoft (avg)	Win32/Heur
AV	Symantec	Trojan.Bayrob!gen6
AV	Fortinet	W32/Bayrob.AQ!tr
AV	BitDefender	Gen:Variant.Razy.12226
AV	K7	Trojan ( 004db0c61 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.DG
AV	MicroWorld (escan)	Gen:Variant.Kazy.390560
AV	MalwareBytes	No Virus
AV	Authentium	W32/Nivdort.G.gen!Eldorado
AV	Emsisoft	Gen:Variant.Razy.12226
AV	Frisk (f-prot)	W32/Nivdort.G.gen!Eldorado
AV	Ikarus	Trojan.Win32.Bayrob
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Bayrob.scf
AV	Trend Micro	No Virus
AV	VirusBlokAda (vba32)	No Virus
AV	CAT (quickheal)	No Virus
AV	BullGuard	Gen:Variant.Kazy.390560
AV	Arcabit (arcavir)	Gen:Variant.Razy.12226
AV	ClamAV	No Virus
AV	Dr. Web	No Virus
AV	F-Secure	Gen:Variant.Razy.12226

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\pmbznhte\ggzyfq
Creates File	C:\WINDOWS\pmbznhte\ggzyfq
Creates File	C:\pmbznhte\h11oa1ld3iahsqdtjxyvi.exe
Deletes File	C:\WINDOWS\pmbznhte\ggzyfq
Creates Process	C:\pmbznhte\h11oa1ld3iahsqdtjxyvi.exe

Process
↳ C:\pmbznhte\h11oa1ld3iahsqdtjxyvi.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Workstation Collector Intelligent Auto-Discovery ➝ C:\pmbznhte\udnmage.exe
Creates File	C:\pmbznhte\tokd5dmu1
Creates File	C:\pmbznhte\ggzyfq
Creates File	C:\WINDOWS\pmbznhte\ggzyfq
Creates File	C:\pmbznhte\udnmage.exe
Creates File	PIPE\lsarpc
Deletes File	C:\WINDOWS\pmbznhte\ggzyfq
Creates Process	C:\pmbznhte\udnmage.exe
Creates Service	Time Image Update PNRP Registrar Web WinHTTP - C:\pmbznhte\udnmage.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	pipe\PCHFaultRepExecPipe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1180

Process
↳ C:\pmbznhte\udnmage.exe

Creates File	C:\pmbznhte\gcmawfsvluxj
Creates File	pipe\net\NtControlPipe10
Creates File	C:\pmbznhte\tokd5dmu1
Creates File	C:\pmbznhte\ggzyfq
Creates File	C:\WINDOWS\pmbznhte\ggzyfq
Creates File	\Device\Afd\Endpoint
Creates File	C:\pmbznhte\nikgllmi.exe
Deletes File	C:\WINDOWS\pmbznhte\ggzyfq
Creates Process	v6oyuamibljo "c:\pmbznhte\udnmage.exe"

Process
↳ C:\pmbznhte\udnmage.exe

Creates File	C:\pmbznhte\ggzyfq
Creates File	C:\WINDOWS\pmbznhte\ggzyfq
Deletes File	C:\WINDOWS\pmbznhte\ggzyfq

Process
↳ v6oyuamibljo "c:\pmbznhte\udnmage.exe"

Creates File	C:\pmbznhte\ggzyfq
Creates File	C:\WINDOWS\pmbznhte\ggzyfq
Deletes File	C:\WINDOWS\pmbznhte\ggzyfq

Network Details:

DNS	crowdnation.net Type: A 167.114.213.199
DNS	crowdnation.net Type: A 107.191.99.114
DNS	crowdnation.net Type: A 107.161.23.204
DNS	crowdcondition.net Type: A 195.22.28.196
DNS	crowdcondition.net Type: A 195.22.28.199
DNS	crowdcondition.net Type: A 195.22.28.198
DNS	crowdcondition.net Type: A 195.22.28.197
DNS	smokenation.net Type: A 195.22.28.196
DNS	smokenation.net Type: A 195.22.28.199
DNS	smokenation.net Type: A 195.22.28.198
DNS	smokenation.net Type: A 195.22.28.197
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	partynation.net Type: A 72.52.4.91
DNS	freshpower.net Type: A 195.149.84.100
DNS	freshpower.net Type: A 195.149.84.101
DNS	memberfamous.net Type: A 208.100.26.234
DNS	alreadysoldier.net Type: A
DNS	gentlemanplease.net Type: A
DNS	alreadyplease.net Type: A
DNS	gentlemancondition.net Type: A
DNS	alreadycondition.net Type: A
DNS	follownation.net Type: A
DNS	membernation.net Type: A
DNS	followsoldier.net Type: A
DNS	membersoldier.net Type: A
DNS	followplease.net Type: A
DNS	memberplease.net Type: A
DNS	followcondition.net Type: A
DNS	membercondition.net Type: A
DNS	beginnation.net Type: A
DNS	knownnation.net Type: A
DNS	beginsoldier.net Type: A
DNS	knownsoldier.net Type: A
DNS	beginplease.net Type: A
DNS	knownplease.net Type: A
DNS	begincondition.net Type: A
DNS	knowncondition.net Type: A
DNS	summernation.net Type: A
DNS	summersoldier.net Type: A
DNS	crowdsoldier.net Type: A
DNS	summerplease.net Type: A
DNS	crowdplease.net Type: A
DNS	summercondition.net Type: A
DNS	thoughtnation.net Type: A
DNS	waternation.net Type: A
DNS	thoughtsoldier.net Type: A
DNS	watersoldier.net Type: A
DNS	thoughtplease.net Type: A
DNS	waterplease.net Type: A
DNS	thoughtcondition.net Type: A
DNS	watercondition.net Type: A
DNS	womannation.net Type: A
DNS	womansoldier.net Type: A
DNS	smokesoldier.net Type: A
DNS	womanplease.net Type: A
DNS	smokeplease.net Type: A
DNS	womancondition.net Type: A
DNS	smokecondition.net Type: A
DNS	fightnation.net Type: A
DNS	partysoldier.net Type: A
DNS	fightsoldier.net Type: A
DNS	partyplease.net Type: A
DNS	fightplease.net Type: A
DNS	partycondition.net Type: A
DNS	fightcondition.net Type: A
DNS	freshcentury.net Type: A
DNS	experiencecentury.net Type: A
DNS	freshfamous.net Type: A
DNS	experiencefamous.net Type: A
DNS	experiencepower.net Type: A
DNS	freshcountry.net Type: A
DNS	experiencecountry.net Type: A
DNS	gentlemancentury.net Type: A
DNS	alreadycentury.net Type: A
DNS	gentlemanfamous.net Type: A
DNS	alreadyfamous.net Type: A
DNS	gentlemanpower.net Type: A
DNS	alreadypower.net Type: A
DNS	gentlemancountry.net Type: A
DNS	alreadycountry.net Type: A
DNS	followcentury.net Type: A
DNS	membercentury.net Type: A
DNS	followfamous.net Type: A
DNS	followpower.net Type: A
DNS	memberpower.net Type: A
DNS	followcountry.net Type: A
DNS	membercountry.net Type: A
DNS	begincentury.net Type: A
DNS	knowncentury.net Type: A
DNS	beginfamous.net Type: A
DNS	knownfamous.net Type: A
DNS	beginpower.net Type: A
DNS	knownpower.net Type: A
DNS	begincountry.net Type: A
DNS	knowncountry.net Type: A
DNS	summercentury.net Type: A
DNS	crowdcentury.net Type: A
DNS	summerfamous.net Type: A
DNS	crowdfamous.net Type: A
HTTP GET	http://crowdnation.net/index.php User-Agent:
HTTP GET	http://crowdcondition.net/index.php User-Agent:
HTTP GET	http://smokenation.net/index.php User-Agent:
HTTP GET	http://smokecondition.net/index.php User-Agent:
HTTP GET	http://partynation.net/index.php User-Agent:
HTTP GET	http://freshpower.net/index.php User-Agent:
HTTP GET	http://memberfamous.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 167.114.213.199:80
Flows TCP	192.168.1.1:1032 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1033 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1035 ➝ 72.52.4.91:80
Flows TCP	192.168.1.1:1036 ➝ 195.149.84.100:80
Flows TCP	192.168.1.1:1037 ➝ 208.100.26.234:80

Raw Pcap

Strings