Analysis Date: 2015-10-06 03:05:12
MD5: dbb74d583f773d9a9ab32b1c0ee63b95
SHA1: be4f4d47146d2db71184458eaba532de6fc08044

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8c22969efad19313d3c99d77ba9a61a9 sha1: 3627b5615a10c434001edb1bd4b71e501739cfb7 size: 305664
Section .rdata: md5: fafccf3baa5b1370de6bb086606c57d9 sha1: ead4254ea96db19a5022ed170dd530a48bcece5f size: 58880
Section .data: md5: b6cf2f1175da219a7c71f22504155a98 sha1: bf43ef8f92643fbaeb8a87ca517a056c1e2932a0 size: 7168
Section .reloc: md5: 8d6464730815f074bc3da37bf4067d6f sha1: cabe15de819c810df11f6ab64182e1d00dd27c99 size: 23552
Timestamp: 2015-05-11 06:10:31
Packer: Microsoft Visual C++ 8 (compiler signature)
PEhash: ea5e70df3bb4680021f9165f41ed9ca9cd3f5289
IMPhash: 254e377a30ec168b4579aa25dbed9553
AV CA (E-Trust Ino): no_virus
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: RDN/Generic.dx!dsn
AV Avira (antivir): TR/Crypt.ZPACK.135940
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.V.gen
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BE
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Diley.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\vwiwycalamqungu\wnao1l34uqgwnch1i4l.exe
Creates File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates File: C:\vwiwycalamqungu\s38mojuy
Deletes File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates Process: C:\vwiwycalamqungu\wnao1l34uqgwnch1i4l.exe

Process
↳ C:\vwiwycalamqungu\wnao1l34uqgwnch1i4l.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reports Logon Telephony Adapter ➝ C:\vwiwycalamqungu\letaqavpqmrf.exe
Creates File: C:\vwiwycalamqungu\tk2pavgjlmv
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates File: C:\vwiwycalamqungu\letaqavpqmrf.exe
Creates File: C:\vwiwycalamqungu\s38mojuy
Deletes File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates Process: C:\vwiwycalamqungu\letaqavpqmrf.exe
Creates Service: Bus Experience WMI Connect Plug - C:\vwiwycalamqungu\letaqavpqmrf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1144

Process
↳ C:\vwiwycalamqungu\letaqavpqmrf.exe

Creates File: C:\vwiwycalamqungu\agnuaflcrq
Creates File: pipe\net\NtControlPipe10
Creates File: C:\vwiwycalamqungu\pfmrbkvp.exe
Creates File: C:\vwiwycalamqungu\tk2pavgjlmv
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates File: C:\vwiwycalamqungu\s38mojuy
Deletes File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates Process: qvffkffxhomj "c:\vwiwycalamqungu\letaqavpqmrf.exe"

Process
↳ C:\vwiwycalamqungu\letaqavpqmrf.exe

Creates File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates File: C:\vwiwycalamqungu\s38mojuy
Deletes File: C:\WINDOWS\vwiwycalamqungu\s38mojuy

Process
↳ qvffkffxhomj "c:\vwiwycalamqungu\letaqavpqmrf.exe"

Creates File: C:\WINDOWS\vwiwycalamqungu\s38mojuy
Creates File: C:\vwiwycalamqungu\s38mojuy
Deletes File: C:\WINDOWS\vwiwycalamqungu\s38mojuy

Network Details:

DNS: bettercompany.net  Type: A  ➝ 121.254.178.252
DNS: breadfurther.net  Type: A  ➝ 98.139.135.129
DNS: breadcompany.net  Type: A  ➝ 23.236.62.147
DNS: quietcompany.net  Type: A  ➝ 164.109.153.213
DNS: quietcompany.net  Type: A  ➝ 164.109.45.92
DNS: nightuntil.net  Type: A  ➝ 72.52.4.90
DNS: streetshoulder.net  Type: A  ➝ 95.211.230.75
DNS: gatherabove.net  Type: A  ➝ 72.52.4.90
DNS: melbourneit.hotkeysparking.com  Type: A  ➝ 8.5.1.16
DNS: gathercompany.net  Type: A  (no address recorded)
DNS: flierfurther.net  Type: A  (no address recorded)
DNS: fliercover.net  Type: A  (no address recorded)
DNS: breadcover.net  Type: A  (no address recorded)
DNS: flierbecome.net  Type: A  (no address recorded)
DNS: breadbecome.net  Type: A  (no address recorded)
DNS: fliercompany.net  Type: A  (no address recorded)
DNS: quietfurther.net  Type: A  (no address recorded)
DNS: seasonfurther.net  Type: A  (no address recorded)
DNS: quietcover.net  Type: A  (no address recorded)
DNS: seasoncover.net  Type: A  (no address recorded)
DNS: quietbecome.net  Type: A  (no address recorded)
DNS: seasonbecome.net  Type: A  (no address recorded)
DNS: seasoncompany.net  Type: A  (no address recorded)
DNS: againstuntil.net  Type: A  (no address recorded)
DNS: doubtuntil.net  Type: A  (no address recorded)
DNS: againstabove.net  Type: A  (no address recorded)
DNS: doubtabove.net  Type: A  (no address recorded)
DNS: againstshoulder.net  Type: A  (no address recorded)
DNS: doubtshoulder.net  Type: A  (no address recorded)
DNS: againstfinger.net  Type: A  (no address recorded)
DNS: doubtfinger.net  Type: A  (no address recorded)
DNS: decideuntil.net  Type: A  (no address recorded)
DNS: nightabove.net  Type: A  (no address recorded)
DNS: decideabove.net  Type: A  (no address recorded)
DNS: nightshoulder.net  Type: A  (no address recorded)
DNS: decideshoulder.net  Type: A  (no address recorded)
DNS: nightfinger.net  Type: A  (no address recorded)
DNS: decidefinger.net  Type: A  (no address recorded)
DNS: largeuntil.net  Type: A  (no address recorded)
DNS: captainuntil.net  Type: A  (no address recorded)
DNS: largeabove.net  Type: A  (no address recorded)
DNS: captainabove.net  Type: A  (no address recorded)
DNS: largeshoulder.net  Type: A  (no address recorded)
DNS: captainshoulder.net  Type: A  (no address recorded)
DNS: largefinger.net  Type: A  (no address recorded)
DNS: captainfinger.net  Type: A  (no address recorded)
DNS: recorduntil.net  Type: A  (no address recorded)
DNS: electricuntil.net  Type: A  (no address recorded)
DNS: recordabove.net  Type: A  (no address recorded)
DNS: electricabove.net  Type: A  (no address recorded)
DNS: recordshoulder.net  Type: A  (no address recorded)
DNS: electricshoulder.net  Type: A  (no address recorded)
DNS: recordfinger.net  Type: A  (no address recorded)
DNS: electricfinger.net  Type: A  (no address recorded)
DNS: streetuntil.net  Type: A  (no address recorded)
DNS: tradeuntil.net  Type: A  (no address recorded)
DNS: streetabove.net  Type: A  (no address recorded)
DNS: tradeabove.net  Type: A  (no address recorded)
DNS: tradeshoulder.net  Type: A  (no address recorded)
DNS: streetfinger.net  Type: A  (no address recorded)
DNS: tradefinger.net  Type: A  (no address recorded)
DNS: betteruntil.net  Type: A  (no address recorded)
DNS: gatheruntil.net  Type: A  (no address recorded)
DNS: betterabove.net  Type: A  (no address recorded)
DNS: bettershoulder.net  Type: A  (no address recorded)
DNS: gathershoulder.net  Type: A  (no address recorded)
DNS: betterfinger.net  Type: A  (no address recorded)
DNS: gatherfinger.net  Type: A  (no address recorded)
DNS: flieruntil.net  Type: A  (no address recorded)
DNS: breaduntil.net  Type: A  (no address recorded)
DNS: flierabove.net  Type: A  (no address recorded)
DNS: breadabove.net  Type: A  (no address recorded)
DNS: fliershoulder.net  Type: A  (no address recorded)
DNS: breadshoulder.net  Type: A  (no address recorded)
DNS: flierfinger.net  Type: A  (no address recorded)
DNS: breadfinger.net  Type: A  (no address recorded)
DNS: quietuntil.net  Type: A  (no address recorded)
DNS: seasonuntil.net  Type: A  (no address recorded)
DNS: quietabove.net  Type: A  (no address recorded)
DNS: seasonabove.net  Type: A  (no address recorded)
DNS: quietshoulder.net  Type: A  (no address recorded)
DNS: seasonshoulder.net  Type: A  (no address recorded)
DNS: quietfinger.net  Type: A  (no address recorded)
DNS: seasonfinger.net  Type: A  (no address recorded)
DNS: thinkshore.net  Type: A  (no address recorded)
DNS: presentshore.net  Type: A  (no address recorded)
DNS: thinkwritten.net  Type: A  (no address recorded)
HTTP GET: http://bettercompany.net/index.php  User-Agent: (absent)
HTTP GET: http://breadfurther.net/index.php  User-Agent: (absent)
HTTP GET: http://breadcompany.net/index.php  User-Agent: (absent)
HTTP GET: http://quietcompany.net/index.php  User-Agent: (absent)
HTTP GET: http://nightuntil.net/index.php  User-Agent: (absent)
HTTP GET: http://streetshoulder.net/index.php  User-Agent: (absent)
HTTP GET: http://gatherabove.net/index.php  User-Agent: (absent)
HTTP GET: http://gatherfinger.net/index.php  User-Agent: (absent)
Flows TCP: 192.168.1.1:1031 ➝ 121.254.178.252:80
Flows TCP: 192.168.1.1:1032 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1033 ➝ 23.236.62.147:80
Flows TCP: 192.168.1.1:1034 ➝ 164.109.153.213:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1038 ➝ 8.5.1.16:80
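
The DNS and flow records above, run through a small classifier as an added example that is not part of this sandbox report: it tests whether each queried name is two words from a fixed vocabulary glued together, counts how many lookups got no answer, and matches every resolved address against the TCP flow destinations. The word lists and thresholds are assumptions read off the names on this page, not the sample's real dictionary, and the input is a constructed subset of the entries listed above.

```python
# Added example (not part of this sandbox report): classify the DNS queries
# as dictionary word pairs and correlate resolutions with the TCP flows.
from typing import Optional

# Constructed subset of the report's DNS entries: (name, A answer or None).
DNS_LOG = [
    ("bettercompany.net", "121.254.178.252"),
    ("breadfurther.net", "98.139.135.129"),
    ("breadcompany.net", "23.236.62.147"),
    ("quietcompany.net", "164.109.153.213"),
    ("nightuntil.net", "72.52.4.90"),
    ("streetshoulder.net", "95.211.230.75"),
    ("gatherabove.net", "72.52.4.90"),
    ("melbourneit.hotkeysparking.com", "8.5.1.16"),
    ("gathercompany.net", None),
    ("flierfurther.net", None),
    ("againstshoulder.net", None),
    ("doubtfinger.net", None),
    ("decideuntil.net", None),
    ("captainabove.net", None),
    ("electricfinger.net", None),
    ("tradeshoulder.net", None),
    ("seasonbecome.net", None),
    ("thinkshore.net", None),
]

# Constructed copy of the report's TCP flows: (source port, destination IP).
FLOWS = [
    (1031, "121.254.178.252"), (1032, "98.139.135.129"),
    (1033, "23.236.62.147"), (1034, "164.109.153.213"),
    (1035, "72.52.4.90"), (1036, "95.211.230.75"),
    (1037, "72.52.4.90"), (1038, "8.5.1.16"),
]

# Assumed vocabulary, read off the names on this page. A real detector would
# carry the full dictionary recovered from the sample, which this page lacks.
FIRST_WORDS = {"better", "bread", "quiet", "night", "street", "gather",
               "flier", "season", "against", "doubt", "decide", "large",
               "captain", "record", "electric", "trade", "think", "present"}
SECOND_WORDS = {"company", "further", "cover", "become", "until", "above",
                "shoulder", "finger", "shore", "written"}


def split_word_pair(domain: str) -> Optional[tuple]:
    """Return (first, second) when the registrable label is exactly two
    vocabulary words glued together, else None."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]
    for cut in range(1, len(label)):
        head, tail = label[:cut], label[cut:]
        if head in FIRST_WORDS and tail in SECOND_WORDS:
            return (head, tail)
    return None


def summarize(dns_log, flows) -> dict:
    """Count word-pair names and unanswered queries, and list the resolved
    names whose address also shows up as a TCP flow destination."""
    flow_ips = {ip for _, ip in flows}
    resolved = {name: ip for name, ip in dns_log if ip}
    return {
        "queries": len(dns_log),
        "word_pair": sum(1 for name, _ in dns_log if split_word_pair(name)),
        "unresolved": sum(1 for _, ip in dns_log if ip is None),
        "contacted": sorted(n for n, ip in resolved.items() if ip in flow_ips),
        "not_word_pair": sorted(n for n, _ in dns_log if not split_word_pair(n)),
    }


def looks_like_dictionary_dga(summary: dict, min_pair_ratio: float = 0.8,
                              min_unresolved_ratio: float = 0.5) -> bool:
    """Assumed thresholds: a burst of at least ten lookups, mostly word-pair
    names, mostly without an answer."""
    q = summary["queries"]
    if q < 10:
        return False
    return (summary["word_pair"] / q >= min_pair_ratio
            and summary["unresolved"] / q >= min_unresolved_ratio)


if __name__ == "__main__":
    s = summarize(DNS_LOG, FLOWS)
    print(s)
    print("dictionary-DGA-like:", looks_like_dictionary_dga(s))
```

On this input every resolved name has a matching TCP/80 flow and the only name that fails the word-pair test is melbourneit.hotkeysparking.com; the unresolved majority is what separates a dictionary DGA burst from ordinary browsing, so a production rule should key on the ratio over a time window rather than on any single name.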

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   65747465 72636f6d 70616e79 2e6e6574   ettercompany.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   72656164 66757274 6865722e 6e65740d   readfurther.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   72656164 636f6d70 616e792e 6e65740d   readcompany.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2071   : close..Host: q
0x00000040 (00064)   75696574 636f6d70 616e792e 6e65740d   uietcompany.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 756e7469 6c2e6e65 740d0a0d   ightuntil.net...
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74726565 7473686f 756c6465 722e6e65   treetshoulder.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   61746865 7261626f 76652e6e 65740d0a   atherabove.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   61746865 7266696e 6765722e 6e65740d   atherfinger.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....
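
The hex dumps above, decoded back into the request they carry, as an added example that is not part of this sandbox report: it parses the report's dump layout (offset, decimal offset, up to four 4-byte groups, ASCII column), rebuilds the HTTP request, and reports the traits a network rule could key on. The input is a constructed copy of the first dump (the bettercompany.net request); the trait list and the parser are this example's own, not the sandbox's.

```python
# Added example (not part of this sandbox report): rebuild the HTTP request
# from the Raw Pcap hex-dump lines and flag the traits of the check-in.
import re

# Constructed copy of the first dump above (the bettercompany.net request),
# in the report's own layout.
DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   65747465 72636f6d 70616e79 2e6e6574   ettercompany.net
0x00000050 (00080)   0d0a0d0a                              ....
"""

LINE_RE = re.compile(r"^0x[0-9a-fA-F]{8}\s+\(\d+\)\s+(.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")


def decode_dump(text: str) -> bytes:
    """Turn the dump back into bytes. At most four whitespace-separated hex
    groups per line are taken, so the ASCII column is never consumed."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        taken = 0
        for token in m.group(1).split():
            if taken == 4 or not HEX_GROUP.match(token):
                break
            out += bytes.fromhex(token)
            taken += 1
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line plus headers keyed in
    lower case; anything after the blank line is returned as the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def suspicious_traits(req: dict) -> list:
    """Traits of the check-in seen in this report. Each one alone is common
    in legitimate traffic; the full set together is a narrow match."""
    h = req["headers"]
    traits = []
    if "user-agent" not in h:
        traits.append("no User-Agent header")
    if req["version"] == "HTTP/1.0":
        traits.append("HTTP/1.0 request line")
    if h.get("connection", "").lower() == "close":
        traits.append("Connection: close")
    if h.get("accept") == "*/*":
        traits.append("Accept: */*")
    if req["method"] == "GET" and req["path"] == "/index.php":
        traits.append("GET /index.php")
    return traits


if __name__ == "__main__":
    request = parse_request(decode_dump(DUMP))
    print(request["headers"]["host"], suspicious_traits(request))
```

The decoded bytes confirm what the HTTP listing above shows as an empty User-Agent: the header is not present at all, and the request carries no Referer or Accept-Language either, so a rule that requires the absence of User-Agent together with the HTTP/1.0 request line and Connection: close will match this check-in without depending on the (rotating) Host value.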


Strings