Analysis Date: 2015-11-16 20:57:09
MD5: c66788f60b0d2ec5000d3e23e7f704ab
SHA1: bed87f27a62e8d8a80a32387fad46552944de4c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 61d3005fbd95c3b765439c111225f7f5, sha1 e491432cb82d06c9fa3465fdeeea7977a9a0d66c, size 324608
Section .rdata: md5 1bb6699076d88d0345471504c2e32129, sha1 994a8e0ad7ee78002ed4e381b822d47306b73476, size 61952
Section .data: md5 96296c0e2bd8589ca5e4700a6ce5ca18, sha1 c14a42651375eaff4d415f61696fc7a6f844ede3, size 7680
Section .reloc: md5 7e7884e02403597da0c0935c16489ee8, sha1 cece865c699d83e4ee215703c021c6ef08abaabe, size 27136
Timestamp: 2015-05-11 06:16:05
Packer (compiler signature, not a packer): Microsoft Visual C++ 8
PEhash: 4c32bf3c68caffff5fb6c7ed9e99d53419cfa736
IMPhash: 83629870886d1f2b6a3cd50e04136d88
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: PWS-FCCE!C66788F60B0D
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.W
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Emsisoft: Gen:Variant.Zusy.141475
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Zusy.141475
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\cnsrfebuhdajitt\vmnq9m
Creates File: C:\cnsrfebuhdajitt\mylwlzwhyqdsukhhe.exe
Creates File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Deletes File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Creates Process: C:\cnsrfebuhdajitt\mylwlzwhyqdsukhhe.exe

Process
↳ C:\cnsrfebuhdajitt\mylwlzwhyqdsukhhe.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Link Wired Builder Extender Accounts DCOM ➝ C:\cnsrfebuhdajitt\cesjqxuy.exe
Creates File: C:\cnsrfebuhdajitt\mqlmudshvxc
Creates File: C:\cnsrfebuhdajitt\vmnq9m
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Creates File: C:\cnsrfebuhdajitt\cesjqxuy.exe
Deletes File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Creates Process: C:\cnsrfebuhdajitt\cesjqxuy.exe
Creates Service: List Certificate Host Thread Registry Agent - C:\cnsrfebuhdajitt\cesjqxuy.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\CESJQXUY.EXE-04175DDB.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\MYLWLZWHYQDSUKHHE.EXE-02EB14F1.pf
Creates File: C:\WINDOWS\Prefetch\GYQOQPRISK.EXE-04E5809E.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1208

Process
↳ Pid 1316

Process
↳ Pid 1856

Process
↳ Pid 1768

Process
↳ C:\cnsrfebuhdajitt\cesjqxuy.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\cnsrfebuhdajitt\mqlmudshvxc
Creates File: C:\cnsrfebuhdajitt\vmnq9m
Creates File: C:\cnsrfebuhdajitt\dttclgu
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Creates File: C:\cnsrfebuhdajitt\gyqoqprisk.exe
Deletes File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Creates Process: ymnwvfixrneo "c:\cnsrfebuhdajitt\cesjqxuy.exe"

Process
↳ C:\cnsrfebuhdajitt\cesjqxuy.exe

Creates File: C:\cnsrfebuhdajitt\vmnq9m
Creates File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Deletes File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m

Process
↳ ymnwvfixrneo "c:\cnsrfebuhdajitt\cesjqxuy.exe"

Creates File: C:\cnsrfebuhdajitt\vmnq9m
Creates File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m
Deletes File: C:\WINDOWS\cnsrfebuhdajitt\vmnq9m

Network Details:

DNS husbandthrown.net, type A ➝ 95.211.230.75
DNS destroystorm.net, type A ➝ 216.239.138.86
DNS littlestorm.net, type A ➝ 184.168.221.49
DNS riddenstorm.net, type A ➝ 66.147.240.171
DNS littlealthough.net, type A ➝ 208.100.26.234
DNS journeystorm.net, type A (no response recorded)
DNS husbandstorm.net, type A (no response recorded)
DNS journeythrown.net, type A (no response recorded)
DNS destroyhunger.net, type A (no response recorded)
DNS littlehunger.net, type A (no response recorded)
DNS destroytraining.net, type A (no response recorded)
DNS littletraining.net, type A (no response recorded)
DNS destroythrown.net, type A (no response recorded)
DNS littlethrown.net, type A (no response recorded)
DNS riddenhunger.net, type A (no response recorded)
DNS belonghunger.net, type A (no response recorded)
DNS riddentraining.net, type A (no response recorded)
DNS belongtraining.net, type A (no response recorded)
DNS belongstorm.net, type A (no response recorded)
DNS riddenthrown.net, type A (no response recorded)
DNS belongthrown.net, type A (no response recorded)
DNS chairhunger.net, type A (no response recorded)
DNS thosehunger.net, type A (no response recorded)
DNS chairtraining.net, type A (no response recorded)
DNS thosetraining.net, type A (no response recorded)
DNS chairstorm.net, type A (no response recorded)
DNS thosestorm.net, type A (no response recorded)
DNS chairthrown.net, type A (no response recorded)
DNS thosethrown.net, type A (no response recorded)
DNS withinhunger.net, type A (no response recorded)
DNS sufferhunger.net, type A (no response recorded)
DNS withintraining.net, type A (no response recorded)
DNS suffertraining.net, type A (no response recorded)
DNS withinstorm.net, type A (no response recorded)
DNS sufferstorm.net, type A (no response recorded)
DNS withinthrown.net, type A (no response recorded)
DNS sufferthrown.net, type A (no response recorded)
DNS efforthunger.net, type A (no response recorded)
DNS throughhunger.net, type A (no response recorded)
DNS efforttraining.net, type A (no response recorded)
DNS throughtraining.net, type A (no response recorded)
DNS effortstorm.net, type A (no response recorded)
DNS throughstorm.net, type A (no response recorded)
DNS effortthrown.net, type A (no response recorded)
DNS throughthrown.net, type A (no response recorded)
DNS forgethunger.net, type A (no response recorded)
DNS increasehunger.net, type A (no response recorded)
DNS forgettraining.net, type A (no response recorded)
DNS increasetraining.net, type A (no response recorded)
DNS forgetstorm.net, type A (no response recorded)
DNS increasestorm.net, type A (no response recorded)
DNS forgetthrown.net, type A (no response recorded)
DNS increasethrown.net, type A (no response recorded)
DNS wouldhunger.net, type A (no response recorded)
DNS rememberhunger.net, type A (no response recorded)
DNS wouldtraining.net, type A (no response recorded)
DNS remembertraining.net, type A (no response recorded)
DNS wouldstorm.net, type A (no response recorded)
DNS rememberstorm.net, type A (no response recorded)
DNS wouldthrown.net, type A (no response recorded)
DNS rememberthrown.net, type A (no response recorded)
DNS journeychoose.net, type A (no response recorded)
DNS husbandchoose.net, type A (no response recorded)
DNS journeyalthough.net, type A (no response recorded)
DNS husbandalthough.net, type A (no response recorded)
DNS journeyperiod.net, type A (no response recorded)
DNS husbandperiod.net, type A (no response recorded)
DNS journeyhowever.net, type A (no response recorded)
DNS husbandhowever.net, type A (no response recorded)
DNS destroychoose.net, type A (no response recorded)
DNS littlechoose.net, type A (no response recorded)
DNS destroyalthough.net, type A (no response recorded)
DNS destroyperiod.net, type A (no response recorded)
DNS littleperiod.net, type A (no response recorded)
DNS destroyhowever.net, type A (no response recorded)
DNS littlehowever.net, type A (no response recorded)
DNS riddenchoose.net, type A (no response recorded)
DNS belongchoose.net, type A (no response recorded)
DNS riddenalthough.net, type A (no response recorded)
DNS belongalthough.net, type A (no response recorded)
DNS riddenperiod.net, type A (no response recorded)
DNS belongperiod.net, type A (no response recorded)
DNS riddenhowever.net, type A (no response recorded)
DNS belonghowever.net, type A (no response recorded)
DNS chairchoose.net, type A (no response recorded)
HTTP GET: http://husbandthrown.net/index.php (User-Agent: empty)
HTTP GET: http://destroystorm.net/index.php (User-Agent: empty)
HTTP GET: http://littlestorm.net/index.php (User-Agent: empty)
HTTP GET: http://riddenstorm.net/index.php (User-Agent: empty)
HTTP GET: http://littlealthough.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.49:80
Flows TCP: 192.168.1.1:1034 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1035 ➝ 208.100.26.234:80
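
Every one of the 85 A-record lookups above is two English words glued together in front of .net, drawn from a small vocabulary: the first words and the second words recombine as a cross product, which is the signature of a DGA built from two word lists. The Python below is an added example, not part of the sandbox report: it recovers the word boundary from the queried names alone by choosing, for each name, the split whose prefix and suffix recur most often across the whole set, then builds a hunting regex from the recovered vocabulary. The labels are transcribed from the DNS section; the frequency heuristic and the minimum word length are assumptions, and the vocabulary recovered is only what this one run of the sample happened to query.

```python
import re
from collections import Counter

# Labels of the A-record queries from the report above (all under .net).
# Transcribed from the report, not fetched from anywhere.
QUERIED = """
husbandthrown destroystorm littlestorm riddenstorm littlealthough journeystorm
husbandstorm journeythrown destroyhunger littlehunger destroytraining littletraining
destroythrown littlethrown riddenhunger belonghunger riddentraining belongtraining
belongstorm riddenthrown belongthrown chairhunger thosehunger chairtraining
thosetraining chairstorm thosestorm chairthrown thosethrown withinhunger sufferhunger
withintraining suffertraining withinstorm sufferstorm withinthrown sufferthrown
efforthunger throughhunger efforttraining throughtraining effortstorm throughstorm
effortthrown throughthrown forgethunger increasehunger forgettraining increasetraining
forgetstorm increasestorm forgetthrown increasethrown wouldhunger rememberhunger
wouldtraining remembertraining wouldstorm rememberstorm wouldthrown rememberthrown
journeychoose husbandchoose journeyalthough husbandalthough journeyperiod husbandperiod
journeyhowever husbandhowever destroychoose littlechoose destroyalthough destroyperiod
littleperiod destroyhowever littlehowever riddenchoose belongchoose riddenalthough
belongalthough riddenperiod belongperiod riddenhowever belonghowever chairchoose
""".split()

MIN_PART = 3  # assumed: neither word is shorter than this


def factor_word_pairs(labels, min_part=MIN_PART):
    """Split each label into prefix+suffix without a dictionary.

    Every candidate prefix and suffix is counted across the whole set; for
    each label the split maximizing (prefix count * suffix count) is kept.
    Labels built as a cross product of two word lists share their parts with
    many other labels, so the true word boundary dominates the product."""
    pre, suf = Counter(), Counter()
    for lab in labels:
        for i in range(min_part, len(lab) - min_part + 1):
            pre[lab[:i]] += 1
            suf[lab[i:]] += 1
    splits = {}
    for lab in labels:
        best = max(range(min_part, len(lab) - min_part + 1),
                   key=lambda i: pre[lab[:i]] * suf[lab[i:]])
        splits[lab] = (lab[:best], lab[best:])
    return splits


def vocabulary(splits):
    """Sorted first-word and second-word lists recovered from the splits."""
    firsts = sorted({p for p, _ in splits.values()})
    seconds = sorted({s for _, s in splits.values()})
    return firsts, seconds


def vocab_ratio(labels, splits):
    """Distinct words per label. Unrelated names give about 2.0 (every label
    is its own pair); a recombined small vocabulary gives far less than 1."""
    firsts, seconds = vocabulary(splits)
    return (len(firsts) + len(seconds)) / len(labels)


def hunting_regex(splits, tld="net"):
    """Regex over the full cross product of the recovered words, so it also
    catches pairs the sandbox run never happened to query."""
    firsts, seconds = vocabulary(splits)
    return re.compile(r"^(?:%s)(?:%s)\.%s$" % ("|".join(map(re.escape, firsts)),
                                               "|".join(map(re.escape, seconds)),
                                               re.escape(tld)))


if __name__ == "__main__":
    splits = factor_word_pairs(QUERIED)
    firsts, seconds = vocabulary(splits)
    print(len(QUERIED), "labels ->", len(firsts), "first words x", len(seconds), "second words")
    print("first words: ", " ".join(firsts))
    print("second words:", " ".join(seconds))
    print("words per label: %.2f" % vocab_ratio(QUERIED, splits))
    print("hunting regex:", hunting_regex(splits).pattern)
```

The regex matches the whole cross product, so it fires on combinations not seen in this run (chairperiod.net, for instance) while still requiring both halves to come from the observed lists; word lists in the wild are usually longer than what one sandbox run exposes, so treat the vocabulary as a lower bound and re-derive it as more resolutions are collected.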
