Analysis Date: 2015-11-16 21:17:28
MD5: d09c532bedaf4b1826aab6da27118f38
SHA1: befa0ebca393fa7755803076a1e1badc07a97e32

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 118a92d44ca10d2e1fa7ded141a7e422, sha1 5fe5dd1254d9952b36e0f0ee3b80b89490e6c2ba, size 197120
Section .rdata: md5 e95de9b57b12319569951da3be7a3737, sha1 28736421ba7a689d45f24b33e4d863f604edf4db, size 52736
Section .data: md5 d7db1a56b94331b622d71fcb997f1b2e, sha1 c012f51a0e0ecf9bbccf72cae057c327c3dfe49d, size 7680
Section .reloc: md5 52f0932c07ee0520bdbdef3c0cafb070, sha1 89874106c543d51095c29f0e3fe90b67b4ece886, size 14336
Timestamp: 2015-04-29 19:13:36
Packer: Microsoft Visual C++ 8
PEhash: 2103c6270f6d218a626aad09afabee99cd12deec
IMPhash: 0ee7978b9295a1aee0c353e2412a4863
AV Rising: Error Scanning File
AV McAfee: Trojan-FGIJ!D09C532BEDAF
AV Avira (antivir): TR/Kryptik.qgmpd
AV Twister: Trojan.0000E9000000006A1.mg
AV Ad-Aware: Gen:Variant.Strobosc.1
AV Alwil (avast): VB-AJEW [Trj]
AV Eset (nod32): Win32/Bayrob.Q
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Generic.AC.215362
AV BitDefender: Gen:Variant.Strobosc.1
AV K7: Trojan ( 004c12491 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Scar.R.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Strobosc.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Strobosc.1
AV Arcabit (arcavir): Gen:Variant.Strobosc.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Strobosc.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates File: C:\ldgcsaxakzxn\mgcd1lmnecsys11pybf.exe
Creates File: C:\ldgcsaxakzxn\nuvpaovuf
Deletes File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates Process: C:\ldgcsaxakzxn\mgcd1lmnecsys11pybf.exe

Process
↳ C:\ldgcsaxakzxn\mgcd1lmnecsys11pybf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Filtering Compatibility ➝ C:\ldgcsaxakzxn\dhojlhfa.exe
Creates File: C:\ldgcsaxakzxn\dhojlhfa.exe
Creates File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates File: C:\ldgcsaxakzxn\nuvpaovuf
Creates File: PIPE\lsarpc
Creates File: C:\ldgcsaxakzxn\wrrp4vvgp
Deletes File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates Process: C:\ldgcsaxakzxn\dhojlhfa.exe
Creates Service: Cryptographic Process Registrar User-mode - C:\ldgcsaxakzxn\dhojlhfa.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1140

Process
↳ C:\ldgcsaxakzxn\dhojlhfa.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ldgcsaxakzxn\fveeeqr.exe
Creates File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates File: C:\ldgcsaxakzxn\nuvpaovuf
Creates File: \Device\Afd\Endpoint
Creates File: C:\ldgcsaxakzxn\uwt97tzmrnr
Creates File: C:\ldgcsaxakzxn\wrrp4vvgp
Deletes File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates Process: f2zrkhotxe4c "c:\ldgcsaxakzxn\dhojlhfa.exe"

Process
↳ C:\ldgcsaxakzxn\dhojlhfa.exe

Creates File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates File: C:\ldgcsaxakzxn\nuvpaovuf
Deletes File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf

Process
↳ f2zrkhotxe4c "c:\ldgcsaxakzxn\dhojlhfa.exe"

Creates File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf
Creates File: C:\ldgcsaxakzxn\nuvpaovuf
Deletes File: C:\WINDOWS\ldgcsaxakzxn\nuvpaovuf

Network Details:

HTTP GET: http://husbandthrown.net/index.php
User-Agent:
HTTP GET: http://destroystorm.net/index.php
User-Agent:
HTTP GET: http://littlestorm.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://littlealthough.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.49:80
Flows TCP: 192.168.1.1:1034 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1035 ➝ 208.100.26.234:80