Analysis Date: 2018-04-22 13:06:49
MD5: 392a540fccfa5632242987c4382f99dc
SHA1: c1da25f9d08fad1d131518b4b719da156a59f8bc

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash
AV 360 Safe: No Virus
AV Ad-Aware: Gen:Variant.Razy.12226
AV Kaspersky: Trojan.Win32.Generic
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV Rising: No Virus
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader26.39017
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV Emsisoft: Gen:Variant.Razy.12226
AV Zillya!: No Virus
AV Mcafee: Trojan-FHPX!392A540FCCFA
AV Ikarus: Trojan.Win32.Bayrob
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV BitDefender: Gen:Variant.Razy.12226
AV CA (E-Trust Ino): Gen:Variant.Razy.12226
AV Padvish: No Virus
AV Trend Micro: No Virus
AV NANO: Trojan.Win32.Boryab.dzsiwk
AV SUPERAntiSpyware: Trojan.Agent/Gen-Bayrob
AV F-Secure: Gen:Variant.Razy.12226
AV BullGuard: Gen:Variant.Razy.12226
AV Eset (nod32): Win32/Bayrob.AT.gen
AV MalwareBytes: Error Scanning File
AV Fortinet: W32/Bayrob.AQ!tr
AV VirusBlokAda (vba32): BScope.TrojanSpy.Nivdort
AV Windows Defender: TrojanSpy:Win32/Nivdort
AV Symantec: Trojan.Bayrob!gen6
AV Avira (antivir): TR/Nivdort.ofrgu
AV Twister: No Virus
AV Grisoft (avg): Generic37.XCH
AV K7: Error Scanning File
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV Alwil (avast): Evo-gen [Susp]
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
Detection summary: 26 of 35 engines flag the file (7 report clean, 2 failed to scan). The family-specific names converge on Nivdort (Quick Heal, Authentium, VBA32, Windows Defender, Avira, MSE, F-Prot) and Bayrob (Ikarus, SUPERAntiSpyware, ESET, Fortinet, Symantec); the rest are generic or heuristic labels (Trojan.Win32.Generic, Generic37, Evo-gen [Susp], Trojan.DownLoader26). The identical Gen:Variant.Razy.12226 string across eight vendors suggests a shared engine, so it should not be counted as eight independent detections.

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe (Windows system process; this report attributes no file or mutex activity to it, so it is most likely just present in the sandbox rather than spawned by the sample — verify with the full process tree)

Process
↳ C:\Users\Phil\AppData\Local\Temp\c1da25f9d08fad1d131518b4b719da156a59f8bc.exe

Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates File: C:\Windows\nkdppfhqmdzu\xzlrlkgw
Creates File: C:\nkdppfhqmdzu\xzlrlkgw
Creates File: c:\Users\Phil\AppData\Local\Temp\c1da25f9d08fad1d131518b4b719da156a59f8bc.exe (the sample's own path — the sandbox names the submitted file after its SHA1)
Creates File: C:\nkdppfhqmdzu\sqkcl51rstxqbb7taiyi.exe (dropped executable; it is launched as the next process below)

Process
↳ C:\nkdppfhqmdzu\sqkcl51rstxqbb7taiyi.exe

Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates File: C:\Windows\nkdppfhqmdzu\xzlrlkgw
Creates File: C:\nkdppfhqmdzu\xzlrlkgw
Creates File: C:\nkdppfhqmdzu\nwiopxxi9ch
Creates File: C:\nkdppfhqmdzu\run

Process
↳ C:\nkdppfhqmdzu\cnfzxmyvge.exe (no creation of this file is recorded in the Creates File lists above, so its origin is not visible in this report)

Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates File: C:\Windows\nkdppfhqmdzu\xzlrlkgw
Creates File: C:\nkdppfhqmdzu\xzlrlkgw
Creates File: C:\nkdppfhqmdzu\nwiopxxi9ch

Network Details:


Raw Pcap
Reading notes: the first request (User-Agent "Microsoft NCSI" to www.msftncsi.com/ncsi.txt) is the Windows network-connectivity probe, not sample traffic, and should not be used as an indicator. The nine `GET /index.php HTTP/1.0` requests that follow go to a rotating set of two-word .net domains (mother/simple/mountain/possible combined with together/control/matter/spent), a pattern consistent with a dictionary-based domain-generation algorithm; treat them as candidate C2 rather than confirmed, since no responses appear in this dump. The bytes after each request's terminating blank line (`ncsi.com..`) appear to be stale buffer contents carried over from the NCSI request, not part of the HTTP request.
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f746865 72746f67 65746865 722e6e65   othertogether.ne
0x00000050 (00080)   740d0a0d 0a6e6373 692e636f 6d0d0a0d   t....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d706c 65636f6e 74726f6c 2e6e6574   implecontrol.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f746865 72636f6e 74726f6c 2e6e6574   othercontrol.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e6d 61747465 722e6e65   ountainmatter.ne
0x00000050 (00080)   740d0a0d 0a6e6373 692e636f 6d0d0a0d   t....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6f737369 626c656d 61747465 722e6e65   ossiblematter.ne
0x00000050 (00080)   740d0a0d 0a6e6373 692e636f 6d0d0a0d   t....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e73 70656e74 2e6e6574   ountainspent.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6f737369 626c6573 70656e74 2e6e6574   ossiblespent.net
0x00000050 (00080)   0d0a0d0a 0a6e6373 692e636f 6d0d0a0d   .....ncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e74 6f676574 6865722e   ountaintogether.
0x00000050 (00080)   6e65740d 0a0d0a73 692e636f 6d0d0a0d   net....si.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6f737369 626c6574 6f676574 6865722e   ossibletogether.
0x00000050 (00080)   6e65740d 0a0d0a73 692e636f 6d0d0a0d   net....si.com...
0x00000060 (00096)   0a                                    .


Strings