Analysis Date: 2015-10-12 09:04:31
MD5: 76679c0889aa76caad8d63870e284e97
SHA1: c270e40d8beb02d4b472b45a432260615247f013

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 dd0fbda2f20587e01a36f93d95450b70, sha1 efed71e8aebf92b630d78f62257259122a61249f, size 289792
Section .rdata: md5 5145068409c49215dcbb5037f815a9f1, sha1 43f971b8b2bf46f5dfd493ef70d399cbc5a72ab2, size 43008
Section .data: md5 9e0fa7dbbb50a09bacbbe70bed01413f, sha1 17f8ad8318251c09bc4ed4158a56b70ca525becc, size 7168
Section .reloc: md5 117c7cb2c30b0d7ef25e86b67e01362a, sha1 d477b2df89414cdd093b9bc1cd18b8e10bb0eefe, size 24064
Timestamp: 2015-05-21 03:44:10
Packer: Microsoft Visual C++ ?.?
PEhash: fdea4c1d8b38049e53cb606cb2dde66023f4d15a
IMPhash: c1e0f6735a43c6cacef9540b1fc04b21
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.klgx
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.185835
AV Mcafee: Trojan-FGIJ!76679C0889AA
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\iovazupcppxcxza\ajy1lpoesl3bbsdxew.exe
Creates File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates File: C:\iovazupcppxcxza\mqpsa5
Deletes File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates Process: C:\iovazupcppxcxza\ajy1lpoesl3bbsdxew.exe

Process
↳ C:\iovazupcppxcxza\ajy1lpoesl3bbsdxew.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Enumerator Compatibility Net.Tcp ➝ C:\iovazupcppxcxza\cvavmhbxzj.exe
Creates File: C:\iovazupcppxcxza\cvavmhbxzj.exe
Creates File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates File: C:\iovazupcppxcxza\mqpsa5
Creates File: PIPE\lsarpc
Creates File: C:\iovazupcppxcxza\icn0aggm
Deletes File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates Process: C:\iovazupcppxcxza\cvavmhbxzj.exe
Creates Service: Error Session Alerts Superfetch - C:\iovazupcppxcxza\cvavmhbxzj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1180

Process
↳ C:\iovazupcppxcxza\cvavmhbxzj.exe

Creates File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates File: pipe\net\NtControlPipe10
Creates File: C:\iovazupcppxcxza\hu6fsfawg7j
Creates File: C:\iovazupcppxcxza\eaehvtmwtkyu.exe
Creates File: C:\iovazupcppxcxza\mqpsa5
Creates File: C:\iovazupcppxcxza\icn0aggm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates Process: vuhvjgz6hnrs "c:\iovazupcppxcxza\cvavmhbxzj.exe"

Process
↳ C:\iovazupcppxcxza\cvavmhbxzj.exe

Creates File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates File: C:\iovazupcppxcxza\mqpsa5
Deletes File: C:\WINDOWS\iovazupcppxcxza\mqpsa5

Process
↳ vuhvjgz6hnrs "c:\iovazupcppxcxza\cvavmhbxzj.exe"

Creates File: C:\WINDOWS\iovazupcppxcxza\mqpsa5
Creates File: C:\iovazupcppxcxza\mqpsa5
Deletes File: C:\WINDOWS\iovazupcppxcxza\mqpsa5

Network Details:

