Analysis Date: 2015-11-01 04:54:35
MD5: b5eae74c7db3aca6009bc4d2cd83c050
SHA1: c4ee986e677e05ee050c228ffad2609a2cc65ac0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9ca60a2eba77e4aed19d8c02d4dfea80 sha1: 111d35af05d982bbf65fe895f2de8c8524798a63 size: 197632
Section .rdata: md5: 4f6a5b8eb15f395382ffe17c60ff719c sha1: 248cecf2c6d2242f5e61fb039facb3a7cd66108c size: 52736
Section .data: md5: 8039c1973452bd5ebc3406c505695e2a sha1: ef683f6330d709ebb81b72f9d8dbccbcbcb95845 size: 7168
Section .reloc: md5: 79f93edba35a6d1afba0ade270cda6b2 sha1: 8e2491c9cc83f37a240ca03269d947db281ce8f9 size: 14336
Timestamp: 2015-04-29 19:19:21
Packer: Microsoft Visual C++ 8
PEhash: 8f654cab1cc8eeac6c756cb1225ec4128ddc2876
IMPhash: 9c2075a0f20c30f61da15d0f91469cbb
AV Rising: Trojan.Win32.Bayrod.a
AV Mcafee: Trojan-FGIJ!B5EAE74C7DB3
AV Avira (antivir): TR/Kryptik.qgmpd
AV Twister: Trojan.0000E9000000006A1.mg
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Alwil (avast): VB-AJEW [Trj]
AV Eset (nod32): Win32/Bayrob.Q
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Generic.AC.215362
AV BitDefender: Gen:Variant.Kazy.604861
AV K7: Trojan ( 004c12491 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Scar.R.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.604861
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.604861
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Kazy.604861
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\qndkksfvtrjpgy\uigv1lmni9paakkl9b.exe
Creates File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates File: C:\qndkksfvtrjpgy\yyfpqm
Deletes File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates Process: C:\qndkksfvtrjpgy\uigv1lmni9paakkl9b.exe

Process
↳ C:\qndkksfvtrjpgy\uigv1lmni9paakkl9b.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Detection Biometric Alerts Secure Software ➝ C:\qndkksfvtrjpgy\tldxcee.exe
Creates File: PIPE\lsarpc
Creates File: C:\qndkksfvtrjpgy\tldxcee.exe
Creates File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates File: C:\qndkksfvtrjpgy\jedlaefgz
Creates File: C:\qndkksfvtrjpgy\yyfpqm
Deletes File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates Process: C:\qndkksfvtrjpgy\tldxcee.exe
Creates Service: Profile Discovery Task Identity Session Logs - C:\qndkksfvtrjpgy\tldxcee.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1884

Process
↳ Pid 1152

Process
↳ C:\qndkksfvtrjpgy\tldxcee.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\qndkksfvtrjpgy\bhljop
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates File: C:\qndkksfvtrjpgy\nijwzpq.exe
Creates File: C:\qndkksfvtrjpgy\jedlaefgz
Creates File: C:\qndkksfvtrjpgy\yyfpqm
Deletes File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates Process: utqbxk3yjyvy "c:\qndkksfvtrjpgy\tldxcee.exe"

Process
↳ C:\qndkksfvtrjpgy\tldxcee.exe

Creates File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates File: C:\qndkksfvtrjpgy\yyfpqm
Deletes File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm

Process
↳ utqbxk3yjyvy "c:\qndkksfvtrjpgy\tldxcee.exe"

Creates File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm
Creates File: C:\qndkksfvtrjpgy\yyfpqm
Deletes File: C:\WINDOWS\qndkksfvtrjpgy\yyfpqm

Network Details:

DNS: thinksystem.net, Type: A, 69.161.143.132
DNS: collegehonor.net, Type: A, 54.186.220.79
DNS: alonehonor.net, Type: A, 98.139.135.129
DNS: aloneneither.net, Type: A, 195.22.26.253
DNS: aloneneither.net, Type: A, 195.22.26.254
DNS: aloneneither.net, Type: A, 195.22.26.231
DNS: aloneneither.net, Type: A, 195.22.26.252
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com, Type: A, 54.174.31.254
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com, Type: A, 54.208.74.215
DNS: classtrust.net, Type: A, 208.100.26.234
DNS: weatherbranch.net, Type: A
DNS: amountbelieve.net, Type: A
DNS: weatherbelieve.net, Type: A
DNS: amountreceive.net, Type: A
DNS: weatherreceive.net, Type: A
DNS: amountquarter.net, Type: A
DNS: weatherquarter.net, Type: A
DNS: thickbranch.net, Type: A
DNS: classbranch.net, Type: A
DNS: thickbelieve.net, Type: A
DNS: classbelieve.net, Type: A
DNS: thickreceive.net, Type: A
DNS: classreceive.net, Type: A
DNS: thickquarter.net, Type: A
DNS: classquarter.net, Type: A
DNS: thinkhonor.net, Type: A
DNS: presenthonor.net, Type: A
DNS: thinkneither.net, Type: A
DNS: presentneither.net, Type: A
DNS: presentsystem.net, Type: A
DNS: thinktrust.net, Type: A
DNS: presenttrust.net, Type: A
DNS: chiefhonor.net, Type: A
DNS: chiefneither.net, Type: A
DNS: collegeneither.net, Type: A
DNS: chiefsystem.net, Type: A
DNS: collegesystem.net, Type: A
DNS: chieftrust.net, Type: A
DNS: collegetrust.net, Type: A
DNS: oftenhonor.net, Type: A
DNS: oftenneither.net, Type: A
DNS: oftensystem.net, Type: A
DNS: alonesystem.net, Type: A
DNS: oftentrust.net, Type: A
DNS: alonetrust.net, Type: A
DNS: middlehonor.net, Type: A
DNS: twelvehonor.net, Type: A
DNS: middleneither.net, Type: A
DNS: twelveneither.net, Type: A
DNS: middlesystem.net, Type: A
DNS: twelvesystem.net, Type: A
DNS: middletrust.net, Type: A
DNS: twelvetrust.net, Type: A
DNS: ratherhonor.net, Type: A
DNS: morninghonor.net, Type: A
DNS: ratherneither.net, Type: A
DNS: morningneither.net, Type: A
DNS: rathersystem.net, Type: A
DNS: morningsystem.net, Type: A
DNS: rathertrust.net, Type: A
DNS: morningtrust.net, Type: A
DNS: strangehonor.net, Type: A
DNS: historyhonor.net, Type: A
DNS: strangeneither.net, Type: A
DNS: historyneither.net, Type: A
DNS: strangesystem.net, Type: A
DNS: historysystem.net, Type: A
DNS: strangetrust.net, Type: A
DNS: historytrust.net, Type: A
DNS: amounthonor.net, Type: A
DNS: weatherhonor.net, Type: A
DNS: amountneither.net, Type: A
DNS: weatherneither.net, Type: A
DNS: amountsystem.net, Type: A
DNS: weathersystem.net, Type: A
DNS: amounttrust.net, Type: A
DNS: weathertrust.net, Type: A
DNS: thickhonor.net, Type: A
DNS: classhonor.net, Type: A
DNS: thickneither.net, Type: A
DNS: classneither.net, Type: A
DNS: thicksystem.net, Type: A
DNS: classsystem.net, Type: A
DNS: thicktrust.net, Type: A
DNS: thinklaughter.net, Type: A
DNS: presentlaughter.net, Type: A
DNS: thinkfancy.net, Type: A
DNS: presentfancy.net, Type: A
DNS: thinkconsider.net, Type: A
DNS: presentconsider.net, Type: A
HTTP GET: http://thinksystem.net/index.php
User-Agent:
HTTP GET: http://alonehonor.net/index.php
User-Agent:
HTTP GET: http://aloneneither.net/index.php
User-Agent:
HTTP GET: http://classsystem.net/index.php
User-Agent:
HTTP GET: http://classtrust.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 69.161.143.132:80
Flows TCP: 192.168.1.1:1032 ➝ 54.186.220.79:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1035 ➝ 54.174.31.254:80
Flows TCP: 192.168.1.1:1036 ➝ 208.100.26.234:80
