Analysis Date: 2016-01-30 12:57:09
MD5: 4808ae20fa1cf096c64527a79be30a10
SHA1: c676228dab3934c77ddb180a9776cc7f6e71798d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5af60949e895e28e84bbb626321c5b40 sha1: f2d8e1d1cb3b58bb134210c21802e4d21c6ba854 size: 535040
Section .rdata: md5: 4b97f4ff86fa990971072bc00019c158 sha1: fb46a8d17033b4fc28cc50ed99686d6888aacc44 size: 26112
Section .data: md5: 4937ee0defd25b7f15cb9803c79a9362 sha1: 901fbc7527045f033d2cbbb0792f3295160db313 size: 19968
Section .reloc: md5: d874e36f2e94388450384a7f92396ba9 sha1: 07070e0ab903a20e1468a1865fec58b07f7100c3 size: 39936
Timestamp: 2014-05-25 07:23:58
Packer: Microsoft Visual C++ 8
PEhash: a44c18152221a0a1e5ab6607a151080c0cb15704
IMPhash: 2094e1e5745dd72b51b13de1e83e52e2
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!4808AE20FA1C
AV Avira (antivir): TR/Boryab.622080.45
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.ADUN
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.dbfk
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\dtevdqfjpzf\ooqttz8fhancpmr1i.exe
Creates File: C:\dtevdqfjpzf\ptvqjg
Creates File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Deletes File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Creates Process: C:\dtevdqfjpzf\ooqttz8fhancpmr1i.exe

Process
↳ C:\dtevdqfjpzf\ooqttz8fhancpmr1i.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Connection Call Protection ➝ C:\dtevdqfjpzf\vfmwwzdvanf.exe
Creates File: C:\dtevdqfjpzf\kkitvu
Creates File: C:\dtevdqfjpzf\vfmwwzdvanf.exe
Creates File: PIPE\lsarpc
Creates File: C:\dtevdqfjpzf\ptvqjg
Creates File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Deletes File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Creates Process: C:\dtevdqfjpzf\vfmwwzdvanf.exe
Creates Service: Wired Foundation Endpoint - C:\dtevdqfjpzf\vfmwwzdvanf.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\C676228DAB3934C77DDB180A9776C-1049E0A1.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\OOQTTZ8FHANCPMR1I.EXE-10BF3633.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\VFMWWZDVANF.EXE-2D92C6BB.pf
Creates File: C:\WINDOWS\Prefetch\PMVPKDLOZDI.EXE-38209382.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ Pid 1328

Process
↳ Pid 1868

Process
↳ Pid 944

Process
↳ C:\dtevdqfjpzf\vfmwwzdvanf.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\dtevdqfjpzf\kkitvu
Creates File: C:\dtevdqfjpzf\ptvqjg
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Creates File: C:\dtevdqfjpzf\l8cilhoy
Creates File: C:\dtevdqfjpzf\pmvpkdlozdi.exe
Deletes File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Creates Process: ekdrgoffhlo2 "c:\dtevdqfjpzf\vfmwwzdvanf.exe"

Process
↳ C:\dtevdqfjpzf\vfmwwzdvanf.exe

Creates File: C:\dtevdqfjpzf\ptvqjg
Creates File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Deletes File: C:\WINDOWS\dtevdqfjpzf\ptvqjg

Process
↳ ekdrgoffhlo2 "c:\dtevdqfjpzf\vfmwwzdvanf.exe"

Creates File: C:\dtevdqfjpzf\ptvqjg
Creates File: C:\WINDOWS\dtevdqfjpzf\ptvqjg
Deletes File: C:\WINDOWS\dtevdqfjpzf\ptvqjg

Network Details:

DNS: machinebusiness.net, Type: A, 69.73.160.55
DNS: foreignanother.net, Type: A, 195.22.28.196
DNS: foreignanother.net, Type: A, 195.22.28.197
DNS: foreignanother.net, Type: A, 195.22.28.198
DNS: foreignanother.net, Type: A, 195.22.28.199
DNS: thoughanother.net, Type: A, 98.139.135.129
DNS: thoughappear.net, Type: A, 208.100.26.234
DNS: picturebusiness.net, Type: A, 76.8.58.103
DNS: familybusiness.net, Type: A, 69.172.201.208
DNS: englishmanner.net, Type: A, 202.143.64.131
DNS: englishbusiness.net, Type: A, 184.168.221.71
DNS: picturebright.net, Type: A, 72.52.4.90
DNS: familybright.net, Type: A, 208.91.197.39
DNS: eitherinstead.net, Type: A, 98.139.135.129
DNS: englishexplain.net, Type: A, 208.100.26.234
DNS: rightpeople.net, Type: A, 114.141.197.235
DNS: englishdivide.net, Type: A
DNS: expectmanner.net, Type: A
DNS: becausemanner.net, Type: A
DNS: expectanother.net, Type: A
DNS: becauseanother.net, Type: A
DNS: expectbusiness.net, Type: A
DNS: becausebusiness.net, Type: A
DNS: expectappear.net, Type: A
DNS: becauseappear.net, Type: A
DNS: personmanner.net, Type: A
DNS: machinemanner.net, Type: A
DNS: personanother.net, Type: A
DNS: machineanother.net, Type: A
DNS: personbusiness.net, Type: A
DNS: personappear.net, Type: A
DNS: machineappear.net, Type: A
DNS: suddenmanner.net, Type: A
DNS: foreignmanner.net, Type: A
DNS: suddenanother.net, Type: A
DNS: suddenbusiness.net, Type: A
DNS: foreignbusiness.net, Type: A
DNS: suddenappear.net, Type: A
DNS: foreignappear.net, Type: A
DNS: whethermanner.net, Type: A
DNS: rightmanner.net, Type: A
DNS: whetheranother.net, Type: A
DNS: rightanother.net, Type: A
DNS: whetherbusiness.net, Type: A
DNS: rightbusiness.net, Type: A
DNS: whetherappear.net, Type: A
DNS: rightappear.net, Type: A
DNS: figuremanner.net, Type: A
DNS: thoughmanner.net, Type: A
DNS: figureanother.net, Type: A
DNS: figurebusiness.net, Type: A
DNS: thoughbusiness.net, Type: A
DNS: figureappear.net, Type: A
DNS: picturemanner.net, Type: A
DNS: cigarettemanner.net, Type: A
DNS: pictureanother.net, Type: A
DNS: cigaretteanother.net, Type: A
DNS: cigarettebusiness.net, Type: A
DNS: pictureappear.net, Type: A
DNS: cigaretteappear.net, Type: A
DNS: childrenmanner.net, Type: A
DNS: familymanner.net, Type: A
DNS: childrenanother.net, Type: A
DNS: familyanother.net, Type: A
DNS: childrenbusiness.net, Type: A
DNS: childrenappear.net, Type: A
DNS: familyappear.net, Type: A
DNS: eithermanner.net, Type: A
DNS: eitheranother.net, Type: A
DNS: englishanother.net, Type: A
DNS: eitherbusiness.net, Type: A
DNS: eitherappear.net, Type: A
DNS: englishappear.net, Type: A
DNS: expectinstead.net, Type: A
DNS: becauseinstead.net, Type: A
DNS: expectexplain.net, Type: A
DNS: becauseexplain.net, Type: A
DNS: expectbright.net, Type: A
DNS: becausebright.net, Type: A
DNS: expectinside.net, Type: A
DNS: becauseinside.net, Type: A
DNS: personinstead.net, Type: A
DNS: machineinstead.net, Type: A
DNS: personexplain.net, Type: A
DNS: machineexplain.net, Type: A
DNS: personbright.net, Type: A
DNS: machinebright.net, Type: A
DNS: personinside.net, Type: A
DNS: machineinside.net, Type: A
DNS: suddeninstead.net, Type: A
DNS: foreigninstead.net, Type: A
DNS: suddenexplain.net, Type: A
DNS: foreignexplain.net, Type: A
DNS: suddenbright.net, Type: A
DNS: foreignbright.net, Type: A
DNS: suddeninside.net, Type: A
DNS: foreigninside.net, Type: A
DNS: whetherinstead.net, Type: A
DNS: rightinstead.net, Type: A
DNS: whetherexplain.net, Type: A
DNS: rightexplain.net, Type: A
DNS: whetherbright.net, Type: A
DNS: rightbright.net, Type: A
DNS: whetherinside.net, Type: A
DNS: rightinside.net, Type: A
DNS: figureinstead.net, Type: A
DNS: thoughinstead.net, Type: A
DNS: figureexplain.net, Type: A
DNS: thoughexplain.net, Type: A
DNS: figurebright.net, Type: A
DNS: thoughbright.net, Type: A
DNS: figureinside.net, Type: A
DNS: thoughinside.net, Type: A
DNS: pictureinstead.net, Type: A
DNS: cigaretteinstead.net, Type: A
DNS: pictureexplain.net, Type: A
DNS: cigaretteexplain.net, Type: A
DNS: cigarettebright.net, Type: A
DNS: pictureinside.net, Type: A
DNS: cigaretteinside.net, Type: A
DNS: childreninstead.net, Type: A
DNS: familyinstead.net, Type: A
DNS: childrenexplain.net, Type: A
DNS: familyexplain.net, Type: A
DNS: childrenbright.net, Type: A
DNS: childreninside.net, Type: A
DNS: familyinside.net, Type: A
DNS: englishinstead.net, Type: A
DNS: eitherexplain.net, Type: A
DNS: eitherbright.net, Type: A
DNS: englishbright.net, Type: A
DNS: eitherinside.net, Type: A
DNS: englishinside.net, Type: A
DNS: expectready.net, Type: A
DNS: becauseready.net, Type: A
DNS: expectbrown.net, Type: A
DNS: becausebrown.net, Type: A
DNS: expectpeople.net, Type: A
DNS: becausepeople.net, Type: A
DNS: expectdaughter.net, Type: A
DNS: becausedaughter.net, Type: A
DNS: personready.net, Type: A
DNS: machineready.net, Type: A
DNS: personbrown.net, Type: A
DNS: machinebrown.net, Type: A
DNS: personpeople.net, Type: A
DNS: machinepeople.net, Type: A
DNS: persondaughter.net, Type: A
DNS: machinedaughter.net, Type: A
DNS: suddenready.net, Type: A
DNS: foreignready.net, Type: A
DNS: suddenbrown.net, Type: A
DNS: foreignbrown.net, Type: A
DNS: suddenpeople.net, Type: A
DNS: foreignpeople.net, Type: A
DNS: suddendaughter.net, Type: A
DNS: foreigndaughter.net, Type: A
DNS: whetherready.net, Type: A
DNS: rightready.net, Type: A
DNS: whetherbrown.net, Type: A
DNS: rightbrown.net, Type: A
DNS: whetherpeople.net, Type: A
DNS: whetherdaughter.net, Type: A
DNS: rightdaughter.net, Type: A
DNS: figureready.net, Type: A
DNS: thoughready.net, Type: A
DNS: figurebrown.net, Type: A
DNS: thoughbrown.net, Type: A
DNS: figurepeople.net, Type: A
DNS: thoughpeople.net, Type: A
DNS: figuredaughter.net, Type: A
DNS: thoughdaughter.net, Type: A
DNS: pictureready.net, Type: A
HTTP GET: http://machinebusiness.net/index.php
User-Agent:
HTTP GET: http://foreignanother.net/index.php
User-Agent:
HTTP GET: http://thoughanother.net/index.php
User-Agent:
HTTP GET: http://thoughappear.net/index.php
User-Agent:
HTTP GET: http://picturebusiness.net/index.php
User-Agent:
HTTP GET: http://familybusiness.net/index.php
User-Agent:
HTTP GET: http://englishmanner.net/index.php
User-Agent:
HTTP GET: http://englishbusiness.net/index.php
User-Agent:
HTTP GET: http://picturebright.net/index.php
User-Agent:
HTTP GET: http://familybright.net/index.php
User-Agent:
HTTP GET: http://eitherinstead.net/index.php
User-Agent:
HTTP GET: http://englishexplain.net/index.php
User-Agent:
HTTP GET: http://rightpeople.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 69.73.160.55:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 76.8.58.103:80
Flows TCP: 192.168.1.1:1036 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1037 ➝ 202.143.64.131:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.71:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.39:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1043 ➝ 114.141.197.235:80