Analysis Date: 2016-01-28 16:02:46
MD5: 520e27b1e94b8e74d96af5fa70bb1800
SHA1: c753ed6ad6f849dc35197cacce478150c9a68bbf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1a96a3409b39eea890ee1e8d4b27652f sha1: e5fb0d693c444038ce2ec386b0ab2c531e9d908e size: 898048
Section .rdata: md5: b02f71d6e6980afe065f4cd422900d88 sha1: 5dd4f6b534ea9025f4fefd72a315817666f88efa size: 329728
Section .data: md5: 7aae55cd39d60584aa4e7cf089b2b819 sha1: aa2a21b7f2491d35a117486e20230ff62a7d7713 size: 7168
Section .reloc: md5: 5676585d630baf4471ef09a84b743ada sha1: 51b28fdc6f9b3f2ac9e53a5909b9447a1d2dde15 size: 120320
Timestamp: 2015-12-15 15:41:36
Packer: VC8 -> Microsoft Corporation
PEhash: 1d13b5d397abb2ffa198b86625a795142368f2ce
IMPhash: f31347feb8303e333c616f80f5fd1ca9
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!520E27B1E94B
AV Avira (antivir): TR/Crypt.Xpack.349864
AV Twister: Trojan.Cap16179.xypp
AV Ad-Aware: Gen:Variant.Kazy.788788
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AG
AV Grisoft (avg): Generic37.ORJ
AV Symantec: No Virus
AV Fortinet: W32/Generic.AG!tr
AV BitDefender: Gen:Variant.Kazy.788788
AV K7: Trojan ( 004d92091 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.788788
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.KQGT-3286
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.788788
AV Zillya!: Trojan.Bayrob.Win32.6151
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.788788
AV Arcabit (arcavir): Gen:Variant.Kazy.788788
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.38282
AV F-Secure: Gen:Variant.Kazy.788788
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\ixhqzvi\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\npbsshbtwdncw5gjtv8irf.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\npbsshbtwdncw5gjtv8irf.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\npbsshbtwdncw5gjtv8irf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CardSpace Policy Identity Proxy ➝ C:\WINDOWS\system32\yqfgzgzy.exe
Creates File: C:\WINDOWS\system32\yqfgzgzy.exe
Creates File: C:\WINDOWS\system32\ixhqzvi\lck
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\ixhqzvi\tst
Creates Process: C:\WINDOWS\system32\yqfgzgzy.exe
Creates Service: Security Machine Connection DCOM - C:\WINDOWS\system32\yqfgzgzy.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ Pid 1316

Process
↳ Pid 1848

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\yqfgzgzy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ixhqzvi\run
Creates File: C:\WINDOWS\system32\ixhqzvi\cfg
Creates File: C:\WINDOWS\system32\ixhqzvi\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\redwxjzrszi.exe
Creates File: C:\WINDOWS\TEMP\npbsshv0vad9w5g.exe
Creates File: C:\WINDOWS\system32\ixhqzvi\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ixhqzvi\rng
Deletes File: C:\WINDOWS\TEMP\npbsshv0vad9w5g.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\yqfgzgzy.exe"
Creates Process: C:\WINDOWS\TEMP\npbsshv0vad9w5g.exe -r 49896 tcp

Process
↳ C:\WINDOWS\system32\yqfgzgzy.exe

Process
↳ WATCHDOGPROC "c:\windows\system32\yqfgzgzy.exe"

Creates File: C:\WINDOWS\system32\ixhqzvi\tst

Process
↳ C:\WINDOWS\TEMP\npbsshv0vad9w5g.exe -r 49896 tcp

Network Details:

DNS journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS simonettedwerryhouse.net (Type: A) ➝ 98.139.135.129
DNS morningduring.net (Type: A) ➝ 98.139.135.129
DNS riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS effortbuilt.net (Type: A) ➝ 198.27.70.45
DNS thosewhile.net (Type: A) ➝ 198.27.70.45
DNS fearboat.net (Type: A) ➝ 195.22.28.199
DNS fearboat.net (Type: A) ➝ 195.22.28.196
DNS fearboat.net (Type: A) ➝ 195.22.28.197
DNS fearboat.net (Type: A) ➝ 195.22.28.198
DNS westboat.net (Type: A) ➝ 213.186.33.104
DNS westrest.net (Type: A) ➝ 208.100.26.234
DNS leadpress.net (Type: A) ➝ 98.124.199.4
DNS noseopen.net (Type: A) ➝ 184.168.221.71
DNS fearwear.net (Type: A) ➝ 184.168.221.16
DNS westwear.net (Type: A) ➝ 66.96.160.141
DNS orderthrown.net (Type: A)
DNS decidepromise.net (Type: A)
DNS seasonstrong.net (Type: A)
DNS chiefanother.net (Type: A)
DNS gwendolynhuddleston.net (Type: A)
DNS oftensurprise.net (Type: A)
DNS sorryrest.net (Type: A)
DNS fiftyrest.net (Type: A)
DNS sorryopen.net (Type: A)
DNS fiftyopen.net (Type: A)
DNS theirboat.net (Type: A)
DNS likrboat.net (Type: A)
DNS theirpress.net (Type: A)
DNS likrpress.net (Type: A)
DNS theirrest.net (Type: A)
DNS likrrest.net (Type: A)
DNS theiropen.net (Type: A)
DNS likropen.net (Type: A)
DNS fearpress.net (Type: A)
DNS westpress.net (Type: A)
DNS fearrest.net (Type: A)
DNS fearopen.net (Type: A)
DNS westopen.net (Type: A)
DNS tableboat.net (Type: A)
DNS leadboat.net (Type: A)
DNS tablepress.net (Type: A)
DNS tablerest.net (Type: A)
DNS leadrest.net (Type: A)
DNS tableopen.net (Type: A)
DNS leadopen.net (Type: A)
DNS pointboat.net (Type: A)
DNS callboat.net (Type: A)
DNS pointpress.net (Type: A)
DNS callpress.net (Type: A)
DNS pointrest.net (Type: A)
DNS callrest.net (Type: A)
DNS pointopen.net (Type: A)
DNS callopen.net (Type: A)
DNS noneboat.net (Type: A)
DNS liarboat.net (Type: A)
DNS nonepress.net (Type: A)
DNS liarpress.net (Type: A)
DNS nonerest.net (Type: A)
DNS liarrest.net (Type: A)
DNS noneopen.net (Type: A)
DNS liaropen.net (Type: A)
DNS wellboat.net (Type: A)
DNS noseboat.net (Type: A)
DNS wellpress.net (Type: A)
DNS nosepress.net (Type: A)
DNS wellrest.net (Type: A)
DNS noserest.net (Type: A)
DNS wellopen.net (Type: A)
DNS ringboat.net (Type: A)
DNS favorboat.net (Type: A)
DNS ringpress.net (Type: A)
DNS favorpress.net (Type: A)
DNS ringrest.net (Type: A)
DNS favorrest.net (Type: A)
DNS ringopen.net (Type: A)
DNS favoropen.net (Type: A)
DNS sorrytold.net (Type: A)
DNS fiftytold.net (Type: A)
DNS sorryfind.net (Type: A)
DNS fiftyfind.net (Type: A)
DNS sorrywear.net (Type: A)
DNS fiftywear.net (Type: A)
DNS sorryhurt.net (Type: A)
DNS fiftyhurt.net (Type: A)
DNS theirtold.net (Type: A)
DNS likrtold.net (Type: A)
DNS theirfind.net (Type: A)
DNS likrfind.net (Type: A)
DNS theirwear.net (Type: A)
DNS likrwear.net (Type: A)
DNS theirhurt.net (Type: A)
DNS likrhurt.net (Type: A)
DNS feartold.net (Type: A)
DNS westtold.net (Type: A)
DNS fearfind.net (Type: A)
DNS westfind.net (Type: A)
DNS fearhurt.net (Type: A)
DNS westhurt.net (Type: A)
DNS tabletold.net (Type: A)
HTTP GET http://journeymeasure.net/index.php (User-Agent: empty)
HTTP GET http://simonettedwerryhouse.net/index.php (User-Agent: empty)
HTTP GET http://morningduring.net/index.php (User-Agent: empty)
HTTP GET http://riddenstorm.net/index.php (User-Agent: empty)
HTTP GET http://effortbuilt.net/index.php (User-Agent: empty)
HTTP GET http://thosewhile.net/index.php (User-Agent: empty)
HTTP GET http://fearboat.net/index.php (User-Agent: empty)
HTTP GET http://westboat.net/index.php (User-Agent: empty)
HTTP GET http://westrest.net/index.php (User-Agent: empty)
HTTP GET http://leadpress.net/index.php (User-Agent: empty)
HTTP GET http://noseopen.net/index.php (User-Agent: empty)
HTTP GET http://fearwear.net/index.php (User-Agent: empty)
HTTP GET http://westwear.net/index.php (User-Agent: empty)
HTTP GET http://journeymeasure.net/index.php (User-Agent: empty)
HTTP GET http://simonettedwerryhouse.net/index.php (User-Agent: empty)
HTTP GET http://morningduring.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1036 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1040 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1041 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1042 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1043 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1044 ➝ 213.186.33.104:80
Flows TCP: 192.168.1.1:1045 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1046 ➝ 98.124.199.4:80
Flows TCP: 192.168.1.1:1049 ➝ 176.213.85.132:1604
Flows TCP: 192.168.1.1:1047 ➝ 184.168.221.71:80
Flows TCP: 192.168.1.1:1048 ➝ 184.168.221.16:80
Flows TCP: 192.168.1.1:1049 ➝ 66.96.160.141:80
Flows TCP: 192.168.1.1:1050 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1051 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1052 ➝ 98.139.135.129:80
