Analysis Date: 2015-07-29 03:30:56
MD5: 8826bd7c58d2f526db104e0bb17f9efb
SHA1: c78a0bd0adee169d65670bde762ad97d6d2bdf3a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 46c9f2496597deb65322e111f664ca62 sha1: aa9e4ad5f6f38e1f5ec9c758f69b5ad6ed18a9e9 size: 648192
Section .rdata: md5: edefd1ed2442bb63d14ef68fea855e38 sha1: 19bae4f87c3ee25c463f29c6f1f335a30025fd2d size: 89088
Section .data: md5: bba5ab128bafa5c867077b048eaa96d3 sha1: 5b619ed2882f693cffa3bfa323c2413a56353c1c size: 7168
Section .reloc: md5: 78f133a8bcfdc047443f38b6a1ac41af sha1: f2bb61922e6cf3dce069e2cdd1dd7df82b91ddf4 size: 67584
Timestamp: 2015-05-08 06:58:24
Packer: Microsoft Visual C++ 8
PEhash: 45d6acc15a2b502b738f76e5a1e6159bef6c3c2d
IMPhash: 1239f09cb8092b206ace063ba2571b0c
AV Emsisoft: Gen:Variant.Kazy.609540
AV MicroWorld (escan): Gen:Variant.Kazy.609540
AV Avira (antivir): TR/Kryptik.qgmpd
AV Ikarus: Trojan.Win32.Bayrob
AV CA (E-Trust Ino): no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV BitDefender: Gen:Variant.Kazy.609540
AV Twister: Trojan.Scar.jnye.rtdy
AV Rising: Trojan.Win32.Bayrod.a
AV Trend Micro: TROJ_BAYROB.SM0
AV VirusBlokAda (vba32): no_virus
AV F-Secure: Gen:Variant.Kazy.609540
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Generic.AC.215362
AV MalwareBytes: Trojan.Agent.KVTGen
AV K7: Trojan ( 004c77f41 )
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Kazy.609540
AV Mcafee: Trojan-FGIJ!8826BD7C58D2
AV Dr. Web: Trojan.Bayrob.1
AV Padvish: no_virus
AV Frisk (f-prot): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV BullGuard: Gen:Variant.Kazy.609540
AV Arcabit (arcavir): Gen:Variant.Kazy.609540
AV Kaspersky: Trojan.Win32.Scar.jnye
AV ClamAV: no_virus
AV Eset (nod32): Win32/Bayrob.T
AV Symantec: Downloader.Upatre!g15
AV Zillya!: Trojan.Scar.Win32.89179
AV Authentium: W32/Scar.R2.gen!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates File: C:\evrsayw\hxn1mk2v8qikwicdyu.exe
Creates File: C:\evrsayw\efi8pxvfsptk
Deletes File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates Process: C:\evrsayw\hxn1mk2v8qikwicdyu.exe

Process
↳ C:\evrsayw\hxn1mk2v8qikwicdyu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AuthIP KtmRm User-mode Sharing Registry TPM ➝ C:\evrsayw\qanbqywmmlw.exe
Creates File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates File: C:\evrsayw\qanbqywmmlw.exe
Creates File: PIPE\lsarpc
Creates File: C:\evrsayw\bdeasimq
Creates File: C:\evrsayw\efi8pxvfsptk
Deletes File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates Process: C:\evrsayw\qanbqywmmlw.exe
Creates Service: Connections Builder Block Thread Access - C:\evrsayw\qanbqywmmlw.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ C:\evrsayw\qanbqywmmlw.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\evrsayw\fcgndttd.exe
Creates File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates File: C:\evrsayw\lyrjgxhcdoh
Creates File: \Device\Afd\Endpoint
Creates File: C:\evrsayw\bdeasimq
Creates File: C:\evrsayw\efi8pxvfsptk
Deletes File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates Process: armrrnrryhrt "c:\evrsayw\qanbqywmmlw.exe"

Process
↳ C:\evrsayw\qanbqywmmlw.exe

Creates File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates File: C:\evrsayw\efi8pxvfsptk
Deletes File: C:\WINDOWS\evrsayw\efi8pxvfsptk

Process
↳ armrrnrryhrt "c:\evrsayw\qanbqywmmlw.exe"

Creates File: C:\WINDOWS\evrsayw\efi8pxvfsptk
Creates File: C:\evrsayw\efi8pxvfsptk
Deletes File: C:\WINDOWS\evrsayw\efi8pxvfsptk

Network Details:

DNS: follownothing.net (Type: A) ➝ 95.211.230.75
DNS: knownstream.net (Type: A) ➝ 74.208.56.10
DNS: summerstream.net (Type: A) ➝ 66.96.132.53
DNS: crowdstream.net (Type: A) ➝ 184.168.221.61
DNS: crowdnothing.net (Type: A) ➝ 208.91.197.241
DNS: thoughtstream.net (Type: A) ➝ 50.63.202.54
DNS: waterstream.net (Type: A) ➝ 91.198.165.243
DNS: waterbottle.net (Type: A) ➝ 209.15.13.134
DNS: fightstream.net (Type: A) ➝ 184.168.221.32
DNS: partybottle.net (Type: A) ➝ 91.215.216.53
DNS: freshbusiness.net (Type: A) ➝ 72.52.4.120
DNS: experiencebusiness.net (Type: A) ➝ 188.40.135.139
HTTP GET: http://follownothing.net/index.php (User-Agent: none)
HTTP GET: http://knownstream.net/index.php (User-Agent: none)
HTTP GET: http://summerstream.net/index.php (User-Agent: none)
HTTP GET: http://crowdstream.net/index.php (User-Agent: none)
HTTP GET: http://crowdnothing.net/index.php (User-Agent: none)
HTTP GET: http://thoughtstream.net/index.php (User-Agent: none)
HTTP GET: http://waterstream.net/index.php (User-Agent: none)
HTTP GET: http://waterbottle.net/index.php (User-Agent: none)
HTTP GET: http://fightstream.net/index.php (User-Agent: none)
HTTP GET: http://partybottle.net/index.php (User-Agent: none)
HTTP GET: http://freshbusiness.net/index.php (User-Agent: none)
HTTP GET: http://experiencebusiness.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 74.208.56.10:80
Flows TCP: 192.168.1.1:1033 ➝ 66.96.132.53:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.61:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.54:80
Flows TCP: 192.168.1.1:1037 ➝ 91.198.165.243:80
Flows TCP: 192.168.1.1:1038 ➝ 209.15.13.134:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.32:80
Flows TCP: 192.168.1.1:1040 ➝ 91.215.216.53:80
Flows TCP: 192.168.1.1:1041 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1042 ➝ 188.40.135.139:80

Raw Pcap

Strings