Analysis Date: 2015-10-01 18:06:58
MD5: 5d94707530094f8145d5111d0e748483
SHA1: ccbf0114d777b3d251952b6ba013d82a6e866a9f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 3cfc6cf25e72fad8859a5057c2c6fba5  sha1: 5fda5d3885703a1374a9a466e4fc42c6a86d758d  size: 1255424
Section .rdata md5: a2366734b518316342af6f7e35d272c4  sha1: 60a1d58d9779aea568f3869370e4ff8b63e39dd4  size: 326144
Section .data  md5: 54286a1c2c8b039639923968785fc2ef  sha1: 4fd42b1b8ad9ab84836e1badf9fefbf3d506eccd  size: 8192
Section .reloc md5: 9bd09a9b1100f42245922870173ffed8  sha1: ae7c3ecbb94802e187680990162543963a6cd410  size: 161280
Timestamp: 2015-05-11 03:54:53
Packer: VC8 -> Microsoft Corporation
PEhash: 90a1676d1b8cbfb1de90c733ed663f0b4946d578
IMPhash: 578bc548cee3e9c5d7d0d6314f1529d9
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: Trojan.Bayrob.5
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Bayrob.X!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Z
AV Alwil (avast): Dropper-OJQ [Drp]
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): TR/AD.Nivdort.M.26
AV Mcafee: Trojan-FGIJ!5D9470753009

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zrehvj1mbecbqqnqluzhd.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zrehvj1mbecbqqnqluzhd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zrehvj1mbecbqqnqluzhd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Auto-Discovery ActiveX Proxy ➝ C:\WINDOWS\system32\ymnslzmn.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ymnslzmn.exe
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\tst
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\lck
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\ymnslzmn.exe
Creates Service: Software Interactive Fax Policy - C:\WINDOWS\system32\ymnslzmn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 868

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1224

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1880

Process
↳ Pid 1196

Process
↳ C:\WINDOWS\system32\ymnslzmn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\zrehvj1tzfcbq.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\run
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\rng
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\cfg
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\dyhwviaajy.exe
Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\lck
Creates Process: C:\WINDOWS\TEMP\zrehvj1tzfcbq.exe -r 21903 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\ymnslzmn.exe"

Process
↳ C:\WINDOWS\system32\ymnslzmn.exe

Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ymnslzmn.exe"

Creates File: C:\WINDOWS\system32\sqezphhgzjwdid\tst

Process
↳ C:\WINDOWS\TEMP\zrehvj1tzfcbq.exe -r 21903 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: recordsoldier.net (Type: A) ➝ 208.91.197.241
DNS: fliersurprise.net (Type: A) ➝ 208.91.197.241
DNS: historybright.net (Type: A) ➝ 208.91.197.241
DNS: chiefsoldier.net (Type: A) ➝ 208.91.197.241
DNS: classsurprise.net (Type: A) ➝ 208.91.197.241
DNS: thosecontinue.net (Type: A) ➝ 208.91.197.241
DNS: throughcontain.net (Type: A) ➝ 208.91.197.241
DNS: belongguard.net (Type: A) ➝ 208.91.197.241
DNS: maybellinethaddeus.net (Type: A) ➝ 208.91.197.241
DNS: kimberleyshavonne.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: destroystorm.net (Type: A) ➝ 216.239.138.86
DNS: signimportant.net (Type: A) ➝ 95.211.230.75
DNS: looknice.net (Type: A) ➝ 72.52.4.91
DNS: feltelse.net (Type: A) ➝ 195.22.26.252
DNS: feltelse.net (Type: A) ➝ 195.22.26.253
DNS: feltelse.net (Type: A) ➝ 195.22.26.254
DNS: feltelse.net (Type: A) ➝ 195.22.26.231
DNS: knowsleep.net (Type: A) ➝ 208.91.197.27
DNS: husbandfound.net (Type: A)
DNS: leadershort.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: ithouneed.com (Type: A)
DNS: pickfine.net (Type: A)
DNS: songfine.net (Type: A)
DNS: picknice.net (Type: A)
DNS: songnice.net (Type: A)
DNS: pickelse.net (Type: A)
DNS: songelse.net (Type: A)
DNS: pickimportant.net (Type: A)
DNS: songimportant.net (Type: A)
DNS: roomfine.net (Type: A)
DNS: signfine.net (Type: A)
DNS: roomnice.net (Type: A)
DNS: signnice.net (Type: A)
DNS: roomelse.net (Type: A)
DNS: signelse.net (Type: A)
DNS: roomimportant.net (Type: A)
DNS: movefine.net (Type: A)
DNS: jumpfine.net (Type: A)
DNS: movenice.net (Type: A)
DNS: jumpnice.net (Type: A)
DNS: moveelse.net (Type: A)
DNS: jumpelse.net (Type: A)
DNS: moveimportant.net (Type: A)
DNS: jumpimportant.net (Type: A)
DNS: hillfine.net (Type: A)
DNS: whomfine.net (Type: A)
DNS: hillnice.net (Type: A)
DNS: whomnice.net (Type: A)
DNS: hillelse.net (Type: A)
DNS: whomelse.net (Type: A)
DNS: hillimportant.net (Type: A)
DNS: whomimportant.net (Type: A)
DNS: feltfine.net (Type: A)
DNS: lookfine.net (Type: A)
DNS: feltnice.net (Type: A)
DNS: lookelse.net (Type: A)
DNS: feltimportant.net (Type: A)
DNS: lookimportant.net (Type: A)
DNS: threefine.net (Type: A)
DNS: lordfine.net (Type: A)
DNS: threenice.net (Type: A)
DNS: lordnice.net (Type: A)
DNS: threeelse.net (Type: A)
DNS: lordelse.net (Type: A)
DNS: threeimportant.net (Type: A)
DNS: lordimportant.net (Type: A)
DNS: drinkfine.net (Type: A)
DNS: wifefine.net (Type: A)
DNS: drinknice.net (Type: A)
DNS: wifenice.net (Type: A)
DNS: drinkelse.net (Type: A)
DNS: wifeelse.net (Type: A)
DNS: drinkimportant.net (Type: A)
DNS: wifeimportant.net (Type: A)
DNS: ablesleep.net (Type: A)
DNS: knowheight.net (Type: A)
DNS: ableheight.net (Type: A)
DNS: knowheld.net (Type: A)
DNS: ableheld.net (Type: A)
DNS: knowrain.net (Type: A)
DNS: ablerain.net (Type: A)
DNS: picksleep.net (Type: A)
DNS: songsleep.net (Type: A)
DNS: pickheight.net (Type: A)
DNS: songheight.net (Type: A)
DNS: pickheld.net (Type: A)
DNS: songheld.net (Type: A)
DNS: pickrain.net (Type: A)
DNS: songrain.net (Type: A)
DNS: roomsleep.net (Type: A)
DNS: signsleep.net (Type: A)
DNS: roomheight.net (Type: A)
DNS: signheight.net (Type: A)
DNS: roomheld.net (Type: A)
DNS: signheld.net (Type: A)
DNS: roomrain.net (Type: A)
DNS: signrain.net (Type: A)
DNS: movesleep.net (Type: A)
DNS: jumpsleep.net (Type: A)
DNS: moveheight.net (Type: A)
DNS: jumpheight.net (Type: A)
DNS: moveheld.net (Type: A)
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://signimportant.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://looknice.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://feltelse.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://knowsleep.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f926808&lenhdr ; User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1051 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1052 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1053 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1054 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1055 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1062 ➝ 208.91.197.241:80
