Analysis Date: 2015-08-15 13:57:04
MD5: 9b5579401f260f99be2d812f24ed8ef8
SHA1: ccfaf3d73a216177a951aa312c9af2acf5932b0b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3e12dc4ffeaa6a5af29df51e1328e2be  sha1: 270bdca1bd798eb2449d4d4263a97ae24dde5353  size: 278016
Section .rdata  md5: c98b660fda358e633c0cc0faf499012d  sha1: c174e87ef4b30e7b3dc3690ea911500c13949c69  size: 42496
Section .data   md5: 5315364d7ccf4623c8a01a180ea567fe  sha1: 53f62e425444651838b2abc2bbdb7e07e564f3a2  size: 7168
Section .reloc  md5: 406a628297fe26b25212e16e897531da  sha1: f4facf84cba09fd27517ddcba3eb042cc522e5c1  size: 21504
Timestamp: 2015-05-21 03:43:09
Packer: Microsoft Visual C++ ?.?
PEhash: 5064b855f385c3e517693b69e734bf2b0ec2bab6
IMPhash: 2b9f507397e7c0a248c2302d856fbefb
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV VirusBlokAda (vba32): no_virus
AV MalwareBytes: Trojan.Agent.KVTGen
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Emsisoft: Gen:Variant.Diley.1
AV Kaspersky: Trojan.Win32.Scar.kahx
AV CAT (quickheal): TrojanSpy.Nivdort.J4
AV ClamAV: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Babrob.Y!tr
AV BullGuard: Gen:Variant.Diley.1
AV Mcafee: Trojan-FGIJ!9B5579401F26
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Zillya!: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Padvish: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Authentium: W32/Scar.V.gen!Eldorado
AV Symantec: Downloader.Upatre!g15
AV BitDefender: Gen:Variant.Diley.1
AV Grisoft (avg): Win32/Cryptor
AV K7: Trojan ( 004c77f41 )
AV Eset (nod32): Win32/Bayrob.Y
AV Avira (antivir): TR/Crypt.ZPACK.135297
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AH

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\dohylyj\y1d1laigybcosjqer.exe
Creates File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates File: C:\dohylyj\g1be1mthjzc
Deletes File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates Process: C:\dohylyj\y1d1laigybcosjqer.exe

Process
↳ C:\dohylyj\y1d1laigybcosjqer.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Policy Controls ➝ C:\dohylyj\jnhdmfxlxw.exe
Creates File: C:\dohylyj\eq2knjtsfgru
Creates File: C:\dohylyj\jnhdmfxlxw.exe
Creates File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates File: PIPE\lsarpc
Creates File: C:\dohylyj\g1be1mthjzc
Deletes File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates Process: C:\dohylyj\jnhdmfxlxw.exe
Creates Service: Networking Keying Interface Initiator Spooler - C:\dohylyj\jnhdmfxlxw.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1128

Process
↳ C:\dohylyj\jnhdmfxlxw.exe

Creates File: C:\dohylyj\eq2knjtsfgru
Creates File: pipe\net\NtControlPipe10
Creates File: C:\dohylyj\qwxubempetw.exe
Creates File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates File: C:\dohylyj\g1be1mthjzc
Creates File: \Device\Afd\Endpoint
Creates File: C:\dohylyj\b0gcbh
Deletes File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates Process: lb795awmyvhb "c:\dohylyj\jnhdmfxlxw.exe"

Process
↳ C:\dohylyj\jnhdmfxlxw.exe

Creates File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates File: C:\dohylyj\g1be1mthjzc
Deletes File: C:\WINDOWS\dohylyj\g1be1mthjzc

Process
↳ lb795awmyvhb "c:\dohylyj\jnhdmfxlxw.exe"

Creates File: C:\WINDOWS\dohylyj\g1be1mthjzc
Creates File: C:\dohylyj\g1be1mthjzc
Deletes File: C:\WINDOWS\dohylyj\g1be1mthjzc
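The runtime trace above shows the install chain: the dropper writes a randomly named copy under a fresh root-level directory (C:\dohylyj), registers it twice for persistence, as a Run-key value with a plausible name ("Resolution Policy Controls") and as a service ("Networking Keying Interface Initiator Spooler"), and relaunches it with a command line whose first token (lb795awmyvhb) is not the image being executed. The Python below is an added detection example, not sandbox output and not code from the sample: it runs those three checks over constructed event records modelled on the trace. The record layout, the benign comparison records and the trusted-directory list are assumptions to be tuned for a real estate.

```python
import re

# Constructed event records modelled on the runtime trace in this report; they are
# not sandbox output. The field layout is an assumption (Sysmon-like, simplified).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Policy Controls",
     "value": r"C:\dohylyj\jnhdmfxlxw.exe",
     "image": r"C:\dohylyj\y1d1laigybcosjqer.exe"},
    {"type": "service_install",
     "name": "Networking Keying Interface Initiator Spooler",
     "path": r"C:\dohylyj\jnhdmfxlxw.exe"},
    {"type": "process_create",
     "image": r"C:\dohylyj\jnhdmfxlxw.exe",
     "cmdline": r'lb795awmyvhb "c:\dohylyj\jnhdmfxlxw.exe"'},
    # Benign comparison records (constructed, not from the report).
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r'"C:\Program Files\Windows Defender\MSASCuiL.exe" /background',
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "service_install",
     "name": "Print Spooler",
     "path": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\a\notes.txt'},
]

# Directories from which an auto-start binary is expected (assumed list; tune it).
# Anything else, such as a new root-level directory like C:\dohylyj, is suspicious
# as a Run-key or service target.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Writable locations inside a trusted root that must not inherit its trust.
UNTRUSTED_SUBDIRS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))')

def first_token(cmdline: str) -> str:
    """argv[0] of a Windows command line: the quoted string or the first bare token."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_untrusted_path(path: str) -> bool:
    p = path.lower()
    if p.startswith(UNTRUSTED_SUBDIRS):
        return True
    return not p.startswith(TRUSTED_ROOTS)

def detect_persistence(events):
    """Return (rule, subject, detail) findings for the three behaviours in the trace."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_KEY.search(ev["key"]):
            target = first_token(ev["value"])  # value may carry arguments
            if is_untrusted_path(target):
                findings.append(("run_key_untrusted_exe", ev["key"], target))
        elif kind == "service_install":
            target = first_token(ev["path"])
            if is_untrusted_path(target):
                findings.append(("service_untrusted_exe", ev["name"], target))
        elif kind == "process_create":
            # Weak signal on its own: argv[0] that is not the image being run,
            # as in the report's 'lb795awmyvhb "c:\dohylyj\jnhdmfxlxw.exe"'.
            argv0 = first_token(ev["cmdline"])
            if basename(argv0) != basename(ev["image"]):
                findings.append(("argv0_mismatch", ev["image"], argv0))
    return findings

if __name__ == "__main__":
    for rule, subject, detail in detect_persistence(SAMPLE_EVENTS):
        print(f"{rule:24} {subject} -> {detail}")
```

The Run-key and service checks carry the weight; the argv[0] mismatch fires on some legitimate launchers too and is best used to raise the score of a host that already tripped one of the other two.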

Network Details:

DNS (A): rightcharge.net ➝ 95.211.230.75
DNS (A): englishhowever.net
DNS (A): expectsingle.net
DNS (A): becausesingle.net
DNS (A): expectcharge.net
DNS (A): becausecharge.net
DNS (A): expectdifference.net
DNS (A): becausedifference.net
DNS (A): expectevery.net
DNS (A): becauseevery.net
DNS (A): personsingle.net
DNS (A): machinesingle.net
DNS (A): personcharge.net
DNS (A): machinecharge.net
DNS (A): persondifference.net
DNS (A): machinedifference.net
DNS (A): personevery.net
DNS (A): machineevery.net
DNS (A): suddensingle.net
DNS (A): foreignsingle.net
DNS (A): suddencharge.net
DNS (A): foreigncharge.net
DNS (A): suddendifference.net
DNS (A): foreigndifference.net
DNS (A): suddenevery.net
DNS (A): foreignevery.net
DNS (A): whethersingle.net
DNS (A): rightsingle.net
DNS (A): whethercharge.net
DNS (A): whetherdifference.net
DNS (A): rightdifference.net
DNS (A): whetherevery.net
DNS (A): rightevery.net
DNS (A): figuresingle.net
DNS (A): thoughsingle.net
DNS (A): figurecharge.net
DNS (A): thoughcharge.net
DNS (A): figuredifference.net
DNS (A): thoughdifference.net
DNS (A): figureevery.net
DNS (A): thoughevery.net
DNS (A): picturesingle.net
DNS (A): cigarettesingle.net
DNS (A): picturecharge.net
DNS (A): cigarettecharge.net
DNS (A): picturedifference.net
DNS (A): cigarettedifference.net
DNS (A): pictureevery.net
DNS (A): cigaretteevery.net
DNS (A): childrensingle.net
DNS (A): familysingle.net
DNS (A): childrencharge.net
DNS (A): familycharge.net
DNS (A): childrendifference.net
DNS (A): familydifference.net
DNS (A): childrenevery.net
DNS (A): familyevery.net
DNS (A): eithersingle.net
DNS (A): englishsingle.net
DNS (A): eithercharge.net
DNS (A): englishcharge.net
DNS (A): eitherdifference.net
DNS (A): englishdifference.net
DNS (A): eitherevery.net
DNS (A): englishevery.net
DNS (A): freshshould.net
DNS (A): experienceshould.net
DNS (A): freshshort.net
DNS (A): experienceshort.net
DNS (A): freshopinion.net
DNS (A): experienceopinion.net
DNS (A): freshpromise.net
DNS (A): experiencepromise.net
DNS (A): gentlemanshould.net
DNS (A): alreadyshould.net
DNS (A): gentlemanshort.net
DNS (A): alreadyshort.net
DNS (A): gentlemanopinion.net
DNS (A): alreadyopinion.net
DNS (A): gentlemanpromise.net
DNS (A): alreadypromise.net
DNS (A): followshould.net
DNS (A): membershould.net
DNS (A): followshort.net
DNS (A): membershort.net
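The 86 A lookups above are all of the form <word><word>.net built from a small vocabulary (expect/because, person/machine, sudden/foreign, ... paired with single/charge/difference/every, then fresh/experience, gentleman/already, follow/member paired with should/short/opinion/promise), and only rightcharge.net resolved. That is the footprint of a dictionary-based DGA, and the word pattern is a far more durable hunting handle than the individual names, which rotate. The Python below is an added example, not part of this report: it segments each queried name into two words from a vocabulary hand-derived from the names above (an analyst's approximation, not the sample's real dictionary, which is larger) and flags a client whose distinct two-label names are mostly such pairs. The DNS log lines are constructed; the report records only the names and the single resolved address, so the response codes and the second client are assumptions.

```python
import re
from collections import defaultdict

# Vocabulary hand-derived from the 86 names in this report. This is an analyst's
# approximation of the generator's dictionary, not the dictionary itself.
FIRST_WORDS = {
    "right", "english", "expect", "because", "person", "machine", "sudden",
    "foreign", "whether", "figure", "though", "picture", "cigarette", "children",
    "family", "either", "fresh", "experience", "gentleman", "already", "follow",
    "member",
}
SECOND_WORDS = {
    "charge", "however", "single", "difference", "every", "should", "short",
    "opinion", "promise",
}

# Constructed DNS log sample: "<date> <time> <client> <qtype> <qname> <rcode>".
# The names for 192.168.1.1 are taken from the report; the rcodes and the second
# client are assumptions made for this example.
SAMPLE_LOG = """\
2015-08-15 13:57:10 192.168.1.1 A rightcharge.net NOERROR
2015-08-15 13:57:10 192.168.1.1 A englishhowever.net NXDOMAIN
2015-08-15 13:57:11 192.168.1.1 A expectsingle.net NXDOMAIN
2015-08-15 13:57:11 192.168.1.1 A becausesingle.net NXDOMAIN
2015-08-15 13:57:11 192.168.1.1 A expectcharge.net NXDOMAIN
2015-08-15 13:57:12 192.168.1.1 A becausecharge.net NXDOMAIN
2015-08-15 13:57:12 192.168.1.1 A personsingle.net NXDOMAIN
2015-08-15 13:57:12 192.168.1.1 A machinesingle.net NXDOMAIN
2015-08-15 13:57:13 192.168.1.1 A freshshould.net NXDOMAIN
2015-08-15 13:57:13 192.168.1.1 A gentlemanopinion.net NXDOMAIN
2015-08-15 13:57:10 192.168.1.20 A www.microsoft.com NOERROR
2015-08-15 13:57:11 192.168.1.20 A time.windows.com NOERROR
2015-08-15 13:57:12 192.168.1.20 A example.net NOERROR
2015-08-15 13:57:13 192.168.1.20 A github.com NOERROR
"""

_LOG = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")

def segment_two_words(label, first=FIRST_WORDS, second=SECOND_WORDS):
    """Split a DNS label into (w1, w2) with w1 in `first` and w2 in `second`, else None."""
    for i in range(1, len(label)):
        w1, w2 = label[:i], label[i:]
        if w1 in first and w2 in second:
            return (w1, w2)
    return None

def flag_dictionary_dga(log, min_names=8, min_ratio=0.8):
    """Per client: distinct two-label names, how many are dictionary pairs,
    NXDOMAIN count over those names, and a verdict on the ratio."""
    stats = defaultdict(lambda: {"distinct": set(), "matches": set(), "nxdomain": 0})
    for line in log.splitlines():
        m = _LOG.match(line.strip())
        if not m:
            continue
        _, client, qtype, qname, rcode = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        if qtype != "A" or len(labels) != 2:
            continue  # the sample only queries bare second-level names
        s = stats[client]
        s["distinct"].add(qname)
        if segment_two_words(labels[0]):
            s["matches"].add(qname)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    out = {}
    for client, s in stats.items():
        n, k = len(s["distinct"]), len(s["matches"])
        out[client] = {
            "distinct": n, "dictionary_matches": k, "nxdomain": s["nxdomain"],
            "flagged": n >= min_names and k / n >= min_ratio,
        }
    return out

if __name__ == "__main__":
    for client, r in flag_dictionary_dga(SAMPLE_LOG).items():
        print(client, r)
```

The thresholds are deliberately conservative: a single dictionary-looking name (examples like "rightcharge" are plausible brand names) proves nothing, but a client burning through many of them in seconds with almost all NXDOMAIN is the shape of the trace above.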
HTTP GET: http://rightcharge.net/index.php
User-Agent: (none; the raw request below carries no User-Agent header at all)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 63686172 67652e6e 65740d0a   ightcharge.net..
0x00000050 (00080)   0d0a                                  ..
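The beacon in the capture above is a bare HTTP/1.0 GET carrying only Accept, Connection and Host, with no User-Agent at all, which browsers and WinINet/WinHTTP clients normally send. That header shape is a usable network signature that survives the DGA rotating to new domains. The Python below is an added example and not part of this report: it decodes the sandbox hex dump back into bytes, parses the request and applies the header-shape check. The embedded dump is copied from the report; the benign comparison request used in the check is constructed.

```python
import re
from dataclasses import dataclass

# Hex dump copied from the "Raw Pcap" section of this report (first TCP payload
# of the 192.168.1.1:1031 -> 95.211.230.75:80 flow).
RAW_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 63686172 67652e6e 65740d0a   ightcharge.net..
0x00000050 (00080)   0d0a                                  ..
"""

_HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
BYTES_PER_LINE = 16

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from an offset / hex-groups / ASCII dump.

    Hex groups are consumed until 16 bytes have been read or a token that is not
    pure hex appears (the start of the ASCII column). On a partial last line an
    ASCII column that happens to look like hex could be misread; the offset check
    on the next line catches any drift on full lines.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(f"dump not contiguous at offset {offset:#x}")
        taken = 0
        for tok in tokens[2:]:
            if taken >= BYTES_PER_LINE or not _HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
            taken += len(tok) // 2
    return bytes(out)

@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: list  # [(name, value)] in wire order; the order is part of the fingerprint

def parse_http_request(raw: bytes) -> HttpRequest:
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for hl in lines[1:]:
        name, _, value = hl.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers)

def beacon_indicators(req: HttpRequest) -> dict:
    names = [n.lower() for n, _ in req.headers]
    return {
        "http_1_0": req.version == "HTTP/1.0",
        "no_user_agent": "user-agent" not in names,
        "header_order": tuple(names),
        "host": dict((n.lower(), v) for n, v in req.headers).get("host"),
    }

def matches_report_request_shape(req: HttpRequest) -> bool:
    """Exact shape seen in this capture: HTTP/1.0, Accept/Connection/Host only, no UA."""
    ind = beacon_indicators(req)
    return (ind["http_1_0"] and ind["no_user_agent"]
            and ind["header_order"] == ("accept", "connection", "host"))

if __name__ == "__main__":
    req = parse_http_request(dump_to_bytes(RAW_DUMP))
    print(req.method, req.target, req.version)
    print(beacon_indicators(req), matches_report_request_shape(req))
```

Matching on header order and absence of User-Agent rather than on the Host value is the point: the Host will be whichever dictionary domain resolves that day, while the request builder in the binary does not change.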


Strings