Analysis Date: 2016-01-28 20:00:01
MD5: 9cfbd172066cc995714c390c4deb691d
SHA1: cd8cd978f533a35c63193efd0278480f9aa23eba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9b579129f1dc02ce6568bc3362e2c3ec sha1: 45b5cedaf1bc47577578689fae1938f79506189b size: 257536
Section .rdata: md5: 1dedad7df3beb1b50e6fa1d8c12397c6 sha1: 04ce94d11d8fc82ed29adcd317bc58c143be5256 size: 40448
Section .data: md5: 3323cb02ec318ff556c3fdaf6412821a sha1: 92505b5ad8e76b9e22e69236e15bb212e96c47e7 size: 7168
Section .reloc: md5: 8b2b3b0cae60a7557e780a6693a194fc sha1: 6a9cdc3de8bc8550bee1e6577ad35fa296e46ec2 size: 17408
Timestamp: 2015-05-21 04:10:58
Packer: Microsoft Visual C++ ?.?
PEhash: 8e6ff95ef4b95db43d2044b6cfae9a022f63cefa
IMPhash: 2d0449388d6ad53a52816e7abe519d42
AV Rising: No Virus
AV Mcafee: Trojan-FGIJ!9CFBD172066C
AV Avira (antivir): TR/Crypt.Xpack.431419
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.Y
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CP
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV Authentium: W32/Scar.V.gen!Eldorado
AV Emsisoft: Gen:Variant.Diley.1
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.OL4
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Diley.1
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\mhezczaopzfuqcv\xlcq1knxdmhjhu4kbgi.exe
Creates File: C:\mhezczaopzfuqcv\tmhuq1
Creates File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Deletes File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Creates Process: C:\mhezczaopzfuqcv\xlcq1knxdmhjhu4kbgi.exe

Process
↳ C:\mhezczaopzfuqcv\xlcq1knxdmhjhu4kbgi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Internet TP CNG Connectivity ➝ C:\mhezczaopzfuqcv\bmpzrfrwbax.exe
Creates File: C:\mhezczaopzfuqcv\bmpzrfrwbax.exe
Creates File: C:\mhezczaopzfuqcv\mxbi7zy9ul
Creates File: PIPE\lsarpc
Creates File: C:\mhezczaopzfuqcv\tmhuq1
Creates File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Deletes File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Creates Process: C:\mhezczaopzfuqcv\bmpzrfrwbax.exe
Creates Service: Reports Search Tools Event UserMode - C:\mhezczaopzfuqcv\bmpzrfrwbax.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1168

Process
↳ C:\mhezczaopzfuqcv\bmpzrfrwbax.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\mhezczaopzfuqcv\zsogpchvlz
Creates File: C:\mhezczaopzfuqcv\mxbi7zy9ul
Creates File: C:\mhezczaopzfuqcv\dvfnxbzxdduu.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\mhezczaopzfuqcv\tmhuq1
Creates File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Deletes File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Creates Process: ldfv0jlkgeyr "c:\mhezczaopzfuqcv\bmpzrfrwbax.exe"

Process
↳ C:\mhezczaopzfuqcv\bmpzrfrwbax.exe

Creates File: C:\mhezczaopzfuqcv\tmhuq1
Creates File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Deletes File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1

Process
↳ ldfv0jlkgeyr "c:\mhezczaopzfuqcv\bmpzrfrwbax.exe"

Creates File: C:\mhezczaopzfuqcv\tmhuq1
Creates File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1
Deletes File: C:\WINDOWS\mhezczaopzfuqcv\tmhuq1

Network Details:

HTTP GET: http://mightplease.net/index.php, User-Agent: (empty)
HTTP GET: http://prettysoldier.net/index.php, User-Agent: (empty)
HTTP GET: http://prettyplease.net/index.php, User-Agent: (empty)
HTTP GET: http://brokennation.net/index.php, User-Agent: (empty)
HTTP GET: http://resultnation.net/index.php, User-Agent: (empty)
HTTP GET: http://brokensoldier.net/index.php, User-Agent: (empty)
HTTP GET: http://buildingpower.net/index.php, User-Agent: (empty)
HTTP GET: http://prettypower.net/index.php, User-Agent: (empty)
HTTP GET: http://doublefamous.net/index.php, User-Agent: (empty)
HTTP GET: http://fellowpower.net/index.php, User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.52:80
Flows TCP: 192.168.1.1:1033 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1036 ➝ 173.236.158.114:80
Flows TCP: 192.168.1.1:1037 ➝ 188.40.84.184:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.23:80
Flows TCP: 192.168.1.1:1039 ➝ 210.157.1.134:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
