Analysis Date | 2015-10-06 10:37:08 |
---|---|
MD5 | 64f7a646a79da1b297354a9ec47a845a |
SHA1 | cff5266e564c942f01d4aa5cce6f7dc4bba5fd54 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 2f6eacb07afedaedf4e5126b6436bd1e sha1: f996df4d5b3f7c92ac1448c134bd771d2f170f92 size: 252928 | |
Section | .rdata md5: 7588ddbf2f86663f4026fcfab6ccd866 sha1: 3723dadd9c32b902e0d31204817cdb477e43b7e4 size: 40448 | |
Section | .data md5: 92db6f61df1dfd3d1bfe44517464d330 sha1: e1408512e3688ab0aac457bf7e09b556a92c3f33 size: 7168 | |
Section | .reloc md5: 056f91090e15a8017bc2a6b03db0375a sha1: d6d7eea79fe3aaee3c69b3d5738e790da33a17f5 size: 16384 | |
Timestamp | 2015-05-21 04:48:35 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | 303c29e2b97a3a56940de18ec1ef35460fa41d9b | |
IMPhash | 3987042cdb859403e65a38356cc09ca4 | |
AV | CA (E-Trust Ino) | no_virus |
AV | Rising | no_virus |
AV | Mcafee | Trojan-FGIJ!64F7A646A79D |
AV | Avira (antivir) | TR/Crypt.ZPACK.83430 |
AV | Twister | no_virus |
AV | Ad-Aware | Gen:Variant.Diley.1 |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | Eset (nod32) | Win32/Bayrob.Y |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Symantec | Downloader.Upatre!g15 |
AV | Fortinet | W32/Babrob.Y!tr |
AV | BitDefender | Gen:Variant.Diley.1 |
AV | K7 | Trojan ( 004c77f41 ) |
AV | Microsoft Security Essentials | Error Scanning File |
AV | MicroWorld (escan) | Gen:Variant.Diley.1 |
AV | MalwareBytes | no_virus |
AV | Authentium | W32/Trojan.FPOZ-8300 |
AV | Frisk (f-prot) | no_virus |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | Emsisoft | Gen:Variant.Diley.1 |
AV | Zillya! | no_virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Trend Micro | no_virus |
AV | CAT (quickheal) | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | Padvish | no_virus |
AV | BullGuard | Gen:Variant.Diley.1 |
AV | Arcabit (arcavir) | Gen:Variant.Diley.1 |
AV | ClamAV | no_virus |
AV | Dr. Web | Trojan.DownLoader16.39594 |
AV | F-Secure | Gen:Variant.Diley.1 |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\gtthfvqozamke\eqvshxywap |
---|---|
Creates File | C:\gtthfvqozamke\u9n1m8cew3smadepaytu.exe |
Creates File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Deletes File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Creates Process | C:\gtthfvqozamke\u9n1m8cew3smadepaytu.exe |
Process
↳ C:\gtthfvqozamke\u9n1m8cew3smadepaytu.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adapter Smart Auto Upgrade Registrar ➝ C:\gtthfvqozamke\mmvfugf.exe |
---|---|
Creates File | C:\gtthfvqozamke\mmvfugf.exe |
Creates File | C:\gtthfvqozamke\eqvshxywap |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Creates File | C:\gtthfvqozamke\hgqgk8ej4 |
Deletes File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Creates Process | C:\gtthfvqozamke\mmvfugf.exe |
Creates Service | Registry Helper Disk Browser Workstation - C:\gtthfvqozamke\mmvfugf.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1868
Process
↳ Pid 1128
Process
↳ C:\gtthfvqozamke\mmvfugf.exe
Creates File | pipe\net\NtControlPipe10 |
---|---|
Creates File | C:\gtthfvqozamke\kubtzjeyi.exe |
Creates File | C:\gtthfvqozamke\eqvshxywap |
Creates File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\gtthfvqozamke\v1bqlksy |
Creates File | C:\gtthfvqozamke\hgqgk8ej4 |
Deletes File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Creates Process | gc1ncwfitnye "c:\gtthfvqozamke\mmvfugf.exe" |
Process
↳ C:\gtthfvqozamke\mmvfugf.exe
Creates File | C:\gtthfvqozamke\eqvshxywap |
---|---|
Creates File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Deletes File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Process
↳ gc1ncwfitnye "c:\gtthfvqozamke\mmvfugf.exe"
Creates File | C:\gtthfvqozamke\eqvshxywap |
---|---|
Creates File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Deletes File | C:\WINDOWS\gtthfvqozamke\eqvshxywap |
Network Details:
DNS | streetshoulder.net Type: A 95.211.230.75 |
---|---|
DNS | gatherabove.net Type: A 72.52.4.90 |
DNS | melbourneit.hotkeysparking.com Type: A 8.5.1.16 |
DNS | breadabove.net Type: A 195.22.26.253 |
DNS | breadabove.net Type: A 195.22.26.254 |
DNS | breadabove.net Type: A 195.22.26.231 |
DNS | breadabove.net Type: A 195.22.26.252 |
DNS | chiefshore.net Type: A 162.255.119.250 |
DNS | chiefwritten.net Type: A 98.139.135.129 |
DNS | collegewritten.net Type: A 162.255.119.250 |
DNS | collegedollar.net Type: A 162.255.119.250 |
DNS | chiefrealize.net Type: A 72.52.4.90 |
DNS | alonedollar.net Type: A 208.100.26.234 |
DNS | morningdollar.net Type: A 50.63.202.48 |
DNS | captainuntil.net Type: A |
DNS | largeabove.net Type: A |
DNS | captainabove.net Type: A |
DNS | largeshoulder.net Type: A |
DNS | captainshoulder.net Type: A |
DNS | largefinger.net Type: A |
DNS | captainfinger.net Type: A |
DNS | recorduntil.net Type: A |
DNS | electricuntil.net Type: A |
DNS | recordabove.net Type: A |
DNS | electricabove.net Type: A |
DNS | recordshoulder.net Type: A |
DNS | electricshoulder.net Type: A |
DNS | recordfinger.net Type: A |
DNS | electricfinger.net Type: A |
DNS | streetuntil.net Type: A |
DNS | tradeuntil.net Type: A |
DNS | streetabove.net Type: A |
DNS | tradeabove.net Type: A |
DNS | tradeshoulder.net Type: A |
DNS | streetfinger.net Type: A |
DNS | tradefinger.net Type: A |
DNS | betteruntil.net Type: A |
DNS | gatheruntil.net Type: A |
DNS | betterabove.net Type: A |
DNS | bettershoulder.net Type: A |
DNS | gathershoulder.net Type: A |
DNS | betterfinger.net Type: A |
DNS | gatherfinger.net Type: A |
DNS | flieruntil.net Type: A |
DNS | breaduntil.net Type: A |
DNS | flierabove.net Type: A |
DNS | fliershoulder.net Type: A |
DNS | breadshoulder.net Type: A |
DNS | flierfinger.net Type: A |
DNS | breadfinger.net Type: A |
DNS | quietuntil.net Type: A |
DNS | seasonuntil.net Type: A |
DNS | quietabove.net Type: A |
DNS | seasonabove.net Type: A |
DNS | quietshoulder.net Type: A |
DNS | seasonshoulder.net Type: A |
DNS | quietfinger.net Type: A |
DNS | seasonfinger.net Type: A |
DNS | thinkshore.net Type: A |
DNS | presentshore.net Type: A |
DNS | thinkwritten.net Type: A |
DNS | presentwritten.net Type: A |
DNS | thinkdollar.net Type: A |
DNS | presentdollar.net Type: A |
DNS | thinkrealize.net Type: A |
DNS | presentrealize.net Type: A |
DNS | collegeshore.net Type: A |
DNS | chiefdollar.net Type: A |
DNS | collegerealize.net Type: A |
DNS | oftenshore.net Type: A |
DNS | aloneshore.net Type: A |
DNS | oftenwritten.net Type: A |
DNS | alonewritten.net Type: A |
DNS | oftendollar.net Type: A |
DNS | oftenrealize.net Type: A |
DNS | alonerealize.net Type: A |
DNS | middleshore.net Type: A |
DNS | twelveshore.net Type: A |
DNS | middlewritten.net Type: A |
DNS | twelvewritten.net Type: A |
DNS | middledollar.net Type: A |
DNS | twelvedollar.net Type: A |
DNS | middlerealize.net Type: A |
DNS | twelverealize.net Type: A |
DNS | rathershore.net Type: A |
DNS | morningshore.net Type: A |
DNS | ratherwritten.net Type: A |
DNS | morningwritten.net Type: A |
DNS | ratherdollar.net Type: A |
HTTP GET | http://streetshoulder.net/index.php User-Agent: |
HTTP GET | http://gatherabove.net/index.php User-Agent: |
HTTP GET | http://gatherfinger.net/index.php User-Agent: |
HTTP GET | http://breadabove.net/index.php User-Agent: |
HTTP GET | http://chiefshore.net/index.php User-Agent: |
HTTP GET | http://chiefwritten.net/index.php User-Agent: |
HTTP GET | http://collegewritten.net/index.php User-Agent: |
HTTP GET | http://collegedollar.net/index.php User-Agent: |
HTTP GET | http://chiefrealize.net/index.php User-Agent: |
HTTP GET | http://alonedollar.net/index.php User-Agent: |
HTTP GET | http://morningdollar.net/index.php User-Agent: |
Flows TCP | 192.168.1.1:1031 ➝ 95.211.230.75:80 |
Flows TCP | 192.168.1.1:1032 ➝ 72.52.4.90:80 |
Flows TCP | 192.168.1.1:1033 ➝ 8.5.1.16:80 |
Flows TCP | 192.168.1.1:1034 ➝ 195.22.26.253:80 |
Flows TCP | 192.168.1.1:1035 ➝ 162.255.119.250:80 |
Flows TCP | 192.168.1.1:1036 ➝ 98.139.135.129:80 |
Flows TCP | 192.168.1.1:1037 ➝ 162.255.119.250:80 |
Flows TCP | 192.168.1.1:1038 ➝ 162.255.119.250:80 |
Flows TCP | 192.168.1.1:1039 ➝ 72.52.4.90:80 |
Flows TCP | 192.168.1.1:1040 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1041 ➝ 50.63.202.48:80 |