Analysis | #totalhash

Analysis Date	2015-10-06 10:37:08
MD5	64f7a646a79da1b297354a9ec47a845a
SHA1	cff5266e564c942f01d4aa5cce6f7dc4bba5fd54

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 2f6eacb07afedaedf4e5126b6436bd1e sha1: f996df4d5b3f7c92ac1448c134bd771d2f170f92 size: 252928
Section	.rdata md5: 7588ddbf2f86663f4026fcfab6ccd866 sha1: 3723dadd9c32b902e0d31204817cdb477e43b7e4 size: 40448
Section	.data md5: 92db6f61df1dfd3d1bfe44517464d330 sha1: e1408512e3688ab0aac457bf7e09b556a92c3f33 size: 7168
Section	.reloc md5: 056f91090e15a8017bc2a6b03db0375a sha1: d6d7eea79fe3aaee3c69b3d5738e790da33a17f5 size: 16384
Timestamp	2015-05-21 04:48:35
Packer	Microsoft Visual C++ ?.?
PEhash	303c29e2b97a3a56940de18ec1ef35460fa41d9b
IMPhash	3987042cdb859403e65a38356cc09ca4
AV	CA (E-Trust Ino)	no_virus
AV	Rising	no_virus
AV	Mcafee	Trojan-FGIJ!64F7A646A79D
AV	Avira (antivir)	TR/Crypt.ZPACK.83430
AV	Twister	no_virus
AV	Ad-Aware	Gen:Variant.Diley.1
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Eset (nod32)	Win32/Bayrob.Y
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Babrob.Y!tr
AV	BitDefender	Gen:Variant.Diley.1
AV	K7	Trojan ( 004c77f41 )
AV	Microsoft Security Essentials	Error Scanning File
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	MalwareBytes	no_virus
AV	Authentium	W32/Trojan.FPOZ-8300
AV	Frisk (f-prot)	no_virus
AV	Ikarus	Trojan.Win32.Bayrob
AV	Emsisoft	Gen:Variant.Diley.1
AV	Zillya!	no_virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	no_virus
AV	CAT (quickheal)	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	Padvish	no_virus
AV	BullGuard	Gen:Variant.Diley.1
AV	Arcabit (arcavir)	Gen:Variant.Diley.1
AV	ClamAV	no_virus
AV	Dr. Web	Trojan.DownLoader16.39594
AV	F-Secure	Gen:Variant.Diley.1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\gtthfvqozamke\eqvshxywap
Creates File	C:\gtthfvqozamke\u9n1m8cew3smadepaytu.exe
Creates File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Deletes File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Creates Process	C:\gtthfvqozamke\u9n1m8cew3smadepaytu.exe

Process
↳ C:\gtthfvqozamke\u9n1m8cew3smadepaytu.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adapter Smart Auto Upgrade Registrar ➝ C:\gtthfvqozamke\mmvfugf.exe
Creates File	C:\gtthfvqozamke\mmvfugf.exe
Creates File	C:\gtthfvqozamke\eqvshxywap
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Creates File	C:\gtthfvqozamke\hgqgk8ej4
Deletes File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Creates Process	C:\gtthfvqozamke\mmvfugf.exe
Creates Service	Registry Helper Disk Browser Workstation - C:\gtthfvqozamke\mmvfugf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1128

Process
↳ C:\gtthfvqozamke\mmvfugf.exe

Creates File	pipe\net\NtControlPipe10
Creates File	C:\gtthfvqozamke\kubtzjeyi.exe
Creates File	C:\gtthfvqozamke\eqvshxywap
Creates File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Creates File	\Device\Afd\Endpoint
Creates File	C:\gtthfvqozamke\v1bqlksy
Creates File	C:\gtthfvqozamke\hgqgk8ej4
Deletes File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Creates Process	gc1ncwfitnye "c:\gtthfvqozamke\mmvfugf.exe"

Process
↳ C:\gtthfvqozamke\mmvfugf.exe

Creates File	C:\gtthfvqozamke\eqvshxywap
Creates File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Deletes File	C:\WINDOWS\gtthfvqozamke\eqvshxywap

Process
↳ gc1ncwfitnye "c:\gtthfvqozamke\mmvfugf.exe"

Creates File	C:\gtthfvqozamke\eqvshxywap
Creates File	C:\WINDOWS\gtthfvqozamke\eqvshxywap
Deletes File	C:\WINDOWS\gtthfvqozamke\eqvshxywap

Network Details:

DNS	streetshoulder.net Type: A 95.211.230.75
DNS	gatherabove.net Type: A 72.52.4.90
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	breadabove.net Type: A 195.22.26.253
DNS	breadabove.net Type: A 195.22.26.254
DNS	breadabove.net Type: A 195.22.26.231
DNS	breadabove.net Type: A 195.22.26.252
DNS	chiefshore.net Type: A 162.255.119.250
DNS	chiefwritten.net Type: A 98.139.135.129
DNS	collegewritten.net Type: A 162.255.119.250
DNS	collegedollar.net Type: A 162.255.119.250
DNS	chiefrealize.net Type: A 72.52.4.90
DNS	alonedollar.net Type: A 208.100.26.234
DNS	morningdollar.net Type: A 50.63.202.48
DNS	captainuntil.net Type: A
DNS	largeabove.net Type: A
DNS	captainabove.net Type: A
DNS	largeshoulder.net Type: A
DNS	captainshoulder.net Type: A
DNS	largefinger.net Type: A
DNS	captainfinger.net Type: A
DNS	recorduntil.net Type: A
DNS	electricuntil.net Type: A
DNS	recordabove.net Type: A
DNS	electricabove.net Type: A
DNS	recordshoulder.net Type: A
DNS	electricshoulder.net Type: A
DNS	recordfinger.net Type: A
DNS	electricfinger.net Type: A
DNS	streetuntil.net Type: A
DNS	tradeuntil.net Type: A
DNS	streetabove.net Type: A
DNS	tradeabove.net Type: A
DNS	tradeshoulder.net Type: A
DNS	streetfinger.net Type: A
DNS	tradefinger.net Type: A
DNS	betteruntil.net Type: A
DNS	gatheruntil.net Type: A
DNS	betterabove.net Type: A
DNS	bettershoulder.net Type: A
DNS	gathershoulder.net Type: A
DNS	betterfinger.net Type: A
DNS	gatherfinger.net Type: A
DNS	flieruntil.net Type: A
DNS	breaduntil.net Type: A
DNS	flierabove.net Type: A
DNS	fliershoulder.net Type: A
DNS	breadshoulder.net Type: A
DNS	flierfinger.net Type: A
DNS	breadfinger.net Type: A
DNS	quietuntil.net Type: A
DNS	seasonuntil.net Type: A
DNS	quietabove.net Type: A
DNS	seasonabove.net Type: A
DNS	quietshoulder.net Type: A
DNS	seasonshoulder.net Type: A
DNS	quietfinger.net Type: A
DNS	seasonfinger.net Type: A
DNS	thinkshore.net Type: A
DNS	presentshore.net Type: A
DNS	thinkwritten.net Type: A
DNS	presentwritten.net Type: A
DNS	thinkdollar.net Type: A
DNS	presentdollar.net Type: A
DNS	thinkrealize.net Type: A
DNS	presentrealize.net Type: A
DNS	collegeshore.net Type: A
DNS	chiefdollar.net Type: A
DNS	collegerealize.net Type: A
DNS	oftenshore.net Type: A
DNS	aloneshore.net Type: A
DNS	oftenwritten.net Type: A
DNS	alonewritten.net Type: A
DNS	oftendollar.net Type: A
DNS	oftenrealize.net Type: A
DNS	alonerealize.net Type: A
DNS	middleshore.net Type: A
DNS	twelveshore.net Type: A
DNS	middlewritten.net Type: A
DNS	twelvewritten.net Type: A
DNS	middledollar.net Type: A
DNS	twelvedollar.net Type: A
DNS	middlerealize.net Type: A
DNS	twelverealize.net Type: A
DNS	rathershore.net Type: A
DNS	morningshore.net Type: A
DNS	ratherwritten.net Type: A
DNS	morningwritten.net Type: A
DNS	ratherdollar.net Type: A
HTTP GET	http://streetshoulder.net/index.php User-Agent:
HTTP GET	http://gatherabove.net/index.php User-Agent:
HTTP GET	http://gatherfinger.net/index.php User-Agent:
HTTP GET	http://breadabove.net/index.php User-Agent:
HTTP GET	http://chiefshore.net/index.php User-Agent:
HTTP GET	http://chiefwritten.net/index.php User-Agent:
HTTP GET	http://collegewritten.net/index.php User-Agent:
HTTP GET	http://collegedollar.net/index.php User-Agent:
HTTP GET	http://chiefrealize.net/index.php User-Agent:
HTTP GET	http://alonedollar.net/index.php User-Agent:
HTTP GET	http://morningdollar.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP	192.168.1.1:1032 ➝ 72.52.4.90:80
Flows TCP	192.168.1.1:1033 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1034 ➝ 195.22.26.253:80
Flows TCP	192.168.1.1:1035 ➝ 162.255.119.250:80
Flows TCP	192.168.1.1:1036 ➝ 98.139.135.129:80
Flows TCP	192.168.1.1:1037 ➝ 162.255.119.250:80
Flows TCP	192.168.1.1:1038 ➝ 162.255.119.250:80
Flows TCP	192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP	192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1041 ➝ 50.63.202.48:80

Raw Pcap

Strings