Analysis Date: 2016-02-04 20:05:49
MD5: bddab3f6733b6b819c1731b0163dea5e
SHA1: d0a1a69d46434b8520ee041f348d3e903c89d832

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: fb50d08e7a975bba166f52fcb5a5fb10 sha1: 8893deb2fa251a7d3a493c44caa1a0075dbd2619 size: 193024
Section .rdata: md5: 356bd5a233c019b2a4f602fa764bd3d6 sha1: 52bb15fc70affc2a25b623cac694b0182818ad3b size: 17408
Section .data: md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc: md5: 1484c36ae3c475c6c079bbfbf32e00da sha1: ea95b8a354f644a28262f55b256ed7125d5cfaf3 size: 31232
Timestamp: 2016-01-06 15:49:49
PEhash: 4385f41921b0c81c6123b5e71726dd3938d43f42
IMPhash: 1959e8f3631ff4ae62712399bbc43330
AV VirusBlokAda (vba32): No Virus
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV CA (E-Trust Ino): Gen:Variant.Razy.12226
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Zillya!: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV F-Secure: Gen:Variant.Razy.12226
AV Symantec: Trojan.Bayrob!gen6
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV Kaspersky: Trojan.Win32.Bayrob.mfy
AV Twister: No Virus
AV K7: Trojan ( 004db0c61 )
AV MalwareBytes: No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Trend Micro: No Virus
AV BullGuard: Gen:Variant.Razy.12226
AV Dr. Web: No Virus
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Mcafee: Trojan-FHPX!BDDAB3F6733B
AV ClamAV: Win.Trojan.Agent-973698
AV Emsisoft: Gen:Variant.Razy.12226
AV Ad-Aware: Gen:Variant.Razy.12226
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.12226
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV Avira (antivir): TR/Taranis.1580

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\uohktlhdijiqtq\yiatz1kjlc6qrxouhkt.exe
Creates File: C:\uohktlhdijiqtq\txq7mx0yxs
Creates File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs
Deletes File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs
Creates Process: C:\uohktlhdijiqtq\yiatz1kjlc6qrxouhkt.exe

Process
↳ C:\uohktlhdijiqtq\yiatz1kjlc6qrxouhkt.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Notification Key Web Control ➝ C:\uohktlhdijiqtq\qardwszzqxl.exe
Creates File: C:\uohktlhdijiqtq\txq7mx0yxs
Creates File: C:\uohktlhdijiqtq\zekeqkm
Creates File: C:\uohktlhdijiqtq\qardwszzqxl.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs
Deletes File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs
Creates Process: C:\uohktlhdijiqtq\qardwszzqxl.exe

Process
↳ C:\uohktlhdijiqtq\qardwszzqxl.exe

Creates File: C:\uohktlhdijiqtq\txq7mx0yxs
Creates File: C:\uohktlhdijiqtq\qdpflh62nq
Creates File: C:\uohktlhdijiqtq\zekeqkm
Creates File: C:\uohktlhdijiqtq\sfcksfx.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs
Creates File: \Device\Afd\Endpoint
Deletes File: C:\uohktlhdijiqtq\yiatz1kjlc6qrxouhkt.exe
Deletes File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs
Creates Process: dgdfqui0oowl "c:\uohktlhdijiqtq\qardwszzqxl.exe"

Process
↳ dgdfqui0oowl "c:\uohktlhdijiqtq\qardwszzqxl.exe"

Creates File: C:\uohktlhdijiqtq\txq7mx0yxs
Creates File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs
Deletes File: C:\WINDOWS\uohktlhdijiqtq\txq7mx0yxs

Network Details:

DNS: smokeeearly.net, Type: A ➝ 208.100.26.234
DNS: partydress.net, Type: A ➝ 208.73.211.183
DNS: partydress.net, Type: A ➝ 208.73.211.192
DNS: partydress.net, Type: A ➝ 208.73.211.195
DNS: partydress.net, Type: A ➝ 208.73.211.179
DNS: sweetindeed.net, Type: A ➝ 208.91.197.46
DNS: laughnorth.net, Type: A ➝ 208.100.26.234
DNS: mothergeneral.net, Type: A ➝ 98.139.135.129
DNS: mothernorth.net, Type: A ➝ 87.98.231.5
DNS: watereearly.net, Type: A
DNS: thoughtpublic.net, Type: A
DNS: waterpublic.net, Type: A
DNS: thoughtdress.net, Type: A
DNS: waterdress.net, Type: A
DNS: womancatch.net, Type: A
DNS: smokecatch.net, Type: A
DNS: womaneearly.net, Type: A
DNS: womanpublic.net, Type: A
DNS: smokepublic.net, Type: A
DNS: womandress.net, Type: A
DNS: smokedress.net, Type: A
DNS: partycatch.net, Type: A
DNS: fightcatch.net, Type: A
DNS: partyeearly.net, Type: A
DNS: fighteearly.net, Type: A
DNS: partypublic.net, Type: A
DNS: fightpublic.net, Type: A
DNS: fightdress.net, Type: A
DNS: severalength.net, Type: A
DNS: laughlength.net, Type: A
DNS: severanotice.net, Type: A
DNS: laughnotice.net, Type: A
DNS: severaindeed.net, Type: A
DNS: laughindeed.net, Type: A
DNS: severaduring.net, Type: A
DNS: laughduring.net, Type: A
DNS: simplelength.net, Type: A
DNS: motherlength.net, Type: A
DNS: simplenotice.net, Type: A
DNS: mothernotice.net, Type: A
DNS: simpleindeed.net, Type: A
DNS: motherindeed.net, Type: A
DNS: simpleduring.net, Type: A
DNS: motherduring.net, Type: A
DNS: mountainlength.net, Type: A
DNS: possiblelength.net, Type: A
DNS: mountainnotice.net, Type: A
DNS: possiblenotice.net, Type: A
DNS: mountainindeed.net, Type: A
DNS: possibleindeed.net, Type: A
DNS: mountainduring.net, Type: A
DNS: possibleduring.net, Type: A
DNS: perhapslength.net, Type: A
DNS: windowlength.net, Type: A
DNS: perhapsnotice.net, Type: A
DNS: windownotice.net, Type: A
DNS: perhapsindeed.net, Type: A
DNS: windowindeed.net, Type: A
DNS: perhapsduring.net, Type: A
DNS: windowduring.net, Type: A
DNS: winterlength.net, Type: A
DNS: subjectlength.net, Type: A
DNS: winternotice.net, Type: A
DNS: subjectnotice.net, Type: A
DNS: winterindeed.net, Type: A
DNS: subjectindeed.net, Type: A
DNS: winterduring.net, Type: A
DNS: subjectduring.net, Type: A
DNS: finishlength.net, Type: A
DNS: leavelength.net, Type: A
DNS: finishnotice.net, Type: A
DNS: leavenotice.net, Type: A
DNS: finishindeed.net, Type: A
DNS: leaveindeed.net, Type: A
DNS: finishduring.net, Type: A
DNS: leaveduring.net, Type: A
DNS: sweetlength.net, Type: A
DNS: probablylength.net, Type: A
DNS: sweetnotice.net, Type: A
DNS: probablynotice.net, Type: A
DNS: probablyindeed.net, Type: A
DNS: sweetduring.net, Type: A
DNS: probablyduring.net, Type: A
DNS: severallength.net, Type: A
DNS: materiallength.net, Type: A
DNS: severalnotice.net, Type: A
DNS: materialnotice.net, Type: A
DNS: severalindeed.net, Type: A
DNS: materialindeed.net, Type: A
DNS: severalduring.net, Type: A
DNS: materialduring.net, Type: A
DNS: severaclear.net, Type: A
DNS: laughclear.net, Type: A
DNS: severageneral.net, Type: A
DNS: laughgeneral.net, Type: A
DNS: severainclude.net, Type: A
DNS: laughinclude.net, Type: A
DNS: severanorth.net, Type: A
DNS: simpleclear.net, Type: A
DNS: motherclear.net, Type: A
DNS: simplegeneral.net, Type: A
DNS: simpleinclude.net, Type: A
DNS: motherinclude.net, Type: A
DNS: simplenorth.net, Type: A
DNS: mountainclear.net, Type: A
DNS: possibleclear.net, Type: A
DNS: mountaingeneral.net, Type: A
DNS: possiblegeneral.net, Type: A
DNS: mountaininclude.net, Type: A
DNS: possibleinclude.net, Type: A
DNS: mountainnorth.net, Type: A
DNS: possiblenorth.net, Type: A
DNS: perhapsclear.net, Type: A
DNS: windowclear.net, Type: A
DNS: perhapsgeneral.net, Type: A
DNS: windowgeneral.net, Type: A
DNS: perhapsinclude.net, Type: A
DNS: windowinclude.net, Type: A
DNS: perhapsnorth.net, Type: A
DNS: windownorth.net, Type: A
DNS: winterclear.net, Type: A
DNS: subjectclear.net, Type: A
DNS: wintergeneral.net, Type: A
DNS: subjectgeneral.net, Type: A
DNS: winterinclude.net, Type: A
DNS: subjectinclude.net, Type: A
DNS: winternorth.net, Type: A
DNS: subjectnorth.net, Type: A
DNS: finishclear.net, Type: A
DNS: leaveclear.net, Type: A
DNS: finishgeneral.net, Type: A
DNS: leavegeneral.net, Type: A
DNS: finishinclude.net, Type: A
DNS: leaveinclude.net, Type: A
DNS: finishnorth.net, Type: A
DNS: leavenorth.net, Type: A
DNS: sweetclear.net, Type: A
DNS: probablyclear.net, Type: A
DNS: sweetgeneral.net, Type: A
DNS: probablygeneral.net, Type: A
DNS: sweetinclude.net, Type: A
DNS: probablyinclude.net, Type: A
DNS: sweetnorth.net, Type: A
DNS: probablynorth.net, Type: A
DNS: severalclear.net, Type: A
DNS: materialclear.net, Type: A
DNS: severalgeneral.net, Type: A
DNS: materialgeneral.net, Type: A
DNS: severalinclude.net, Type: A
DNS: materialinclude.net, Type: A
DNS: severalnorth.net, Type: A
DNS: materialnorth.net, Type: A
DNS: severabranch.net, Type: A
DNS: laughbranch.net, Type: A
DNS: severabelieve.net, Type: A
DNS: laughbelieve.net, Type: A
DNS: severareceive.net, Type: A
DNS: laughreceive.net, Type: A
DNS: severaquarter.net, Type: A
DNS: laughquarter.net, Type: A
DNS: simplebranch.net, Type: A
DNS: motherbranch.net, Type: A
DNS: simplebelieve.net, Type: A
DNS: motherbelieve.net, Type: A
DNS: simplereceive.net, Type: A
DNS: motherreceive.net, Type: A
DNS: simplequarter.net, Type: A
DNS: motherquarter.net, Type: A
DNS: mountainbranch.net, Type: A
DNS: possiblebranch.net, Type: A
DNS: mountainbelieve.net, Type: A
DNS: possiblebelieve.net, Type: A
DNS: mountainreceive.net, Type: A
HTTP GET: http://smokeeearly.net/index.php
User-Agent:
HTTP GET: http://partydress.net/index.php
User-Agent:
HTTP GET: http://sweetindeed.net/index.php
User-Agent:
HTTP GET: http://laughnorth.net/index.php
User-Agent:
HTTP GET: http://mothergeneral.net/index.php
User-Agent:
HTTP GET: http://mothernorth.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.183:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.46:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1036 ➝ 87.98.231.5:80

Raw Pcap

Strings