Analysis Date2015-07-30 21:49:20
MD5b7b245b0f3874725c3463edcfc0315fc
SHA1d738e7280fd210df047468fac79072fc4c99a54e

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 96cd8fcae8b614c14c80b646ae57bf98 sha1: 4ba825d07faed066f91817db376fca626812d992 size: 1272832
Section.rdata md5: 3086b1f6190a97e8f4bf83e296359790 sha1: b7a814ca7da7502f94ab250a2575fc1127500f36 size: 326144
Section.data md5: 562368c3427a8a99edae80235de8832e sha1: 6461d1a8d60f05734c54500a839e8ed905f9f540 size: 7680
Section.reloc md5: 5d6449763bc7c501045a1105d1d4a596 sha1: 42ff9b3f8dc8b0023abe2ee94bb6c318cc75d6cb size: 171008
Timestamp2015-05-11 03:56:33
PackerVC8 -> Microsoft Corporation
PEhash0962157ce52e57c9d8d21a5a50bbbe29bf3c432a
IMPhash9e9105031eff2aa84e7be1481fda65f4
AVRising0x58e5a58f
AVMcafeeTrojan-FGIJ!B7B245B0F387
AVAvira (antivir)TR/Crypt.Xpack.266734
AVTwisterno_virus
AVAd-AwareGen:Variant.Diley.1
AVAlwil (avast)Dropper-OJQ [Drp]
AVEset (nod32)Win32/Bayrob.Y
AVGrisoft (avg)Win32/Cryptor
AVSymantecDownloader.Upatre!g15
AVFortinetW32/Bayrob.X!tr
AVBitDefenderGen:Variant.Diley.1
AVK7Trojan ( 004c77f41 )
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.BN
AVMicroWorld (escan)Gen:Variant.Diley.1
AVMalwareBytesno_virus
AVAuthentiumW32/SoxGrave.A2.gen!Eldorado
AVFrisk (f-prot)no_virus
AVIkarusTrojan.Win32.Bayrob
AVEmsisoftGen:Variant.Diley.1
AVZillya!Error Scanning File
AVKasperskyBackdoor.Win32.SoxGrave.aru
AVTrend Microno_virus
AVCAT (quickheal)no_virus
AVVirusBlokAda (vba32)no_virus
AVPadvishno_virus
AVBullGuardGen:Variant.Diley.1
AVArcabit (arcavir)Gen:Variant.Diley.1
AVClamAVno_virus
AVDr. WebTrojan.Bayrob.5
AVF-SecureGen:Variant.Diley.1
AVCA (E-Trust Ino)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\tst
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Access DHCP Logon System TP Computer Shadow ➝
C:\WINDOWS\system32\lzbrzrnbkk.exe
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\etc
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\tst
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\lck
Creates FileC:\WINDOWS\system32\lzbrzrnbkk.exe
Deletes FileC:\WINDOWS\system32\\drivers\etc\hosts
Creates ProcessC:\WINDOWS\system32\lzbrzrnbkk.exe
Creates ServiceEvent WWAN Themes Protocol Hardware - C:\WINDOWS\system32\lzbrzrnbkk.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates Filepipe\PCHFaultRepExecPipe

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\lzbrzrnbkk.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\cfg
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\run
Creates FileC:\WINDOWS\system32\fgiumul.exe
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\tst
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\lck
Creates FileC:\WINDOWS\TEMP\pwlhwwr1twes2.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\rng
Creates File\Device\Afd\Endpoint
Creates ProcessWATCHDOGPROC "c:\windows\system32\lzbrzrnbkk.exe"
Creates ProcessC:\WINDOWS\TEMP\pwlhwwr1twes2.exe -r 36873 tcp

Process
↳ C:\WINDOWS\system32\lzbrzrnbkk.exe

Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\lzbrzrnbkk.exe"

Creates FileC:\WINDOWS\system32\dtkeexxlfyauk\tst

Process
↳ C:\WINDOWS\TEMP\pwlhwwr1twes2.exe -r 36873 tcp

Creates File\Device\Afd\Endpoint
Winsock DNS239.255.255.250

Network Details:

DNSrecordsoldier.net
Type: A
208.91.197.241
DNSfliersurprise.net
Type: A
208.91.197.241
DNShistorybright.net
Type: A
208.91.197.241
DNSchiefsoldier.net
Type: A
208.91.197.241
DNSclasssurprise.net
Type: A
208.91.197.241
DNSthosecontinue.net
Type: A
208.91.197.241
DNSthroughcontain.net
Type: A
208.91.197.241
DNSbelongguard.net
Type: A
208.91.197.241
DNSmaybellinethaddeus.net
Type: A
208.91.197.241
DNSkimberleyshavonne.net
Type: A
208.91.197.241
DNSnaildeep.com
Type: A
74.220.215.218
DNSriddenstorm.net
Type: A
66.147.240.171
DNSdestroystorm.net
Type: A
216.239.138.86
DNSlifefind.net
Type: A
66.151.181.49
DNSlifewear.net
Type: A
72.29.73.31
DNStillfind.net
Type: A
95.211.230.75
DNSdeepfind.net
Type: A
68.178.232.100
DNSpushwear.net
Type: A
192.186.216.0
DNSfridaywear.net
Type: A
216.21.239.197
DNShusbandfound.net
Type: A
DNSleadershort.net
Type: A
DNSeggbraker.com
Type: A
DNSithouneed.com
Type: A
DNSpushopen.net
Type: A
DNSfridayopen.net
Type: A
DNSalongboat.net
Type: A
DNSdecemberboat.net
Type: A
DNSalongpress.net
Type: A
DNSdecemberpress.net
Type: A
DNSalongrest.net
Type: A
DNSdecemberrest.net
Type: A
DNSalongopen.net
Type: A
DNSdecemberopen.net
Type: A
DNSlongtold.net
Type: A
DNSsoiltold.net
Type: A
DNSlongfind.net
Type: A
DNSsoilfind.net
Type: A
DNSlongwear.net
Type: A
DNSsoilwear.net
Type: A
DNSlonghurt.net
Type: A
DNSsoilhurt.net
Type: A
DNSwheeltold.net
Type: A
DNSsaidtold.net
Type: A
DNSwheelfind.net
Type: A
DNSsaidfind.net
Type: A
DNSwheelwear.net
Type: A
DNSsaidwear.net
Type: A
DNSwheelhurt.net
Type: A
DNSsaidhurt.net
Type: A
DNSsticktold.net
Type: A
DNSballtold.net
Type: A
DNSstickfind.net
Type: A
DNSballfind.net
Type: A
DNSstickwear.net
Type: A
DNSballwear.net
Type: A
DNSstickhurt.net
Type: A
DNSballhurt.net
Type: A
DNSenemytold.net
Type: A
DNSlifetold.net
Type: A
DNSenemyfind.net
Type: A
DNSenemywear.net
Type: A
DNSenemyhurt.net
Type: A
DNSlifehurt.net
Type: A
DNSmouthtold.net
Type: A
DNStilltold.net
Type: A
DNSmouthfind.net
Type: A
DNSmouthwear.net
Type: A
DNStillwear.net
Type: A
DNSmouthhurt.net
Type: A
DNStillhurt.net
Type: A
DNSshalltold.net
Type: A
DNSdeeptold.net
Type: A
DNSshallfind.net
Type: A
DNSshallwear.net
Type: A
DNSdeepwear.net
Type: A
DNSshallhurt.net
Type: A
DNSdeephurt.net
Type: A
DNSpushtold.net
Type: A
DNSfridaytold.net
Type: A
DNSpushfind.net
Type: A
DNSfridayfind.net
Type: A
DNSpushhurt.net
Type: A
DNSfridayhurt.net
Type: A
DNSalongtold.net
Type: A
DNSdecembertold.net
Type: A
DNSalongfind.net
Type: A
DNSdecemberfind.net
Type: A
DNSalongwear.net
Type: A
DNSdecemberwear.net
Type: A
DNSalonghurt.net
Type: A
DNSdecemberhurt.net
Type: A
DNSlongslow.net
Type: A
DNSsoilslow.net
Type: A
DNSlongfebruary.net
Type: A
DNSsoilfebruary.net
Type: A
DNSlonghelp.net
Type: A
DNSsoilhelp.net
Type: A
DNSlongnovember.net
Type: A
DNSsoilnovember.net
Type: A
DNSwheelslow.net
Type: A
DNSsaidslow.net
Type: A
DNSwheelfebruary.net
Type: A
HTTP GEThttp://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://historybright.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://lifefind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://lifewear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://tillfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://deepfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://pushwear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://fridaywear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://historybright.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://lifefind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://lifewear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://tillfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://deepfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://pushwear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
HTTP GEThttp://fridaywear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr
User-Agent:
Flows TCP192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP192.168.1.1:1050 ➝ 66.151.181.49:80
Flows TCP192.168.1.1:1051 ➝ 72.29.73.31:80
Flows TCP192.168.1.1:1052 ➝ 95.211.230.75:80
Flows TCP192.168.1.1:1053 ➝ 68.178.232.100:80
Flows TCP192.168.1.1:1054 ➝ 192.186.216.0:80
Flows TCP192.168.1.1:1055 ➝ 216.21.239.197:80
Flows TCP192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1066 ➝ 74.220.215.218:80
Flows TCP192.168.1.1:1067 ➝ 66.147.240.171:80
Flows TCP192.168.1.1:1068 ➝ 216.239.138.86:80
Flows TCP192.168.1.1:1069 ➝ 66.151.181.49:80
Flows TCP192.168.1.1:1070 ➝ 72.29.73.31:80
Flows TCP192.168.1.1:1071 ➝ 95.211.230.75:80
Flows TCP192.168.1.1:1072 ➝ 68.178.232.100:80
Flows TCP192.168.1.1:1073 ➝ 192.186.216.0:80
Flows TCP192.168.1.1:1074 ➝ 216.21.239.197:80

Raw Pcap

Strings