Analysis | #totalhash

Analysis Date	2015-07-30 21:49:20
MD5	b7b245b0f3874725c3463edcfc0315fc
SHA1	d738e7280fd210df047468fac79072fc4c99a54e

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 96cd8fcae8b614c14c80b646ae57bf98 sha1: 4ba825d07faed066f91817db376fca626812d992 size: 1272832
Section	.rdata md5: 3086b1f6190a97e8f4bf83e296359790 sha1: b7a814ca7da7502f94ab250a2575fc1127500f36 size: 326144
Section	.data md5: 562368c3427a8a99edae80235de8832e sha1: 6461d1a8d60f05734c54500a839e8ed905f9f540 size: 7680
Section	.reloc md5: 5d6449763bc7c501045a1105d1d4a596 sha1: 42ff9b3f8dc8b0023abe2ee94bb6c318cc75d6cb size: 171008
Timestamp	2015-05-11 03:56:33
Packer	VC8 -> Microsoft Corporation
PEhash	0962157ce52e57c9d8d21a5a50bbbe29bf3c432a
IMPhash	9e9105031eff2aa84e7be1481fda65f4
AV	Rising	0x58e5a58f
AV	Mcafee	Trojan-FGIJ!B7B245B0F387
AV	Avira (antivir)	TR/Crypt.Xpack.266734
AV	Twister	no_virus
AV	Ad-Aware	Gen:Variant.Diley.1
AV	Alwil (avast)	Dropper-OJQ [Drp]
AV	Eset (nod32)	Win32/Bayrob.Y
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Bayrob.X!tr
AV	BitDefender	Gen:Variant.Diley.1
AV	K7	Trojan ( 004c77f41 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.BN
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	MalwareBytes	no_virus
AV	Authentium	W32/SoxGrave.A2.gen!Eldorado
AV	Frisk (f-prot)	no_virus
AV	Ikarus	Trojan.Win32.Bayrob
AV	Emsisoft	Gen:Variant.Diley.1
AV	Zillya!	Error Scanning File
AV	Kaspersky	Backdoor.Win32.SoxGrave.aru
AV	Trend Micro	no_virus
AV	CAT (quickheal)	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	Padvish	no_virus
AV	BullGuard	Gen:Variant.Diley.1
AV	Arcabit (arcavir)	Gen:Variant.Diley.1
AV	ClamAV	no_virus
AV	Dr. Web	Trojan.Bayrob.5
AV	F-Secure	Gen:Variant.Diley.1
AV	CA (E-Trust Ino)	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Access DHCP Logon System TP Computer Shadow ➝ C:\WINDOWS\system32\lzbrzrnbkk.exe
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\etc
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\tst
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\lck
Creates File	C:\WINDOWS\system32\lzbrzrnbkk.exe
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\lzbrzrnbkk.exe
Creates Service	Event WWAN Themes Protocol Hardware - C:\WINDOWS\system32\lzbrzrnbkk.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	pipe\PCHFaultRepExecPipe

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File	WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\lzbrzrnbkk.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\cfg
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\run
Creates File	C:\WINDOWS\system32\fgiumul.exe
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\tst
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\lck
Creates File	C:\WINDOWS\TEMP\pwlhwwr1twes2.exe
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\rng
Creates File	\Device\Afd\Endpoint
Creates Process	WATCHDOGPROC "c:\windows\system32\lzbrzrnbkk.exe"
Creates Process	C:\WINDOWS\TEMP\pwlhwwr1twes2.exe -r 36873 tcp

Process
↳ C:\WINDOWS\system32\lzbrzrnbkk.exe

Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\lzbrzrnbkk.exe"

Creates File	C:\WINDOWS\system32\dtkeexxlfyauk\tst

Process
↳ C:\WINDOWS\TEMP\pwlhwwr1twes2.exe -r 36873 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	recordsoldier.net Type: A 208.91.197.241
DNS	fliersurprise.net Type: A 208.91.197.241
DNS	historybright.net Type: A 208.91.197.241
DNS	chiefsoldier.net Type: A 208.91.197.241
DNS	classsurprise.net Type: A 208.91.197.241
DNS	thosecontinue.net Type: A 208.91.197.241
DNS	throughcontain.net Type: A 208.91.197.241
DNS	belongguard.net Type: A 208.91.197.241
DNS	maybellinethaddeus.net Type: A 208.91.197.241
DNS	kimberleyshavonne.net Type: A 208.91.197.241
DNS	naildeep.com Type: A 74.220.215.218
DNS	riddenstorm.net Type: A 66.147.240.171
DNS	destroystorm.net Type: A 216.239.138.86
DNS	lifefind.net Type: A 66.151.181.49
DNS	lifewear.net Type: A 72.29.73.31
DNS	tillfind.net Type: A 95.211.230.75
DNS	deepfind.net Type: A 68.178.232.100
DNS	pushwear.net Type: A 192.186.216.0
DNS	fridaywear.net Type: A 216.21.239.197
DNS	husbandfound.net Type: A
DNS	leadershort.net Type: A
DNS	eggbraker.com Type: A
DNS	ithouneed.com Type: A
DNS	pushopen.net Type: A
DNS	fridayopen.net Type: A
DNS	alongboat.net Type: A
DNS	decemberboat.net Type: A
DNS	alongpress.net Type: A
DNS	decemberpress.net Type: A
DNS	alongrest.net Type: A
DNS	decemberrest.net Type: A
DNS	alongopen.net Type: A
DNS	decemberopen.net Type: A
DNS	longtold.net Type: A
DNS	soiltold.net Type: A
DNS	longfind.net Type: A
DNS	soilfind.net Type: A
DNS	longwear.net Type: A
DNS	soilwear.net Type: A
DNS	longhurt.net Type: A
DNS	soilhurt.net Type: A
DNS	wheeltold.net Type: A
DNS	saidtold.net Type: A
DNS	wheelfind.net Type: A
DNS	saidfind.net Type: A
DNS	wheelwear.net Type: A
DNS	saidwear.net Type: A
DNS	wheelhurt.net Type: A
DNS	saidhurt.net Type: A
DNS	sticktold.net Type: A
DNS	balltold.net Type: A
DNS	stickfind.net Type: A
DNS	ballfind.net Type: A
DNS	stickwear.net Type: A
DNS	ballwear.net Type: A
DNS	stickhurt.net Type: A
DNS	ballhurt.net Type: A
DNS	enemytold.net Type: A
DNS	lifetold.net Type: A
DNS	enemyfind.net Type: A
DNS	enemywear.net Type: A
DNS	enemyhurt.net Type: A
DNS	lifehurt.net Type: A
DNS	mouthtold.net Type: A
DNS	tilltold.net Type: A
DNS	mouthfind.net Type: A
DNS	mouthwear.net Type: A
DNS	tillwear.net Type: A
DNS	mouthhurt.net Type: A
DNS	tillhurt.net Type: A
DNS	shalltold.net Type: A
DNS	deeptold.net Type: A
DNS	shallfind.net Type: A
DNS	shallwear.net Type: A
DNS	deepwear.net Type: A
DNS	shallhurt.net Type: A
DNS	deephurt.net Type: A
DNS	pushtold.net Type: A
DNS	fridaytold.net Type: A
DNS	pushfind.net Type: A
DNS	fridayfind.net Type: A
DNS	pushhurt.net Type: A
DNS	fridayhurt.net Type: A
DNS	alongtold.net Type: A
DNS	decembertold.net Type: A
DNS	alongfind.net Type: A
DNS	decemberfind.net Type: A
DNS	alongwear.net Type: A
DNS	decemberwear.net Type: A
DNS	alonghurt.net Type: A
DNS	decemberhurt.net Type: A
DNS	longslow.net Type: A
DNS	soilslow.net Type: A
DNS	longfebruary.net Type: A
DNS	soilfebruary.net Type: A
DNS	longhelp.net Type: A
DNS	soilhelp.net Type: A
DNS	longnovember.net Type: A
DNS	soilnovember.net Type: A
DNS	wheelslow.net Type: A
DNS	saidslow.net Type: A
DNS	wheelfebruary.net Type: A
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://lifefind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://lifewear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://tillfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://deepfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://pushwear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://fridaywear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://lifefind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://lifewear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://tillfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://deepfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://pushwear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
HTTP GET	http://fridaywear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr User-Agent:
Flows TCP	192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP	192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP	192.168.1.1:1050 ➝ 66.151.181.49:80
Flows TCP	192.168.1.1:1051 ➝ 72.29.73.31:80
Flows TCP	192.168.1.1:1052 ➝ 95.211.230.75:80
Flows TCP	192.168.1.1:1053 ➝ 68.178.232.100:80
Flows TCP	192.168.1.1:1054 ➝ 192.186.216.0:80
Flows TCP	192.168.1.1:1055 ➝ 216.21.239.197:80
Flows TCP	192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1066 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1067 ➝ 66.147.240.171:80
Flows TCP	192.168.1.1:1068 ➝ 216.239.138.86:80
Flows TCP	192.168.1.1:1069 ➝ 66.151.181.49:80
Flows TCP	192.168.1.1:1070 ➝ 72.29.73.31:80
Flows TCP	192.168.1.1:1071 ➝ 95.211.230.75:80
Flows TCP	192.168.1.1:1072 ➝ 68.178.232.100:80
Flows TCP	192.168.1.1:1073 ➝ 192.186.216.0:80
Flows TCP	192.168.1.1:1074 ➝ 216.21.239.197:80

Raw Pcap

Strings