Analysis Date: 2016-02-09 09:08:58
MD5: 5098b18ab9b3deb765acbe1d0a1a17cb
SHA1: d80c3b454134fda37678dd439cfe85ffcfc4c540

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 83cbcc6811f7065101d18dd70b981ab1 sha1: 3646982cabb6bf199b2506b14e97588bebd75edd size: 530432
Section .rdata: md5: de7df92922762a97e93425a1ef915280 sha1: 714dc43a5f951f87050d034dc6883fd2b3fa3be1 size: 26112
Section .data: md5: e72f9a3ce9373601cf97289dc7779c4f sha1: 1075d8d9b995ea84ab01b70937048f10cb2c6cfe size: 19968
Section .reloc: md5: 700c02fe1ecd7339b2345c9f5d8925ff sha1: e088f4d231172f2b33c6f1c48706cc9652722f90 size: 39424
Timestamp: 2014-09-03 15:38:21
Packer: Microsoft Visual C++ 8
PEhash: 959371ab6b4f428aff6dbcfe21fbbb1fffc9cd41
IMPhash: 9d5568492a8790437bbf4383a6dbae40
AV CA (E-Trust Ino): Gen:Variant.Razy.13928
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!5098B18AB9B3
AV Avira (antivir): TR/Taranis.2113
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Razy.13928
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.AKSB
AV Symantec: Trojan.Gen
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Razy.13928
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.13928
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: Trojan.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Razy.13928
AV ClamAV: Win.Trojan.Bancos-2115
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Razy.13928

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates File: C:\nrwxfnwqphzyg\dx1kpow1are1wmvqj.exe
Creates File: C:\nrwxfnwqphzyg\mpy2ap3e
Deletes File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates Process: C:\nrwxfnwqphzyg\dx1kpow1are1wmvqj.exe

Process
↳ C:\nrwxfnwqphzyg\dx1kpow1are1wmvqj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adaptive Firewall Netlogon NGEN Trap Time DCOM ➝ C:\nrwxfnwqphzyg\tyuvwtbc.exe
Creates File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates File: C:\nrwxfnwqphzyg\tyuvwtbc.exe
Creates File: PIPE\lsarpc
Creates File: C:\nrwxfnwqphzyg\lyftyekobs
Creates File: C:\nrwxfnwqphzyg\mpy2ap3e
Deletes File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates Process: C:\nrwxfnwqphzyg\tyuvwtbc.exe
Creates Service: Call Audio Cache Removal Receiver Netlogon WinHTTP - C:\nrwxfnwqphzyg\tyuvwtbc.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1120

Process
↳ C:\nrwxfnwqphzyg\tyuvwtbc.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates File: C:\nrwxfnwqphzyg\atovjlsiyhv.exe
Creates File: C:\nrwxfnwqphzyg\mmzr6oc
Creates File: \Device\Afd\Endpoint
Creates File: C:\nrwxfnwqphzyg\lyftyekobs
Creates File: C:\nrwxfnwqphzyg\mpy2ap3e
Deletes File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates Process: qiflmmw4g1wh "c:\nrwxfnwqphzyg\tyuvwtbc.exe"

Process
↳ C:\nrwxfnwqphzyg\tyuvwtbc.exe

Creates File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates File: C:\nrwxfnwqphzyg\mpy2ap3e
Deletes File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e

Process
↳ qiflmmw4g1wh "c:\nrwxfnwqphzyg\tyuvwtbc.exe"

Creates File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e
Creates File: C:\nrwxfnwqphzyg\mpy2ap3e
Deletes File: C:\WINDOWS\nrwxfnwqphzyg\mpy2ap3e

Network Details:

