Analysis Date: 2016-02-12 03:31:39
MD5: ce135902d46243a36431a82a3a93ec9c
SHA1: d9cc26c004977c303a71390e8c84ece48b71d0f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: ecc7adb7a20fc49b1529eeb5fd6d5463  sha1: af013ab6bdae21ee99027d68b56c5f54c8eff75d  size: 547328
Section .rdata  md5: a46ffd64eaee668b7149eb9e66d2e468  sha1: e70386709e2f76e2d3815f67f8c61e70adf457bf  size: 211968
Section .data   md5: 07b5472d347d42780469fb2654b7fc54  sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d  size: 512
Section .reloc  md5: 336a85bf0b9c60102695bffa00c46deb  sha1: fa22b282a9d00636ebe223fd7bbeb11cd33efe49  size: 86528
Timestamp: 2015-12-29 20:37:43
PEhash: cca0aa955c3f27bbe6e35b4d4bff7e5d78b53479
IMPhash: af987b8a4d4f2d56a2c7105549bf6c95
AV CA (E-Trust Ino): Gen:Variant.Razy.13381
AV Rising: No Virus
AV McAfee: Trojan-FHPD!CE135902D462
AV Avira (antivir): TR/Nivdort.A.34097
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.13381
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AS
AV Grisoft (avg): Win32/Heur
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AS!tr
AV BitDefender: Gen:Variant.Razy.13381
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Razy.13381
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.BNTH-2669
AV Emsisoft: Gen:Variant.Razy.13381
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.duta
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Kazy.791077
AV Arcabit (arcavir): Gen:Variant.Razy.13381
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.19969
AV F-Secure: Gen:Variant.Razy.13381

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xiukjs7fpx86knlmzfbswoe.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\xiukjs7fpx86knlmzfbswoe.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xiukjs7fpx86knlmzfbswoe.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Error RPC Isolation Provider Plug Topology ➝ C:\WINDOWS\system32\nitljpsk.exe
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\lck
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\nitljpsk.exe
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\tst
Creates Process: C:\WINDOWS\system32\nitljpsk.exe

Process
↳ C:\WINDOWS\system32\nitljpsk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\rng
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\lck
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xiukjse5x52bknlm.exe
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\run
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\cfg
Creates File: C:\WINDOWS\system32\smvtxkhmcz.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\tst
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\xiukjs7fpx86knlmzfbswoe.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\xiukjse5x52bknlm.exe -r 43469 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\nitljpsk.exe"

Process
↳ WATCHDOGPROC "c:\windows\system32\nitljpsk.exe"

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\xoelotpzeehsmae\tst

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xiukjse5x52bknlm.exe -r 43469 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250 (SSDP multicast address)
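Stripped to the behaviour that matters, the process tree above is: a dropper running from the user's Temp directory writes a Run value with a legitimate-sounding name that points at a freshly dropped system32 binary; that binary switches off the Security Center firewall notification, deletes the dropper that started it, and spawns both a copy with "-r 43469 tcp" and a WATCHDOGPROC instance of itself. The Python below is an added example and not part of the sandbox or of the sample: the event list is a hand transcription (abridged; the lsarpc and Afd entries are left out) of the Runtime Details above, and the five rules and their names are mine. The Temp-to-Run-key and parent-deleted rules generalise to other droppers; the WATCHDOGPROC and "-r <port> tcp" matches are specific to what this one sample showed.

```python
import re
from dataclasses import dataclass

# Paths as they appear in the Runtime Details of this report.
TEMP = r"C:\Documents and Settings\Administrator\Local Settings\Temp"
SYS32 = r"C:\WINDOWS\system32"
WORKDIR = SYS32 + r"\xoelotpzeehsmae"
DROPPER = TEMP + r"\xiukjs7fpx86knlmzfbswoe.exe"
PERSIST = SYS32 + r"\nitljpsk.exe"
LISTENER = TEMP + r"\xiukjse5x52bknlm.exe -r 43469 tcp"
WATCHDOG = r'WATCHDOGPROC "c:\windows\system32\nitljpsk.exe"'

# (actor process, action, target) transcribed from the report, abridged.
# Registry targets are (key, value) pairs.
EVENTS = [
    (r"C:\malware.exe", "create_file", DROPPER),
    (r"C:\malware.exe", "create_file", WORKDIR + r"\tst"),
    (r"C:\malware.exe", "create_process", DROPPER),
    (DROPPER, "registry", (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
                           r"\Error RPC Isolation Provider Plug Topology", PERSIST)),
    (DROPPER, "create_file", WORKDIR + r"\lck"),
    (DROPPER, "create_file", PERSIST),
    (DROPPER, "create_process", PERSIST),
    (PERSIST, "registry", (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify", "1")),
    (PERSIST, "create_file", WORKDIR + r"\rng"),
    (PERSIST, "create_file", TEMP + r"\xiukjse5x52bknlm.exe"),
    (PERSIST, "create_file", WORKDIR + r"\run"),
    (PERSIST, "create_file", WORKDIR + r"\cfg"),
    (PERSIST, "create_file", SYS32 + r"\smvtxkhmcz.exe"),
    (PERSIST, "delete_file", DROPPER),
    (PERSIST, "create_process", LISTENER),
    (PERSIST, "create_process", WATCHDOG),
]


@dataclass
class Finding:
    rule: str
    actor: str
    detail: str


# Rule patterns (my own; the Temp pattern also covers the Vista+ layout).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
TEMP_DIR = re.compile(r"\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\", re.I)
SEC_CENTER = re.compile(r"\\Security Center\\\w*DisableNotify$", re.I)
LISTEN_ARGS = re.compile(r"\s-r\s+(\d{1,5})\s+(tcp|udp)\b", re.I)


def triage(events):
    """Run the five rules over an event list and return the findings."""
    findings = []
    # Who started whom: child process string -> creator process string.
    parent = {target: actor for actor, action, target in events if action == "create_process"}
    for actor, action, target in events:
        if action == "registry":
            key, value = target
            # Persistence written by something executing out of a Temp directory.
            if RUN_KEY.search(key) and TEMP_DIR.search(actor):
                findings.append(Finding("run_key_from_temp", actor, f"{key} -> {value}"))
            # Security Center notification switched off.
            if SEC_CENTER.search(key) and value == "1":
                findings.append(Finding("security_center_notify_disabled", actor, key))
        elif action == "delete_file":
            # A process removing the executable of the process that launched it.
            if parent.get(actor, "").lower() == target.lower():
                findings.append(Finding("parent_dropper_deleted", actor, target))
        elif action == "create_process":
            if target.startswith("WATCHDOGPROC"):
                findings.append(Finding("watchdog_respawn", actor, target))
            m = LISTEN_ARGS.search(target)
            if m:
                findings.append(Finding("listener_argv", actor, f"port {m.group(1)}/{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:34} {f.actor}\n{'':34} {f.detail}")
```

The parent map is the piece worth keeping: the dropper is gone by the time anyone looks at the host, so the deletion event is the only record that Temp\xiukjs7fpx86knlmzfbswoe.exe was the first stage, and tying it to its own creator is what distinguishes cleanup from ordinary temp-file churn.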

Network Details:

DNS: riddenstorm.net  A  66.147.240.171
DNS: faceleft.net  A  94.23.64.5
DNS: storythirteen.net  A  208.100.26.234
DNS: dulcibellamartinson.net  A  (no address recorded)
DNS: mariabellabotwright.net  A  (no address recorded)
DNS: simonettesherisse.net  A  (no address recorded)
DNS: decidebetween.net  A  (no address recorded)
DNS: aloneneighbor.net  A  (no address recorded)
DNS: gentleangry.net  A  (no address recorded)
DNS: gwendolynhuddleston.net  A  (no address recorded)
DNS: simonettedwerryhouse.net  A  (no address recorded)
DNS: seasonstrong.net  A  (no address recorded)
DNS: oftensurprise.net  A  (no address recorded)
DNS: chiefanother.net  A  (no address recorded)
DNS: morningduring.net  A  (no address recorded)
DNS: wifeabout.net  A  (no address recorded)
DNS: casestep.net  A  (no address recorded)
DNS: doubleobject.net  A  (no address recorded)
DNS: brokenthird.net  A  (no address recorded)
DNS: mightspecial.net  A  (no address recorded)
DNS: leastthirteen.net  A  (no address recorded)
DNS: facethirteen.net  A  (no address recorded)
DNS: leasthurry.net  A  (no address recorded)
DNS: facehurry.net  A  (no address recorded)
DNS: monthhope.net  A  (no address recorded)
DNS: walkhope.net  A  (no address recorded)
DNS: monthleft.net  A  (no address recorded)
DNS: walkleft.net  A  (no address recorded)
DNS: monththirteen.net  A  (no address recorded)
DNS: walkthirteen.net  A  (no address recorded)
DNS: monthhurry.net  A  (no address recorded)
DNS: walkhurry.net  A  (no address recorded)
DNS: storyhope.net  A  (no address recorded)
DNS: weakhope.net  A  (no address recorded)
DNS: storyleft.net  A  (no address recorded)
DNS: weakleft.net  A  (no address recorded)
DNS: weakthirteen.net  A  (no address recorded)
DNS: storyhurry.net  A  (no address recorded)
DNS: weakhurry.net  A  (no address recorded)
DNS: afterhope.net  A  (no address recorded)
DNS: forcehope.net  A  (no address recorded)
DNS: afterleft.net  A  (no address recorded)
DNS: forceleft.net  A  (no address recorded)
DNS: afterthirteen.net  A  (no address recorded)
DNS: forcethirteen.net  A  (no address recorded)
DNS: afterhurry.net  A  (no address recorded)
DNS: forcehurry.net  A  (no address recorded)
DNS: sellhope.net  A  (no address recorded)
DNS: wednesdayhope.net  A  (no address recorded)
DNS: sellleft.net  A  (no address recorded)
DNS: wednesdayleft.net  A  (no address recorded)
DNS: sellthirteen.net  A  (no address recorded)
DNS: wednesdaythirteen.net  A  (no address recorded)
HTTP GET: http://riddenstorm.net/index.php  (User-Agent: none sent; the raw request below carries no such header)
HTTP GET: http://faceleft.net/index.php  (User-Agent: none sent)
HTTP GET: http://storythirteen.net/index.php  (User-Agent: none sent)
Flows TCP: 192.168.1.1:1037 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1038 ➝ 94.23.64.5:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80
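Apart from the three names that resolved, the DNS list is dominated by two-word .net domains whose halves recur (month, walk, story, weak, after, force, sell, wednesday, face, least in front; hope, left, thirteen, hurry behind), which is the shape of a dictionary-based domain generator rather than a fixed list. The Python below is an added example, not code from the sandbox or from the malware family: it infers the two vocabularies purely from how prefixes and suffixes co-occur in the observed labels (the split scoring and the min_support threshold are my own heuristic) and enumerates the combinations not yet queried, which is what you would put on a watch list. The name-shaped domains (dulcibellamartinson and friends) and the one-off word pairs share no halves with anything else here, so they stay unresolved. Whether the sample's real generator uses exactly these word sets is not something this list can prove.

```python
from collections import Counter
from itertools import product

# Second-level labels transcribed from the DNS list above (".net" stripped).
OBSERVED = """
riddenstorm faceleft storythirteen dulcibellamartinson mariabellabotwright
simonettesherisse decidebetween aloneneighbor gentleangry gwendolynhuddleston
simonettedwerryhouse seasonstrong oftensurprise chiefanother morningduring
wifeabout casestep doubleobject brokenthird mightspecial leastthirteen
facethirteen leasthurry facehurry monthhope walkhope monthleft walkleft
monththirteen walkthirteen monthhurry walkhurry storyhope weakhope storyleft
weakleft weakthirteen storyhurry weakhurry afterhope forcehope afterleft
forceleft afterthirteen forcethirteen afterhurry forcehurry sellhope
wednesdayhope sellleft wednesdayleft sellthirteen wednesdaythirteen
""".split()


def split_words(labels, min_support=2):
    """Split each label into (first, second) at the point where both halves
    recur most across the set. A split is scored by the smaller of: how many
    labels start with that prefix, how many end with that suffix (the label
    itself counts once on each side, so min_support=2 means at least one
    other label shares each half). Labels below the threshold stay unresolved."""
    labels = sorted(set(labels))
    prefixes, suffixes = Counter(), Counter()
    for lab in labels:
        for i in range(1, len(lab)):
            prefixes[lab[:i]] += 1
            suffixes[lab[i:]] += 1
    resolved, unresolved = {}, []
    for lab in labels:
        score, first, second = max(
            ((min(prefixes[lab[:i]], suffixes[lab[i:]]), lab[:i], lab[i:])
             for i in range(1, len(lab))),
            key=lambda c: c[0])
        if score >= min_support:
            resolved[lab] = (first, second)
        else:
            unresolved.append(lab)
    return resolved, unresolved


def vocabularies(resolved):
    """The inferred first-word and second-word lists, sorted."""
    firsts = sorted({a for a, _ in resolved.values()})
    seconds = sorted({b for _, b in resolved.values()})
    return firsts, seconds


def predict_unseen(resolved, tld="net"):
    """Every first+second combination the sample has not yet asked for."""
    firsts, seconds = vocabularies(resolved)
    return sorted(f"{a}{b}.{tld}" for a, b in product(firsts, seconds)
                  if a + b not in resolved)


if __name__ == "__main__":
    resolved, unresolved = split_words(OBSERVED)
    firsts, seconds = vocabularies(resolved)
    print("first words :", " ".join(firsts))
    print("second words:", " ".join(seconds))
    print("unresolved  :", " ".join(unresolved))
    print("not yet seen:", " ".join(predict_unseen(resolved)))
```

On this list the heuristic recovers 10 first words and 4 second words, 35 of the 53 labels resolve, and 5 of the 40 possible combinations never appeared in the capture. Run it on a bigger DNS log and the threshold is the knob: too low and arbitrary substrings such as "kleft" (walkleft, weakleft) start to look like words; two is enough here only because every genuine half occurs at least twice.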

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6163656c 6566742e 6e65740d 0a0d0a0a   aceleft.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7279 74686972 7465656e 2e6e6574   torythirteen.net
0x00000050 (00080)   0d0a0d0a                              ....
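The three beacons in the Raw Pcap above have one fixed shape: HTTP/1.0, Accept: */*, Connection: close, Host, and no User-Agent header at all, which is why the report's User-Agent field is blank. The Python below is an added example and not part of the sandbox's tooling: it re-parses the hexdump exactly as printed above (the column layout "0xOFFSET (DECIMAL)  up to four hex words  ascii" is assumed from these lines), splits the three requests, and applies a few indicators a network signature could key on. The indicator names are my own; the header-order check is the one I would actually deploy, since browsers and most libraries send a User-Agent and do not order headers this way.

```python
import re

# Hexdump copied from the Raw Pcap section of this report: three requests,
# blank-line separated. The second one carries a few stray bytes after the
# header terminator exactly as the sandbox printed them.
RAW_PCAP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6163656c 6566742e 6e65740d 0a0d0a0a   aceleft.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7279 74686972 7465656e 2e6e6574   torythirteen.net
0x00000050 (00080)   0d0a0d0a                              ....
"""

# One dump line: offset, decimal offset in parentheses, then at most four
# hex words (a 16-byte row). Stopping at four keeps the ASCII column out
# even when it happens to contain hex-looking text.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8}(?:\s+|$)){1,4})")


def hexdump_to_bytes(dump: str) -> bytes:
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def split_requests(dump: str) -> list:
    """Each blank-line separated block of the dump is one request."""
    return [hexdump_to_bytes(b) for b in re.split(r"\n\s*\n", dump.strip()) if b.strip()]


def parse_http_request(raw: bytes) -> dict:
    """Minimal request parser: request line, headers (lower-cased names,
    insertion order kept), and whatever follows the first CRLFCRLF."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "header_order": list(headers), "body": body}


def beacon_indicators(req: dict) -> list:
    """Indicator names are mine; each one is visible in the dump above."""
    hits = []
    if req["version"] == "HTTP/1.0":
        hits.append("http-1.0")
    if "user-agent" not in req["headers"]:
        hits.append("no-user-agent")
    if req["path"] == "/index.php" and req["headers"].get("accept") == "*/*":
        hits.append("index.php-wildcard-accept")
    if req["header_order"] == ["accept", "connection", "host"]:
        hits.append("header-order-accept-connection-host")
    return hits


def analyze(dump: str) -> list:
    results = []
    for raw in split_requests(dump):
        req = parse_http_request(raw)
        results.append({"host": req["headers"].get("host"), "version": req["version"],
                        "header_order": req["header_order"],
                        "indicators": beacon_indicators(req)})
    return results


if __name__ == "__main__":
    for r in analyze(RAW_PCAP):
        print(r["host"], r["version"], ",".join(r["indicators"]))
```

Note what the parser tolerates: the second request's trailing bytes after the header terminator end up in "body" rather than breaking the header split, which is the behaviour you want when feeding sandbox dumps that were not cut cleanly at message boundaries.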


Strings