Analysis Date: 2016-02-04 11:06:03
MD5: 8d567c6f26808eb1ab027dc78d661065
SHA1: db4406766b8e2960bf1f5b83cc6fa71329116d30

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4f5037349e32074907ab56cd44101fcf sha1: 98cacff8ccd8e17dadbf029c0787b1f0b8c4b67d size: 265216
Section .rdata: md5: a58bc5459e15c03568a5ebfa54ad8180 sha1: eedf2654e92c801777095601b1ab624b9e1050a7 size: 44032
Section .data: md5: 9b0bb728b38a589676a936113b9ee725 sha1: d240640c0174dae1683b22d68e41bee67a855bb2 size: 2048
Section .reloc: md5: 766b2771c4a715318149241d3ec7620d sha1: a2331260be2d06c31a652730b3fd8a84d93027bd size: 53248
Timestamp: 2015-12-23 04:43:38
Packer: Borland Delphi 3.0 (???)
PEhash: caf0c24d5c185f231dcb17086336513dd930a2b2
IMPhash: 6a60d17a57cd094a50172088f44179c8
AV Fortinet: W32/Bayrob.AQ!tr
AV MicroWorld (escan): Gen:Variant.Kazy.784853
AV F-Secure: Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Mcafee: Trojan-FHPD!8D567C6F2680
AV Ikarus: Trojan.Win32.Bayrob
AV Trend Micro: No Virus
AV Dr. Web: Trojan.DownLoader18.32013
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV Authentium: W32/Nivdort.F.gen!Eldorado
AV Grisoft (avg): Win32/Heur
AV Twister: No Virus
AV BullGuard: Gen:Variant.Razy.11545
AV Zillya!: Trojan.Agent.Win32.622596
AV Frisk (f-prot): W32/Nivdort.F.gen!Eldorado
AV Kaspersky: Trojan.Win32.Agent.netpur
AV CAT (quickheal): No Virus
AV ClamAV: No Virus
AV Eset (nod32): Win32/Bayrob.AQ
AV Alwil (avast): Win32:Malware-gen
AV CA (E-Trust Ino): No Virus
AV BitDefender: Gen:Variant.Razy.11545
AV Emsisoft: Gen:Variant.Razy.11545
AV Symantec: Trojan.Bayrob!gen6
AV K7: Trojan ( 004db0c61 )
AV Ad-Aware: Gen:Variant.Razy.11545
AV Avira (antivir): TR/Crypt.Xpack.440265
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Msgfake
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\wgoauebrz\prggq1lt5znreknngo.exe
Creates File: C:\wgoauebrz\czedirfdfql
Creates File: C:\WINDOWS\wgoauebrz\czedirfdfql
Deletes File: C:\WINDOWS\wgoauebrz\czedirfdfql
Creates Process: C:\wgoauebrz\prggq1lt5znreknngo.exe

Process
↳ C:\wgoauebrz\prggq1lt5znreknngo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Offline Alerts Remote Shell ➝ C:\wgoauebrz\nggpprzxbb.exe
Creates File: C:\wgoauebrz\nggpprzxbb.exe
Creates File: C:\wgoauebrz\zcmpqhlojbz
Creates File: C:\wgoauebrz\czedirfdfql
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\wgoauebrz\czedirfdfql
Deletes File: C:\WINDOWS\wgoauebrz\czedirfdfql
Creates Process: C:\wgoauebrz\nggpprzxbb.exe
Creates Service: Desktop Shadow Quality Link - C:\wgoauebrz\nggpprzxbb.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1136

Process
↳ C:\wgoauebrz\nggpprzxbb.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\wgoauebrz\vp8vbbwwiu
Creates File: C:\wgoauebrz\bsfqntlmb.exe
Creates File: C:\wgoauebrz\zcmpqhlojbz
Creates File: C:\wgoauebrz\czedirfdfql
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\wgoauebrz\czedirfdfql
Deletes File: C:\WINDOWS\wgoauebrz\czedirfdfql
Creates Process: unjzfofgvaq9 "c:\wgoauebrz\nggpprzxbb.exe"

Process
↳ C:\wgoauebrz\nggpprzxbb.exe

Creates File: C:\wgoauebrz\czedirfdfql
Creates File: C:\WINDOWS\wgoauebrz\czedirfdfql
Deletes File: C:\WINDOWS\wgoauebrz\czedirfdfql

Process
↳ unjzfofgvaq9 "c:\wgoauebrz\nggpprzxbb.exe"

Creates File: C:\wgoauebrz\czedirfdfql
Creates File: C:\WINDOWS\wgoauebrz\czedirfdfql
Deletes File: C:\WINDOWS\wgoauebrz\czedirfdfql

Network Details:
