Analysis Date: 2016-02-09 21:13:54
MD5: db7b89bfb391d3bbd204ca79bcf144d0
SHA1: db58d50f56518571a2010e441d6b03062a01abb7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 96d1e3fe684f9a6a35fcdc6e7f05acb5 sha1: a1dbc75e2768bdf1e3689c437d25cba3d29cfd83 size: 185344
Section .rdata: md5: 86f931f317338d2ac9fd50cff13cebd5 sha1: cfa4d055b433d5f2ea3da9e46ddc9d824b3c0fbe size: 2560
Section .data: md5: 14142feae89627fc6d87cc8b14a43c0d sha1: 8c402b9f0c77edf6d5d556fc5ecb1e529c9bb4ff size: 15872
Section .reloc: md5: d5b0d383220c2c1665ede4f7ecda03ec sha1: 4055a13a8896c2fc24903b2da90dad9782080910 size: 30720
Timestamp: 2014-11-04 12:54:03
PEhash: 105b5dfda52c85b375bf18d14819e53c1792bbb3
IMPhash: 323f4a3b536869b5d2c122b09ad37b41
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHQT!DB7B89BFB391
AV Avira (antivir): No Virus
AV Twister: Virus.DAEB@2FF0FAF@2FF0F.mg
AV Ad-Aware: Gen:Variant.Kazy.790778
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.BA
AV Grisoft (avg): Generic37.AKUT
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Kazy.790778
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DE
AV MicroWorld (escan): Gen:Variant.Kazy.790778
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.790778
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.790778
AV Arcabit (arcavir): Gen:Variant.Kazy.790778
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.790778

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\dislddelpztn\xajz1lytb5tkxtnzt.exe
Creates File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates File: C:\dislddelpztn\sr53g5i
Deletes File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates Process: C:\dislddelpztn\xajz1lytb5tkxtnzt.exe

Process
↳ C:\dislddelpztn\xajz1lytb5tkxtnzt.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Launcher Software Connectivity Protected ➝ C:\dislddelpztn\kkbohxb.exe
Creates File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates File: C:\dislddelpztn\bpaxkslfon
Creates File: C:\dislddelpztn\kkbohxb.exe
Creates File: PIPE\lsarpc
Creates File: C:\dislddelpztn\sr53g5i
Deletes File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates Process: C:\dislddelpztn\kkbohxb.exe
Creates Service: Peer Event Net.Tcp Session Audio PnP-X Backup - C:\dislddelpztn\kkbohxb.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1844

Process
↳ Pid 1128

Process
↳ C:\dislddelpztn\kkbohxb.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates File: C:\dislddelpztn\urkcyoelpuf.exe
Creates File: C:\dislddelpztn\bpaxkslfon
Creates File: C:\dislddelpztn\xjijy9the
Creates File: \Device\Afd\Endpoint
Creates File: C:\dislddelpztn\sr53g5i
Deletes File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates Process: nbvfytvxctce "c:\dislddelpztn\kkbohxb.exe"

Process
↳ C:\dislddelpztn\kkbohxb.exe

Creates File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates File: C:\dislddelpztn\sr53g5i
Deletes File: C:\WINDOWS\dislddelpztn\sr53g5i

Process
↳ nbvfytvxctce "c:\dislddelpztn\kkbohxb.exe"

Creates File: C:\WINDOWS\dislddelpztn\sr53g5i
Creates File: C:\dislddelpztn\sr53g5i
Deletes File: C:\WINDOWS\dislddelpztn\sr53g5i

Network Details:

