Analysis Date: 2016-02-02 08:59:51
MD5: 5de5e90aa71f5bf478ed9fd31d5ffbca
SHA1: e4e09bf49cddf69fdd66594fb9dcd81f5bc7874e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b8f2ecbd9c420893084a6aaf257f76ab sha1: 9f1ed98b1fd9cf7348c61bb145f35ef731f9b71d size: 265216
Section .rdata: md5: b025f74a1dcb50500720a84337264d69 sha1: 852ba6829d1d998861383d20c4ec26c66b928517 size: 39424
Section .data: md5: cf341be25fa2f7c962792db05a0dced5 sha1: 98b6bd2537715aa368ab348931164aadb86f00cd size: 2048
Section .reloc: md5: 4019fe3b987415786e05d70c842367ce sha1: e6b1b05c46c9c6bf3c4ef2e24c75b9edcbacb1bc size: 51712
Timestamp: 2015-12-23 04:09:42
Packer: Borland Delphi 3.0 (???)
PEhash: b86579d7b0bf8c2c3eb6f90238e64a608ff99878
IMPhash: df03344c600758addda7b4b57e6626db
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV Rising: No Virus
AV McAfee: Trojan-FHPD!5DE5E90AA71F
AV Avira (antivir): TR/Crypt.Xpack.388877
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.11545
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AQ
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.11545
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.F.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.11545
AV Frisk (f-prot): W32/Nivdort.F.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Msgfake
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.11545
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.46101
AV F-Secure: Gen:Variant.Razy.11545

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\kfmpsmai\ko1kfoyisbgqokwemw.exe
Creates File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates File: C:\kfmpsmai\sxyxziqch
Deletes File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates Process: C:\kfmpsmai\ko1kfoyisbgqokwemw.exe

Process
↳ C:\kfmpsmai\ko1kfoyisbgqokwemw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Profile SNMP Reporting Topology ➝ C:\kfmpsmai\oxollmsmu.exe
Creates File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates File: C:\kfmpsmai\oxollmsmu.exe
Creates File: PIPE\lsarpc
Creates File: C:\kfmpsmai\jen6mxnq
Creates File: C:\kfmpsmai\sxyxziqch
Deletes File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates Process: C:\kfmpsmai\oxollmsmu.exe
Creates Service: Studio Problem Web File User Service Enumerator - C:\kfmpsmai\oxollmsmu.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1136

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1172

Process
↳ C:\kfmpsmai\oxollmsmu.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates File: C:\kfmpsmai\uddyjpt9xe6w
Creates File: C:\kfmpsmai\hdemfqlgpgrf.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\kfmpsmai\jen6mxnq
Creates File: C:\kfmpsmai\sxyxziqch
Deletes File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates Process: gnqdxoimloyo "c:\kfmpsmai\oxollmsmu.exe"

Process
↳ C:\kfmpsmai\oxollmsmu.exe

Creates File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates File: C:\kfmpsmai\sxyxziqch
Deletes File: C:\WINDOWS\kfmpsmai\sxyxziqch

Process
↳ gnqdxoimloyo "c:\kfmpsmai\oxollmsmu.exe"

Creates File: C:\WINDOWS\kfmpsmai\sxyxziqch
Creates File: C:\kfmpsmai\sxyxziqch
Deletes File: C:\WINDOWS\kfmpsmai\sxyxziqch

Network Details:

