Analysis Date | 2016-02-23 00:12:40 |
---|---|
MD5 | f14592616682ea11fd433a7bd629aed9 |
SHA1 | e75baf6bff67709c01af844bed1867824e7b1b22 |
Static Details:

File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
---|---|
Timestamp | 2016-01-06 16:45:50 |
PEhash | 61d586d7e362725919bd3581c0622335b4374b23 |
IMPhash | 9cd11555e734dd5da01c573ef6d96b03 |

Section | MD5 | SHA1 | Size (bytes) |
---|---|---|---|
.text | 599f62c1d3bbcd7d2d5109182ea29f66 | d3feb5bb52a24d7e47850b6398642669246d4833 | 189440 |
.rdata | 9d3102629021f3f6e34000eaadb7c3bd | 3957071148da8565cdc066576ac41086c034ce5a | 18432 |
.data | 07b5472d347d42780469fb2654b7fc54 | 943ae54f4818e52409fbbaf60ffd71318d966b0d | 512 |
.reloc | 8da23321f05a057056327ed7a12ca8a5 | 4e8e2f03beb9e6d297f404078cb1e6f51e590e55 | 30720 |
AV Vendor | Detection |
---|---|
CA (E-Trust Ino) | Gen:Variant.Razy.12226 |
Rising | No Virus |
Mcafee | Trojan-FHPX!F14592616682 |
Avira (antivir) | TR/AD.Nivdort.Y.11526 |
Twister | No Virus |
Ad-Aware | Gen:Variant.Razy.12226 |
Alwil (avast) | Win32:Malware-gen |
Eset (nod32) | Win32/Bayrob.AT.gen |
Grisoft (avg) | Win32/Heur |
Symantec | Trojan.Bayrob!gen6 |
Fortinet | W32/Bayrob.AQ!tr |
BitDefender | Gen:Variant.Razy.12226 |
K7 | Trojan ( 004db0c61 ) |
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!rfn |
MicroWorld (escan) | Gen:Variant.Razy.12226 |
MalwareBytes | No Virus |
Authentium | W32/Nivdort.G.gen!Eldorado |
Emsisoft | Gen:Variant.Razy.12226 |
Frisk (f-prot) | W32/Nivdort.G.gen!Eldorado |
Ikarus | Trojan.Win32.Bayrob |
Zillya! | No Virus |
Kaspersky | Trojan.Win32.Generic |
Trend Micro | No Virus |
VirusBlokAda (vba32) | No Virus |
CAT (quickheal) | TrojanSpy.Nivdort.WR4 |
BullGuard | Gen:Variant.Razy.12226 |
Arcabit (arcavir) | Gen:Variant.Razy.12226 |
ClamAV | No Virus |
Dr. Web | No Virus |
F-Secure | Gen:Variant.Razy.12226 |
Runtime Details:
Process
↳ C:\malware.exe

Action | Target |
---|---|
Creates File | C:\zkqiukopljc\xgs8ijs |
Creates File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Creates File | C:\zkqiukopljc\ifd1kaheid1nkwhog.exe |
Deletes File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Creates Process | C:\zkqiukopljc\ifd1kaheid1nkwhog.exe |

Process
↳ C:\zkqiukopljc\ifd1kaheid1nkwhog.exe

Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Alerts Encrypting Receiver Biometric Framework ➝ C:\zkqiukopljc\yxwfbkkpe.exe |
Creates File | C:\zkqiukopljc\yxwfbkkpe.exe |
Creates File | C:\zkqiukopljc\xgs8ijs |
Creates File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Creates File | PIPE\lsarpc |
Creates File | C:\zkqiukopljc\gv2uky7r |
Deletes File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Creates Process | C:\zkqiukopljc\yxwfbkkpe.exe |
Creates Service | Volume Link-Layer Quality Information Shadow - C:\zkqiukopljc\yxwfbkkpe.exe |

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 844

Process
↳ C:\WINDOWS\System32\svchost.exe

Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |

Process
↳ Pid 1868

Process
↳ Pid 1164

Process
↳ C:\zkqiukopljc\yxwfbkkpe.exe

Action | Target |
---|---|
Creates File | C:\zkqiukopljc\xgs8ijs |
Creates File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\zkqiukopljc\gv2uky7r |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\zkqiukopljc\lnwfgbhua.exe |
Creates File | C:\zkqiukopljc\r9h1ahdvldw |
Deletes File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Creates Process | hsqfwgop8xru "c:\zkqiukopljc\yxwfbkkpe.exe" |

Process
↳ C:\zkqiukopljc\yxwfbkkpe.exe

Action | Target |
---|---|
Creates File | C:\zkqiukopljc\xgs8ijs |
Creates File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Deletes File | C:\WINDOWS\zkqiukopljc\xgs8ijs |

Process
↳ hsqfwgop8xru "c:\zkqiukopljc\yxwfbkkpe.exe"

Action | Target |
---|---|
Creates File | C:\zkqiukopljc\xgs8ijs |
Creates File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Deletes File | C:\WINDOWS\zkqiukopljc\xgs8ijs |
Network Details:
Raw Pcap

```
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m
0x00000040 (00064) 61636869 6e65636f 6e74726f 6c2e6e65 achinecontrol.ne
0x00000050 (00080) 740d0a0d 0a                         t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 6f726569 676e636f 6e74726f 6c2e6e65 oreigncontrol.ne
0x00000050 (00080) 740d0a0d 0a                         t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2072 : close..Host: r
0x00000040 (00064) 69676874 746f6765 74686572 2e6e6574 ighttogether.net
0x00000050 (00080) 0d0a0d0a 0a                         .....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 69677572 656d6174 7465722e 6e65740d igurematter.net.
0x00000050 (00080) 0a0d0a0a 0a                         .....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 69677572 65746f67 65746865 722e6e65 iguretogether.ne
0x00000050 (00080) 740d0a0d 0a                         t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 68696c64 72656e6d 61747465 722e6e65 hildrenmatter.ne
0x00000050 (00080) 740d0a0d 0a                         t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 616d696c 79746f67 65746865 722e6e65 amilytogether.ne
0x00000050 (00080) 740d0a0d 0a                         t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2063 : close..Host: c
0x00000040 (00064) 69676172 65747465 6170706c 652e6e65 igaretteapple.ne
0x00000050 (00080) 740d0a0d 0a                         t....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 616d696c 79617070 6c652e6e 65740d0a amilyapple.net..
0x00000050 (00080) 0d0a0a0d 0a                         .....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2065 : close..Host: e
0x00000040 (00064) 6e676c69 73686661 74686572 2e6e6574 nglishfather.net
0x00000050 (00080) 0d0a0d0a 0a                         .....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e  */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 6572736f 6e6d6561 73757265 2e6e6574 ersonmeasure.net
0x00000050 (00080) 0d0a0d0a 0a                         .....
```
Strings