Analysis Date: 2015-10-08 20:36:36
MD5: 2e808d8bae21329adf4513168980343d
SHA1: eb2c8ad24028ddf0298aafeebaf177f975a7b8f2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3a4dd57a59aee808155163f7d314b77e  sha1: 71688706ead37aa35508231e7f20eb08be4db9f7  size: 198144
Section .rdata  md5: e2b1cf3f705f44f7ce7402a855e566b4  sha1: ffbcc42420dad8d10d7775d68e0298f4c15ca763  size: 52224
Section .data   md5: 1a99ff662ebd896419ad52dbb3a19e77  sha1: 73eab9e5732c3e29340b3c9f864d1401a5d99ef6  size: 7168
Section .reloc  md5: 277082d4ed93ca5d55fa71ef43c39cb0  sha1: cb2ec6e7c6c0ec9540863e59d81aa2f10811910b  size: 14336
Timestamp: 2015-04-29 18:43:39
Packer: Microsoft Visual C++ 8 (a compiler signature, not a packer)
PEhash: 33a5d8c4028eefb6b0d3261c7aea999d15ded970
IMPhash: e96040f10f7c3838e9ff3428c8d45bb5
AV Emsisoft: Gen:Variant.Kazy.604861
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Avira (antivir): TR/Kryptik.qgmpd
AV Ikarus: Trojan.Win32.Bayrob
AV F-Secure: Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV BitDefender: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Mcafee: Trojan-FGIJ!2E808D8BAE21
AV Rising: Trojan.Win32.Bayrod.a
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: Trojan.Bayrob.1
AV Alwil (avast): VB-AJEW [Trj]
AV Fortinet: W32/Generic.AC.215362
AV MalwareBytes: Trojan.Agent.KVTGen
AV K7: Trojan ( 004c12491 )
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: no_virus
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV CA (E-Trust Ino): no_virus
AV Eset (nod32): Win32/Bayrob.Q
AV Symantec: Downloader.Upatre!g15
AV Zillya!: no_virus
AV Authentium: W32/Scar.R.gen!Eldorado

Summary: 24 of 31 engines flag the file. The family names given are Nivdort (Microsoft Security Essentials, CAT quickheal) and Bayrob (Ikarus, Dr. Web, Eset; Rising spells it Bayrod); the remaining detections are generic or heuristic (Kazy, Kryptik, Cryptor, Generic).

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\nrqabxtqmsbx\aj1lbsegtuawj01hd.exe
Creates File: C:\nrqabxtqmsbx\wfnnek
Creates File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Deletes File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Creates Process: C:\nrqabxtqmsbx\aj1lbsegtuawj01hd.exe

Process
↳ C:\nrqabxtqmsbx\aj1lbsegtuawj01hd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WMI Adaptive AutoConnect Service ➝ C:\nrqabxtqmsbx\poykldqwtqq.exe
Creates File: C:\nrqabxtqmsbx\wfnnek
Creates File: C:\nrqabxtqmsbx\poykldqwtqq.exe
Creates File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Creates File: PIPE\lsarpc
Creates File: C:\nrqabxtqmsbx\pouu51v6au
Deletes File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Creates Process: C:\nrqabxtqmsbx\poykldqwtqq.exe
Creates Service: Windows Transaction Server Block Files - C:\nrqabxtqmsbx\poykldqwtqq.exe
(Both the Run value name and the service name are chosen to look like Windows components; neither is one. The randomly named directory C:\nrqabxtqmsbx, the Run value and the service are the persistence footprint to hunt for.)

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ C:\nrqabxtqmsbx\poykldqwtqq.exe

Creates File: C:\nrqabxtqmsbx\wfnnek
Creates File: pipe\net\NtControlPipe10
Creates File: C:\nrqabxtqmsbx\gknbic
Creates File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Creates File: C:\nrqabxtqmsbx\pouu51v6au
Creates File: \Device\Afd\Endpoint
Creates File: C:\nrqabxtqmsbx\ihkefbkjqna.exe
Deletes File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Creates Process: obwyrxvulxke "c:\nrqabxtqmsbx\poykldqwtqq.exe"

Process
↳ C:\nrqabxtqmsbx\poykldqwtqq.exe

Creates File: C:\nrqabxtqmsbx\wfnnek
Creates File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Deletes File: C:\WINDOWS\nrqabxtqmsbx\wfnnek

Process
↳ obwyrxvulxke "c:\nrqabxtqmsbx\poykldqwtqq.exe"

Creates File: C:\nrqabxtqmsbx\wfnnek
Creates File: C:\WINDOWS\nrqabxtqmsbx\wfnnek
Deletes File: C:\WINDOWS\nrqabxtqmsbx\wfnnek

Network Details:

DNS queries, all type A (names marked "no answer" returned no address in the capture):
DNS chieffurther.net (A) ➝ 195.22.26.231
DNS chieffurther.net (A) ➝ 195.22.26.252
DNS chieffurther.net (A) ➝ 195.22.26.253
DNS chieffurther.net (A) ➝ 195.22.26.254
DNS collegecover.net (A) ➝ 93.115.38.30
DNS collegecompany.net (A) ➝ 208.91.197.27
DNS alonefurther.net (A) ➝ 72.52.4.90
DNS ratherbecome.net (A) ➝ 208.100.26.234
DNS strangecompany.net (A) ➝ 198.71.232.3
DNS historycompany.net (A) ➝ 184.168.221.47
DNS amountbecome.net (A) ➝ 72.52.4.90
DNS weathercompany.net (A) ➝ 213.131.64.60
DNS classcover.net (A) ➝ 104.28.10.78
DNS classcover.net (A) ➝ 104.28.11.78
DNS alonefinger.net (A) ➝ 72.52.4.90
DNS melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS collegefurther.net (A) ➝ no answer
DNS chiefcover.net (A) ➝ no answer
DNS chiefbecome.net (A) ➝ no answer
DNS collegebecome.net (A) ➝ no answer
DNS chiefcompany.net (A) ➝ no answer
DNS oftenfurther.net (A) ➝ no answer
DNS oftencover.net (A) ➝ no answer
DNS alonecover.net (A) ➝ no answer
DNS oftenbecome.net (A) ➝ no answer
DNS alonebecome.net (A) ➝ no answer
DNS oftencompany.net (A) ➝ no answer
DNS alonecompany.net (A) ➝ no answer
DNS middlefurther.net (A) ➝ no answer
DNS twelvefurther.net (A) ➝ no answer
DNS middlecover.net (A) ➝ no answer
DNS twelvecover.net (A) ➝ no answer
DNS middlebecome.net (A) ➝ no answer
DNS twelvebecome.net (A) ➝ no answer
DNS middlecompany.net (A) ➝ no answer
DNS twelvecompany.net (A) ➝ no answer
DNS ratherfurther.net (A) ➝ no answer
DNS morningfurther.net (A) ➝ no answer
DNS rathercover.net (A) ➝ no answer
DNS morningcover.net (A) ➝ no answer
DNS morningbecome.net (A) ➝ no answer
DNS rathercompany.net (A) ➝ no answer
DNS morningcompany.net (A) ➝ no answer
DNS strangefurther.net (A) ➝ no answer
DNS historyfurther.net (A) ➝ no answer
DNS strangecover.net (A) ➝ no answer
DNS historycover.net (A) ➝ no answer
DNS strangebecome.net (A) ➝ no answer
DNS historybecome.net (A) ➝ no answer
DNS amountfurther.net (A) ➝ no answer
DNS weatherfurther.net (A) ➝ no answer
DNS amountcover.net (A) ➝ no answer
DNS weathercover.net (A) ➝ no answer
DNS weatherbecome.net (A) ➝ no answer
DNS amountcompany.net (A) ➝ no answer
DNS thickfurther.net (A) ➝ no answer
DNS classfurther.net (A) ➝ no answer
DNS thickcover.net (A) ➝ no answer
DNS thickbecome.net (A) ➝ no answer
DNS classbecome.net (A) ➝ no answer
DNS thickcompany.net (A) ➝ no answer
DNS classcompany.net (A) ➝ no answer
DNS thinkuntil.net (A) ➝ no answer
DNS presentuntil.net (A) ➝ no answer
DNS thinkabove.net (A) ➝ no answer
DNS presentabove.net (A) ➝ no answer
DNS thinkshoulder.net (A) ➝ no answer
DNS presentshoulder.net (A) ➝ no answer
DNS thinkfinger.net (A) ➝ no answer
DNS presentfinger.net (A) ➝ no answer
DNS chiefuntil.net (A) ➝ no answer
DNS collegeuntil.net (A) ➝ no answer
DNS chiefabove.net (A) ➝ no answer
DNS collegeabove.net (A) ➝ no answer
DNS chiefshoulder.net (A) ➝ no answer
DNS collegeshoulder.net (A) ➝ no answer
DNS chieffinger.net (A) ➝ no answer
DNS collegefinger.net (A) ➝ no answer
DNS oftenuntil.net (A) ➝ no answer
DNS aloneuntil.net (A) ➝ no answer
DNS oftenabove.net (A) ➝ no answer
DNS aloneabove.net (A) ➝ no answer
DNS oftenshoulder.net (A) ➝ no answer
DNS aloneshoulder.net (A) ➝ no answer
DNS oftenfinger.net (A) ➝ no answer
DNS middleuntil.net (A) ➝ no answer
DNS twelveuntil.net (A) ➝ no answer
DNS middleabove.net (A) ➝ no answer
DNS twelveabove.net (A) ➝ no answer
DNS middleshoulder.net (A) ➝ no answer
HTTP requests (identical apart from the Host header; none carries a User-Agent header, see Raw Pcap):
HTTP GET http://chieffurther.net/index.php
HTTP GET http://collegecover.net/index.php
HTTP GET http://collegecompany.net/index.php
HTTP GET http://alonefurther.net/index.php
HTTP GET http://ratherbecome.net/index.php
HTTP GET http://strangecompany.net/index.php
HTTP GET http://historycompany.net/index.php
HTTP GET http://amountbecome.net/index.php
HTTP GET http://weathercompany.net/index.php
HTTP GET http://classcover.net/index.php
HTTP GET http://alonefinger.net/index.php
HTTP GET http://middleshoulder.net/index.php
Flows TCP 192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP 192.168.1.1:1032 ➝ 93.115.38.30:80
Flows TCP 192.168.1.1:1033 ➝ 208.91.197.27:80
Flows TCP 192.168.1.1:1034 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1036 ➝ 198.71.232.3:80
Flows TCP 192.168.1.1:1037 ➝ 184.168.221.47:80
Flows TCP 192.168.1.1:1038 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1039 ➝ 213.131.64.60:80
Flows TCP 192.168.1.1:1040 ➝ 104.28.10.78:80
Flows TCP 192.168.1.1:1041 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1042 ➝ 8.5.1.16:80
(The twelve flows line up one-to-one, in order, with the twelve GET requests above, which places the middleshoulder.net request on the flow to 8.5.1.16, the address of melbourneit.hotkeysparking.com; no A record for middleshoulder.net itself is listed. Three of the twelve flows go to 72.52.4.90, which answered for alonefurther.net, amountbecome.net and alonefinger.net.)
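The queried names above share one structure: two English words joined, .net TLD, and most of them unanswered, which is the signature of a dictionary-based domain generation algorithm. The following is an added example, not part of the sandbox report and not the sample's own code: it infers the two word lists from the queried names alone (the general case of any two-word concatenation DGA, not only this sample's lists), flags names that do not fit the scheme, counts unanswered queries and lists answers shared by several names. The name list is transcribed from the DNS section (unresolved names are a subset, repeated A records collapsed); the scoring heuristic and every function name are this example's own.

```python
"""Dictionary-DGA structure check over the DNS names recorded in this report.

Added example, not part of the sandbox output: the name list is transcribed from
the Network Details section (unresolved names are a subset, repeated A records
collapsed); the scoring heuristic and all names in this file are the example's own.
"""
from collections import Counter

# (queried name, A record) as recorded above; None = no answer recorded.
DNS_OBSERVATIONS = [
    ("chieffurther.net", "195.22.26.231"), ("collegecover.net", "93.115.38.30"),
    ("collegecompany.net", "208.91.197.27"), ("alonefurther.net", "72.52.4.90"),
    ("ratherbecome.net", "208.100.26.234"), ("strangecompany.net", "198.71.232.3"),
    ("historycompany.net", "184.168.221.47"), ("amountbecome.net", "72.52.4.90"),
    ("weathercompany.net", "213.131.64.60"), ("classcover.net", "104.28.10.78"),
    ("alonefinger.net", "72.52.4.90"), ("melbourneit.hotkeysparking.com", "8.5.1.16"),
    ("collegefurther.net", None), ("chiefcover.net", None), ("chiefbecome.net", None),
    ("collegebecome.net", None), ("chiefcompany.net", None), ("oftenfurther.net", None),
    ("oftencover.net", None), ("alonecover.net", None), ("middlefurther.net", None),
    ("twelvefurther.net", None), ("middlecover.net", None), ("twelvecover.net", None),
    ("morningcover.net", None), ("morningbecome.net", None), ("rathercompany.net", None),
    ("strangefurther.net", None), ("historycover.net", None), ("amountfurther.net", None),
    ("weathercover.net", None), ("thickfurther.net", None), ("thickcover.net", None),
    ("classfurther.net", None), ("thinkuntil.net", None), ("presentuntil.net", None),
    ("thinkabove.net", None), ("presentabove.net", None), ("thinkshoulder.net", None),
    ("presentshoulder.net", None), ("chieffinger.net", None), ("middleshoulder.net", None),
]
MIN_PART = 3  # shortest half accepted when cutting a label into two words


def registrable_label(name):
    """Second-level label: 'chieffurther' for 'chieffurther.net'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def candidate_splits(label):
    """Every (prefix, suffix) cut of a label with both halves at least MIN_PART long."""
    return [(label[:i], label[i:]) for i in range(MIN_PART, len(label) - MIN_PART + 1)]


def best_splits(labels):
    """Cut each label into (prefix, suffix) so the halves form a small shared vocabulary.

    A dictionary DGA joins words from two short lists, so the right cut is the one
    whose halves recur in other labels ('further' occurs in ten labels, the mis-cut
    'ffurther' in one). A cut scores (min, product) of its halves' recurrence counts;
    a label with no cut whose halves both recur is not part of the scheme (None).
    """
    labels = list(dict.fromkeys(labels))
    pc, sc = Counter(), Counter()
    for label in labels:
        cuts = candidate_splits(label)
        pc.update({p for p, _ in cuts})
        sc.update({s for _, s in cuts})
    chosen, tied = {}, {}
    for label in labels:
        scored = sorted(((min(pc[p], sc[s]), pc[p] * sc[s], p, s)
                         for p, s in candidate_splits(label)), reverse=True)
        if not scored or scored[0][0] < 2:
            chosen[label] = None
            continue
        top = [(p, s) for m, prod, p, s in scored if (m, prod) == scored[0][:2]]
        if len(top) == 1:
            chosen[label] = top[0]
        else:
            tied[label] = top
    # An exact tie (weather|cover vs weatherc|over: both halves recur equally often
    # because every 'weather' label continues with 'c') is settled by the words the
    # unambiguous labels already use, which approximates the smallest vocabulary.
    cp = Counter(cut[0] for cut in chosen.values() if cut)
    cs = Counter(cut[1] for cut in chosen.values() if cut)
    for label, options in tied.items():
        chosen[label] = max(options, key=lambda cut: cp[cut[0]] + cs[cut[1]])
    return chosen


def analyse(observations):
    """Vocabulary, names outside the scheme, unanswered count and shared answers."""
    cuts = best_splits([registrable_label(n) for n, _ in observations])
    prefixes, suffixes, dga_like, other, by_ip = set(), set(), [], [], {}
    for name, addr in observations:
        cut = cuts[registrable_label(name)]
        if cut is None:
            other.append(name)
        else:
            prefixes.add(cut[0]); suffixes.add(cut[1]); dga_like.append(name)
        if addr:
            by_ip.setdefault(addr, []).append(name)
    return {"prefixes": sorted(prefixes), "suffixes": sorted(suffixes),
            "dga_like": dga_like, "other": other,
            "unresolved": sum(1 for _, a in observations if a is None),
            "shared_ips": {ip: n for ip, n in by_ip.items() if len(n) > 1}}


if __name__ == "__main__":
    s = analyse(DNS_OBSERVATIONS)
    print(len(s["prefixes"]), "prefix words:", " ".join(s["prefixes"]))
    print(len(s["suffixes"]), "suffix words:", " ".join(s["suffixes"]))
    print("outside the scheme:", s["other"], "| unanswered:", s["unresolved"])
    print("answers shared by several names:", s["shared_ips"])
```

On the transcribed list the inferred vocabulary is 16 prefix words and 8 suffix words, melbourneit.hotkeysparking.com is the only name outside the scheme, and 72.52.4.90 is the one address answering for several names. Both halves must recur for a cut to count, so a single unknown name built from one known word (or a benign label such as "discover") is not pulled into the scheme; loosen that only if the word lists are already trusted.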

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696566 66757274 6865722e 6e65740d   hieffurther.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6f6c6c65 6765636f 7665722e 6e65740d   ollegecover.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6f6c6c65 6765636f 6d70616e 792e6e65   ollegecompany.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6c6f6e65 66757274 6865722e 6e65740d   lonefurther.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   61746865 72626563 6f6d652e 6e65740d   atherbecome.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   7472616e 6765636f 6d70616e 792e6e65   trangecompany.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2068   : close..Host: h
0x00000040 (00064)   6973746f 7279636f 6d70616e 792e6e65   istorycompany.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6d6f756e 74626563 6f6d652e 6e65740d   mountbecome.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   65617468 6572636f 6d70616e 792e6e65   eathercompany.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6c617373 636f7665 722e6e65 740d0a0d   lasscover.net...
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6c6f6e65 66696e67 65722e6e 65740d0a   lonefinger.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6964646c 6573686f 756c6465 722e6e65   iddleshoulder.ne
0x00000050 (00080)   740d0a0d 0a                           t....
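Every request in the dumps above has the same shape: "GET /index.php HTTP/1.0", then exactly "Accept: */*", "Connection: close" and "Host" in that order, no User-Agent, and in several cases stray CR/LF bytes after the header terminator (alonefurther.net, classcover.net and alonefinger.net). The following is an added example, not part of the sandbox report and not the sample's own code: it turns the sandbox hex-dump format back into bytes (checking that each line's offset follows the bytes already recovered), parses the request, and applies that request shape as a fingerprint while keeping any trailing bytes visible. The two dumps are transcribed from above; the browser-like request is constructed for contrast; all function names are the example's own.

```python
"""Rebuild HTTP requests from the sandbox hex dumps and fingerprint the beacon shape.

Added example, not part of the sandbox output. The two dumps are transcribed from
the Raw Pcap section; BENIGN_REQUEST is constructed for contrast.
"""
import re

DUMP_CHIEFFURTHER = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696566 66757274 6865722e 6e65740d   hieffurther.net.
0x00000050 (00080)   0a0d0a                                ...
"""

DUMP_ALONEFINGER = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6c6f6e65 66696e67 65722e6e 65740d0a   lonefinger.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....
"""

# Constructed for contrast: same path, but the shape a browser would send.
BENIGN_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: close\r\n\r\n")

# "0x<hex offset> (<decimal offset>)   <hex words>   <ascii column>"
DUMP_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+)\s+\((\d+)\)\s+(.*\S)\s*$")


def hexdump_to_bytes(dump):
    """Rebuild the byte stream from the dump; only the hex column is used.

    Each line's offset must equal the number of bytes recovered so far, so a
    dropped or duplicated line raises instead of silently shifting the stream.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # blank or non-dump line
        if int(m.group(1), 16) != int(m.group(2)) or int(m.group(2)) != len(out):
            raise ValueError(f"offset {m.group(2)} does not follow {len(out)} bytes")
        # Hex words are separated by single spaces; the ASCII column by two or more.
        hex_field = re.split(r"\s{2,}", m.group(3), maxsplit=1)[0]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def parse_request(raw):
    """Request line, ordered headers, and whatever follows the header terminator."""
    head, _, trailing = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "trailing": trailing}


def is_beacon_shape(req):
    """The request shape seen in every flow of this capture: HTTP/1.0 GET /index.php
    with exactly Accept: */*, Connection: close and Host, in that order, no User-Agent."""
    hdrs = dict(req["headers"])
    return (req["method"] == "GET" and req["target"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and [n for n, _ in req["headers"]] == ["accept", "connection", "host"]
            and hdrs["accept"] == "*/*" and hdrs["connection"] == "close")


if __name__ == "__main__":
    for dump in (DUMP_CHIEFFURTHER, DUMP_ALONEFINGER):
        req = parse_request(hexdump_to_bytes(dump))
        print(dict(req["headers"])["host"], "beacon shape:", is_beacon_shape(req),
              "trailing bytes:", req["trailing"])
    print("browser-like request beacon shape:", is_beacon_shape(parse_request(BENIGN_REQUEST)))
```

The fingerprint deliberately includes header order and the absence of a User-Agent, because the request carries nothing else to key on; that makes it precise for this capture and brittle against a client update, so treat it as one signal beside the DNS behaviour rather than on its own. The trailing-bytes field is where the extra CR/LF seen in the alonefinger.net dump shows up.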


Strings