Analysis Date: 2016-03-08 16:03:55
MD5: 642ae12fab9e48c6c17b7f1c002a96c2
SHA1: ef977d63bce0640aeec4bee42f2eab46adcaba8a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: f7f8fce8c1aafe80ae7956be9d4c510b  sha1: 1c7b740418e8a9ff1a83bddab0fe6794f9fb4fb1  size: 188928
Section .rdata  md5: acdb0da511f45b6b4e80022259a0b1a9  sha1: 2e17fe33038afd017c1f38923a96b18c6a654f26  size: 18432
Section .data   md5: 07b5472d347d42780469fb2654b7fc54  sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d  size: 512
Section .reloc  md5: 493c9d536ed9b1d9232c50255f15ee52  sha1: 2fae860cf104ad94ce899b08928a0b6b563e41d9  size: 30208
Timestamp: 2016-01-06 11:29:49
PEhash: 9d3350d0feae93320217c059e19cae56eb0249af
IMPhash: 445de86b51073d1692c6e6a519a4e411
AV CA (E-Trust Ino): Gen:Variant.Razy.12226
AV Rising: No Virus
AV Mcafee: Trojan-FHPX!642AE12FAB9E
AV Avira (antivir): TR/Nivdort.A.37591
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.12226
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.12226
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV MalwareBytes: No Virus
AV Authentium: W32/BayRob.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.12226
AV Frisk (f-prot): W32/BayRob.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.12226
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Razy.12226

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\umiltalxjowgxc\k6zruwvhed
Creates File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Creates File: C:\umiltalxjowgxc\hjgwo1l03d9mmulqrhsl.exe
Deletes File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Creates Process: C:\umiltalxjowgxc\hjgwo1l03d9mmulqrhsl.exe

Process
↳ C:\umiltalxjowgxc\hjgwo1l03d9mmulqrhsl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Client Solutions PC Enumerator ➝ C:\umiltalxjowgxc\polozet.exe
Creates File: C:\umiltalxjowgxc\polozet.exe
Creates File: PIPE\lsarpc
Creates File: C:\umiltalxjowgxc\xwwiaupqr
Creates File: C:\umiltalxjowgxc\k6zruwvhed
Creates File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Deletes File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Creates Process: C:\umiltalxjowgxc\polozet.exe
Creates Service: Cryptographic BitLocker Control Topology - C:\umiltalxjowgxc\polozet.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1176

Process
↳ C:\umiltalxjowgxc\polozet.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\umiltalxjowgxc\ogob7xfjdp5g
Creates File: \Device\Afd\Endpoint
Creates File: C:\umiltalxjowgxc\pyolarbzyzfo.exe
Creates File: C:\umiltalxjowgxc\xwwiaupqr
Creates File: C:\umiltalxjowgxc\k6zruwvhed
Creates File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Deletes File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Creates Process: zanwcotzpyng "c:\umiltalxjowgxc\polozet.exe"

Process
↳ C:\umiltalxjowgxc\polozet.exe

Creates File: C:\umiltalxjowgxc\k6zruwvhed
Creates File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Deletes File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed

Process
↳ zanwcotzpyng "c:\umiltalxjowgxc\polozet.exe"

Creates File: C:\umiltalxjowgxc\k6zruwvhed
Creates File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed
Deletes File: C:\WINDOWS\umiltalxjowgxc\k6zruwvhed

Network Details:

DNS: finishperiod.net  Type: A ➝ 23.235.214.94
DNS: probablyalthough.net  Type: A ➝ 208.100.26.234
DNS: buildingalmost.net  Type: A ➝ 208.100.26.234
DNS: buildingvalue.net  Type: A ➝ 50.63.202.2
DNS: outsidechance.net  Type: A ➝ 172.99.81.162
DNS: outsideunderstood.net  Type: A ➝ 5.2.189.251
DNS: buildingtwenty.net  Type: A ➝ 66.6.44.4
DNS: subjectalthough.net  Type: A
DNS: winterperiod.net  Type: A
DNS: subjectperiod.net  Type: A
DNS: winterhowever.net  Type: A
DNS: subjecthowever.net  Type: A
DNS: finishchoose.net  Type: A
DNS: leavechoose.net  Type: A
DNS: finishalthough.net  Type: A
DNS: leavealthough.net  Type: A
DNS: leaveperiod.net  Type: A
DNS: finishhowever.net  Type: A
DNS: leavehowever.net  Type: A
DNS: sweetchoose.net  Type: A
DNS: probablychoose.net  Type: A
DNS: sweetalthough.net  Type: A
DNS: sweetperiod.net  Type: A
DNS: probablyperiod.net  Type: A
DNS: sweethowever.net  Type: A
DNS: probablyhowever.net  Type: A
DNS: severalchoose.net  Type: A
DNS: materialchoose.net  Type: A
DNS: severalalthough.net  Type: A
DNS: materialalthough.net  Type: A
DNS: severalperiod.net  Type: A
DNS: materialperiod.net  Type: A
DNS: severalhowever.net  Type: A
DNS: materialhowever.net  Type: A
DNS: severasingle.net  Type: A
DNS: laughsingle.net  Type: A
DNS: severacharge.net  Type: A
DNS: laughcharge.net  Type: A
DNS: severadifference.net  Type: A
DNS: laughdifference.net  Type: A
DNS: severaevery.net  Type: A
DNS: laughevery.net  Type: A
DNS: simplesingle.net  Type: A
DNS: mothersingle.net  Type: A
DNS: simplecharge.net  Type: A
DNS: mothercharge.net  Type: A
DNS: simpledifference.net  Type: A
DNS: motherdifference.net  Type: A
DNS: simpleevery.net  Type: A
DNS: motherevery.net  Type: A
DNS: mountainsingle.net  Type: A
DNS: possiblesingle.net  Type: A
DNS: mountaincharge.net  Type: A
DNS: possiblecharge.net  Type: A
DNS: mountaindifference.net  Type: A
DNS: possibledifference.net  Type: A
DNS: mountainevery.net  Type: A
DNS: possibleevery.net  Type: A
DNS: perhapssingle.net  Type: A
DNS: windowsingle.net  Type: A
DNS: perhapscharge.net  Type: A
DNS: windowcharge.net  Type: A
DNS: perhapsdifference.net  Type: A
DNS: windowdifference.net  Type: A
DNS: perhapsevery.net  Type: A
DNS: windowevery.net  Type: A
DNS: wintersingle.net  Type: A
DNS: subjectsingle.net  Type: A
DNS: wintercharge.net  Type: A
DNS: subjectcharge.net  Type: A
DNS: winterdifference.net  Type: A
DNS: subjectdifference.net  Type: A
DNS: winterevery.net  Type: A
DNS: subjectevery.net  Type: A
DNS: finishsingle.net  Type: A
DNS: leavesingle.net  Type: A
DNS: finishcharge.net  Type: A
DNS: leavecharge.net  Type: A
DNS: finishdifference.net  Type: A
DNS: leavedifference.net  Type: A
DNS: finishevery.net  Type: A
DNS: leaveevery.net  Type: A
DNS: sweetsingle.net  Type: A
DNS: probablysingle.net  Type: A
DNS: sweetcharge.net  Type: A
DNS: probablycharge.net  Type: A
DNS: sweetdifference.net  Type: A
DNS: probablydifference.net  Type: A
DNS: sweetevery.net  Type: A
DNS: probablyevery.net  Type: A
DNS: severalsingle.net  Type: A
DNS: materialsingle.net  Type: A
DNS: severalcharge.net  Type: A
DNS: materialcharge.net  Type: A
DNS: severaldifference.net  Type: A
DNS: materialdifference.net  Type: A
DNS: severalevery.net  Type: A
DNS: materialevery.net  Type: A
DNS: movementalmost.net  Type: A
DNS: outsidealmost.net  Type: A
DNS: movementreason.net  Type: A
DNS: outsidereason.net  Type: A
DNS: movementorderly.net  Type: A
DNS: outsideorderly.net  Type: A
DNS: movementvalue.net  Type: A
DNS: outsidevalue.net  Type: A
DNS: eveningalmost.net  Type: A
DNS: buildingreason.net  Type: A
DNS: eveningreason.net  Type: A
DNS: buildingorderly.net  Type: A
DNS: eveningorderly.net  Type: A
DNS: eveningvalue.net  Type: A
DNS: storealmost.net  Type: A
DNS: mightalmost.net  Type: A
DNS: storereason.net  Type: A
DNS: mightreason.net  Type: A
DNS: storeorderly.net  Type: A
DNS: mightorderly.net  Type: A
DNS: storevalue.net  Type: A
DNS: mightvalue.net  Type: A
DNS: doctoralmost.net  Type: A
DNS: prettyalmost.net  Type: A
DNS: doctorreason.net  Type: A
DNS: prettyreason.net  Type: A
DNS: doctororderly.net  Type: A
DNS: prettyorderly.net  Type: A
DNS: doctorvalue.net  Type: A
DNS: prettyvalue.net  Type: A
DNS: fellowalmost.net  Type: A
DNS: doublealmost.net  Type: A
DNS: fellowreason.net  Type: A
DNS: doublereason.net  Type: A
DNS: felloworderly.net  Type: A
DNS: doubleorderly.net  Type: A
DNS: fellowvalue.net  Type: A
DNS: doublevalue.net  Type: A
DNS: brokenalmost.net  Type: A
DNS: resultalmost.net  Type: A
DNS: brokenreason.net  Type: A
DNS: resultreason.net  Type: A
DNS: brokenorderly.net  Type: A
DNS: resultorderly.net  Type: A
DNS: brokenvalue.net  Type: A
DNS: resultvalue.net  Type: A
DNS: preparealmost.net  Type: A
DNS: desirealmost.net  Type: A
DNS: preparereason.net  Type: A
DNS: desirereason.net  Type: A
DNS: prepareorderly.net  Type: A
DNS: desireorderly.net  Type: A
DNS: preparevalue.net  Type: A
DNS: desirevalue.net  Type: A
DNS: strengthalmost.net  Type: A
DNS: stillalmost.net  Type: A
DNS: strengthreason.net  Type: A
DNS: stillreason.net  Type: A
DNS: strengthorderly.net  Type: A
DNS: stillorderly.net  Type: A
DNS: strengthvalue.net  Type: A
DNS: stillvalue.net  Type: A
DNS: movementchance.net  Type: A
DNS: movementmeeting.net  Type: A
DNS: outsidemeeting.net  Type: A
DNS: movementtwenty.net  Type: A
DNS: outsidetwenty.net  Type: A
DNS: movementunderstood.net  Type: A
DNS: buildingchance.net  Type: A
DNS: eveningchance.net  Type: A
DNS: buildingmeeting.net  Type: A
DNS: eveningmeeting.net  Type: A
HTTP GET: http://finishperiod.net/index.php  User-Agent:
HTTP GET: http://probablyalthough.net/index.php  User-Agent:
HTTP GET: http://buildingalmost.net/index.php  User-Agent:
HTTP GET: http://buildingvalue.net/index.php  User-Agent:
HTTP GET: http://outsidechance.net/index.php  User-Agent:
HTTP GET: http://outsideunderstood.net/index.php  User-Agent:
HTTP GET: http://buildingtwenty.net/index.php  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 23.235.214.94:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.2:80
Flows TCP: 192.168.1.1:1035 ➝ 172.99.81.162:80
Flows TCP: 192.168.1.1:1036 ➝ 5.2.189.251:80
Flows TCP: 192.168.1.1:1037 ➝ 66.6.44.4:80