Analysis Date | 2015-08-14 10:05:10 |
---|---|
MD5 | 610095e5fe7fa26b8a1cd40cacfcd373 |
SHA1 | f1574d0346858cc1228c2040bf4a2ffd0929967b |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: a3110f742d10492ac21a4d05a2d1897d sha1: 286db2f70d6e9ea6adfcea706139d6217c336a2a size: 197632 | |
Section | .rdata md5: 6035edc0867899a642dc631e6060759b sha1: 73f0360eda9e2f645ab793b2c685280e705277cd size: 53760 | |
Section | .data md5: f47c6a40c1c1249d0716ce8acf5771a0 sha1: e383d5d9770a065fcf4480f76fcf4eb94f032d8b size: 7168 | |
Section | .reloc md5: c51a267da7a97547092eced7e7159788 sha1: 4bc7dadfd41364280697548bf075586a9c78458b size: 14336 | |
Timestamp | 2015-04-29 19:22:04 | |
Packer | Microsoft Visual C++ 8 | |
PEhash | ab491d2ccafdf83678cf7a6537956f4ed028416b | |
IMPhash | 9c5e6cd735944ac00313550d5b307b18 | |
AV | Authentium | W32/Scar.R.gen!Eldorado |
AV | BullGuard | Gen:Variant.Kazy.604861 |
AV | Ad-Aware | Gen:Variant.Kazy.604861 |
AV | MicroWorld (escan) | Gen:Variant.Kazy.604861 |
AV | Zillya! | no_virus |
AV | Frisk (f-prot) | no_virus |
AV | ClamAV | no_virus |
AV | Alwil (avast) | VB-AJEW [Trj] |
AV | Grisoft (avg) | PSW.Generic12.BSCD |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AY |
AV | VirusBlokAda (vba32) | no_virus |
AV | Rising | Trojan.Win32.Bayrod.a |
AV | Kaspersky | Trojan.Win32.Scar.jckp |
AV | Twister | Trojan.0000E9000000006A1.mg |
AV | BitDefender | Gen:Variant.Kazy.604861 |
AV | Padvish | no_virus |
AV | Emsisoft | Gen:Variant.Kazy.604861 |
AV | CAT (quickheal) | TrojanSpy.Nivdort.OD4 |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.604861 |
AV | Dr. Web | Trojan.Bayrob.1 |
AV | CA (E-Trust Ino) | no_virus |
AV | Trend Micro | TROJ_BAYROB.SM0 |
AV | Avira (antivir) | TR/Crypt.Xpack.196074 |
AV | Mcafee | Trojan-FGIJ!610095E5FE7F |
AV | Fortinet | W32/Generic.AC.215362 |
AV | Symantec | Downloader.Upatre!g15 |
AV | Eset (nod32) | Win32/Bayrob.Q |
AV | MalwareBytes | Trojan.Agent.KVTGen |
AV | Ikarus | Trojan-Spy.Win32.Nivdort |
AV | F-Secure | Gen:Variant.Kazy.604861 |
AV | K7 | Trojan ( 004c12491 ) |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\onxzbrqvdw\blepizkkpmy |
---|---|
Creates File | C:\onxzbrqvdw\vfq41l3kkxmmw5mt.exe |
Creates File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Deletes File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Creates Process | C:\onxzbrqvdw\vfq41l3kkxmmw5mt.exe |
Process
↳ C:\onxzbrqvdw\vfq41l3kkxmmw5mt.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tracking Backup Certificate ➝ C:\onxzbrqvdw\gdfjbygsr.exe |
---|---|
Creates File | C:\onxzbrqvdw\blepizkkpmy |
Creates File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Creates File | PIPE\lsarpc |
Creates File | C:\onxzbrqvdw\gdfjbygsr.exe |
Creates File | C:\onxzbrqvdw\teckjal3 |
Deletes File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Creates Process | C:\onxzbrqvdw\gdfjbygsr.exe |
Creates Service | Net.Tcp Connections Trap - C:\onxzbrqvdw\gdfjbygsr.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|---|
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1864
Process
↳ Pid 1144
Process
↳ C:\onxzbrqvdw\gdfjbygsr.exe
Creates File | C:\onxzbrqvdw\blepizkkpmy |
---|---|
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\onxzbrqvdw\ubjzpuijfmu.exe |
Creates File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\onxzbrqvdw\qvxrrxph1a |
Creates File | C:\onxzbrqvdw\teckjal3 |
Deletes File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Creates Process | likyojbsjlr3 "c:\onxzbrqvdw\gdfjbygsr.exe" |
Process
↳ C:\onxzbrqvdw\gdfjbygsr.exe
Creates File | C:\onxzbrqvdw\blepizkkpmy |
---|---|
Creates File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Deletes File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Process
↳ likyojbsjlr3 "c:\onxzbrqvdw\gdfjbygsr.exe"
Creates File | C:\onxzbrqvdw\blepizkkpmy |
---|---|
Creates File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Deletes File | C:\WINDOWS\onxzbrqvdw\blepizkkpmy |
Network Details:
Raw Pcap
Strings