Analysis Date: 2016-03-30 04:57:43
MD5: 9f1e5b536697ad760b21736c297c6e3b
SHA1: f1b679017568241bb78b9791b41ba712595da3ec

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5a4c73d8e76572ecfc14da27ad06dcf2 sha1: 5e6c893e6daa23f90b9c3b1ec5d5076f631caaed size: 183808
Section .rdata: md5: 6696522e822e5c7b8d1cfff111c20e3d sha1: fb33bd6599fb3a423fcf32076d90cb1fd92c9a85 size: 2560
Section .data: md5: a57c1771128db351ba3365361f8cf118 sha1: 6f5e47417b0624ff759705060653736528bb2a18 size: 15360
Section .reloc: md5: f1b6558ba7ee47c8cfaffb1170e07731 sha1: 6ecdba37fb340f388cf2367f2085ca5e0815cff4 size: 30720
Timestamp: 2014-08-02 16:20:19
PEhash: bb7a806c273745181d7527bd31d22bc48ca030b3
IMPhash: 505afca0d67054c76dc38d55f7f1ea82
AV CA (E-Trust Ino): Gen:Variant.Razy.15676
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV Rising: No Virus
AV Mcafee: Trojan-FHQT!9F1E5B536697
AV MicroWorld (escan): Gen:Variant.Razy.15676
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Nivdort.zmwc
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.15676
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.15676
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.BA
AV Grisoft (avg): Generic37.YMW
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: Trojan.Bayrob!gen6
AV BullGuard: Gen:Variant.Razy.15676
AV Arcabit (arcavir): Gen:Variant.Razy.15676
AV Fortinet: W32/Bayrob.AQ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Razy.15676
AV Dr. Web: No Virus
AV K7: Trojan ( 004dc2a31 )
AV F-Secure: Gen:Variant.Razy.15676

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\vqitnffscqrgv\oynih5zpds0
Creates File: C:\vqitnffscqrgv\iosz9ybomftqduib.exe
Creates File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Deletes File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Creates Process: C:\vqitnffscqrgv\iosz9ybomftqduib.exe

Process
↳ C:\vqitnffscqrgv\iosz9ybomftqduib.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CNG Connections Provider Peer Human ➝ C:\vqitnffscqrgv\shumlpqfysh.exe
Creates File: C:\vqitnffscqrgv\oynih5zpds0
Creates File: PIPE\lsarpc
Creates File: C:\vqitnffscqrgv\shumlpqfysh.exe
Creates File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Creates File: C:\vqitnffscqrgv\kcqjyuz
Deletes File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Creates Process: C:\vqitnffscqrgv\shumlpqfysh.exe
Creates Service: PNRP Enumerator Multimedia Certificate SNMP - C:\vqitnffscqrgv\shumlpqfysh.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1208

Process
↳ Pid 1296

Process
↳ Pid 1860

Process
↳ Pid 1540

Process
↳ C:\vqitnffscqrgv\shumlpqfysh.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\vqitnffscqrgv\zshnknemh
Creates File: C:\vqitnffscqrgv\oynih5zpds0
Creates File: \Device\Afd\Endpoint
Creates File: C:\vqitnffscqrgv\zswjkqkh.exe
Creates File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Creates File: C:\vqitnffscqrgv\kcqjyuz
Deletes File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Creates Process: vejdfozsrwig "c:\vqitnffscqrgv\shumlpqfysh.exe"

Process
↳ C:\vqitnffscqrgv\shumlpqfysh.exe

Creates File: C:\vqitnffscqrgv\oynih5zpds0
Creates File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Deletes File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0

Process
↳ vejdfozsrwig "c:\vqitnffscqrgv\shumlpqfysh.exe"

Creates File: C:\vqitnffscqrgv\oynih5zpds0
Creates File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0
Deletes File: C:\WINDOWS\vqitnffscqrgv\oynih5zpds0

Network Details:

DNS knownoclock.net (Type: A) ➝ 208.100.26.234
DNS leavebehind.net (Type: A) ➝ 141.8.225.244
DNS sweetbehind.net (Type: A) ➝ 208.100.26.234
DNS simplearticle.net (Type: A) ➝ 74.208.144.186
DNS mountainangry.net (Type: A) ➝ 195.22.28.197, 195.22.28.198, 195.22.28.199, 195.22.28.196
HTTP GET: http://knownoclock.net/index.php
User-Agent:
HTTP GET: http://leavebehind.net/index.php
User-Agent:
HTTP GET: http://sweetbehind.net/index.php
User-Agent:
HTTP GET: http://simplearticle.net/index.php
User-Agent:
HTTP GET: http://mountainangry.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.244:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 74.208.144.186:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.197:80
