Analysis Date: 2016-05-04 12:00:26
MD5: 7a4cdc9c229a317e1f8e7c6cfc0d3d41
SHA1: f1da31e0524176a0f91c10c931fba5fe9c30add8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 d387af49cf67e10306a8d3ea4bfb89be, sha1 7b21fa74f6c195075a0bcc0e17ac0ee6e749afe5, size 303104
Section .rdata: md5 9d8591ebaf02269f0ce96e1d038f05f0, sha1 8b59a7ccbb01d0936de3e79e9f009814046c7e5b, size 26112
Section .data: md5 61da563cad220bd5001a11e519d5ae44, sha1 300f7b793c32f141751ea916ae5b22b56885cf75, size 20992
Section .reloc: md5 222c067bbacc346bcef812f6097bcf56, sha1 f8bdeea184eb1143bef679459badfe256c1573ee, size 32768
Timestamp: 2014-10-28 12:17:41
Packer: Microsoft Visual C++ 8 (a compiler signature, not a packer)
PEhash: 9b30cd4b493bbe28e8381da53fa811abc2818331
IMPhash: dd96d82b1b3e78403f8025599f50bb87
AV CA (E-Trust Ino): Gen:Variant.Razy.15381
AV F-Secure: Gen:Variant.Razy.15381
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.15381
AV BullGuard: Gen:Variant.Razy.15381
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Emsisoft: Gen:Variant.Razy.15381
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.15381
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.15381
AV Fortinet: W32/Bayrob.BL!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic_r.GYY
AV Eset (nod32): Win32/Bayrob.BJ
AV Alwil (avast): Win32:Malware-gen
AV Alwil (avast): Malware-gen
AV Ad-Aware: Gen:Variant.Razy.15381
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.mvjb
AV Mcafee: Trojan-FHSQ!7A4CDC9C229A
AV Rising: No Virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\fshgopymgbzcd\ctlya1ktkfbuqxpcl.exe
Creates File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates File: C:\fshgopymgbzcd\idfhwxfc8py6
Deletes File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates Process: C:\fshgopymgbzcd\ctlya1ktkfbuqxpcl.exe

Process
↳ C:\fshgopymgbzcd\ctlya1ktkfbuqxpcl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Certificate WMI Auto Notification ➝ C:\fshgopymgbzcd\ydxpynrvppo.exe
Creates File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates File: C:\fshgopymgbzcd\acgvnt2cp2sl
Creates File: PIPE\lsarpc
Creates File: C:\fshgopymgbzcd\ydxpynrvppo.exe
Creates File: C:\fshgopymgbzcd\idfhwxfc8py6
Deletes File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates Process: C:\fshgopymgbzcd\ydxpynrvppo.exe
Creates Service: Call SSDP Workstation Backup Input - C:\fshgopymgbzcd\ydxpynrvppo.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1176

Process
↳ C:\fshgopymgbzcd\ydxpynrvppo.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates File: C:\fshgopymgbzcd\acgvnt2cp2sl
Creates File: C:\fshgopymgbzcd\iodot7tgz8
Creates File: \Device\Afd\Endpoint
Creates File: C:\fshgopymgbzcd\eqqiukf.exe
Creates File: C:\fshgopymgbzcd\idfhwxfc8py6
Deletes File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates Process: qo7edmo7gfux "c:\fshgopymgbzcd\ydxpynrvppo.exe"

Process
↳ C:\fshgopymgbzcd\ydxpynrvppo.exe

Creates File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates File: C:\fshgopymgbzcd\idfhwxfc8py6
Deletes File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6

Process
↳ qo7edmo7gfux "c:\fshgopymgbzcd\ydxpynrvppo.exe"

Creates File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6
Creates File: C:\fshgopymgbzcd\idfhwxfc8py6
Deletes File: C:\WINDOWS\fshgopymgbzcd\idfhwxfc8py6

Network Details:

DNS: thosepeople.net  A  208.91.197.39
DNS: effortpeople.net  A  50.63.202.43
DNS: increaseready.net  A  195.22.28.199, 195.22.28.196, 195.22.28.198, 195.22.28.197
DNS: rememberpeople.net  A  184.168.221.39
DNS: journeycondition.net  A  208.100.26.234
DNS: littlesoldier.net  A  50.87.229.214
DNS: belongcondition.net  A  195.22.26.248
DNS: chaircondition.net  A  195.22.28.199, 195.22.28.196, 195.22.28.198, 195.22.28.197
DNS: sufferplease.net  A  208.100.26.234
DNS: littlecountry.net  A  84.16.80.74
DNS: effortcountry.net  A  195.22.28.198, 195.22.28.199, 195.22.28.196, 195.22.28.197
DNS: remembercentury.net  A  208.100.26.234
DNS: thosebrown.net  A  no address recorded
DNS: chairpeople.net  A  no address recorded
DNS: chairdaughter.net  A  no address recorded
DNS: thosedaughter.net  A  no address recorded
DNS: withinready.net  A  no address recorded
DNS: sufferready.net  A  no address recorded
DNS: withinbrown.net  A  no address recorded
DNS: sufferbrown.net  A  no address recorded
DNS: withinpeople.net  A  no address recorded
DNS: sufferpeople.net  A  no address recorded
DNS: withindaughter.net  A  no address recorded
DNS: sufferdaughter.net  A  no address recorded
DNS: effortready.net  A  no address recorded
DNS: throughready.net  A  no address recorded
DNS: effortbrown.net  A  no address recorded
DNS: throughbrown.net  A  no address recorded
DNS: throughpeople.net  A  no address recorded
DNS: effortdaughter.net  A  no address recorded
DNS: throughdaughter.net  A  no address recorded
DNS: forgetready.net  A  no address recorded
DNS: forgetbrown.net  A  no address recorded
DNS: increasebrown.net  A  no address recorded
DNS: forgetpeople.net  A  no address recorded
DNS: increasepeople.net  A  no address recorded
DNS: forgetdaughter.net  A  no address recorded
DNS: increasedaughter.net  A  no address recorded
DNS: wouldready.net  A  no address recorded
DNS: rememberready.net  A  no address recorded
DNS: wouldbrown.net  A  no address recorded
DNS: rememberbrown.net  A  no address recorded
DNS: wouldpeople.net  A  no address recorded
DNS: woulddaughter.net  A  no address recorded
DNS: rememberdaughter.net  A  no address recorded
DNS: journeynation.net  A  no address recorded
DNS: husbandnation.net  A  no address recorded
DNS: journeysoldier.net  A  no address recorded
DNS: husbandsoldier.net  A  no address recorded
DNS: journeyplease.net  A  no address recorded
DNS: husbandplease.net  A  no address recorded
DNS: husbandcondition.net  A  no address recorded
DNS: destroynation.net  A  no address recorded
DNS: littlenation.net  A  no address recorded
DNS: destroysoldier.net  A  no address recorded
DNS: destroyplease.net  A  no address recorded
DNS: littleplease.net  A  no address recorded
DNS: destroycondition.net  A  no address recorded
DNS: littlecondition.net  A  no address recorded
DNS: riddennation.net  A  no address recorded
DNS: belongnation.net  A  no address recorded
DNS: riddensoldier.net  A  no address recorded
DNS: belongsoldier.net  A  no address recorded
DNS: riddenplease.net  A  no address recorded
DNS: belongplease.net  A  no address recorded
DNS: riddencondition.net  A  no address recorded
DNS: chairnation.net  A  no address recorded
DNS: thosenation.net  A  no address recorded
DNS: chairsoldier.net  A  no address recorded
DNS: thosesoldier.net  A  no address recorded
DNS: chairplease.net  A  no address recorded
DNS: thoseplease.net  A  no address recorded
DNS: thosecondition.net  A  no address recorded
DNS: withinnation.net  A  no address recorded
DNS: suffernation.net  A  no address recorded
DNS: withinsoldier.net  A  no address recorded
DNS: suffersoldier.net  A  no address recorded
DNS: withinplease.net  A  no address recorded
DNS: withincondition.net  A  no address recorded
DNS: suffercondition.net  A  no address recorded
DNS: effortnation.net  A  no address recorded
DNS: throughnation.net  A  no address recorded
DNS: effortsoldier.net  A  no address recorded
DNS: throughsoldier.net  A  no address recorded
DNS: effortplease.net  A  no address recorded
DNS: throughplease.net  A  no address recorded
DNS: effortcondition.net  A  no address recorded
DNS: throughcondition.net  A  no address recorded
DNS: forgetnation.net  A  no address recorded
DNS: increasenation.net  A  no address recorded
DNS: forgetsoldier.net  A  no address recorded
DNS: increasesoldier.net  A  no address recorded
DNS: forgetplease.net  A  no address recorded
DNS: increaseplease.net  A  no address recorded
DNS: forgetcondition.net  A  no address recorded
DNS: increasecondition.net  A  no address recorded
DNS: wouldnation.net  A  no address recorded
DNS: remembernation.net  A  no address recorded
DNS: wouldsoldier.net  A  no address recorded
DNS: remembersoldier.net  A  no address recorded
DNS: wouldplease.net  A  no address recorded
DNS: rememberplease.net  A  no address recorded
DNS: wouldcondition.net  A  no address recorded
DNS: remembercondition.net  A  no address recorded
DNS: journeycentury.net  A  no address recorded
DNS: husbandcentury.net  A  no address recorded
DNS: journeyfamous.net  A  no address recorded
DNS: husbandfamous.net  A  no address recorded
DNS: journeypower.net  A  no address recorded
DNS: husbandpower.net  A  no address recorded
DNS: journeycountry.net  A  no address recorded
DNS: husbandcountry.net  A  no address recorded
DNS: destroycentury.net  A  no address recorded
DNS: littlecentury.net  A  no address recorded
DNS: destroyfamous.net  A  no address recorded
DNS: littlefamous.net  A  no address recorded
DNS: destroypower.net  A  no address recorded
DNS: littlepower.net  A  no address recorded
DNS: destroycountry.net  A  no address recorded
DNS: riddencentury.net  A  no address recorded
DNS: belongcentury.net  A  no address recorded
DNS: riddenfamous.net  A  no address recorded
DNS: belongfamous.net  A  no address recorded
DNS: riddenpower.net  A  no address recorded
DNS: belongpower.net  A  no address recorded
DNS: riddencountry.net  A  no address recorded
DNS: belongcountry.net  A  no address recorded
DNS: chaircentury.net  A  no address recorded
DNS: thosecentury.net  A  no address recorded
DNS: chairfamous.net  A  no address recorded
DNS: thosefamous.net  A  no address recorded
DNS: chairpower.net  A  no address recorded
DNS: thosepower.net  A  no address recorded
DNS: chaircountry.net  A  no address recorded
DNS: thosecountry.net  A  no address recorded
DNS: withincentury.net  A  no address recorded
DNS: suffercentury.net  A  no address recorded
DNS: withinfamous.net  A  no address recorded
DNS: sufferfamous.net  A  no address recorded
DNS: withinpower.net  A  no address recorded
DNS: sufferpower.net  A  no address recorded
DNS: withincountry.net  A  no address recorded
DNS: suffercountry.net  A  no address recorded
DNS: effortcentury.net  A  no address recorded
DNS: throughcentury.net  A  no address recorded
DNS: effortfamous.net  A  no address recorded
DNS: throughfamous.net  A  no address recorded
DNS: effortpower.net  A  no address recorded
DNS: throughpower.net  A  no address recorded
DNS: throughcountry.net  A  no address recorded
DNS: forgetcentury.net  A  no address recorded
DNS: increasecentury.net  A  no address recorded
DNS: forgetfamous.net  A  no address recorded
DNS: increasefamous.net  A  no address recorded
DNS: forgetpower.net  A  no address recorded
DNS: increasepower.net  A  no address recorded
DNS: forgetcountry.net  A  no address recorded
DNS: increasecountry.net  A  no address recorded
DNS: wouldcentury.net  A  no address recorded
DNS: wouldfamous.net  A  no address recorded
DNS: rememberfamous.net  A  no address recorded
DNS: wouldpower.net  A  no address recorded
DNS: rememberpower.net  A  no address recorded
DNS: wouldcountry.net  A  no address recorded
DNS: remembercountry.net  A  no address recorded
DNS: journeysurprise.net  A  no address recorded
DNS: husbandsurprise.net  A  no address recorded
DNS: journeybeside.net  A  no address recorded
DNS: husbandbeside.net  A  no address recorded
DNS: journeyletter.net  A  no address recorded
HTTP GET: http://thosepeople.net/index.php (User-Agent: blank)
HTTP GET: http://effortpeople.net/index.php (User-Agent: blank)
HTTP GET: http://increaseready.net/index.php (User-Agent: blank)
HTTP GET: http://rememberpeople.net/index.php (User-Agent: blank)
HTTP GET: http://journeycondition.net/index.php (User-Agent: blank)
HTTP GET: http://littlesoldier.net/index.php (User-Agent: blank)
HTTP GET: http://belongcondition.net/index.php (User-Agent: blank)
HTTP GET: http://chaircondition.net/index.php (User-Agent: blank)
HTTP GET: http://sufferplease.net/index.php (User-Agent: blank)
HTTP GET: http://littlecountry.net/index.php (User-Agent: blank)
HTTP GET: http://effortcountry.net/index.php (User-Agent: blank)
HTTP GET: http://remembercentury.net/index.php (User-Agent: blank)
Flows TCP: 192.168.1.1:1031 ➝ 208.91.197.39:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.43:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.39:80
Flows TCP: 192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1036 ➝ 50.87.229.214:80
Flows TCP: 192.168.1.1:1037 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1038 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1040 ➝ 84.16.80.74:80
Flows TCP: 192.168.1.1:1041 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1042 ➝ 208.100.26.234:80
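Read together, the runtime and network sections describe the sample's footprint: a randomly named directory (C:\fshgopymgbzcd) holding renamed copies of the executable, persistence through both a Run key value ("Certificate WMI Auto Notification") and a service ("Call SSDP Workstation Backup Input"), then a burst of A-record lookups for two-word .net names of which only a dozen resolve, each resolved name followed by a GET /index.php with a blank User-Agent. The Python below is an added example, not part of the sandbox report or of the sample: it parses report lines in the "Label: value" layout used on this page into an IOC set and scores the queried domains for the word-pair pattern by looking for prefixes and suffixes reused across the batch, so it needs no dictionary. The sample input is a constructed subset of this report's own lines; the function names (parse_report, word_combination_score, assess), the thresholds in assess(), and the reading of the domains as a wordlist-based DGA are my assumptions, not something the report states.

```python
"""Added example (not from the report): parse 'Label: value' sandbox lines into
IOCs and score the queried domains for the reused word-pair pattern seen above.
Reading those names as a wordlist DGA, and the thresholds, are assumptions."""
import re
from collections import Counter

# Constructed sample: a subset of this report's own lines.
SAMPLE_REPORT = r"""
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Certificate WMI Auto Notification ➝ C:\fshgopymgbzcd\ydxpynrvppo.exe
Creates File: C:\fshgopymgbzcd\ydxpynrvppo.exe
Creates File: PIPE\lsarpc
Creates Service: Call SSDP Workstation Backup Input - C:\fshgopymgbzcd\ydxpynrvppo.exe
DNS: thosepeople.net  A  208.91.197.39
DNS: effortpeople.net  A  50.63.202.43
DNS: increaseready.net  A  195.22.28.199, 195.22.28.196, 195.22.28.198, 195.22.28.197
DNS: rememberpeople.net  A  184.168.221.39
DNS: journeycondition.net  A  208.100.26.234
DNS: littlesoldier.net  A  50.87.229.214
DNS: thosebrown.net  A  no address recorded
DNS: chairpeople.net  A  no address recorded
DNS: chairdaughter.net  A  no address recorded
DNS: thosedaughter.net  A  no address recorded
DNS: withinready.net  A  no address recorded
DNS: sufferready.net  A  no address recorded
DNS: withinbrown.net  A  no address recorded
DNS: sufferbrown.net  A  no address recorded
DNS: effortready.net  A  no address recorded
DNS: throughready.net  A  no address recorded
DNS: effortbrown.net  A  no address recorded
DNS: throughbrown.net  A  no address recorded
DNS: increasebrown.net  A  no address recorded
HTTP GET: http://thosepeople.net/index.php (User-Agent: blank)
Flows TCP: 192.168.1.1:1031 ➝ 208.91.197.39:80
"""

LABELS = ("Creates File", "Deletes File", "Creates Process", "Creates Service",
          "Registry", "DNS", "HTTP GET", "Flows TCP")
LINE_RE = re.compile(r"^(%s)\s*:?\s*(.+?)\s*$" % "|".join(map(re.escape, LABELS)))
DNS_RE = re.compile(r"^(\S+)\s+A\s+(.+)$")          # "<domain>  A  <answers or note>"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")            # real paths, not pipes/devices

def parse_report(text):
    """Collect host and network IOCs from report lines; unknown labels are skipped."""
    iocs = {"files": set(), "registry": [], "services": [], "domains": {}, "urls": [], "ips": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label, value = m.groups()
        if label in ("Creates File", "Deletes File") and WINPATH_RE.match(value):
            iocs["files"].add(value)
        elif label == "Registry":
            iocs["registry"].append(value)
        elif label == "Creates Service":
            iocs["services"].append(value)
        elif label == "DNS" and (d := DNS_RE.match(value)):
            answers = set(IPV4_RE.findall(d.group(2)))     # empty when nothing resolved
            iocs["domains"].setdefault(d.group(1).lower(), set()).update(answers)
            iocs["ips"].update(answers)
        elif label == "HTTP GET":
            iocs["urls"].append(value.split()[0])
        elif label == "Flows TCP":
            iocs["ips"].update(IPV4_RE.findall(value)[1:])  # destinations only
    return iocs

def word_combination_score(domains, min_part=3, min_reuse=2):
    """Fraction of second-level labels that split into a prefix and a suffix each
    reused by >= min_reuse labels in the batch, plus the recovered vocabulary.
    The reuse across the batch is the signal, so no dictionary is needed."""
    labels = sorted({d.split(".")[0] for d in domains})
    prefixes, suffixes = Counter(), Counter()
    for s in labels:
        for i in range(min_part, len(s) - min_part + 1):
            prefixes[s[:i]] += 1
            suffixes[s[i:]] += 1
    pre_vocab, suf_vocab, hits = set(), set(), 0
    for s in labels:
        best = max(((prefixes[s[:i]] + suffixes[s[i:]], s[:i], s[i:])
                    for i in range(min_part, len(s) - min_part + 1)
                    if prefixes[s[:i]] >= min_reuse and suffixes[s[i:]] >= min_reuse),
                   default=None)
        if best:
            hits += 1
            pre_vocab.add(best[1])
            suf_vocab.add(best[2])
    return (hits / len(labels) if labels else 0.0), pre_vocab, suf_vocab

def assess(text, min_domains=8):
    """Combine the word-pair score with the share of unanswered lookups."""
    iocs = parse_report(text)
    score, pre, suf = word_combination_score(iocs["domains"])
    total = len(iocs["domains"])
    unresolved = sum(1 for a in iocs["domains"].values() if not a)
    ratio = unresolved / total if total else 0.0
    return {"iocs": iocs, "combination_score": score, "unresolved_ratio": ratio,
            "vocabulary": (sorted(pre), sorted(suf)),
            # thresholds are an assumption: many queries, mostly unanswered,
            # nearly all built from reused word pairs
            "suspicious": total >= min_domains and score >= 0.7 and ratio >= 0.5}

if __name__ == "__main__":
    v = assess(SAMPLE_REPORT)
    print(f"{len(v['iocs']['domains'])} domains, word-pair score {v['combination_score']:.2f}, "
          f"unresolved {v['unresolved_ratio']:.2f}, suspicious={v['suspicious']}")
    print("prefixes:", *v["vocabulary"][0])
    print("suffixes:", *v["vocabulary"][1])
```

On the constructed subset the scorer recovers the prefix words (those, effort, increase, chair, within, suffer, through) and suffix words (people, ready, brown, daughter) from reuse alone, and the three names whose prefix occurs only once (rememberpeople, journeycondition, littlesoldier) count as misses, which is the intended behaviour: the score measures how much of the batch is explained by a shared vocabulary, not whether any single name looks odd. Run it over the full DNS section of this page and the vocabulary grows accordingly; run it over a day of resolver logs and the batch boundary (per host, per time window) is what makes the reuse visible.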

Raw Pcap

Strings