Analysis Date: 2015-07-25 11:24:11
MD5: ea0dcee619a4ddd6b6ca438b0f69188a
SHA1: f6597be659603ed05ec62077c33d16ed69aefb3d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 d432067696fd49aa7dda61719b1dfd91, sha1 2067ff36a9e9cdd069909cacbbe9f028d20e6817, size 506880
Section .rdata: md5 3fe3fce4e065b2449b4673c1ed0a7c35, sha1 a5eb6d2190bfcc37f4359490ba0cf2fed372a555, size 79872
Section .data: md5 4e467b812d8d3301c2d75d415a2e8f9f, sha1 c2f00b8b62a77ae4a5f9127df1b26a9b3964813f, size 7168
Section .reloc: md5 fc316e4fd92ee9ce410a851beddaf9fb, sha1 582b4ba2a6002661a6cbfcccd1d48997f07460de, size 49152
Timestamp: 2015-05-08 07:30:26
Packer: Microsoft Visual C++ 8 (a compiler signature match rather than a packer)
PEhash: 86bb2b085e4ff32681f0365d504a3528b40da230
IMPhash: e70106830927c2909f4ed7610942edbd
AV Grisoft (avg): Win32/Cryptor
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV McAfee: Trojan-FGIJ!EA0DCEE619A4
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV K7: Trojan ( 004c77f41 )
AV Frisk (f-prot): no_virus
AV Fortinet: W32/Generic.AC.215362
AV Avira (antivir): TR/Crypt.Xpack.269490
AV Arcabit (arcavir): Gen:Variant.Kazy.609540
AV Ad-Aware: Gen:Variant.Kazy.609540
AV Symantec: Downloader.Upatre!g15
AV VirusBlokAda (vba32): no_virus
AV Kaspersky: Trojan.Win32.Scar.jpje
AV Ikarus: Trojan.Win32.Bayrob
AV MicroWorld (escan): Gen:Variant.Kazy.609540
AV BitDefender: Gen:Variant.Kazy.609540
AV Eset (nod32): Win32/Bayrob.T
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.18260
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Authentium: W32/Scar.R2.gen!Eldorado
AV BullGuard: Gen:Variant.Kazy.609540
AV Padvish: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Zillya!: Trojan.Scar.Win32.90029
AV Emsisoft: Gen:Variant.Kazy.609540
AV F-Secure: Gen:Variant.Kazy.609540
AV MalwareBytes: Trojan.Agent.KVTGen

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\dbpbllbexvn\rdsrfvbqye
Creates File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Creates File: C:\dbpbllbexvn\x91l4fjfbscxcs7y.exe
Deletes File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Creates Process: C:\dbpbllbexvn\x91l4fjfbscxcs7y.exe

Process
↳ C:\dbpbllbexvn\x91l4fjfbscxcs7y.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shell Input System Base Secondary Font BranchCache ➝ C:\dbpbllbexvn\vcdgejqf.exe
Creates File: C:\dbpbllbexvn\vcdgejqf.exe
Creates File: PIPE\lsarpc
Creates File: C:\dbpbllbexvn\nckvpmhfvel
Creates File: C:\dbpbllbexvn\rdsrfvbqye
Creates File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Deletes File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Creates Process: C:\dbpbllbexvn\vcdgejqf.exe
Creates Service: Gateway Link Web Peer Human Profile - C:\dbpbllbexvn\vcdgejqf.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1844

Process
↳ Pid 1048

Process
↳ C:\dbpbllbexvn\vcdgejqf.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\dbpbllbexvn\zgaalwsxbf.exe
Creates File: C:\dbpbllbexvn\nckvpmhfvel
Creates File: C:\dbpbllbexvn\rdsrfvbqye
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Creates File: C:\dbpbllbexvn\pzwmamonafk7
Deletes File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Creates Process: yxawevnlekko "c:\dbpbllbexvn\vcdgejqf.exe"

Process
↳ C:\dbpbllbexvn\vcdgejqf.exe

Creates File: C:\dbpbllbexvn\rdsrfvbqye
Creates File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Deletes File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye

Process
↳ yxawevnlekko "c:\dbpbllbexvn\vcdgejqf.exe"

Creates File: C:\dbpbllbexvn\rdsrfvbqye
Creates File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
Deletes File: C:\WINDOWS\dbpbllbexvn\rdsrfvbqye
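
The persistence recorded above (the Run value under HKLM\...\CurrentVersion\Run, the service, and the executables dropped under C:\dbpbllbexvn and C:\WINDOWS\dbpbllbexvn) can be turned into a triage check for a host's autorun entries. The Python below is an added example and is not part of the sandbox report: it matches entries against the report's indicators and applies one generic heuristic, flagging an autorun image that lives in a directory created directly under the drive root or under C:\WINDOWS instead of a standard install location. The (kind, name, command) input format, the list of expected install roots and the sample entries are assumptions constructed for the example.

```python
r"""Triage of autorun entries against the persistence recorded in this report.

Added example (not part of the sandbox report). Matches Run-key values and
service image paths against the indicators above (drop directory
C:\dbpbllbexvn, Run value 'Shell Input System Base Secondary Font BranchCache',
service 'Gateway Link Web Peer Human Profile') and applies one generic
heuristic: an autorun image living in a directory created directly under the
drive root or under C:\WINDOWS rather than in a standard install location.
The (kind, name, command) input format, the list of expected roots and the
sample entries are assumptions constructed for the example.
"""
import ntpath
import re

# Indicators taken from the report above (compared case-insensitively).
IOC_DIRECTORY = r"c:\dbpbllbexvn"
IOC_RUN_VALUE = "Shell Input System Base Secondary Font BranchCache"
IOC_SERVICE = "Gateway Link Web Peer Human Profile"

# Locations where a legitimately installed autorun image is expected.
# Assumption for the heuristic; extend these for your own environment.
KNOWN_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
KNOWN_PREFIXES = (r"c:\program files", r"c:\users", r"c:\documents and settings")


def image_path(command: str) -> str:
    r"""Extract the executable path from an autorun command line.

    Handles a quoted path with arguments, a bare path, and the argv[0]-style
    prefix the report shows ('yxawevnlekko "c:\dbpbllbexvn\vcdgejqf.exe"').
    """
    m = re.search(r'"([^"]+\.exe)"', command, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.search(r'([a-z]:\\[^"\s]+\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def is_nonstandard_dir(parent: str) -> bool:
    r"""True for C:\<dir> or C:\WINDOWS\<dir> when <dir> is not a known location."""
    if parent in KNOWN_DIRS or parent.startswith(KNOWN_PREFIXES):
        return False
    return re.fullmatch(r"[a-z]:\\(windows\\)?[^\\]+", parent) is not None


def flag_entry(kind: str, name: str, command: str) -> list:
    """Return the reasons an autorun entry is suspicious (empty list if none).

    kind is 'run' for a Run-key value or 'service' for a service; name is the
    value name or service name; command is the value data or ImagePath.
    """
    path = image_path(command).lower()
    reasons = []
    if path.startswith(IOC_DIRECTORY + "\\"):
        reasons.append("image under reported drop directory " + IOC_DIRECTORY)
    if kind == "run" and name == IOC_RUN_VALUE:
        reasons.append("Run value name matches report")
    if kind == "service" and name == IOC_SERVICE:
        reasons.append("service name matches report")
    parent = ntpath.dirname(path)
    if is_nonstandard_dir(parent):
        reasons.append("image in non-standard directory " + parent)
    return reasons


def triage(entries) -> dict:
    """Map the name of each flagged (kind, name, command) entry to its reasons."""
    flagged = {}
    for kind, name, command in entries:
        reasons = flag_entry(kind, name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample, mixing the report's entries with benign autoruns.
SAMPLE_AUTORUNS = [
    ("run", IOC_RUN_VALUE, r"C:\dbpbllbexvn\vcdgejqf.exe"),
    ("service", IOC_SERVICE, r'yxawevnlekko "c:\dbpbllbexvn\vcdgejqf.exe"'),
    ("service", "Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("run", "Updater", r'"C:\Program Files\Example\updater.exe" /background'),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_AUTORUNS).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

The exact-match indicators catch this sample only; the directory heuristic is what generalises to the next sample with a different random directory name, so tune the known-location lists to what is actually installed on the hosts you sweep.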

Network Details:

DNS crowdcatch.net (A): 50.63.202.47
DNS summerdress.net (A): 50.87.150.116
DNS partydress.net (A): 208.73.211.195, 208.73.211.179, 208.73.211.183, 208.73.211.192
DNS laughnotice.net (A): 95.211.230.75
DNS sweetindeed.net (A): 199.34.228.69
DNS summereearly.net (A): no answer recorded
DNS crowdeearly.net (A): no answer recorded
DNS summerpublic.net (A): no answer recorded
DNS crowdpublic.net (A): no answer recorded
DNS crowddress.net (A): no answer recorded
DNS thoughtcatch.net (A): no answer recorded
DNS watercatch.net (A): no answer recorded
DNS thoughteearly.net (A): no answer recorded
DNS watereearly.net (A): no answer recorded
DNS thoughtpublic.net (A): no answer recorded
DNS waterpublic.net (A): no answer recorded
DNS thoughtdress.net (A): no answer recorded
DNS waterdress.net (A): no answer recorded
DNS womancatch.net (A): no answer recorded
DNS smokecatch.net (A): no answer recorded
DNS womaneearly.net (A): no answer recorded
DNS smokeeearly.net (A): no answer recorded
DNS womanpublic.net (A): no answer recorded
DNS smokepublic.net (A): no answer recorded
DNS womandress.net (A): no answer recorded
DNS smokedress.net (A): no answer recorded
DNS partycatch.net (A): no answer recorded
DNS fightcatch.net (A): no answer recorded
DNS partyeearly.net (A): no answer recorded
DNS fighteearly.net (A): no answer recorded
DNS partypublic.net (A): no answer recorded
DNS fightpublic.net (A): no answer recorded
DNS fightdress.net (A): no answer recorded
DNS severalength.net (A): no answer recorded
DNS laughlength.net (A): no answer recorded
DNS severanotice.net (A): no answer recorded
DNS severaindeed.net (A): no answer recorded
DNS laughindeed.net (A): no answer recorded
DNS severaduring.net (A): no answer recorded
DNS laughduring.net (A): no answer recorded
DNS simplelength.net (A): no answer recorded
DNS motherlength.net (A): no answer recorded
DNS simplenotice.net (A): no answer recorded
DNS mothernotice.net (A): no answer recorded
DNS simpleindeed.net (A): no answer recorded
DNS motherindeed.net (A): no answer recorded
DNS simpleduring.net (A): no answer recorded
DNS motherduring.net (A): no answer recorded
DNS mountainlength.net (A): no answer recorded
DNS possiblelength.net (A): no answer recorded
DNS mountainnotice.net (A): no answer recorded
DNS possiblenotice.net (A): no answer recorded
DNS mountainindeed.net (A): no answer recorded
DNS possibleindeed.net (A): no answer recorded
DNS mountainduring.net (A): no answer recorded
DNS possibleduring.net (A): no answer recorded
DNS perhapslength.net (A): no answer recorded
DNS windowlength.net (A): no answer recorded
DNS perhapsnotice.net (A): no answer recorded
DNS windownotice.net (A): no answer recorded
DNS perhapsindeed.net (A): no answer recorded
DNS windowindeed.net (A): no answer recorded
DNS perhapsduring.net (A): no answer recorded
DNS windowduring.net (A): no answer recorded
DNS winterlength.net (A): no answer recorded
DNS subjectlength.net (A): no answer recorded
DNS winternotice.net (A): no answer recorded
DNS subjectnotice.net (A): no answer recorded
DNS winterindeed.net (A): no answer recorded
DNS subjectindeed.net (A): no answer recorded
DNS winterduring.net (A): no answer recorded
DNS subjectduring.net (A): no answer recorded
DNS finishlength.net (A): no answer recorded
DNS leavelength.net (A): no answer recorded
DNS finishnotice.net (A): no answer recorded
DNS leavenotice.net (A): no answer recorded
DNS finishindeed.net (A): no answer recorded
DNS leaveindeed.net (A): no answer recorded
DNS finishduring.net (A): no answer recorded
DNS leaveduring.net (A): no answer recorded
DNS sweetlength.net (A): no answer recorded
DNS probablylength.net (A): no answer recorded
DNS sweetnotice.net (A): no answer recorded
DNS probablynotice.net (A): no answer recorded
DNS probablyindeed.net (A): no answer recorded
HTTP GET: http://crowdcatch.net/index.php (no User-Agent header sent)
HTTP GET: http://summerdress.net/index.php (no User-Agent header sent)
HTTP GET: http://partydress.net/index.php (no User-Agent header sent)
HTTP GET: http://laughnotice.net/index.php (no User-Agent header sent)
HTTP GET: http://sweetindeed.net/index.php (no User-Agent header sent)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.47:80
Flows TCP: 192.168.1.1:1032 ➝ 50.87.150.116:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.195:80
Flows TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1035 ➝ 199.34.228.69:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 63617463 682e6e65 740d0a0d   rowdcatch.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   756d6d65 72647265 73732e6e 65740d0a   ummerdress.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 64726573 732e6e65 740d0a0d   artydress.net...
0x00000050 (00080)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 6e6f7469 63652e6e 65740d0a   aughnotice.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 696e6465 65642e6e 65740d0a   weetindeed.net..
0x00000050 (00080)   0d0a                                  ..
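
Two properties of the network data above are usable as detections. Every queried name is two dictionary words joined and placed under .net, and only five of the 85 names resolved; and each captured request is the same bare GET /index.php over HTTP/1.0 with Accept, Connection and Host headers and no User-Agent. The Python below is an added example, not part of the sandbox report and not the malware's own code: the prefix and suffix word lists are taken only from the names listed in the DNS section (they are not claimed to be the sample's full vocabulary), the DNS query-log line format and the sample log lines are constructed for the example, and the request bytes are reconstructed from the first hex dump.

```python
"""Detections derived from the network behaviour in this report.

Added example (not part of the sandbox report or of the malware). A hostname
is decomposed against the prefix and suffix words observed in the DNS
section, and an HTTP request is fingerprinted against the exact beacon shape
in the pcap (GET /index.php HTTP/1.0; Accept, Connection, Host; no
User-Agent). Assumptions: the word lists come only from the names above, the
DNS query-log line format and sample lines are constructed, and the request
bytes are reconstructed from the first hex dump.
"""
import re
from typing import List, Optional, Tuple

# Prefix and suffix words exactly as they appear in the DNS queries above.
PREFIXES = (
    "crowd", "summer", "party", "laugh", "sweet", "thought", "water", "woman",
    "smoke", "fight", "severa", "simple", "mother", "mountain", "possible",
    "perhaps", "window", "winter", "subject", "finish", "leave", "probably",
)
SUFFIXES = ("catch", "eearly", "public", "dress", "length", "notice", "indeed", "during")

# The five names that resolved during the run, with the addresses returned.
RESOLVED = {
    "crowdcatch.net": ["50.63.202.47"],
    "summerdress.net": ["50.87.150.116"],
    "partydress.net": ["208.73.211.195", "208.73.211.179", "208.73.211.183", "208.73.211.192"],
    "laughnotice.net": ["95.211.230.75"],
    "sweetindeed.net": ["199.34.228.69"],
}


def decompose(hostname: str) -> Optional[Tuple[str, str]]:
    """(prefix, suffix) if hostname is <prefix><suffix>.net over the vocabulary, else None."""
    label, sep, tld = hostname.lower().rstrip(".").rpartition(".")
    if not sep or tld != "net":
        return None
    for prefix in PREFIXES:
        rest = label[len(prefix):]
        if label.startswith(prefix) and rest in SUFFIXES:
            return prefix, rest
    return None


# Assumed BIND-style query log line; adapt the pattern to your resolver's log.
DNS_LOG_RE = re.compile(r"query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\w+)")


def scan_dns_log(lines) -> List[Tuple[str, str, str]]:
    """Return (qname, prefix, suffix) for each logged query over the vocabulary."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.search(line)
        if m is None:
            continue
        parts = decompose(m.group("qname"))
        if parts is not None:
            hits.append((m.group("qname").lower().rstrip("."), parts[0], parts[1]))
    return hits


# Exact header set and order seen in every request of the pcap. match() anchors
# at the start only, so a stray byte after the blank line (third dump) is fine.
BEACON_RE = re.compile(
    rb"GET /index\.php HTTP/1\.0\r\n"
    rb"Accept: \*/\*\r\n"
    rb"Connection: close\r\n"
    rb"Host: (?P<host>[^\r\n]+)\r\n"
    rb"\r\n"
)


def beacon_host(request: bytes) -> Optional[str]:
    """Return the Host value if the request has the beacon shape, else None."""
    m = BEACON_RE.match(request)
    return m.group("host").decode("ascii", "replace") if m else None


def classify_request(request: bytes) -> dict:
    """Combine the request fingerprint and the hostname check for one request."""
    host = beacon_host(request)
    return {
        "beacon_shape": host is not None,
        "host": host,
        "dga_words": decompose(host) if host else None,
        "resolved_in_report": host in RESOLVED if host else False,
    }


# Constructed sample log lines in the assumed format.
SAMPLE_DNS_LOG = [
    "25-Jul-2015 11:24:30.101 client 192.168.1.1#1031: query: summereearly.net IN A + (192.168.1.254)",
    "25-Jul-2015 11:24:30.205 client 192.168.1.1#1031: query: www.example.com IN A + (192.168.1.254)",
    "25-Jul-2015 11:24:31.010 client 192.168.1.1#1033: query: partydress.net IN A + (192.168.1.254)",
]
# Bytes of the first hex dump in the Raw Pcap section.
FIRST_BEACON = (b"GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\n"
                b"Host: crowdcatch.net\r\n\r\n")

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(classify_request(FIRST_BEACON))
```

The word-pair check is deliberately strict (both halves must be in the observed lists), so it will miss names built from words this run never queried; a burst of lookups that decompose cleanly, most of them unanswered, is the stronger signal than any single match. The request fingerprint is brittle in the other direction, since a single added header breaks it, which is why it is paired with the hostname check rather than used alone.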


Strings