Analysis Date: 2016-03-10 18:44:16
MD5: 2a784b54087251036671f8ea55d08331
SHA1: ff3403ad79577010970a0005d66d5e67ba842053

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1971b3d72b862ba01e6322fd47252381 sha1: 7e7b74072115d9540df16f4c55d99456d4285e21 size: 302080
Section .rdata md5: 2cb24fea82a75d9dceb56c3de1150fca sha1: a49b8263d1b22594fd00393eddd03dcfa0f686a2 size: 26112
Section .data md5: 8b1671f6dc21f396365c384433b483b8 sha1: bd43f29616d63b12b289854a5d8ade61b8b3f7fb size: 20480
Section .reloc md5: c36c105be45ed0935959b79a24b1b24c sha1: 04825d2e5f98f4c504c3ebc70afa727d0633169f size: 32768
Timestamp: 2014-01-21 13:04:28
Packer: Microsoft Visual C++ 8
PEhash: c42c5b805d554c32cf1d703410049bc0d7de8c65
IMPhash: 13c125ed205ea56909cd13428c2d479b
AV MicroWorld (escan): Gen:Variant.Razy.15381
AV Ad-Aware: Gen:Variant.Razy.15381
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Razy.15381
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV Avira (antivir): TR/Taranis.2007
AV BitDefender: Gen:Variant.Razy.15381
AV BullGuard: Gen:Variant.Razy.15381
AV CA (E-Trust Ino): Gen:Variant.Razy.15381
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.6789
AV Emsisoft: Gen:Variant.Razy.15381
AV Eset (nod32): Win32/Bayrob.BJ
AV Fortinet: W32/Bayrob.AQ!tr
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV F-Secure: Gen:Variant.Razy.15381
AV Grisoft (avg): Generic37.AAJU
AV Ikarus: Trojan.Win32.Bayrob
AV K7: Trojan ( 004dc1cb1 )
AV Kaspersky: Trojan.Win32.Swizzor.e
AV MalwareBytes: No Virus
AV Mcafee: Trojan-FHRY!2A784B540872
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV Rising: No Virus
AV Symantec: No Virus
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): No Virus
AV Zillya!: Trojan.SwizzorGen.Win32.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\nvftciowu\ezh1lc8trocovmvc8m.exe
Creates File: C:\nvftciowu\kkstjvi4br
Creates File: C:\WINDOWS\nvftciowu\kkstjvi4br
Deletes File: C:\WINDOWS\nvftciowu\kkstjvi4br
Creates Process: C:\nvftciowu\ezh1lc8trocovmvc8m.exe

Process
↳ C:\nvftciowu\ezh1lc8trocovmvc8m.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secondary Helper Storage Receiver ➝ C:\nvftciowu\otkqciohet.exe
Creates File: C:\nvftciowu\kkstjvi4br
Creates File: PIPE\lsarpc
Creates File: C:\nvftciowu\otkqciohet.exe
Creates File: C:\nvftciowu\etfe6hijp
Creates File: C:\WINDOWS\nvftciowu\kkstjvi4br
Deletes File: C:\WINDOWS\nvftciowu\kkstjvi4br
Creates Process: C:\nvftciowu\otkqciohet.exe
Creates Service: Browser Block Office Player Modules - C:\nvftciowu\otkqciohet.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1136

Process
↳ C:\nvftciowu\otkqciohet.exe

Creates File: C:\nvftciowu\xbtz4szxu
Creates File: pipe\net\NtControlPipe10
Creates File: C:\nvftciowu\kkstjvi4br
Creates File: \Device\Afd\Endpoint
Creates File: C:\nvftciowu\etfe6hijp
Creates File: C:\nvftciowu\dfeiold.exe
Creates File: C:\WINDOWS\nvftciowu\kkstjvi4br
Deletes File: C:\WINDOWS\nvftciowu\kkstjvi4br
Creates Process: swnhw8hrv0yr "c:\nvftciowu\otkqciohet.exe"

Process
↳ C:\nvftciowu\otkqciohet.exe

Creates File: C:\nvftciowu\kkstjvi4br
Creates File: C:\WINDOWS\nvftciowu\kkstjvi4br
Deletes File: C:\WINDOWS\nvftciowu\kkstjvi4br

Process
↳ swnhw8hrv0yr "c:\nvftciowu\otkqciohet.exe"

Creates File: C:\nvftciowu\kkstjvi4br
Creates File: C:\WINDOWS\nvftciowu\kkstjvi4br
Deletes File: C:\WINDOWS\nvftciowu\kkstjvi4br

Network Details:

DNS: outsidesquare.net (Type: A) ➝ 50.87.248.167
DNS: outsideneighbor.net (Type: A) ➝ 208.100.26.234
DNS: buildingattempt.net (Type: A) ➝ 195.22.28.197
DNS: buildingattempt.net (Type: A) ➝ 195.22.28.198
DNS: buildingattempt.net (Type: A) ➝ 195.22.28.199
DNS: buildingattempt.net (Type: A) ➝ 195.22.28.196
DNS: doublesquare.net (Type: A) ➝ 162.214.15.225
DNS: brokensquare.net (Type: A) ➝ 68.230.132.227
DNS: buildingmarket.net (Type: A) ➝ 82.165.213.98
DNS: buildingreport.net (Type: A) ➝ 104.27.156.208
DNS: buildingreport.net (Type: A) ➝ 104.27.157.208
DNS: eveningreport.net (Type: A) ➝ 210.55.30.67
DNS: storereport.net (Type: A) ➝ 50.194.159.145
DNS: storegarden.net (Type: A) ➝ 46.30.212.240
DNS: doctormarket.net (Type: A) ➝ 184.168.221.37
DNS: prettymarket.net (Type: A) ➝ 208.100.26.234
DNS: doctorreport.net (Type: A) ➝ 204.11.56.48
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.166
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.163
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.160
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.157
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.154
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.151
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.74
DNS: doctorbeauty.net (Type: A) ➝ 62.149.128.72
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com (Type: A) ➝ 52.0.96.24
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com (Type: A) ➝ 52.71.117.99
DNS: doublebeauty.net (Type: A) ➝ 192.0.78.24
DNS: doublebeauty.net (Type: A) ➝ 192.0.78.25
DNS: doublepartial.net (Type: A)
DNS: brokennumber.net (Type: A)
DNS: resultnumber.net (Type: A)
DNS: brokenposition.net (Type: A)
DNS: resultposition.net (Type: A)
DNS: brokenstrike.net (Type: A)
DNS: resultstrike.net (Type: A)
DNS: brokenpartial.net (Type: A)
DNS: resultpartial.net (Type: A)
DNS: preparenumber.net (Type: A)
DNS: desirenumber.net (Type: A)
DNS: prepareposition.net (Type: A)
DNS: desireposition.net (Type: A)
DNS: preparestrike.net (Type: A)
DNS: desirestrike.net (Type: A)
DNS: preparepartial.net (Type: A)
DNS: desirepartial.net (Type: A)
DNS: strengthnumber.net (Type: A)
DNS: stillnumber.net (Type: A)
DNS: strengthposition.net (Type: A)
DNS: stillposition.net (Type: A)
DNS: strengthstrike.net (Type: A)
DNS: stillstrike.net (Type: A)
DNS: strengthpartial.net (Type: A)
DNS: stillpartial.net (Type: A)
DNS: movementattempt.net (Type: A)
DNS: outsideattempt.net (Type: A)
DNS: movementsquare.net (Type: A)
DNS: movementneighbor.net (Type: A)
DNS: movementspread.net (Type: A)
DNS: outsidespread.net (Type: A)
DNS: eveningattempt.net (Type: A)
DNS: buildingsquare.net (Type: A)
DNS: eveningsquare.net (Type: A)
DNS: buildingneighbor.net (Type: A)
DNS: eveningneighbor.net (Type: A)
DNS: buildingspread.net (Type: A)
DNS: eveningspread.net (Type: A)
DNS: storeattempt.net (Type: A)
DNS: mightattempt.net (Type: A)
DNS: storesquare.net (Type: A)
DNS: mightsquare.net (Type: A)
DNS: storeneighbor.net (Type: A)
DNS: mightneighbor.net (Type: A)
DNS: storespread.net (Type: A)
DNS: mightspread.net (Type: A)
DNS: doctorattempt.net (Type: A)
DNS: prettyattempt.net (Type: A)
DNS: doctorsquare.net (Type: A)
DNS: prettysquare.net (Type: A)
DNS: doctorneighbor.net (Type: A)
DNS: prettyneighbor.net (Type: A)
DNS: doctorspread.net (Type: A)
DNS: prettyspread.net (Type: A)
DNS: fellowattempt.net (Type: A)
DNS: doubleattempt.net (Type: A)
DNS: fellowsquare.net (Type: A)
DNS: fellowneighbor.net (Type: A)
DNS: doubleneighbor.net (Type: A)
DNS: fellowspread.net (Type: A)
DNS: doublespread.net (Type: A)
DNS: brokenattempt.net (Type: A)
DNS: resultattempt.net (Type: A)
DNS: resultsquare.net (Type: A)
DNS: brokenneighbor.net (Type: A)
DNS: resultneighbor.net (Type: A)
DNS: brokenspread.net (Type: A)
DNS: resultspread.net (Type: A)
DNS: prepareattempt.net (Type: A)
DNS: desireattempt.net (Type: A)
DNS: preparesquare.net (Type: A)
DNS: desiresquare.net (Type: A)
DNS: prepareneighbor.net (Type: A)
DNS: desireneighbor.net (Type: A)
DNS: preparespread.net (Type: A)
DNS: desirespread.net (Type: A)
DNS: strengthattempt.net (Type: A)
DNS: stillattempt.net (Type: A)
DNS: strengthsquare.net (Type: A)
DNS: stillsquare.net (Type: A)
DNS: strengthneighbor.net (Type: A)
DNS: stillneighbor.net (Type: A)
DNS: strengthspread.net (Type: A)
DNS: stillspread.net (Type: A)
DNS: movementmarket.net (Type: A)
DNS: outsidemarket.net (Type: A)
DNS: movementreport.net (Type: A)
DNS: outsidereport.net (Type: A)
DNS: movementbeauty.net (Type: A)
DNS: outsidebeauty.net (Type: A)
DNS: movementgarden.net (Type: A)
DNS: outsidegarden.net (Type: A)
DNS: eveningmarket.net (Type: A)
DNS: buildingbeauty.net (Type: A)
DNS: eveningbeauty.net (Type: A)
DNS: buildinggarden.net (Type: A)
DNS: eveninggarden.net (Type: A)
DNS: storemarket.net (Type: A)
DNS: mightmarket.net (Type: A)
DNS: mightreport.net (Type: A)
DNS: storebeauty.net (Type: A)
DNS: mightbeauty.net (Type: A)
DNS: mightgarden.net (Type: A)
DNS: prettyreport.net (Type: A)
DNS: prettybeauty.net (Type: A)
DNS: doctorgarden.net (Type: A)
DNS: prettygarden.net (Type: A)
DNS: fellowmarket.net (Type: A)
DNS: doublemarket.net (Type: A)
DNS: fellowreport.net (Type: A)
DNS: doublereport.net (Type: A)
DNS: fellowbeauty.net (Type: A)
DNS: fellowgarden.net (Type: A)
DNS: doublegarden.net (Type: A)
DNS: brokenmarket.net (Type: A)
DNS: resultmarket.net (Type: A)
DNS: brokenreport.net (Type: A)
HTTP GET: http://outsidesquare.net/index.php
User-Agent:
HTTP GET: http://outsideneighbor.net/index.php
User-Agent:
HTTP GET: http://buildingattempt.net/index.php
User-Agent:
HTTP GET: http://doublesquare.net/index.php
User-Agent:
HTTP GET: http://brokensquare.net/index.php
User-Agent:
HTTP GET: http://buildingmarket.net/index.php
User-Agent:
HTTP GET: http://buildingreport.net/index.php
User-Agent:
HTTP GET: http://eveningreport.net/index.php
User-Agent:
HTTP GET: http://storereport.net/index.php
User-Agent:
HTTP GET: http://storegarden.net/index.php
User-Agent:
HTTP GET: http://doctormarket.net/index.php
User-Agent:
HTTP GET: http://prettymarket.net/index.php
User-Agent:
HTTP GET: http://doctorreport.net/index.php
User-Agent:
HTTP GET: http://doctorbeauty.net/index.php
User-Agent:
HTTP GET: http://prettygarden.net/index.php
User-Agent:
HTTP GET: http://doublebeauty.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 50.87.248.167:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1034 ➝ 162.214.15.225:80
Flows TCP: 192.168.1.1:1035 ➝ 68.230.132.227:80
Flows TCP: 192.168.1.1:1036 ➝ 82.165.213.98:80
Flows TCP: 192.168.1.1:1037 ➝ 104.27.156.208:80
Flows TCP: 192.168.1.1:1038 ➝ 210.55.30.67:80
Flows TCP: 192.168.1.1:1039 ➝ 50.194.159.145:80
Flows TCP: 192.168.1.1:1040 ➝ 46.30.212.240:80
Flows TCP: 192.168.1.1:1041 ➝ 184.168.221.37:80
Flows TCP: 192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1043 ➝ 204.11.56.48:80
Flows TCP: 192.168.1.1:1044 ➝ 62.149.128.166:80
Flows TCP: 192.168.1.1:1045 ➝ 52.0.96.24:80
Flows TCP: 192.168.1.1:1046 ➝ 192.0.78.24:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64657371 75617265 2e6e6574   utsidesquare.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64656e65 69676862 6f722e6e   utsideneighbor.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6761 7474656d 70742e6e   uildingattempt.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 65737175 6172652e 6e65740d   oublesquare.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e737175 6172652e 6e65740d   rokensquare.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e676d 61726b65 742e6e65   uildingmarket.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6772 65706f72 742e6e65   uildingreport.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   76656e69 6e677265 706f7274 2e6e6574   veningreport.net
0x00000050 (00080)   0d0a0d0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 7265706f 72742e6e 65740d0a   torereport.net..
0x00000050 (00080)   0d0a0d0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 67617264 656e2e6e 65740d0a   toregarden.net..
0x00000050 (00080)   0d0a0d0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 726d6172 6b65742e 6e65740d   octormarket.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657474 796d6172 6b65742e 6e65740d   rettymarket.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72726570 6f72742e 6e65740d   octorreport.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72626561 7574792e 6e65740d   octorbeauty.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657474 79676172 64656e2e 6e65740d   rettygarden.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 65626561 7574792e 6e65740d   oublebeauty.net.
0x00000050 (00080)   0a0d0a                                ...
Strings