Analysis Date: 2015-11-15 06:37:56
MD5: 4f5db223c89e5d0cbdd3b0f626394484
SHA1: 0b054b5f2b157003737cddd6f4b879342063c2e6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a8f3737512fd50518e77a73ce8e866d6 sha1: a2c319bd2cbe8c57b2e0447dc8608183981aa522 size: 45056
Section .rdata: md5: 9aa7ddeaf362143eccab7cab42849cc9 sha1: e37685de9f2a64fc2fc63a4b2fb074dd8b145f7b size: 20992
Section .data: md5: 2483264bf684772710ebfddcf9e911da sha1: 76c5cd905a22bc6447a04bfe0479b4e7bba41861 size: 15360
Section .rsrc: md5: 31bc5ba38ed96d34676813a6c227f071 sha1: 012ab527f0eab328e730bbb155504282eccdaaa2 size: 512
Section ffbcslk: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 1997-08-26 07:47:27
Pdb path: c:\rail\lot\and\meat\name\For\port\villagestore.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 1b21c4ea847bd3eb4040611aafc70cc407fa10c1
IMPhash: 0c7c7eb1ac4729e480cc1db17f22f7e0
AV Rising: Worm.Win32.Gamarue.v
AV Mcafee: Generic.dx!4F5DB223C89E
AV Avira (antivir): TR/Fraud.Gen8
AV Twister: Trojan.9D9F2DC5AEFE6B57
AV Ad-Aware: Trojan.Gamarue.CF
AV Alwil (avast): Vitro:Win32:Vitro
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Grisoft (avg): Generic32.BTGJ
AV Symantec: Packed.Dromedan!gen21
AV Fortinet: W32/Kryptik.AYXG!tr
AV BitDefender: Trojan.Gamarue.CF
AV K7: Backdoor ( 04c4f9b81 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV MicroWorld (escan): Trojan.Gamarue.CF
AV MalwareBytes: Trojan.Injector.RRE
AV Authentium: W32/A-e8e4f902!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Inject
AV Emsisoft: Trojan.Gamarue.CF
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): Worm.Gamarue.I4
AV VirusBlokAda (vba32): SScope.Trojan.CLR.2407
AV Padvish: Worm.Win32.Gamarue.dropped
AV BullGuard: Trojan.Gamarue.CF
AV Arcabit (arcavir): Trojan.Gamarue.CF
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.178
AV F-Secure: Trojan.Gamarue.CF
AV CA (E-Trust Ino): Win32/SillyAutorun.FUE

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccezzxfis.pif\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccezzxfis.pif
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.157
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.190
DNS: hzmksreiuojy.in
Type: A
195.22.28.199
DNS: hzmksreiuojy.in
Type: A
195.22.28.196
DNS: hzmksreiuojy.in
Type: A
195.22.28.197
DNS: hzmksreiuojy.in
Type: A
195.22.28.198
DNS: hzmksreiuojy.ru
Type: A
52.28.249.128
DNS: hzmksreiuojy.com
Type: A
52.28.249.128
DNS: hzmksreiuojy.biz
Type: A
52.28.249.128
DNS: hzmksreiuojy.nl
Type: A
176.58.104.168
DNS: www.update.microsoft.com
Type: A
HTTP POST: http://8.8.8.8/xxxxxxxxx.php
User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.in/ldr.php
User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.ru/ldr.php
User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.com/ldr.php
User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.biz/ldr.php
User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.nl/ldr.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.157:80
Flows TCP: 192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 195.22.28.199:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1038 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1040 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1042 ➝ 176.58.104.168:80
