Analysis | #totalhash

Analysis Date	2015-08-07 09:25:11
MD5	b89d04991259d89b3c5cba4680b41d14
SHA1	1bf0194aa3ee4186afa381836fc4c76b9163c323

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 2cac747949d6d4c8ad93d826f91894d7 sha1: 962ce9986df988696d8aa65207a7c01891d2799f size: 59392
Section	.rdata md5: b6f626c36f35902475f8149097675376 sha1: 23de5ae8c94087d3d33b45310aba913eba34d067 size: 20992
Section	.data md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360
Section	.rsrc md5: b3acf3c029e373f7cfa1e4f685c79fa5 sha1: ae758a4fd874eea778ce75b45f3bba34e205b856 size: 214016
Section	cvvvwji md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section	.text md5: 2b45ad4d2a3807cf41685e5f944e12af sha1: fd271b59d32f3a46d4cb3261118c9bba72a61e94 size: 148480
Timestamp	2010-10-12 04:06:34
Pdb path	c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
PEhash	7bd208dd1622467a09d9c695907b8754bf0ba47b
IMPhash	b2498eed3c3aa5befc085379b8319a74
AV	Rising	Win32.Mgr.a
AV	Mcafee	W32/Ramnit.a
AV	Avira (antivir)	W32/Ramnit.C
AV	Twister	Virus.60E8000000005D8BC5.mg
AV	Ad-Aware	Win32.Ramnit.N
AV	Alwil (avast)	RmnDrp:Win32:RmnDrp
AV	Eset (nod32)	Win32/Ramnit.H virus
AV	Grisoft (avg)	Win32/Zbot.G
AV	Symantec	W32.Ramnit.B!inf
AV	Fortinet	W32/Ramnit.C
AV	BitDefender	Win32.Ramnit.N
AV	K7	Virus ( 002fe95d1 )
AV	Microsoft Security Essentials	Virus:Win32/Ramnit.I
AV	MicroWorld (escan)	Win32.Ramnit.N
AV	MalwareBytes	Virus.Ramnit
AV	Authentium	W32/Ramnit.D
AV	Frisk (f-prot)	W32/Ramnit.D
AV	Ikarus	Trojan-Downloader.Win32.Andromeda
AV	Emsisoft	Win32.Ramnit.N
AV	Zillya!	Virus.Nimnul.Win32.1
AV	Kaspersky	Virus.Win32.Nimnul.a
AV	Trend Micro	PE_RAMNIT.DEN
AV	CAT (quickheal)	W32.Ramnit.BA
AV	VirusBlokAda (vba32)	Virus.Win32.Nimnul.b
AV	Padvish	Downloader.Win32.Gamarue.AA
AV	BullGuard	Win32.Ramnit.N
AV	Arcabit (arcavir)	Win32.Ramnit.N
AV	ClamAV	W32.Ramnit-1
AV	Dr. Web	BackDoor.Andromeda.178
AV	F-Secure	Win32.Ramnit.N
AV	CA (E-Trust Ino)	Win32/Ramnit.C

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\1bf0194aa3ee4186afa381836fc4c76b9163c323mgr.exe
Creates Process	C:\1bf0194aa3ee4186afa381836fc4c76b9163c323mgr.exe
Creates Process	C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\1bf0194aa3ee4186afa381836fc4c76b9163c323mgr.exe

Creates File	PIPE\lsarpc
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\228c_appcompat.txt
Creates Process	C:\WINDOWS\system32\dwwin.exe -x -s 180

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry	HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccowmuaqe.pif\\x00
Creates File	C:\Documents and Settings\All Users\Local Settings\Temp\ccowmuaqe.pif
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates Mutex	3227095050

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 180

Network Details:

DNS	www.update.microsoft.com.nsatc.net Type: A 65.55.50.189
DNS	www.update.microsoft.com.nsatc.net Type: A 134.170.58.222
DNS	hzmksreiuojy.in Type: A 195.22.26.254
DNS	hzmksreiuojy.in Type: A 195.22.26.231
DNS	hzmksreiuojy.in Type: A 195.22.26.252
DNS	hzmksreiuojy.in Type: A 195.22.26.253
DNS	hzmksreiuojy.ru Type: A 52.28.3.6
DNS	hzmksreiuojy.biz Type: A 52.28.3.6
DNS	hzmksreiuojy.nl Type: A 176.58.104.168
DNS	www.update.microsoft.com Type: A
DNS	hzmksreiuojy.com Type: A
HTTP POST	http://8.8.8.8/xxxxxxxxx.php User-Agent: Mozilla/4.0
HTTP POST	http://hzmksreiuojy.in/ldr.php User-Agent: Mozilla/4.0
HTTP POST	http://hzmksreiuojy.ru/ldr.php User-Agent: Mozilla/4.0
HTTP POST	http://hzmksreiuojy.biz/ldr.php User-Agent: Mozilla/4.0
HTTP POST	http://hzmksreiuojy.nl/ldr.php User-Agent: Mozilla/4.0
Flows TCP	192.168.1.1:1031 ➝ 65.55.50.189:80
Flows TCP	192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP	192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP	192.168.1.1:1034 ➝ 195.22.26.254:80
Flows UDP	192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP	192.168.1.1:1036 ➝ 52.28.3.6:80
Flows UDP	192.168.1.1:1037 ➝ 8.8.4.4:53
Flows UDP	192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP	192.168.1.1:1039 ➝ 52.28.3.6:80
Flows UDP	192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP	192.168.1.1:1041 ➝ 176.58.104.168:80

Raw Pcap

0x00000000 (00000)   504f5354 202f7878 78787878 7878782e   POST /xxxxxxxxx.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a486f   php HTTP/1.1..Ho
0x00000020 (00032)   73743a20 382e382e 382e380d 0a557365   st: 8.8.8.8..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 340d0a43 6f6e6e65   ength: 84..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68437338 7646544b 464f566d   upqchCs8vFTKFOVm
0x000000b0 (00176)   6e494b47 4977694c 7258387a 554e3638   nIKGIwiLrX8zUN68
0x000000c0 (00192)   54337971 76685175 32547165 74516e33   T3yqvhQu2TqetQn3
0x000000d0 (00208)   71497937 51366270 54664455 74594966   qIy7Q6bpTfDUtYIf
0x000000e0 (00224)   745a3333 4e42414f 4c417367 396d5933   tZ33NBAOLAsg9mY3
0x000000f0 (00240)   71773d3d                              qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e69 6e0d0a55   mksreiuojy.in..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 73387646 544b464f   ..upqchCs8vFTKFO
0x000000b0 (00176)   566d6e49 4b474977 694c7258 387a554e   VmnIKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   6e337149 79375136 62705466 44557459   n3qIy7Q6bpTfDUtY
0x000000e0 (00224)   4966745a 33334e42 414f4c41 7367396d   IftZ33NBAOLAsg9m
0x000000f0 (00240)   59337177 3d3d                         Y3qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e72 750d0a55   mksreiuojy.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 73387646 544b464f   ..upqchCs8vFTKFO
0x000000b0 (00176)   566d6e49 4b474977 694c7258 387a554e   VmnIKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   6e337149 79375136 62705466 44557459   n3qIy7Q6bpTfDUtY
0x000000e0 (00224)   4966745a 33334e42 414f4c41 7367396d   IftZ33NBAOLAsg9m
0x000000f0 (00240)   59337177 3d3d                         Y3qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e62 697a0d0a   mksreiuojy.biz..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 342e300d 0a436f6e 74656e74   lla/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203834 0d0a436f   t-Length: 84..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43733876 46544b46   ...upqchCs8vFTKF
0x000000b0 (00176)   4f566d6e 494b4749 77694c72 58387a55   OVmnIKGIwiLrX8zU
0x000000c0 (00192)   4e363854 33797176 68517532 54716574   N68T3yqvhQu2Tqet
0x000000d0 (00208)   516e3371 49793751 36627054 66445574   Qn3qIy7Q6bpTfDUt
0x000000e0 (00224)   59496674 5a33334e 42414f4c 41736739   YIftZ33NBAOLAsg9
0x000000f0 (00240)   6d593371 773d3d                       mY3qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e6e 6c0d0a55   mksreiuojy.nl..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 73387646 544b464f   ..upqchCs8vFTKFO
0x000000b0 (00176)   566d6e49 4b474977 694c7258 387a554e   VmnIKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   6e337149 79375136 62705466 44557459   n3qIy7Q6bpTfDUtY
0x000000e0 (00224)   4966745a 33334e42 414f4c41 7367396d   IftZ33NBAOLAsg9m
0x000000f0 (00240)   59337177 3d3d3d                       Y3qw===

Strings