Analysis Date: 2015-07-23 20:03:33
MD5: d08acc9145a76f179b097ca358440436
SHA1: 1f445a33bb878bbbd666e7cd7bd70d3bb8f1c104

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: f7843dcaf73a8251e55b6e0053a5a301  sha1: c98ae2c10810d8b23c6f9c56c533f03c2b6c297f  size: 73216
Section .rdata: md5: a8946e22d49b0012bdaa7b0531c65edb  sha1: e5a014733335c9522f7f7cceaeec61bf008e8e07  size: 3072
Section .data:  md5: ef370cca5ea6ac8c0c159cbd74058a12  sha1: c039de44ca9015d455e624a9a57c3cd389e02f1c  size: 3584
Section .rsrc:  md5: 5809e929a6a0303c699d9f0e25dd6765  sha1: 93df3535fa783015beab6521b2f5d5f6fe8db04b  size: 17920
Timestamp: 2005-08-07 12:42:42
Packer: Microsoft Visual C++ v6.0
PEhash: 7b8a16454b878e7239611d7d73835b364e96a369
IMPhash: 54c37705776f058dc0b5deb394beba37

AV results (vendor: detection name):
  CA (E-Trust Ino): no_virus
  F-Secure: Gen:Variant.Symmi.51605
  Dr. Web: Trojan.DownLoad3.35231
  ClamAV: no_virus
  Arcabit (arcavir): Gen:Variant.Symmi.51605
  BullGuard: Gen:Variant.Symmi.51605
  Padvish: no_virus
  VirusBlokAda (vba32): TrojanDownloader.Goo
  CAT (quickheal): TrojanDownloader.Goo.r4
  Trend Micro: no_virus
  Kaspersky: Trojan-Downloader.Win32.Goo.rwg
  Zillya!: no_virus
  Emsisoft: Gen:Variant.Symmi.51605
  Ikarus: Trojan.Win32.Glupteba
  Frisk (f-prot): no_virus
  Authentium: W32/Trojan.VSBO-1430
  MalwareBytes: Trojan.Agent.ALTV
  MicroWorld (escan): Gen:Variant.Symmi.51605
  Microsoft Security Essentials: Trojan:Win32/Carberp.I
  K7: Trojan ( 004bab0e1 )
  BitDefender: Gen:Variant.Symmi.51605
  Fortinet: W32/Kryptik.DEYP!tr
  Symantec: Trojan.Gen
  Grisoft (avg): Crypt4.DZI
  Eset (nod32): Win32/Kryptik.DCZM
  Alwil (avast): Malware-gen:Win32:Malware-gen
  Ad-Aware: Gen:Variant.Symmi.51605
  Twister: TrojanDldr.Goo.rwg.gwgq
  Avira (antivir): TR/ATRAPS.Gen4
  Mcafee: Packed-EJ!D08ACC9145A7
  Rising: no_virus

Runtime Details:

Process:
  ↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150319\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://198.7.58.68:23480/stat?uid=100&downlink=1111&uplink=1111&id=000167DD&statpass=bpass&version=15150319&features=30&guid=fbea60f2-d6b7-4380-a968-d10186b49ff6&comment=15150319&p=0&s=
  User-Agent: (empty)
HTTP GET: http://50.17.185.81:32353/stat?uid=100&downlink=1111&uplink=1111&id=00017BA3&statpass=bpass&version=15150319&features=30&guid=fbea60f2-d6b7-4380-a968-d10186b49ff6&comment=15150319&p=0&s=
  User-Agent: (empty)
HTTP GET: http://108.178.2.226:23097/stat?uid=100&downlink=1111&uplink=1111&id=00018F3B&statpass=bpass&version=15150319&features=30&guid=fbea60f2-d6b7-4380-a968-d10186b49ff6&comment=15150319&p=0&s=
  User-Agent: (empty)
HTTP GET: http://99.198.97.86:11982/stat?uid=100&downlink=1111&uplink=1111&id=0001A2E2&statpass=bpass&version=15150319&features=30&guid=fbea60f2-d6b7-4380-a968-d10186b49ff6&comment=15150319&p=0&s=
  User-Agent: (empty)
HTTP GET: http://85.13.246.219:22887/stat?uid=100&downlink=1111&uplink=1111&id=0001B689&statpass=bpass&version=15150319&features=30&guid=fbea60f2-d6b7-4380-a968-d10186b49ff6&comment=15150319&p=0&s=
  User-Agent: (empty)
HTTP GET: http://86.106.77.246:51841/stat?uid=100&downlink=1111&uplink=1111&id=0001CA21&statpass=bpass&version=15150319&features=30&guid=fbea60f2-d6b7-4380-a968-d10186b49ff6&comment=15150319&p=0&s=
  User-Agent: (empty)
HTTP GET: http://194.28.175.20:10934/stat?uid=100&downlink=1111&uplink=1111&id=0001DDC8&statpass=bpass&version=15150319&features=30&guid=fbea60f2-d6b7-4380-a968-d10186b49ff6&comment=15150319&p=0&s=
  User-Agent: (empty)

Flows (TCP, source ➝ destination):
  192.168.1.1:1031 ➝ 198.7.58.68:23480
  192.168.1.1:1031 ➝ 198.7.58.68:23480
  192.168.1.1:1032 ➝ 50.17.185.81:32353
  192.168.1.1:1033 ➝ 108.178.2.226:23097
  192.168.1.1:1034 ➝ 99.198.97.86:11982
  192.168.1.1:1035 ➝ 85.13.246.219:22887
  192.168.1.1:1036 ➝ 86.106.77.246:51841
  192.168.1.1:1037 ➝ 194.28.175.20:10934

Raw Pcap
Strings