Analysis Date: 2018-02-06 22:28:58
MD5: a96a32e2950d55993bededb1d7472927
SHA1: 22a7cf87129c65d897b22ff4f0669474af3011b3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 334e47849da978bd88411b7de90ee4a1 sha1: b320d5ab497ac05c09e81c493b7953791df98df7 size: 131072
Section .code  md5: 56ca630f964e7d7d3d634b942f86275e sha1: 6b4ecd2bbaa933b698cdd032c355bc2e9877030a size: 4096
Section .rdata md5: 8d16e96e15264aae1485051754bf1503 sha1: bbe6ef4af8082b472b2e9340026e7a9121ba5150 size: 8192
Section .data  md5: bb888de256a4f469d8de3bb0f34da22d sha1: 40cb194e492d8de40e316c6c364fa07a74cf5178 size: 16384
Section .rsrc  md5: 39dcc0ba65eeed978d2bd70cd2acb894 sha1: 2ee6f7e6f371a70a5aedc91329b165f4012cdfd1 size: 8192
Timestamp: 2014-03-06 11:10:57
Packer: Microsoft Visual C++ v6.0
PEhash: 756d905137f2525c8cfb553d68344d872b8d6f86
IMPhash: df19d3eddfa879ce43724908862b94e3
AV Arcabit (arcavir): Trojan.AgentWDCR.RI
AV Authentium: W32/Trojan.LDJM-8968
AV Grisoft (avg): Error Scanning File
AV Avira (antivir): TR/Crypt.ZPACK.50746
AV Alwil (avast): Dropper-gen [Drp]
AV Ad-Aware: Trojan.AgentWDCR.RI
AV BitDefender: Trojan.AgentWDCR.RI
AV BullGuard: Trojan.AgentWDCR.RI
AV ClamAV: No Virus
AV Dr. Web: BackDoor.Andromeda.267
AV Emsisoft: Trojan.AgentWDCR.RI
AV MicroWorld (escan): Trojan.AgentWDCR.RI
AV CA (E-Trust Ino): Trojan.AgentWDCR.RI
AV Fortinet: W32/Androm.AOB!tr.bdr
AV Frisk (f-prot): W32/Trojan3.HRP
AV F-Secure: Trojan.AgentWDCR.RI
AV Ikarus: Trojan.Bublik
AV K7: Error Scanning File
AV Kaspersky: Backdoor.Win32.Androm.dpca
AV MalwareBytes: Spyware.Zbot
AV Mcafee: Generic BackDoor.u
AV Microsoft Security Essentials: Worm:Win32/Gamarue.I
AV NANO: Trojan.Win32.Androm.cvafwo
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.Z
AV Padvish: No Virus
AV CAT (quickheal): Worm.Gamarue.I5
AV Rising: 0x568b81f1
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: Backdoor.Trojan
AV Trend Micro: BKDR_ANDROM.YUM
AV Twister: No Virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV Windows Defender: Worm:Win32/Gamarue.I
AV Zillya!: No Virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\22a7cf87129c65d897b22ff4f0669474af3011b3.exe

Creates File: C:\Users\THX1138\AppData\Local\Temp\22a7cf87129c65d897b22ff4f0669474af3011b3.exe

Network Details:

DNS www.update.microsoft.com.nsatc.net  Type: A  ➝ 65.55.50.157
DNS www.update.microsoft.com.nsatc.net  Type: A  ➝ 65.55.50.189
DNS eriksiversen.ru  Type: A  ➝ 195.22.26.252
DNS eriksiversen.ru  Type: A  ➝ 195.22.26.231
DNS eriksiversen.ru  Type: A  ➝ 195.22.26.254
DNS eriksiversen.ru  Type: A  ➝ 195.22.26.253
DNS juliussdietz.ru  Type: A  ➝ 195.22.26.231
DNS juliussdietz.ru  Type: A  ➝ 195.22.26.254
DNS juliussdietz.ru  Type: A  ➝ 195.22.26.253
DNS juliussdietz.ru  Type: A  ➝ 195.22.26.252
DNS update.microsoft.com  Type: A  (no answer recorded)
DNS captioncodes.ru  Type: A  (no answer recorded)
DNS fulldag.ru  Type: A  (no answer recorded)
DNS mantos.su  Type: A  (no answer recorded)
HTTP POST http://eriksiversen.ru/new2/gate.php
User-Agent: Mozilla/4.0
HTTP POST http://juliussdietz.ru/new2/gate.php
User-Agent: Mozilla/4.0
Flows TCP 192.168.1.1:1036 ➝ 65.55.50.157:80
Flows UDP 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1039 ➝ 195.22.26.252:80
Flows UDP 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 195.22.26.231:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1048 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1049 ➝ 8.8.4.4:53

Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings
..~
 T.
.r.
8.xa
x'
^...
..
F
xd
..O
....~
 T.
.r.
\
. 
C::::% BbmHpAadYySMI--

         (((((                  H
3wWa.7B_:A
6;5 kB
$#"8_#
abnormal program termination
america
american
american english
american-english
Argentina
August
Australia
australian
Austria
Basque
belgian
Belgium
britain
Canada
canadian
CCsd::Control SET_MAX_SAMPLE_VALUE = %d
chinese
chinese-hongkong
chinese-simplified
chinese-singapore
chinese-traditional
CloseHandle
`.code
Colombia
CompareStringA
CompareStringW
Costa Rica
CreateFileA
CreateFileW
CreateThread
>Cu28V
@.data
dddd, MMMM dd, yyyy
December
DeleteCriticalSection
DOMAIN error
Dominican Republic
%d OnDebounce %d samp, OffDebounce %d samp
dutch-belgian
Ecuador
england
English
english-american
english-aus
english-belize
english-can
english-caribbean
english-ire
english-jamaica
english-nz
english-south africa
english-trinidad y tobago
english-uk
english-us
english-usa
EnterCriticalSection
EnumSystemLocalesA
EV_HMAC_OID_INTEL_ISV_PMODE_ENABLE
Execute: unknown command
ExitProcess
FatalAppExitA
February
FindClose
FindFirstFileW
Finland
Finnish
F@j@Ph
- floating point not loaded
FlushFileBuffers
FormatMessageW
F PjPWj
F$PjQWj
F.PjRWj
F*PjTWj
F+PjUWj
F,PjVWj
F-PjWWj
France
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibraryAndExitThread
French
french-belgian
french-canadian
french-luxembourg
french-swiss
Friday
German
german-austrian
german-lichtenstein
german-luxembourg
german-swiss
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetCPInfo
GetCurrentProcess
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileSize
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetTcpStatisticsEx
GetTickCount
GetTimeZoneInformation
GetUserDefaultLCID
GetVersion
GetVersionExA
GetVersionExW
__GLOBAL_HEAP_SELECTED
great britain
Guatemala
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HHtiHtGH
H:mm:ss
holland
hong-kong
HtHHt(
HtOHt)H
Iceland
Icelandic
InitializeCriticalSection
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IPHLPAPI.DLL
irish-english
IsBadWritePtr
IsDebuggerPresent
IsValidCodePage
IsValidLocale
italian-swiss
It[IItM
JanFebMarAprMayJunJulAugSepOctNovDec
January
j>OGu>
KERNEL32.dll
% l=]9 hE
LC_ALL
LC_COLLATE
LC_CTYPE
LCMapStringA
LCMapStringW
LC_MONETARY
LC_NUMERIC
LC_TIME
LeaveCriticalSection
LoadLibraryA
LocalFree
lstrlenW
Luxembourg
M/d/yy
MessageBoxA
Mexico
Microsoft Visual C++ Runtime Library
Monday
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
new-zealand
norwegian
norwegian-bokmal
norwegian-nynorsk
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
October
Panama
Paraguay
portuguese-brazilian
PPPPPPPP
pr china
pr-china
Program: 
<program name unknown>
puerto-rico
- pure virtual function call
PVhl&B
QQSVW3
QQSVWj
RaiseException
`.rdata
ReadFile
$#Rich
RtlUnwind
runtime error 
Runtime Error!
Saturday
September
SetEnvironmentVariableA
SetEvent
SetFilePointerEx
SetHandleCount
SetLastError
SHCopyKeyA
SHLWAPI.dll
[Shp&B
SING error
slovak
south africa
south-africa
South Africa
south korea
south-korea
Spanish
spanish-argentina
spanish-bolivia
spanish-chile
spanish-colombia
spanish-costa rica
spanish-dominican republic
spanish-ecuador
spanish-el salvador
spanish-guatemala
spanish-honduras
spanish-mexican
spanish-modern
Spanish - Modern Sort
spanish-nicaragua
spanish-panama
spanish-paraguay
spanish-peru
spanish-puerto rico
Spanish - Traditional Sort
spanish-uruguay
spanish-venezuela
SS@SSPVSS
STATUS_CLUSTER_NETWORK_NOT_FOUND
Sunday
SunMonTueWedThuFriSat
Sweden
Swedish
swedish-finland
Switzerland
tEj@Vh
TerminateProcess
!This program cannot be run in DOS mode.
Thursday
t,hx-B
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tn<%t2
tPhD&B
trinidad & tobago
TryEnterCriticalSection
t#SSUP
t.;t$$t(
Tuesday
t$$VSS
t/WWUPj
uA;5$kB
>:u#FV
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
united-kingdom
united-states
Uruguay
user32.dll
UYg	UY1
VC20XC00U
Venezuela
^Vhp&B
VirtualAlloc
VirtualFree
Vtvj0j
VWuBh`&B
WaitForSingleObject
WaitForSingleObjectEx
Wednesday
WideCharToMultiByte
WI	~&r
WQj1Pj
WriteFile
"WWShl&B
~xv|uw
_^][YY
YYh @B
zu^SSS