Analysis Date: 2015-08-01 18:44:50
MD5: 84bb1c8c5957125029e4fbfa9ec63045
SHA1: 2d99e88c30cd805f5e346388d312f7a3e3386798

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 85190e8eb1c8d72ebbccf4639eb9421d, sha1: 1edcbb6cf9e4261af6966e117265392162ba548e, size: 20480
Section .rdata: md5: 856ccaa7d78f278a01048093d6f7c9d5, sha1: 6ec8d859481d211bf5bc2a8d2d68d523943c4f60, size: 8192
Section .data: md5: 4805e103b08e96a4fe517035f700d11c, sha1: 45574152397be199b10a4cd19d9031883a1d7f26, size: 73728
Section .rsrc: md5: 5b1cc8154d38ea91e5afe0cbba0d62b9, sha1: 6922a09b86738636336120fa76f3fd3cd6904b6d, size: 61440
Timestamp: 2015-03-26 08:29:35
Version info:
  LegalCopyright: Copyright (C) 2014
  InternalName:
  FileVersion: 6.1.7600.16385
  CompanyName: Microsoft Corporation. All rights reserved.
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName:
  SpecialBuild:
  ProductVersion: 6, 1, 7600, 16385
  FileDescription:
  OriginalFilename:
Packer: Microsoft Visual C++ v6.0
PEhash: 7a455bf3e32667bd260962ba1a41d317bed38388
IMPhash: 4f3d6df29aed03d098d53c60e71d6007
AV Rising: no_virus
AV Mcafee: RDN/Generic BackDoor
AV Avira (antivir): BDS/Gulpix.167936.1
AV Twister: no_virus
AV Ad-Aware: Trojan.GenericKD.2589797
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Generik.KMMSGFS
AV Grisoft (avg): BackDoor.Generic19.CAQ
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/Gulpix.VIR!tr.bdr
AV BitDefender: Trojan.GenericKD.2589797
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: Backdoor:Win32/Plugx!rfn
AV MicroWorld (escan): Trojan.GenericKD.2589797
AV MalwareBytes: no_virus
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Backdoor.Win32.Gulpix
AV Emsisoft: Trojan.GenericKD.2589797
AV Zillya!: Backdoor.Gulpix.Win32.220
AV Kaspersky: Backdoor.Win32.Gulpix.vir
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2589797
AV Arcabit (arcavir): Trojan.GenericKD.2589797
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Trojan.GenericKD.2589797

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps_user.dat
Creates Process: C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84
Creates Mutex: Fast

Process
↳ C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: nvdisps_event
Winsock DNS: 103.249.28.6

Network Details:

HTTP POST: http://103.249.28.6:443/update?id=002d4098
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 103.249.28.6:443

Raw Pcap


Strings