Analysis Date: 2015-09-30 19:03:49
MD5: 86ab0c06a0145f759bfb2f06d326d8e4
SHA1: 30f7aab091b2ae94cd71e5840168cd2d07a899b4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 94dd4849a58af1674dcc3bd5f6584886 sha1: 5825f4b04b2d29ce54ac4cb35c7b960caf30c3ba size: 126976
Section .rsrc: md5: 27505fcc731b156f0b9fb43b79b6151d sha1: 252ce8e84c703b8070829f6be47f84b32428bb4c size: 4096
Section .reloc: md5: 723f9773bc169f06d4c3ebee9c3183a1 sha1: 0fdc4177a74f6497069ecbdb3873d4549ed29476 size: 4096
Timestamp: 2015-05-13 11:18:43
Version:
LegalCopyright:
Assembly Version: 1.0.0.0
InternalName: phpEPKrpG_cr.exe
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
FileDescription:
OriginalFilename: phpEPKrpG_cr.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: ee582ec8b465ea27f6de7f2344396ab5a6e85065
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Dr. Web: Trojan.DownLoad.64914
AV Alwil (avast): Crypt-YE [Trj]
AV Trend Micro: no_virus
AV K7: Trojan ( 004567271 )
AV Grisoft (avg): Generic36.BLXE
AV Eset (nod32): Win32/Wigon.PI
AV Arcabit (arcavir): Trojan.GenericKD.2403524
AV Symantec: Trojan.Gen
AV Zillya!: Trojan.Cutwail.Win32.1148
AV BitDefender: Trojan.GenericKD.2403524
AV Ikarus: Trojan.Win32.Wigon
AV Rising: no_virus
AV MicroWorld (escan): Trojan.GenericKD.2403524
AV CAT (quickheal): Trojan.Kovter.RN3
AV MalwareBytes: Trojan.MSIL.PHP
AV Padvish: no_virus
AV Frisk (f-prot): W32/Trojan2.OUIE
AV Fortinet: MSIL/Injector.JMI!tr
AV VirusBlokAda (vba32): no_virus
AV Kaspersky: Trojan.Win32.Cutwail.flh
AV Emsisoft: Trojan.GenericKD.2403524
AV Mcafee: RDN/Spybot.bfr!q
AV Twister: no_virus
AV Avira (antivir): TR/Dropper.MSIL.153151
AV ClamAV: no_virus
AV BullGuard: Trojan.GenericKD.2403524
AV F-Secure: Trojan.GenericKD.2403524
AV Microsoft Security Essentials: TrojanDownloader:MSIL/Dowector.A
AV Ad-Aware: Trojan.GenericKD.2403524
AV CA (E-Trust Ino): no_virus
AV Authentium: W32/Trojan.KNUN-6420

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\ROUTER
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe
Creates Process: C:\malware.exe
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Creates Mutex: DuTLtzQgvozDtApg
Starts Service: RASMAN

Process
↳ C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 828

Process
↳ Pid 872

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\wkssvc
Creates File: WANARP
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Mutex: Global\RAS_MO_01
Creates Mutex: RAS_MO_02

Process
↳ Pid 1228

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1176

Network Details:

DNS: microsoftwindowsupdate.ru
Type: A
173.44.63.49
HTTP GET: http://microsoftwindowsupdate.ru/flash/update.exe
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 173.44.63.49:80

Raw Pcap
0x00000000 (00000)   47455420 2f666c61 73682f75 70646174   GET /flash/updat
0x00000010 (00016)   652e6578 65204854 54502f31 2e310d0a   e.exe HTTP/1.1..
0x00000020 (00032)   486f7374 3a206d69 63726f73 6f667477   Host: microsoftw
0x00000030 (00048)   696e646f 77737570 64617465 2e72750d   indowsupdate.ru.
0x00000040 (00064)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000050 (00080)   702d416c 6976650d 0a0d0a              p-Alive....


Strings