Analysis Date: 2015-12-04 15:42:30
MD5: 2d6b95cda45ad2461e8b74d7d484c0cf
SHA1: 333affc38f1ef7717a55b95fbf93b2c088da921f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 123a4574576ddf1bbfd7995358b67906 sha1: dd0b134150ca7b4b8db546a12d565982ef92fbc6 size: 135168
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: dec87cf6cfcaa4d0774c221249d857f0 sha1: 554bf6f91478d34173d53b7040d205c21b65f3e6 size: 20480
Timestamp: 2014-07-15 14:43:36
Version:
  InternalName: stub
  FileVersion: 1.00.0219
  CompanyName: Reasen
  ProductName: Project1
  ProductVersion: 1.00.0219
  OriginalFilename: stub.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 10b159400480235ab13c312827634db20a77b816
IMPhash: e2800aaa620d617c846aa4fbf6256a8d
AV Kaspersky: Worm.Win32.VBNA.b
AV Padvish: no_virus
AV F-Secure: Gen:Variant.Barys.441
AV Microsoft Security Essentials: Worm:Win32/Gamarue.I
AV MicroWorld (escan): Gen:Variant.Barys.441
AV Fortinet: W32/Refroso.ATR!tr
AV Frisk (f-prot): W32/Andromeda.A.gen!Eldorado
AV Ikarus: Trojan.Defiler
AV K7: Spyware ( 000003a81 )
AV Mcafee: W32/Worm-FFE!C41D705DE10F
AV Eset (nod32): Win32/Spy.KeyLogger.NHM
AV Grisoft (avg): Defiler.G.dropper
AV MalwareBytes: no_virus
AV Ad-Aware: Gen:Variant.Barys.441
AV BullGuard: Gen:Variant.Barys.441
AV Alwil (avast): Citadel-A [Trj]
AV Authentium: W32/Andromeda.A.gen!Eldorado
AV CA (E-Trust Ino): Win32/VBInject.C!generic
AV CAT (quickheal): Worm.Gamarue.I1
AV Avira (antivir): Worm/Gamarue.itza
AV ClamAV: Win.Trojan.Barys-847
AV Dr. Web: BackDoor.Andromeda.22
AV Arcabit (arcavir): Gen:Variant.Barys.441:Gen:Variant.Kazy.219676
AV BitDefender: Gen:Variant.Barys.441
AV Emsisoft: Gen:Variant.Barys.441

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\FXKasTd.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\wFXKasTd
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\FXKasTd
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\aFXKasTd
Creates Process: C:\\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: centralstub.com
Winsock URL: http://centralstub.com/logger/plugin.exe

Process
↳ C:\\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\mspovu.com\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\mspovu.com
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 134.170.58.222
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 157.55.240.94
DNS: centralstub.com (Type: A)
DNS: www.update.microsoft.com (Type: A)
Flows TCP: 192.168.1.1:1032 ➝ 134.170.58.222:80