Analysis Date: 2018-05-12 20:39:49
MD5: 5a48b1fdea13b49247b71ac58f09fd67
SHA1: 3721f0a91e87e9a612c8964035bc3146f78ae3dc

Static Details:

AV detections (35 engines; 32 detect, Padvish reports No Virus, K7 and SUPERAntiSpyware failed to scan). Where a family is named, the engines agree on Andromeda, also known as Gamarue, Wauchos (F-Secure) and Dromedan (Symantec).

Vendor                          Detection
Arcabit (arcavir)               Gen:Variant.Symmi.22996
Authentium                      W32/A-49bf794c!Eldorado
Grisoft (avg)                   Dropper.Generic8.BBQY
Avira (antivir)                 TR/Dropper.Gen
Alwil (avast)                   Downloader-TSN [Trj]
Ad-Aware                        Gen:Variant.Symmi.22996
BitDefender                     Gen:Variant.Symmi.22996
BullGuard                       Gen:Variant.Symmi.22996
ClamAV                          Win.Trojan.Downloader-61798
Dr. Web                         BackDoor.Andromeda.178
Emsisoft                        Gen:Variant.Symmi.22996
MicroWorld (escan)              Gen:Variant.Symmi.22996
CA (E-Trust Ino)                Gen:Variant.Symmi.22996
Fortinet                        W32/Kryptik.BBYD!tr
Frisk (f-prot)                  W32/A-49bf794c!Eldorado
F-Secure                        Trojan-Downloader:W32/Wauchos.F
Ikarus                          Trojan.Inject
K7                              Error Scanning File
Kaspersky                       Trojan.Win32.Generic
MalwareBytes                    Trojan.Agent
Mcafee                          W32/Worm-FKU!5A48B1FDEA13
Microsoft Security Essentials   Worm:Win32/Gamarue.AJ
NANO                            Trojan.Win32.Andromeda.ccgyxx
Eset (nod32)                    Win32/Injector.AIOX
Padvish                         No Virus
CAT (quickheal)                 Worm.Gamarue.B
Rising                          Trojan.Win32.Read.a
360 Safe                        Worm.Win32.Gamarue.V
SUPERAntiSpyware                Error Scanning File
Symantec                        Downloader.Dromedan
Trend Micro                     WORM_GAMARUE.SMJ
Twister                         Trojan.D875EDBFBC8E8805
VirusBlokAda (vba32)            SScope.Worm.Gamarue.2713
Windows Defender                Worm:Win32/Gamarue.AJ
Zillya!                         Downloader.Andromeda.Win32.3263

Runtime Details:

Process ↳ C:\Windows\System32\lsass.exe
Process ↳ C:\Users\Phil\AppData\Local\Temp\3721f0a91e87e9a612c8964035bc3146f78ae3dc.exe
Process ↳ C:\Users\Phil\AppData\Local\Temp\3721f0a91e87e9a612c8964035bc3146f78ae3dc.exe
Creates File: C:\Windows\SysWOW64\svchost.exe
Process ↳ C:\Windows\SysWOW64\svchost.exe

Creates Mutex: (no name recorded)
Creates Mutex: 3770066751
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\3721f0a91e87e9a612c8964035bc3146f78ae3dc.exe
Creates File: C:\ProgramData\Local Settings\Temp\cclouvay.com
Creates File: C:\Windows\SysWOW64\svchost.exe
Creates File: C:\ProgramData\Local Settings\Temp\cclouvay.com
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\42815 ➝ C:\PROGRA~3\LOCALS~1\Temp\cclouvay.com
(Persistence: Policies\Explorer\Run is an autostart location, and the value data is the 8.3 short-name form of the dropped C:\ProgramData\Local Settings\Temp\cclouvay.com listed above.)
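As an added example, not from the report or the sandbox that produced it, the following Python performs the correlation an analyst does by hand on the events above: it parses the Creates File and Registry lines (embedded as a constructed copy of the lines shown), flags writes under well-known autostart keys (Run, RunOnce, Policies\Explorer\Run), and ties the Run value's 8.3 short-name target C:\PROGRA~3\LOCALS~1\Temp\cclouvay.com back to the dropped long-name file by its final path component, because short names cannot be expanded offline. The key list, regular expressions and function names are the example's own assumptions.

```python
import re

# Constructed copy of the sandbox events listed under Runtime Details above
# (the report's own "Creates File" / "Registry ... ➝" notation is kept).
RUNTIME_EVENTS = r"""
Creates File C:\Windows\SysWOW64\svchost.exe
Creates Mutex 3770066751
Creates File C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File C:\Users\Phil\AppData\Local\Temp\3721f0a91e87e9a612c8964035bc3146f78ae3dc.exe
Creates File C:\ProgramData\Local Settings\Temp\cclouvay.com
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\42815 ➝ C:\PROGRA~3\LOCALS~1\Temp\cclouvay.com
"""

# Registry keys whose values Windows executes at logon (well-known ASEP locations);
# the list is this example's assumption and can be extended.
AUTOSTART_KEY_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)

# An 8.3 short-name path component such as PROGRA~3 or LOCALS~1.
SHORT_NAME_RE = re.compile(r"^[^\\.]{1,6}~\d+(\.[^\\.]{1,3})?$", re.IGNORECASE)
REGISTRY_RE = re.compile(r"^Registry\s+(\S+)\s+(?:➝|=>|->)\s+(.+)$")
FILE_RE = re.compile(r"^Creates File\s+(.+)$")


def parse_events(text: str) -> dict:
    """Split event lines into created-file paths and (value path, data) registry writes."""
    files, registry = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            files.append(m.group(1).strip())
        elif m := REGISTRY_RE.match(line):
            registry.append((m.group(1), m.group(2).strip()))
    return {"files": files, "registry": registry}


def uses_short_names(path: str) -> bool:
    """True if any component of the path is in DOS 8.3 short-name form."""
    return any(SHORT_NAME_RE.match(c) for c in path.split("\\"))


def find_persistence(events: dict) -> list:
    """Correlate autostart registry values with files the sample created.

    Short names cannot be expanded without the original volume, so the dropped
    file is matched on the final path component only (case-insensitive).
    """
    findings = []
    created_by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in events["files"]}
    for value_path, data in events["registry"]:
        key, _, value_name = value_path.rpartition("\\")
        if not any(key.lower().endswith(s.lower()) for s in AUTOSTART_KEY_SUFFIXES):
            continue
        # Value data may be a quoted long path or an unquoted path plus arguments;
        # an 8.3 path contains no spaces, so splitting on the first space is safe.
        if data.startswith('"'):
            target = data[1:].split('"', 1)[0]
        else:
            target = data.split(" ", 1)[0]
        basename = target.rsplit("\\", 1)[-1].lower()
        findings.append({
            "key": key,
            "value_name": value_name,
            "target": target,
            "short_names": uses_short_names(target),
            "dropped_file": created_by_name.get(basename),
        })
    return findings


if __name__ == "__main__":
    for f in find_persistence(parse_events(RUNTIME_EVENTS)):
        print(f)
```

Run as-is it reports one autostart entry (value 42815) whose 8.3 target matches the dropped cclouvay.com; a target with no matching created file would surface as dropped_file None, which is itself worth a look since it means the sample persisted something the file events did not capture.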

Network Details:

Raw Pcap
0x00000000 (00000)   504f5354 202f7374 61746963 2e706870   POST /static.php
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   206d6f72 70686564 2e72750d 0a557365    morphed.ru..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 340d0a43 6f6e6e65   ength: 84..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68433435 75315446 462b4a6d   upqchC45u1TFF+Jm
0x000000b0 (00176)   6e594b47 4977694c 7258387a 554e3638   nYKGIwiLrX8zUN68
0x000000c0 (00192)   54337971 76685175 32547165 74513738   T3yqvhQu2TqetQ78
0x000000d0 (00208)   726f7937 5136626f 54664455 74594966   roy7Q6boTfDUtYIf
0x000000e0 (00224)   745a3333 4e686b45 4a774167 396d5933   tZ33NhkEJwAg9mY3
0x000000f0 (00240)   71773d3d                              qw==
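The hex dump above is the whole C2 exchange the report records. As an added example (not part of the sandbox report), the following Python rebuilds the bytes from the hex column, checks each line's offset and the Content-Length header, and extracts the indicators a hunter would reuse: host morphed.ru, URI /static.php, a bare Mozilla/4.0 User-Agent, and a body declared as form-urlencoded that is in fact an 84-character base64 string decoding to 61 bytes of non-text. The dump is embedded as a constructed copy of the lines shown; function and field names are the example's own. Nothing on the page supplies a key, so the decoded blob is measured, not decrypted.

```python
import base64
import re

# Constructed copy of the "Raw Pcap" hex dump printed in the report above; it is
# the only input this script needs, so it runs offline.
RAW_PCAP_DUMP = """\
0x00000000 (00000)   504f5354 202f7374 61746963 2e706870   POST /static.php
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   206d6f72 70686564 2e72750d 0a557365    morphed.ru..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 340d0a43 6f6e6e65   ength: 84..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68433435 75315446 462b4a6d   upqchC45u1TFF+Jm
0x000000b0 (00176)   6e594b47 4977694c 7258387a 554e3638   nYKGIwiLrX8zUN68
0x000000c0 (00192)   54337971 76685175 32547165 74513738   T3yqvhQu2TqetQ78
0x000000d0 (00208)   726f7937 5136626f 54664455 74594966   roy7Q6boTfDUtYIf
0x000000e0 (00224)   745a3333 4e686b45 4a774167 396d5933   tZ33NhkEJwAg9mY3
0x000000f0 (00240)   71773d3d                              qw==
"""

LINE_RE = re.compile(r"^0x[0-9a-fA-F]{8}\s+\((\d+)\)\s+(.*)$")
HEX_WORD_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")  # one hex word = 1..4 bytes


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from the hex column only: the ASCII column prints '.' for
    every non-printable byte, so the CRLFs are only recoverable from the hex. Each
    line's decimal offset must equal the bytes recovered so far (catches a missing line)."""
    out = bytearray()
    for raw in dump.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if int(m.group(1)) != len(out):
            raise ValueError(f"offset {m.group(1)} but {len(out)} bytes recovered")
        taken = 0
        for token in m.group(2).split():
            if taken >= 16 or not HEX_WORD_RE.match(token):
                break  # first non-hex token (or a full 16 bytes) starts the ASCII column
            out += bytes.fromhex(token)
            taken += len(token) // 2
    return bytes(out)


def parse_http_request(payload: bytes) -> dict:
    """Split an HTTP/1.x request into request line, lower-cased headers and body;
    a Content-Length that disagrees with the captured body is an error, not a guess."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF end-of-headers marker in payload")
    lines = head.decode("ascii").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "-1"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(req: dict) -> dict:
    """Protocol-level oddities reusable as hunting logic: a form-urlencoded
    Content-Type over a body with no name=value pairs (the only '=' are trailing
    base64 padding), a bare User-Agent product token, and a base64 body that
    decodes to high-bit bytes, i.e. not text. No key is known, so nothing is decrypted."""
    body, hdr = req["body"], req["headers"]
    decoded = base64.b64decode(body, validate=True)
    stripped = body.rstrip(b"=")
    return {
        "host": hdr.get("host"),
        "uri": req["path"],
        "user_agent": hdr.get("user-agent", ""),
        "form_type_but_not_form_body": (
            hdr.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and b"=" not in stripped and b"&" not in stripped),
        "bare_user_agent": len(hdr.get("user-agent", "").split()) == 1,
        "body_b64_len": len(body),
        "decoded_len": len(decoded),
        "decoded_high_bit_bytes": sum(1 for b in decoded if b >= 0x80),
    }


def analyse(dump: str = RAW_PCAP_DUMP) -> dict:
    """Full pipeline: hex dump -> bytes -> parsed request -> indicators."""
    return beacon_indicators(parse_http_request(hexdump_to_bytes(dump)))
```

The offset check matters when a dump is copied out of a report: dropping one line shifts every later byte and the request would still "parse", just wrongly. The Content-Type/body mismatch and the single-token User-Agent are the two request properties most useful for a proxy-log or IDS rule, since the host and URI change between campaigns.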


Strings