Analysis Date: 2016-02-26 06:24:51
MD5: 3c6cc5af7832f2680e24077c776d8d5d
SHA1: 386010d790dfb2995927b2d46c6d07674dcd068e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 909f71dd1585f984893ceaa661a6bb1f sha1: 27286dd7cb640d1a836ffaf0fc1da8a79b1514af size: 24576
Section .rdata: md5: 821a48e1631120793c31e8782b09b0f6 sha1: 0a77cda32266084dcf573cd66c5499daa5ce6409 size: 4096
Section .data: md5: d1c4fb5c3eb73fb76988214fd24ab350 sha1: 7267e8189ec97230b5ffbbb3b9d75aee92b831ed size: 12288
Section .rsrc: md5: 1c2b7d69acdc88f3ab03621bb6be1101 sha1: d6e980a95209533f0fc53da7e26d247ddaef62fd size: 36864
Timestamp: 2013-08-30 06:46:14
Version:
  LegalCopyright: Rebiz
  InternalName: Zifon
  FileVersion: 6, 2, 4, 4
  CompanyName: Nilem
  PrivateBuild: Efendir
  LegalTrademarks: Akamer
  Comments: Jetar
  ProductName: Lapor
  SpecialBuild: Sipes
  ProductVersion: 3, 2, 5, 6
  FileDescription: Baler
  OriginalFilename: Dabuz
Packer: Installer VISE Custom
PEhash: 1f6fe23c37441ca2989cc36c1bd80f27e3ee7231
IMPhash: 5fe5ebb86d2ac164edc530f21cf2b4e8
AV Rising: Trojan.DL.Win32.Wauchos.b
AV McAfee: PWSZbot-FEF!3C6CC5AF7832
AV Avira (antivir): TR/Spy.ZBot.ppfx.1
AV Twister: Trojan.192297F624E8CB0E
AV Ad-Aware: Trojan.Gamarue.CJ
AV Alwil (avast): Downloader-UGC [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Grisoft (avg): PSW.Generic11.CJKF
AV Symantec: Trojan.Gen
AV Fortinet: W32/Injector.ALYX!tr
AV BitDefender: Trojan.Gamarue.CJ
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV MicroWorld (escan): Trojan.Gamarue.CJ
AV MalwareBytes: Trojan.Email.Bot
AV Authentium: W32/A-29b5cead!Eldorado
AV Emsisoft: Trojan.Gamarue.CJ
AV Frisk (f-prot): No Virus
AV Ikarus: Backdoor.Win32.Androm
AV Zillya!: Trojan.Injector.Win32.211625
AV Kaspersky: Trojan-Downloader.Win32.Injecter.jno
AV Trend Micro: WORM_GAMARUE.SMJ
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183
AV CAT (quickheal): Worm.Gamarue.A4
AV BullGuard: Trojan.Gamarue.CJ
AV Arcabit (arcavir): Trojan.Gamarue.CJ
AV ClamAV: Win.Trojan.Gamarue-25
AV Dr. Web: BackDoor.Andromeda.178
AV F-Secure: Trojan.Gamarue.CJ
AV CA (E-Trust Ino): Trojan.Gamarue.CJ

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wupdmgr.exe

Process
↳ C:\WINDOWS\system32\wupdmgr.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\cccxjvfwi.cmd\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\cccxjvfwi.cmd
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
  Type: A
  65.55.50.190
DNS: www.update.microsoft.com.nsatc.net
  Type: A
  191.232.80.55
DNS: www.update.microsoft.com
  Type: A
DNS: restless.su
  Type: A
DNS: pacifista.ru
  Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.190:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53