Analysis Date: 2015-07-02 15:36:52
MD5: 99cb0193d89ce083005c20debea9ac50
SHA1: 38e8a47220b1141222a8c22e6ee42c58dd7c8d9c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section text: md5: 7ef677a09729b6dd4c1a42f2e16f5d93 sha1: 876ac94e09f410eeab787145d10eb257e3bf2dea size: 18688
Section rdata: md5: d4889486d37bc0c73ada4fb8a130448d sha1: d0a91c1021ef4d94a245aa0bbf2daeeb6c1b9bb1 size: 12288
Section .dfta: md5: 083592a9a122454ba2202001822447da sha1: 16a5c9980bef5bcb97c206f96e4b32c5aced08e0 size: 4096
Section rsrc: md5: 5f41ee39620e56c321fa509594bd499e sha1: fecd8c91942ab07669fa031c7536142aca7cfddc size: 8192
Timestamp: 2015-06-09 18:09:28
Packer: Microsoft Visual C++ v6.0
PEhash: 762bc998ae6c85b0ef137f9c7b4b75fbff338947
IMPhash: 0cdce74dddea78fdf3c91357934f11db
AV Ikarus: Trojan.Win32.Kelihos
AV Rising: no_virus
AV Dr. Web: Trojan.DownLoad3.35231
AV Fortinet: W32/Glupteba.EWG!tr
AV VirusBlokAda (vba32): TrojanProxy.Glupteba
AV Eset (nod32): Win32/Injector.CDEP
AV K7: Trojan ( 004c62701 )
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Trend Micro: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Authentium: W32/Trojan.BWPT-8749
AV MicroWorld (escan): Gen:Variant.Zusy.146789
AV Kaspersky: Trojan-Proxy.Win32.Glupteba.ewg
AV Emsisoft: Gen:Variant.Zusy.146789
AV BitDefender: Gen:Variant.Zusy.146789
AV Grisoft (avg): Inject2.CIVI
AV Symantec: Trojan.Gen
AV Microsoft Security Essentials: DDoS:Win32/Nitol.B
AV CA (E-Trust Ino): no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.146789
AV MalwareBytes: Trojan.Upnoda
AV Twister: no_virus
AV Frisk (f-prot): no_virus
AV Ad-Aware: Gen:Variant.Zusy.146789
AV Avira (antivir): TR/Crypt.Xpack.48119
AV F-Secure: Gen:Variant.Zusy.146789
AV Padvish: no_virus
AV Zillya!: Trojan.Glupteba.Win32.1078
AV BullGuard: Gen:Variant.Zusy.146789
AV Mcafee: RDN/Generic.bfr!io

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 21150605\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: qazwsxedc
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Network Details:

HTTP GET: http://54.241.28.66:21074/stat?uid=100&downlink=1111&uplink=1111&id=00018680&statpass=bpass&version=21150605&features=30&guid=21abccb7-0c53-4183-8323-f3248f13e870&comment=21150605&p=0&s=
User-Agent:
HTTP GET: http://79.137.209.137:37127/stat?uid=100&downlink=1111&uplink=1111&id=00019A56&statpass=bpass&version=21150605&features=30&guid=21abccb7-0c53-4183-8323-f3248f13e870&comment=21150605&p=0&s=
User-Agent:
HTTP GET: http://80.68.240.170:25338/stat?uid=100&downlink=1111&uplink=1111&id=0001ADEE&statpass=bpass&version=21150605&features=30&guid=21abccb7-0c53-4183-8323-f3248f13e870&comment=21150605&p=0&s=
User-Agent:
HTTP GET: http://85.13.218.26:22237/stat?uid=100&downlink=1111&uplink=1111&id=0001C186&statpass=bpass&version=21150605&features=30&guid=21abccb7-0c53-4183-8323-f3248f13e870&comment=21150605&p=0&s=
User-Agent:
HTTP GET: http://173.236.56.202:45297/stat?uid=100&downlink=1111&uplink=1111&id=0001D51D&statpass=bpass&version=21150605&features=30&guid=21abccb7-0c53-4183-8323-f3248f13e870&comment=21150605&p=0&s=
User-Agent:
HTTP GET: http://46.229.171.130:13586/stat?uid=100&downlink=1111&uplink=1111&id=0001E8B5&statpass=bpass&version=21150605&features=30&guid=21abccb7-0c53-4183-8323-f3248f13e870&comment=21150605&p=0&s=
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 54.241.28.66:21074
Flows TCP: 192.168.1.1:1031 ➝ 54.241.28.66:21074
Flows TCP: 192.168.1.1:1032 ➝ 79.137.209.137:37127
Flows TCP: 192.168.1.1:1033 ➝ 80.68.240.170:25338
Flows TCP: 192.168.1.1:1034 ➝ 85.13.218.26:22237
Flows TCP: 192.168.1.1:1035 ➝ 173.236.56.202:45297
Flows TCP: 192.168.1.1:1036 ➝ 46.229.171.130:13586

Raw Pcap

Strings