Analysis Date: 2015-12-17 18:10:40
MD5: 86b3f0076a02997e497b0c7f76ee44e6
SHA1: 4d7f5abef45bfcae966e0c9201a2b17a410acec9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 13fdd48b597d50ea253ce1678400a745 sha1: a5fb3fbc5baa848f6443fb18b5d51448b8619432 size: 45056
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: 103a228ebf167b31fdd3e68067673b71 sha1: 3149b7b18d4ad09ac26709a19f2ce9761400168d size: 4096
Timestamp: 2015-10-21 08:49:24
Version:
InternalName: Charpentier
FileVersion: 1.01.0001
Comments: Mentimeter
ProductName: Strobila
ProductVersion: 1.01.0001
FileDescription: Villus
OriginalFilename: Charpentier.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 4527c99cf030d1af40dde28752105c2f9e8f8a99
IMPhash: 7708517f9ffa89aae0b28247fce3060f
AV Zillya!: no_virus
AV Eset (nod32): Win32/Injector.CKUE
AV Twister: no_virus
AV BullGuard: Gen:Variant.Graftor.253103
AV Arcabit (arcavir): Gen:Variant.Graftor.253103
AV MalwareBytes: no_virus
AV Trend Micro: TROJ_INJECT.XUAN
AV Fortinet: W32/CKUE!tr
AV Dr. Web: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV ClamAV: no_virus
AV BitDefender: Gen:Variant.Graftor.253103
AV MicroWorld (escan): Gen:Variant.Graftor.253103
AV Ikarus: Trojan.Win32.Injector
AV Rising: no_virus
AV Symantec: Backdoor.Trojan
AV Grisoft (avg): Inject3.LBH
AV Authentium: W32/Trojan.GCDG-7230
AV CA (E-Trust Ino): no_virus
AV K7: Trojan ( 004d475d1 )
AV Kaspersky: Backdoor.Win32.Androm.imjw
AV CAT (quickheal): Trojan.Skeeyah.r3
AV VirusBlokAda (vba32): Backdoor.Androm
AV Ad-Aware: Gen:Variant.Graftor.253103
AV Mcafee: RDN/Generic.dx
AV F-Secure: Gen:Variant.Graftor.253103
AV Emsisoft: Gen:Variant.Graftor.253103
AV Avira (antivir): TR/AD.Gamarue.Y.1280
AV Microsoft Security Essentials: VirTool:Win32/Injector.FQ
AV Frisk (f-prot): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\mssiyisi.scr\\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\mssiyisi.scr
Creates File: \Device\Afd\Endpoint
Deletes File: C:\4D7F5A~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.190
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: www.update.microsoft.com
Type: A
DNS: food-chinacos.in
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.190:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
