Analysis Date: 2015-11-17 11:02:47
MD5: 936a8b32e9a38a968dfef4b46a390f79
SHA1: 4e295b79ee8b0c08ef29bdd73abfdf3626b2d418

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b33988c37af66a96faf84ae2f8bea62b sha1: 8ebe6276b81f0affb1be042c79b9c3166889ddca size: 59392
Section .rdata: md5: b6f626c36f35902475f8149097675376 sha1: 23de5ae8c94087d3d33b45310aba913eba34d067 size: 20992
Section .data: md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360
Section .rsrc: md5: 39fbbc3032e9991a0ce90a474ca1e77d sha1: adc3b29b69c75e99d40ee7720f4bbe9018fbf9cb size: 1024
Timestamp: 2004-04-12 11:46:02
Pdb path: c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 6ff44ed52c3844449d9626b63faae013871813fc
IMPhash: b2498eed3c3aa5befc085379b8319a74
AV F-Secure: Trojan.Gamarue.AP
AV Authentium: W32/S-f11c0c89!Eldorado
AV MalwareBytes: Trojan.Downloader
AV Dr. Web: BackDoor.Andromeda.178
AV Grisoft (avg): Downloader.Generic13.APRF
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV MicroWorld (escan): Trojan.Gamarue.AP
AV Trend Micro: no_virus
AV ClamAV: Win.Trojan.Gamarue-58
AV Ad-Aware: Trojan.Gamarue.AP
AV BitDefender: Trojan.Gamarue.AP
AV Avira (antivir): BDS/Androm.EB.103
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Fortinet: W32/Kryptik.AYXG!tr
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): BScope.Worm.Gamarue.2413
AV Arcabit (arcavir): Trojan.Gamarue.AP
AV Mcafee: Generic.dx!936A8B32E9A3
AV Twister: Suspicious.2525@2FF0000@.mg
AV Symantec: Packed.Dromedan!gen21
AV K7: Backdoor ( 04c4e83f1 )
AV Rising: Worm.Win32.Gamarue.x
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.Gamarue.AP
AV Zillya!: Downloader.Andromeda.Win32.2944
AV CAT (quickheal): Worm.Gamarue.HK4
AV Padvish: Downloader.Win32.Gamarue.AA
AV BullGuard: Trojan.Gamarue.AP
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccyybtt.bat\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccyybtt.bat
Creates Mutex: 3227095050

Network Details:

DNS www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.190
DNS www.update.microsoft.com.nsatc.net (Type: A) ➝ 134.170.58.222
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.199
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.196
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.197
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.198
DNS hzmksreiuojy.ru (Type: A) ➝ 52.28.249.128
DNS hzmksreiuojy.com (Type: A) ➝ 52.28.249.128
DNS hzmksreiuojy.biz (Type: A) ➝ 52.28.249.128
DNS hzmksreiuojy.nl (Type: A) ➝ 176.58.104.168
DNS www.update.microsoft.com (Type: A)
HTTP POST http://8.8.8.8/xxxxxxxxx.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.in/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.ru/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.com/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.biz/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.nl/ldr.php (User-Agent: Mozilla/4.0)
Flows TCP 192.168.1.1:1031 ➝ 65.55.50.190:80
Flows TCP 192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1034 ➝ 195.22.28.199:80
Flows UDP 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1036 ➝ 52.28.249.128:80
Flows UDP 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1038 ➝ 52.28.249.128:80
Flows UDP 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1040 ➝ 52.28.249.128:80
Flows UDP 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1042 ➝ 176.58.104.168:80