Analysis Date: 2015-10-08 14:00:59
MD5: 12d6df375aed52bdb908ebbe53c3fe00
SHA1: 660f72ad788cab99c72d2a5baae4d86475fbc50b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4d45cea78f3ab9f4fead024bd33ce5a1 sha1: 4f574f1ea1198062053208332d2fbfd95fb1563d size: 59392
Section .rdata md5: b6f626c36f35902475f8149097675376 sha1: 23de5ae8c94087d3d33b45310aba913eba34d067 size: 20992
Section .data md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360
Section .rsrc md5: c9903124f6672cbe53350b50befa903d sha1: 9058adc1386437f2026b3025ae0579b87ebc7251 size: 512
Section .text md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2001-10-10 11:17:19
Pdb path: c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 2f92c836f2487751446237b2e0e15c82afa85e5f
IMPhash: b2498eed3c3aa5befc085379b8319a74
AV Ad-Aware: Trojan.Gamarue.AP
AV Mcafee: no_virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Arcabit (arcavir): Trojan.Gamarue.AP
AV Authentium: W32/Trojan.NETF-7216
AV Trend Micro: no_virus
AV MicroWorld (escan): Trojan.Gamarue.AP
AV VirusBlokAda (vba32): BScope.Worm.Gamarue.2413
AV Frisk (f-prot): W32/Trojan2.NWYN
AV Grisoft (avg): Downloader.Generic13.APRF
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: Win.Trojan.Gamarue-35
AV Fortinet: W32/Kryptik.AYXG!tr
AV Symantec: Packed.Dromedan!gen21
AV K7: Trojan-Downloader ( 0043f6bc1 )
AV BullGuard: Trojan.Gamarue.AP
AV Rising: Worm.Win32.Gamarue.x
AV Avira (antivir): BDS/Androm.EB.103
AV Zillya!: Downloader.Andromeda.Win32.2944
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Dr. Web: BackDoor.Andromeda.178
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV Emsisoft: Trojan.Gamarue.AP
AV BitDefender: Trojan.Gamarue.AP
AV CA (E-Trust Ino): Win32/Gamarue.MKBZAUB
AV MalwareBytes: Trojan.Downloader
AV CAT (quickheal): Trojan.Generic.r5
AV F-Secure: Trojan.Gamarue.AP
AV Twister: Suspicious.2525@2FF0000@.mg
AV Padvish: Downloader.Win32.Gamarue.AA

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccyifeu.com\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccyifeu.com
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: 3227095050

Network Details:

DNS www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.189
DNS www.update.microsoft.com.nsatc.net (Type: A) ➝ 157.55.240.94
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.197
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.198
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.199
DNS hzmksreiuojy.in (Type: A) ➝ 195.22.28.196
DNS hzmksreiuojy.ru (Type: A) ➝ 52.28.249.128
DNS hzmksreiuojy.com (Type: A) ➝ 52.28.249.128
DNS hzmksreiuojy.biz (Type: A) ➝ 52.28.249.128
DNS hzmksreiuojy.nl (Type: A) ➝ 176.58.104.168
DNS www.update.microsoft.com (Type: A)
HTTP POST http://8.8.8.8/xxxxxxxxx.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.in/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.ru/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.com/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.biz/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST http://hzmksreiuojy.nl/ldr.php (User-Agent: Mozilla/4.0)
Flows TCP 192.168.1.1:1031 ➝ 65.55.50.189:80
Flows TCP 192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1034 ➝ 195.22.28.197:80
Flows UDP 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1036 ➝ 52.28.249.128:80
Flows UDP 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1038 ➝ 52.28.249.128:80
Flows UDP 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1040 ➝ 52.28.249.128:80
Flows UDP 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1042 ➝ 176.58.104.168:80