Analysis Date: 2014-07-15 16:39:08
MD5: 99e7ff6ec531f89c606f35fe6465f0a4
SHA1: 6d891fef5086febbffa2e4ba09b0936eaeced9c7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: adae077d3981636d381b75d255600232 sha1: a9173deeb62e77874252a41e1b61b8583380b0ce size: 268288
Section .rsrc: md5: 3f41d4bec2013e71527246e2cd400603 sha1: b3f3143864601c089f4f8dae7d14aa5017bb2946 size: 3072
Timestamp: 1992-06-19 22:22:17
Packer: UPX -> www.upx.sourceforge.net
PEhash: d4b1633d060580eb559b0584a8611050d7b0a430
IMPhash: cba5bd52b3e624400ffe41eb22644b79
AV 360 Safe: Trojan.Generic.3904046
AV Ad-Aware: Trojan.Generic.3904046
AV Alwil (avast): Rootkit-gen [Rtk]
AV Arcabit (arcavir): Trojan.Llac.Gfu
AV Authentium: W32/Rebhip.A.gen!Eldorado
AV Avira (antivir): Worm/Rebhip.W
AV CA (E-Trust Ino): Win32/Spyrat!generic
AV CAT (quickheal): no_virus
AV ClamAV: Trojan.Agent-192978
AV Dr. Web: BackDoor.Cybergate.1
AV Emsisoft: Trojan.Generic.3904046
AV Eset (nod32): Win32/Spatet.C
AV Fortinet: W32/Llac.GFU!tr
AV Frisk (f-prot): W32/Rebhip.A.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Backdoor:W32/Spyrat.A
AV Grisoft (avg): PSW.Generic8.ISF
AV Ikarus: Worm.Win32.Rebhip
AV K7: Trojan ( 00193f571 )
AV Kaspersky: Trojan.Win32.Llac.gfu
AV MalwareBytes: Worm.Rebhip
AV Mcafee: Generic PWS.di
AV Microsoft Security Essentials: Worm:Win32/Rebhip.A
AV MicroWorld (escan): Trojan.Generic.3904046
AV Norman: win32:win32:win32/Rebhip.O
AV Rising: Worm.Rebhip!48C6
AV Sophos: W32/Rebhip-AR
AV Symantec: W32.Spyrat
AV Trend Micro: TSPY_SPATET.SMT
AV VirusBlokAda (vba32): Trojan-Spy.Delf.0729

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝ C:\WINDOWS\intall\flashwr.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies ➝ C:\WINDOWS\intall\flashwr.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies ➝ C:\WINDOWS\intall\flashwr.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝ C:\WINDOWS\intall\flashwr.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C645W515-0KI5-Y2CR-NFQL-6PQ7457QHO36}\StubPath ➝ C:\WINDOWS\intall\flashwr.exe Restart\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\XX--XX--XX.txt
Creates File: C:\WINDOWS\intall\flashwr.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex: 86H7A817K213YX
Creates Mutex: _x_X_BLOCKMOUSE_X_x_
Creates Mutex: _x_X_PASSWORDLIST_X_x_
Creates Mutex: _x_X_UPDATE_X_x_
Creates Mutex: 86H7A817K213YX_PERSIST

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Remoto\FirstExecution ➝ 15/07/2014 -- 13:08
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UuU.uUu
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\intall\
Creates File: C:\Documents and Settings\Administrator\Application Data\cglogs.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\XxX.xXx
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\UuU.uUu
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\XX--XX--XX.txt
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\XxX.xXx
Creates Process: "C:\WINDOWS\intall\flashwr.exe"
Creates Mutex: 86H7A817K213YX
Creates Mutex: _x_X_PASSWORDLIST_X_x_
Creates Mutex: 86H7A817K213YX_PERSIST

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C645W515-0KI5-Y2CR-NFQL-6PQ7457QHO36}\StubPath ➝ C:\WINDOWS\intall\flashwr.exe
Creates Process: C:\WINDOWS\intall\flashwr.exe
Creates Process: C:\WINDOWS\intall\flashwr.exe
Creates Mutex: 86H7A817K213YX
Creates Mutex: 86H7A817K213YX_PERSIST
Creates Mutex: 86H7A817K213YX_SAIR

Process
↳ C:\WINDOWS\intall\flashwr.exe

Creates File: PIPE\lsarpc
Creates Mutex: _x_X_PASSWORDLIST_X_x_
Creates Mutex: _x_X_UPDATE_X_x_

Process
↳ C:\WINDOWS\intall\flashwr.exe

Creates File: PIPE\lsarpc
Creates Mutex: _x_X_PASSWORDLIST_X_x_
Creates Mutex: _x_X_UPDATE_X_x_

Network Details:

DNS: legnalive.ddns.net
Type: A
186.90.180.36
Flows TCP: 192.168.1.1:1031 ➝ 186.90.180.36:2078
Flows TCP: 192.168.1.1:1032 ➝ 186.90.180.36:2078
Flows TCP: 192.168.1.1:1033 ➝ 186.90.180.36:2078
Flows TCP: 192.168.1.1:1034 ➝ 186.90.180.36:2078

Raw Pcap
0x00000000 (00000)   32397c0a 70c0e428 0226113c 632f8f76   29|.p..(.&.<c/.v
0x00000010 (00016)   b455da05 321f9ab0 3b975a6b 74e05e08   .U..2...;.Zkt.^.
0x00000020 (00032)   3f                                    ?

0x00000000 (00000)   32397c0a 70c0e428 0226113c 632f8f76   29|.p..(.&.<c/.v
0x00000010 (00016)   b455da05 321f9ab0 3b975a6b 74e05e08   .U..2...;.Zkt.^.
0x00000020 (00032)   3f                                    ?

0x00000000 (00000)   32397c0a 70c0e428 0226113c 632f8f76   29|.p..(.&.<c/.v
0x00000010 (00016)   b455da05 321f9ab0 3b975a6b 74e05e08   .U..2...;.Zkt.^.
0x00000020 (00032)   3f                                    ?

0x00000000 (00000)   32397c0a 70c0e428 0226113c 632f8f76   29|.p..(.&.<c/.v
0x00000010 (00016)   b455da05 321f9ab0 3b975a6b 74e05e08   .U..2...;.Zkt.^.
0x00000020 (00032)   3f                                    ?


Strings
|
.
|
.e.z
...)X
.....
.
..
.
o

DVCLAL
ICON_STANDARD
MAINICON
PACKAGEINFO
XX-XX-XX-XX
 !"#$%&'
%=}>+.
()*+,-./0123
 $(,048w"
0FvP-ow
0GY( (
#0naQv
 1}&9"1
1N)WKL;
@1p	oO
23950oHT
^2 /EL
2gS.4U
\2h["I*
2h:V$y
2XFIM[.
 2Y}K5z
3 Avenger by NhT^j@
;3cV4q;1
3~INIX
3P1!<6gK
3yOmP\
456789:;<=
%4aljt
$4D;%Q
>((4g400<
4S<kWb
4W(|Pp\
5|+;~.
55274-640-267306@
5\"$f0
]5pp~8F
5~Y095
5zT(y|T
?6aLK 
6!	GJy
 _+6H|
6! #I^
6:IE7_deco
6$_Mefau
6OFTWARE\p
6|*	x4
764874-317703751
78[dT-
7E7V7L
7\F4wH.)
7ke<A]
7UPDAT/
$$ (8  ,,
8''''( 
8<::0<
?^8429
&,8d'W
8(gK%I
}94De;
-9D^p*'8
9LP1Go
9[~m\<
9yoq`b	NMX
-a358-c22904dba7f7
a~a}a|
abe2869f-9b47-4cd9
Active S
advapi32.dll
aF(SNh
=\AHem
AK_PDs
alKeySlot/ta
A@P#`@
=aP3%\j
AppData5
%A{Ql7r,
ar^$Dp
a(R.u,
%'AUTO
&|B_3A
b8g7?U
Base64_D
b.FNC`
bky1Zx
B:NJ>6
B?sI;84T
BSQKoB
btdcX@
BT:%W{
!byuh_
C04q5t}\x
C5}}Cx,
c[6'_GMl 
C8/x",
CAutostar
cC ` 0
CfqE>0
CgBma<
(.cG#c
=_#C;-i
cLBM;"
|~CLSID2T
cOplds
CoTaskMemFree
crypt32.dll
CryptUnprotectData
d|?[~]
;D(8q>
DAEMON
DFV1@B
d^IJmNN]
dn6m,,|
`d\NXHT
dP9,c4
dS6ir_ 5
dSh \Oi
D)Vcf>P
DW $Bi
dx3J}eM
e3}k"5E"a
EditSvr
EFOX'IELOGIN
ehmsn~
%-e@J>
@:;em8
EN?Cib
'%e"o:
EO go`
EPETMj
ep}JLjM
E u,##
,'eV[^
EWQ0bD
ExitProcess
ExKQy1
{,ey@{8
\\E@)Z:a^
$F2lY*
~|FfEU
FfX&3R
F,g6Tu:
f]i2@E
`fJjTPs
 Fold2
F?P<Uo
FQ\jp1
f|zu;Ni
f~z}Z8
GbL+O!
gB$S|8nF
)'gc0<
GetMod
GetProcAddress
GHx)5<g
,gJrvEU
GK wbH
gPgJbu
gq2aq>
gramFil
&GR{-%B
._gwH8
~}*h,+
?h8\9P:D
h8"&UF'
_hbf|O
he0D&/
h(I	T5
HK`\hN
)h'P)`
!hP7(kw
H@vB^r
/h,.x)
'hYxM.
;i`6<V
I>= FgmS
`i{j4@r&+
In`Lib@ry
I[Osj5|
[<i$Rl
IsDebug
ix#~BI
izeofR
~j3cTN
J]C?vS
` :jGU
jIXfmX~Km
[jk5K.
k0MqP=
;*Kb}"
k)d~xm
KERNEL32.DLL
kernel32.Load
{kFCMQ
kgtr^QT 
klavwN
"}k\`]R
%!~KU/
 K)/ Xc
/@{,l{
l_{57>hz
L\ar60
lDD,3g~g
lExecut
l>GKO|
l*{hQk
L|iG/C
L@mn{B+
^ln(:J
LoadLibraryA
LsaClose
l%`&T' H X
lzg>	%R
]M6?2,
'M6dk74
mozcrt19
Mozilla F$
MQxD#G
MSN%'FIR
ms\SHag:
<mt84+
Mvg_GZ@
M;\v;p
mXhh7<;-
n\2I&F
.n2'Yi
*n4f?|
N7w~"={A}
nAOU=dC
\n}d*e
Networ<Connecl
Next?7 
&n N~?
`\NNNNX
'NnP_P
= >nO9
NOIP.abc
No-ip J|
Nrw;Xh
_'NSS_I
?+n#|t6
O"#)}	
O$9s}dJ
"oAsvi1\
oAt#?S
 o?{E}
~{@O*J
olDie.
ole32.dll
oleaut32.dll
\opZ\co
ortions Copyright (c) 19
Ov~yPh
.Ox_X_BLOCKMOUSE
p3$7{)
_p4F	]<
P >@?8
'PASSWORDL
PBIMl#6ZJ
PCREDE 
[(pDdA
_PERSIST
PF3%%W
P]FnIF/
P,g[-|
PJXq](
P(K^S27
,_<+pN
PnIb<P
PQ(Qqd=
|$%|prG
>ProcAddress
PScL'L
:psDv+
pstorec.dll
PStoreCreateInstance
p t0e@*
ptApi79
p/ujb4
Px@L%Cr!L|!
^,P":xpaD
pz$1K.
`	Q!""
q,-0@,(
q3tOl[
Q^51`5~
QdRE"Y
/qFa7a
qh:b$]
^qL5``U
qlite3
QQH_Y}+MX
Q=]>s9
rasapi32.dll
RasEnumEntriesA
_-Rf;` 
r:kY}mj
RLL??	
rOl6-1
rOoNnI
>rr14A
%\]R@T
Rtl8wi
&Rw~Yv
{@RxHy{
s7i7zH
s7noFw
S8Sf>z=7
{S9mIoF
s?%<b]*m
shell32.dll
SHGetSpecialFolderPathA
Si(CQD-
signon
+sl	7"e
Smh[XW
Snapshot7H4"ListFir
SPSTORECL_TL
strlenAcmpi
STVUWO\
<>S^xX=
\\.\Sy
SysFreeString
teToolh,p.
tGo[2B
This program must be run under Win32
tL 91w
tlMemory
To4QU6
ToAscii
TObject
t\}P@~b/
TRUEw7
TSFweH_
>tss`e
,t(uwL$
u5Hvtw;_J@
ucnTR2
UH.zw	
Ui\4en+
U~[iJ#p]
U%rX|2
user32.dll
#UttQW
UType4
uURLHis
U VlDj
uVx3P%
	*V;/&
:VBoxS
vc${ SgS
V$d<,g
vibu$sR
VirtualAlloc
VirtualFree
VirtualProtect
??vIS-
V>K]In:g
Vk)l{e
Vnz,Y'
V_o>:i
vplo r\
VrCD}Z
VvQuqPpRG,
V,xB(C
w3*Cr28
=w]!8l?
w8NI>0
WB}3Wj
W\BS	U
[^_WC^
+WF6;#
WFkh55
w%GC\G
wIF)1Kq
\Windows\Cur.n
<WLcPn[P
wlFmDirP
Wn1`L\X
wptukstqrgdvef
_w'!rrr
WRtQ$~M
W	VB9vr2[
WV;I6+
 @=#	WY
!wY0$(
 wY4,()
+wYX\TP
*- @,x
X\`( `
x6+hPd
x8lX;9L
XfTtP=
x/H5gc
X(h$XY  @
X[Jf*|{r:
X,Lfcx
Xm5}r!
|xNNNNtplhNNNNd
XPTPSW
^xS3zX
|xtplhd`\XTPL
^XUQ4oW
\!xv%pqs.i
*xXuzx
XZ(kx, s^
,x?Zxnh7
-:(:Y9
YC>l~i
)y<\(D{
,y]~d:0d
%y%dd\
YL>M@JG
:yNO	S0
{<:y&q?	
yr!x `BK
	[yvJUO
yXE#bA
_yxF\ 
z1Q7E%
Z]4=FH
}ZDc``E6
Z=`fm8
)'z+J hgV
Z/	LXt
_&:Z~O