Analysis Date: 2015-12-04 01:19:51
MD5: ec9262453d1c28e0ae20d36cf1d32f30
SHA1: 7568630cac1ec68d1556860b9f638d0251c79e8b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 44bbdd4e209476837e3db454c8f68848 sha1: 343fe1e0d286de6e537280d330db060d4bc6f78a size: 139264
Section .rdata md5: 70b9d21c31fffdc9fe75536ee957cfa7 sha1: 1827fc7e8dec3550ee570c7fe309fc117c059500 size: 28672
Section .data  md5: e7a4077b7f56365f2d04c13bd2db56dd sha1: 7504025197b6712a01411ac623e867e37cee7a75 size: 28672
Section .reloc md5: 6db0e8019dca4c1b417ae45c47ed7e4f sha1: 5e399f72645aea73a5e7383b0d05579d21c68460 size: 12288
Timestamp: 2015-08-12 10:56:00
Pdb path: c:\town\parent\length\depend\Segment\area\Broad\notepress.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: db78f7149f31f773514aebed3b46cee5e8070454
IMPhash: 7bc520d824df9222f012aaa88ac9481e
AV Mcafee: Gamarue-FCM!EC9262453D1C
AV CA (E-Trust Ino): no_virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Trojan.Agent.BMES
AV Arcabit (arcavir): Trojan.Agent.BMES
AV Padvish: no_virus
AV CAT (quickheal): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Ad-Aware: Trojan.Agent.BMES
AV Symantec: Packed.Dromedan!gen17
AV ClamAV: Win.Trojan.Agent-931565
AV Trend Micro: no_virus
AV Twister: Trojan.Girtk.DTXO.ttjx
AV Authentium: W32/Trojan.SJKS-6650
AV VirusBlokAda (vba32): Backdoor.Androm
AV Dr. Web: BackDoor.Andromeda.614
AV Zillya!: Trojan.Kryptik.Win32.785814
AV Emsisoft: Trojan.Agent.BMES
AV Alwil (avast): Dorder-F [Trj]
AV Eset (nod32): Win32/Kryptik.DTXO
AV Avira (antivir): Worm/Gamarue.1262448.13
AV Fortinet: W32/Kryptik.DULO!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan:W32/Gamarue.F
AV BitDefender: Trojan.Agent.BMES
AV Grisoft (avg): Crypt4.CEGL

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (Type: A) -> 157.161.57.2, 134.0.16.1, 104.232.5.3, 85.25.85.13
DNS: north-america.pool.ntp.org (Type: A) -> 66.96.99.10, 138.236.128.112, 72.20.40.62, 66.228.59.187
DNS: south-america.pool.ntp.org (Type: A) -> 200.160.0.8, 200.89.75.198, 201.49.148.135, 200.186.125.195
DNS: asia.pool.ntp.org (Type: A) -> 123.108.200.124, 120.88.46.10, 113.30.137.34, 80.241.0.72
DNS: oceania.pool.ntp.org (Type: A) -> 121.0.0.41, 45.114.116.62, 192.189.54.17, 130.102.128.23
DNS: africa.pool.ntp.org (Type: A) -> 146.231.129.86, 41.79.80.34, 41.73.42.22, 196.49.6.67
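The behavioural chain in this report is more useful for detection than the file hashes: the dropper (C:\malware.exe) spawns the Windows Installer binary msiexec.exe, and it is that msiexec.exe process, not the dropper, that opens the Winsock endpoint and resolves the regional pool.ntp.org names. No other outbound activity is recorded in the sandbox run, so the only network indicator here is NTP pool resolution from a process that has no reason to perform it. The following is an added example, not part of the sandbox report or of any vendor tooling: it runs two rules over constructed, Sysmon-style telemetry (process creation and DNS query events in a key=value line format that is an assumption of this example) and correlates them per process. The list of parents under which msiexec.exe is considered legitimate is also an assumption to be tuned per environment.

```python
"""Detect the msiexec.exe chain seen in the report: msiexec.exe started by an
unexpected parent, then resolving *.pool.ntp.org.

Added example, not the sandbox's or any vendor's code. SAMPLE_LOG is
constructed to mirror the report's behaviour and is not real telemetry.
Event ids follow Sysmon numbering (1 = process create, 22 = DNS query);
the key=value line format is an assumption of this example.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not captured from the sandbox run).
SAMPLE_LOG = """\
id=1 pid=1204 ppid=620 image=C:\\WINDOWS\\system32\\svchost.exe parent=C:\\WINDOWS\\system32\\services.exe
id=1 pid=1832 ppid=1500 image=C:\\malware.exe parent=C:\\WINDOWS\\explorer.exe
id=1 pid=1900 ppid=1832 image=C:\\WINDOWS\\system32\\msiexec.exe parent=C:\\malware.exe
id=1 pid=1950 ppid=620 image=C:\\WINDOWS\\system32\\msiexec.exe parent=C:\\WINDOWS\\system32\\services.exe
id=22 pid=1900 image=C:\\WINDOWS\\system32\\msiexec.exe query=europe.pool.ntp.org
id=22 pid=1900 image=C:\\WINDOWS\\system32\\msiexec.exe query=asia.pool.ntp.org
id=22 pid=1950 image=C:\\WINDOWS\\system32\\msiexec.exe query=download.microsoft.com
id=22 pid=2012 image=C:\\WINDOWS\\system32\\svchost.exe query=time.windows.com
"""

TOKEN = re.compile(r"(\w+)=(\S+)")

# Parents under which Windows Installer normally runs: the installer service,
# a nested msiexec, or an interactive launch from the shell. Assumption; tune
# to the environment (software-deployment agents belong here too).
EXPECTED_MSIEXEC_PARENTS = {"services.exe", "msiexec.exe", "explorer.exe"}

# Matches pool.ntp.org and any regional sub-zone such as europe.pool.ntp.org.
NTP_POOL = re.compile(r"(^|\.)pool\.ntp\.org$", re.IGNORECASE)


def parse_events(text):
    """Turn key=value lines into dicts; paths contain no spaces in this format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(TOKEN.findall(line))
        ev["id"] = int(ev["id"])
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def anomalous_msiexec_parents(events):
    """Rule 1: msiexec.exe created by a parent outside the expected set."""
    return [ev for ev in events
            if ev["id"] == 1
            and basename(ev["image"]) == "msiexec.exe"
            and basename(ev["parent"]) not in EXPECTED_MSIEXEC_PARENTS]


def msiexec_ntp_queries(events):
    """Rule 2: msiexec.exe resolving NTP pool names (w32time does that, not the installer)."""
    return [ev for ev in events
            if ev["id"] == 22
            and basename(ev["image"]) == "msiexec.exe"
            and NTP_POOL.search(ev["query"])]


def correlate(events):
    """Join both rules on pid. Either alone is a weak signal; together they
    reproduce the report's chain. Returns {pid: {"parent": ..., "queries": [...]}}."""
    by_pid = defaultdict(lambda: {"parent": None, "queries": []})
    for ev in anomalous_msiexec_parents(events):
        by_pid[ev["pid"]]["parent"] = ev["parent"]
    for ev in msiexec_ntp_queries(events):
        by_pid[ev["pid"]]["queries"].append(ev["query"])
    return {pid: v for pid, v in by_pid.items() if v["parent"] and v["queries"]}


if __name__ == "__main__":
    for pid, hit in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"pid {pid}: msiexec.exe spawned by {hit['parent']}, "
              f"resolved {', '.join(hit['queries'])}")
```

On the constructed input only pid 1900 fires: the msiexec.exe started by services.exe (pid 1950) trips neither rule, and the svchost.exe NTP lookup is ignored because the rule is scoped to msiexec.exe. Rule 1 is the one worth keeping even without the NTP signal, since the report shows the dropper itself never touches the network.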

Raw Pcap

Strings