Analysis Date: 2015-05-09 09:31:10
MD5: 84e771a3208c6a329b86766fc934477a
SHA1: 7d3c01f05f73f1cabee72b070219f6d5bf165709

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 643b7d93bd1730dc6119e3d4c13a6acb sha1: 5794e79c2c0d764a453a7bc9a90eb4532e486578 size: 65536
Section .rdata md5: 4798b7e77e4b1a6aac2ef7d13fe7cdc2 sha1: ab28d684b58fc4dedb023a9ff6cf589a085ab747 size: 4096
Section .data md5: d43303a530c4ff899fb75678c62e4256 sha1: 83eecbb307f4dc01cd9f9fafead3a1d57c67155a size: 4096
Section .rsrc md5: 250ec662801ffc7530ee6d3978d75370 sha1: b24fb196f40f0e488b9027c47d0711c11ec371f2 size: 16384
Timestamp: 2008-09-24 14:30:47
Packer: Microsoft Visual C++ v6.0
PEhash: 1852762536bdb1c00478e870cf7099590edb8408
IMPhash: ea3208959b00baaffbe2e7e7f09c8698
AV Ad-Aware: Trojan.GenericKD.2214866
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2214866
AV Authentium: W32/Trojan.XUFD-2877
AV Avira (antivir): TR/Crypt.Xpack.162766
AV BitDefender: Trojan.GenericKD.2214866
AV BullGuard: Trojan.GenericKD.2214866
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.35231
AV Emsisoft: Trojan.GenericKD.2214866
AV Eset (nod32): Win32/Glupteba.M
AV Fortinet: W32/Kryptik.UPTS!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2214866
AV Grisoft (avg): Small.HDD
AV Ikarus: Trojan.Win32.Glupteba
AV K7: Trojan ( 00286e241 )
AV Kaspersky: Trojan-Downloader.Win32.Goo.rso
AV MalwareBytes: Trojan.Agent.ALTV
AV Mcafee: RDN/Generic.tfr!ej
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): Trojan.GenericKD.2214866
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/Glupteba-F
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV Twister: TrojanDldr.Goo.rso.rujo
AV VirusBlokAda (vba32): TrojanDownloader.Goo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝
15150305\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://193.224.177.4:18532/stat?uid=100&downlink=1111&uplink=1111&id=000172E9&statpass=bpass&version=15150305&features=30&guid=93620c74-e5d0-4548-8ae6-0317227ede08&comment=15150305&p=0&s=
User-Agent:
HTTP GET: http://108.163.208.82:45297/stat?uid=100&downlink=1111&uplink=1111&id=000186BF&statpass=bpass&version=15150305&features=30&guid=93620c74-e5d0-4548-8ae6-0317227ede08&comment=15150305&p=0&s=
User-Agent:
HTTP GET: http://108.163.208.82:45297/stat?uid=100&downlink=1111&uplink=1111&id=00019A66&statpass=bpass&version=15150305&features=30&guid=93620c74-e5d0-4548-8ae6-0317227ede08&comment=15150305&p=0&s=
User-Agent:
HTTP GET: http://159.253.129.110:48439/stat?uid=100&downlink=1111&uplink=1111&id=0001ADFE&statpass=bpass&version=15150305&features=30&guid=93620c74-e5d0-4548-8ae6-0317227ede08&comment=15150305&p=0&s=
User-Agent:
HTTP GET: http://108.178.30.226:19413/stat?uid=100&downlink=1111&uplink=1111&id=0001C195&statpass=bpass&version=15150305&features=30&guid=93620c74-e5d0-4548-8ae6-0317227ede08&comment=15150305&p=0&s=
User-Agent:
HTTP GET: http://37.187.252.200:57136/stat?uid=100&downlink=1111&uplink=1111&id=0001D52D&statpass=bpass&version=15150305&features=30&guid=93620c74-e5d0-4548-8ae6-0317227ede08&comment=15150305&p=0&s=
User-Agent:
HTTP GET: http://95.211.138.69:64167/stat?uid=100&downlink=1111&uplink=1111&id=0001E942&statpass=bpass&version=15150305&features=30&guid=93620c74-e5d0-4548-8ae6-0317227ede08&comment=15150305&p=0&s=
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 193.224.177.4:18532
Flows TCP: 192.168.1.1:1031 ➝ 193.224.177.4:18532
Flows TCP: 192.168.1.1:1032 ➝ 108.163.208.82:45297
Flows TCP: 192.168.1.1:1033 ➝ 108.163.208.82:45297
Flows TCP: 192.168.1.1:1034 ➝ 159.253.129.110:48439
Flows TCP: 192.168.1.1:1035 ➝ 108.178.30.226:19413
Flows TCP: 192.168.1.1:1036 ➝ 37.187.252.200:57136
Flows TCP: 192.168.1.1:1037 ➝ 95.211.138.69:64167

Raw Pcap
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303137 32453926 73746174 70617373   00172E9&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 33303526 66656174 75726573   5150305&features
0x00000060 (00096)   3d333026 67756964 3d393336 32306337   =30&guid=93620c7
0x00000070 (00112)   342d6535 64302d34 3534382d 38616536   4-e5d0-4548-8ae6
0x00000080 (00128)   2d303331 37323237 65646530 3826636f   -0317227ede08&co
0x00000090 (00144)   6d6d656e 743d3135 31353033 30352670   mment=15150305&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303138 36424626 73746174 70617373   00186BF&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 33303526 66656174 75726573   5150305&features
0x00000060 (00096)   3d333026 67756964 3d393336 32306337   =30&guid=93620c7
0x00000070 (00112)   342d6535 64302d34 3534382d 38616536   4-e5d0-4548-8ae6
0x00000080 (00128)   2d303331 37323237 65646530 3826636f   -0317227ede08&co
0x00000090 (00144)   6d6d656e 743d3135 31353033 30352670   mment=15150305&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303139 41363626 73746174 70617373   0019A66&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 33303526 66656174 75726573   5150305&features
0x00000060 (00096)   3d333026 67756964 3d393336 32306337   =30&guid=93620c7
0x00000070 (00112)   342d6535 64302d34 3534382d 38616536   4-e5d0-4548-8ae6
0x00000080 (00128)   2d303331 37323237 65646530 3826636f   -0317227ede08&co
0x00000090 (00144)   6d6d656e 743d3135 31353033 30352670   mment=15150305&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303141 44464526 73746174 70617373   001ADFE&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 33303526 66656174 75726573   5150305&features
0x00000060 (00096)   3d333026 67756964 3d393336 32306337   =30&guid=93620c7
0x00000070 (00112)   342d6535 64302d34 3534382d 38616536   4-e5d0-4548-8ae6
0x00000080 (00128)   2d303331 37323237 65646530 3826636f   -0317227ede08&co
0x00000090 (00144)   6d6d656e 743d3135 31353033 30352670   mment=15150305&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303143 31393526 73746174 70617373   001C195&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 33303526 66656174 75726573   5150305&features
0x00000060 (00096)   3d333026 67756964 3d393336 32306337   =30&guid=93620c7
0x00000070 (00112)   342d6535 64302d34 3534382d 38616536   4-e5d0-4548-8ae6
0x00000080 (00128)   2d303331 37323237 65646530 3826636f   -0317227ede08&co
0x00000090 (00144)   6d6d656e 743d3135 31353033 30352670   mment=15150305&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303144 35324426 73746174 70617373   001D52D&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 33303526 66656174 75726573   5150305&features
0x00000060 (00096)   3d333026 67756964 3d393336 32306337   =30&guid=93620c7
0x00000070 (00112)   342d6535 64302d34 3534382d 38616536   4-e5d0-4548-8ae6
0x00000080 (00128)   2d303331 37323237 65646530 3826636f   -0317227ede08&co
0x00000090 (00144)   6d6d656e 743d3135 31353033 30352670   mment=15150305&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303145 39343226 73746174 70617373   001E942&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 33303526 66656174 75726573   5150305&features
0x00000060 (00096)   3d333026 67756964 3d393336 32306337   =30&guid=93620c7
0x00000070 (00112)   342d6535 64302d34 3534382d 38616536   4-e5d0-4548-8ae6
0x00000080 (00128)   2d303331 37323237 65646530 3826636f   -0317227ede08&co
0x00000090 (00144)   6d6d656e 743d3135 31353033 30352670   mment=15150305&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..


Strings
m
g
V
..

A"(%
,Book Antiqua
CO63WY L49Yhk vSR
eV90e
Franklin Gothic Medium
Fy6 Gd6M64T K0r043
GHjyEi v04vl0
h2413Qc eWB
L970yv7
&M0f n924
M0Sa1q18 kZ1kJuW5 yPmp
md7oE3LG ql8 c8dR3M8 S572
mJ81a4
MOTORING
&odj6aa
&r2s s0Rwe63
REDS
&uP4X1 a0hW g4g0eY
VWfzE37 W6165
&W25 K700 C053jG b4Rk
Y29e MU4W wK1 Ww64M
&Y4N089q B9G649u8 x12c aZ553858
z3pv F7f IC0 Z6wk
0n%[sF
1$CnSKDu
2PJj%>
3M\k}t(=
5apCD`
5'hRm/
6=R/1*DvN*
8g'xPh
_acmdln
AddPrinterDriverExA
_adjust_fdiv
ADVAPI32.dll
AFFCJoyp
_controlfp
CreateRoundRectRgn
@.data
DdeConnect
>	e$d#p
~El;:S 
_except_handler3
/fR>{[7t
FreeSid
GDI32.dll
__getmainargs
GetModuleHandleA
GetPrinterDriverA
GetStartupInfoA
-|HdTx
hMs@MM
HNTJEE
_initterm
itBY!S-]
Jh4Y1$
jRich 
KERNEL32.dll
MjU<^	
MSVCRT.dll
Oepwmt
ok-Wn^
o|Mo,8
__p__commode
PdhAddCounterA
PdhBrowseCountersA
PdhBrowseCountersW
PdhCalculateCounterFromRawValue
PdhCloseLog
PdhCloseQuery
PdhCollectQueryData
PdhCollectQueryDataEx
PdhComputeCounterStatistics
PdhConnectMachineA
PdhConnectMachineW
pdh.dll
PdhEnumMachinesA
PdhEnumMachinesW
PdhEnumObjectItemsW
PdhEnumObjectsW
PdhExpandCounterPathW
PdhFormatFromRawValue
PdhGetCounterInfoA
PdhGetCounterInfoW
PdhGetCounterTimeBase
PdhGetDataSourceTimeRangeA
PdhGetDefaultPerfCounterA
PdhGetDefaultPerfCounterW
PdhGetDefaultPerfObjectA
PdhGetDefaultPerfObjectW
PdhGetDllVersion
PdhGetFormattedCounterArrayA
PdhGetFormattedCounterValue
PdhGetLogFileSize
PdhGetRawCounterArrayA
PdhGetRawCounterArrayW
PdhGetRawCounterValue
PdhLookupPerfIndexByNameW
PdhLookupPerfNameByIndexA
PdhMakeCounterPathA
PdhMakeCounterPathW
PdhOpenLogA
PdhOpenLogW
PdhOpenQueryA
PdhOpenQueryW
PdhParseCounterPathA
PdhParseCounterPathW
PdhParseInstanceNameA
PdhParseInstanceNameW
PdhReadRawLogRecord
PdhRemoveCounter
PdhSelectDataSourceA
PdhSetCounterScaleFactor
PdhSetQueryTimeRange
PdhUpdateLogA
PdhUpdateLogW
PdhValidatePathA
PdhValidatePathW
__p__fmode
p[nR5s
`qNuv,I
`.rdata
^r,UWd
__set_app_type
SetScrollPos
SETUPAPI.dll
SetupDiDestroyClassImageList
__setusermatherr
ShowCursor
/!"t4C
!This program cannot be run in DOS mode.
T?,Q,H
>t{YNB.
TZKQp2.
USER32.dll
*|~uz@<
v6$_~3
w4iLh@
WINSPOOL.DRV
WSOCK32.dll
w&YBz?
_XcptFilter
_xDy=6
X}kkdiH{
y=I^L2
]y;!;T
ZLOBCe
<z\M2-oYYzE
zT)x7j
[ZZE`>