Analysis Date: 2015-09-28 02:01:17
MD5: 5f6aec57457deeca934ce3934929b802
SHA1: 7e63a04cf5fa43a38b61b2c93c9a905741193bd7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: f98497ef5f9a58e049e4c6ff15146ea8 sha1: b642e8b4c81c6d507de4a403eb7c4fc81a9250c8 size: 204288
Section .text3  md5: 364b5591434e488a4983b2048ef9073d sha1: f299902c8684525897a94c4b05e0dd9b51710a08 size: 7168
Section .rdata  md5: 93cd5dd185f06405d60141f3e674314e sha1: fbb6a541bf73d8fbd09b328f1a417eba46604ebf size: 10752
Section .data   md5: b39e60d2b28fd9d767da443c730844f6 sha1: cd3d87957188f343d56989b90c0ca79332b1d6da size: 3584
Section .rsrc   md5: d6457b0b59195a7b55e53b0ce9063cd3 sha1: 9b1c1ec3674ae7b6ecc66ace927b182ec2ab04ca size: 2048
Timestamp: 2008-04-02 14:33:17
Version info:
  LegalCopyright: fang
  InternalName: gassier
  FileVersion: 124, 151, 66, 254
  CompanyName: Vodafone
  PrivateBuild: machination
  LegalTrademarks: ins
  Comments: multiphase
  ProductName: malva
  SpecialBuild: idealistically
  ProductVersion: 186, 131, 180, 155
  FileDescription: mnemonics
  OriginalFilename: koreans
  Translation: ЉҰ
Packer: Microsoft Visual C++ v6.0
PEhash: a5a8f0240dd3a5e09bae3ba42b460ac2e3f3cfc2
IMPhash: d6f0e6776a3311755d402e5631095bed
AV CA (E-Trust Ino): Win32/Carberp.ZABH!suspicious
AV F-Secure: Gen:Variant.Symmi.51817
AV Dr. Web: Trojan.DownLoad3.35231
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.51817
AV BullGuard: Gen:Variant.Symmi.51817
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.51817
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.CTGJ-6338
AV MalwareBytes: Trojan.Agent.ALTV
AV MicroWorld (escan): Gen:Variant.Symmi.51817
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV K7: Trojan ( 004bd8ce1 )
AV BitDefender: Gen:Variant.Symmi.51817
AV Fortinet: W32/Kryptik.DEYP!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Crypt4.CFNA
AV Eset (nod32): Win32/Kryptik.DEGS
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.51817
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen4
AV Mcafee: Packed-EJ!5F6AEC57457D
AV Rising: no_virus

Runtime Details:

Process:
  ↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150403\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\MD7H82HHF7EH2D73
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

HTTP GET: http://46.105.103.103:37127/stat?uid=100&downlink=1111&uplink=1111&id=00017867&statpass=bpass&version=15150403&features=30&guid=f38e9374-5597-49b8-9fdd-e5801408814d&comment=15150403&p=0&s=
  User-Agent:
HTTP GET: http://91.229.232.51:18532/stat?uid=100&downlink=1111&uplink=1111&id=00018C3D&statpass=bpass&version=15150403&features=30&guid=f38e9374-5597-49b8-9fdd-e5801408814d&comment=15150403&p=0&s=
  User-Agent:
HTTP GET: http://37.187.252.200:57136/stat?uid=100&downlink=1111&uplink=1111&id=00019FD5&statpass=bpass&version=15150403&features=30&guid=f38e9374-5597-49b8-9fdd-e5801408814d&comment=15150403&p=0&s=
  User-Agent:
HTTP GET: http://82.211.20.226:54127/stat?uid=100&downlink=1111&uplink=1111&id=0001B36C&statpass=bpass&version=15150403&features=30&guid=f38e9374-5597-49b8-9fdd-e5801408814d&comment=15150403&p=0&s=
  User-Agent:
HTTP GET: http://108.178.2.226:23097/stat?uid=100&downlink=1111&uplink=1111&id=0001C714&statpass=bpass&version=15150403&features=30&guid=f38e9374-5597-49b8-9fdd-e5801408814d&comment=15150403&p=0&s=
  User-Agent:
HTTP GET: http://69.17.223.12:49116/stat?uid=100&downlink=1111&uplink=1111&id=0001DAAB&statpass=bpass&version=15150403&features=30&guid=f38e9374-5597-49b8-9fdd-e5801408814d&comment=15150403&p=0&s=
  User-Agent:
HTTP GET: http://50.17.185.81:32353/stat?uid=100&downlink=1111&uplink=1111&id=0001EE43&statpass=bpass&version=15150403&features=30&guid=f38e9374-5597-49b8-9fdd-e5801408814d&comment=15150403&p=0&s=
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 46.105.103.103:37127
Flows TCP: 192.168.1.1:1031 ➝ 46.105.103.103:37127
Flows TCP: 192.168.1.1:1032 ➝ 91.229.232.51:18532
Flows TCP: 192.168.1.1:1033 ➝ 37.187.252.200:57136
Flows TCP: 192.168.1.1:1034 ➝ 82.211.20.226:54127
Flows TCP: 192.168.1.1:1035 ➝ 108.178.2.226:23097
Flows TCP: 192.168.1.1:1036 ➝ 69.17.223.12:49116
Flows TCP: 192.168.1.1:1037 ➝ 50.17.185.81:32353
