Analysis Date: 2015-03-30 18:37:08
MD5: ac7e50e9fd0b71e1698d7d25b5ad22e3
SHA1: 8d6074bb3caa60dda9d8738c638df0da2ca0ecba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d44aa4fcdf9c5d10d465a28438cb694c sha1: d71665994dd0a3a47c917699559575322da18eaa size: 7168
Section .rdata md5: 4bab86bd6aac59b0adf0d28f17689e49 sha1: cc48a1e029ae396aa9d5ab2f8f016f71eba23ca7 size: 512
Section .data  md5: 46c4bf5900e6c6a90f05cb39d813c3fc sha1: d052d4dd8caefd708a1a8c0a7c876097e7b37a07 size: 512
Section .rsrc  md5: 16637ed8deb3948c6ed4ad32c9f8f3ec sha1: 42497eb9693c929b3f5439e7f6c08b5d2d1a13a4 size: 24576
Timestamp: 2012-12-25 01:38:56
Version info:
LegalCopyright: Copyright Divine© 2012
InternalName: CheckSum Fixer
FileVersion: 1, 0, 0, 1
CompanyName: Divine
PrivateBuild:
LegalTrademarks: Divine©
Comments:
ProductName: Divine CRC CheckSum Fixer
SpecialBuild:
ProductVersion: 1, 0, 1, 1
FileDescription: CRC CheckSum Fixer
OriginalFilename: CheckSum Fixer.exe
PEhash: 53ec89c5c4b643434a1fe64cc211bc66d0b39ff8
IMPhash: 95aa5f98dd84693544353d2012e4ccf7
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Gamarue.1
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Gen:Variant.Gamarue.1
AV Authentium: W32/Andromeda.D.gen!Eldorado
AV Avira (antivir): TR/Kazy.131988
AV BullGuard: Gen:Variant.Gamarue.1
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Andromeda.fs
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.22
AV Emsisoft: Gen:Variant.Gamarue.1
AV Eset (nod32): Win32/Injector.AAPF
AV Fortinet: W32/Andromeda.FQR!tr.dldr
AV Frisk (f-prot): W32/Andromeda.D.gen!Eldorado
AV F-Secure: Gen:Variant.Gamarue.1
AV Grisoft (avg): Dropper.Generic7.AEIM
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV K7: Trojan ( 001d712b1 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: GenericR-DCM!AC7E50E9FD0B
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Gamarue.1
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: DBWinMutex

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.222
DNS: www.update.microsoft.com.nsatc.net
Type: A
191.232.80.55
DNS: www.update.microsoft.com
Type: A
HTTP POST: http://31.200.244.37/l.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.222:80
Flows TCP: 192.168.1.1:1032 ➝ 31.200.244.37:80

Raw Pcap
0x00000000 (00000)   504f5354 202f6c2e 70687020 48545450   POST /l.php HTTP
0x00000010 (00016)   2f312e31 0d0a486f 73743a20 33312e32   /1.1..Host: 31.2
0x00000020 (00032)   30302e32 34342e33 370d0a55 7365722d   00.244.37..User-
0x00000030 (00048)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000040 (00064)   2e300d0a 436f6e74 656e742d 54797065   .0..Content-Type
0x00000050 (00080)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000060 (00096)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x00000070 (00112)   6465640d 0a436f6e 74656e74 2d4c656e   ded..Content-Len
0x00000080 (00128)   6774683a 2038340d 0a436f6e 6e656374   gth: 84..Connect
0x00000090 (00144)   696f6e3a 20636c6f 73650d0a 0d0a7570   ion: close....up
0x000000a0 (00160)   71636843 73387646 544b464f 566d6e49   qchCs8vFTKFOVmnI
0x000000b0 (00176)   4b474977 694c7258 30305664 36385433   KGIwiLrX00Vd68T3
0x000000c0 (00192)   79717668 51753254 71657451 6e337149   yqvhQu2TqetQn3qI
0x000000d0 (00208)   79375136 62705466 44557459 4966745a   y7Q6bpTfDUtYIftZ
0x000000e0 (00224)   33334e42 384f4c77 4567396d 59337177   33NB8OLwEg9mY3qw
0x000000f0 (00240)   3d3d                                  ==

Strings
9
040904b0
1, 0, 0, 1
1, 0, 1, 1
 2012
About
CheckSum Fixer
CheckSum Fixer.exe
Comments
CompanyName
Copyright Divine
CRC CheckSum Fixer
Divine
Divine 
Divine CRC CheckSum Fixer
Exit
FileDescription
FileVersion
Fix CheckSum
InternalName
LegalCopyright
LegalTrademarks
MS Sans Serif
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
@.data
DialogBoxParamA
Divine CRC CheckSum Fixer
Divine CRC CheckSum Fixer v1.0
EndDialog
ExitProcess
FindResourceA
For more informations visit our website http://divineprotector.com
GetProcAddress
KERNEL32.dll
LoadLibraryA
LoadResource
MessageBoxA
`.rdata
SizeofResource
%s%s%s%s%s%s%s%s%s%s%s
!This program cannot be run in DOS mode.
USER32.dll
Welcome to Divine CRC CheckSum Fixer.