Analysis Date: 2015-12-05 22:27:59
MD5: c183b85289908834cf1e01b7f3770250
SHA1: 984ba56ef2aac646eb2566e29a45bbb63f056650

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: 825c1670b761fe64f18001cae269f52c  sha1: 2523e0326a0bfc01538336a83a46e20defc0d53b  size: 18944
Section .rdata: md5: ce30e981494e31532394b49627fb2c05  sha1: d6acd3cba5b6e1590b32b7bcf543c031a10f78ee  size: 2560
Section .data:  md5: e1d259536f258b7519b9fb8398437150  sha1: 5b873e13cdee394967591960ca729a1742c0cb61  size: 11264
Section .rsrc:  md5: 53d37421d58f0155432d56fddb955422  sha1: 44cc6493b70b6c00fad0b0a419edaa2a332bf2e9  size: 72192
Timestamp: 2013-07-03 03:13:13
Version:
LegalCopyright: Copyright Meh© 2012
InternalName: Imt
FileVersion: 6, 1, 2, 6
CompanyName: House
PrivateBuild: Filam
LegalTrademarks: Fiza©
Comments: Lerim
ProductName: Mifas
SpecialBuild: Opal
ProductVersion: 5, 3, 1, 2
FileDescription: Pioh
OriginalFilename: Dakiram
Packer: Installer VISE Custom
PEhash: 37b0f59743f61c6e5dc2247f6482d8e5a3524536
IMPhash: 2f2239cc00ff67bbe73cc510bc8c6ca9
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Gen:Variant.Symmi.24081
AV Grisoft (avg): Downloader.Small.IVA
AV McAfee: W32/Worm-FKT!C183B8528990
AV Frisk (f-prot): W32/Gamarue.B.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
AV Ikarus: Worm.Win32.Gamarue
AV K7: Trojan ( 003ea6831 )
AV MalwareBytes: Trojan.Email.Bot
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV Fortinet: W32/Injector.AKSZ!tr
AV CAT (quickheal): Worm.Gamarue.B
AV ClamAV: Win.Trojan.Agent-734124
AV Dr. Web: BackDoor.Andromeda.178
AV Ad-Aware: Gen:Variant.Symmi.24081
AV Emsisoft: Gen:Variant.Symmi.24081
AV Avira (antivir): TR/Spy.Agent.125587
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Arcabit (arcavir): Gen:Variant.Symmi.24081
AV BitDefender: Gen:Variant.Symmi.24081
AV BullGuard: Gen:Variant.Symmi.24081
AV Alwil (avast): Downloader-TUU [Trj]
AV Authentium: W32/Gamarue.B.gen!Eldorado
AV CA (E-Trust Ino): Win32/Gamarue.A!generic
AV Rising: Worm.Win32.Gamarue.ab

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccxqvliq.scr (value data logged with its terminating NUL)
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccxqvliq.scr
Creates File: PIPE\lsarpc (the LSA RPC named pipe)
Creates File: \Device\Afd\Endpoint (opened whenever a Winsock socket is created)
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net  Type: A  ➝ 191.232.80.55
DNS: www.update.microsoft.com.nsatc.net  Type: A  ➝ 65.55.50.190
DNS: www.update.microsoft.com  Type: A  (no answer recorded)
DNS: morphed.ru  Type: A  (no answer recorded)
DNS: amnsreiuojy.ru  Type: A  (no answer recorded)
Flows TCP: 192.168.1.1:1031 ➝ 191.232.80.55:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
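The runtime and network details above read like a sandbox event log, and three of the recorded behaviours are what a triage script would key on: a value written under HKLM\...\Policies\Explorer\Run that points at a .scr just dropped into a Temp directory (that key is a legitimate Group Policy run location, processed at logon like the ordinary Run key, so the target rather than the key alone has to carry the verdict); wuauclt.exe spawned by the sample rather than by the Automatic Updates service host; and A lookups for morphed.ru and amnsreiuojy.ru that returned nothing even though the www.update.microsoft.com.nsatc.net lookup and the TCP connection to 191.232.80.55:80 show that name resolution and egress worked. The Python below is an added example, not part of this report or of the sandbox that produced it. It runs those rules over constructed events that mirror the report; the process IDs, the parent/child links, which process issued the DNS queries, the allowlist of expected wuauclt.exe parents and the rule names are assumptions made for the example.

```python
"""Triage rules for the behaviours listed in the report above, run over
constructed sandbox-style events. Added example, not code from the report."""
import re
from typing import Dict, List, Tuple

# Constructed events mirroring the Runtime/Network Details. pids, ppids and the
# process attributed to the DNS queries are assumptions; the report only shows the tree.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": r"C:\malware.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\malware.exe"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\WINDOWS\system32\wuauclt.exe"},
    {"type": "file", "pid": 102,
     "path": r"C:\Documents and Settings\All Users\Local Settings\Temp\ccxqvliq.scr"},
    {"type": "registry", "pid": 102,
     "key": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874",
     # REG_SZ data as sandboxes log it, terminating NUL included (the "\x00" in the report)
     "data": "C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\ccxqvliq.scr\x00"},
    {"type": "dns", "pid": 102, "query": "www.update.microsoft.com.nsatc.net", "answers": ["191.232.80.55"]},
    {"type": "dns", "pid": 102, "query": "morphed.ru", "answers": []},
    {"type": "dns", "pid": 102, "query": "amnsreiuojy.ru", "answers": []},
]

# Any Run-style value under the Explorer policies key, HKCU or HKLM, whatever the value name.
POLICY_RUN_KEY = re.compile(r"\\policies\\explorer\\run\\", re.IGNORECASE)
# Temp directories as laid out on XP ("Local Settings\Temp") and on Vista+ ("AppData\Local\Temp").
TEMP_DIR = re.compile(r"\\(Local Settings|AppData\\Local)\\Temp\\", re.IGNORECASE)
# Assumption for the example: the Automatic Updates service runs inside svchost.exe,
# so that is the only parent wuauclt.exe is expected to have.
EXPECTED_WUAUCLT_PARENTS = {"svchost.exe"}

Finding = Tuple[str, str]


def basename(path: str) -> str:
    return path.rstrip("\x00").rsplit("\\", 1)[-1].lower()


def registry_target(data: str) -> str:
    """Registry string data is logged with its terminating NUL; strip it before matching paths."""
    return data.rstrip("\x00").strip()


def triage(events: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {e["path"].lower() for e in events if e["type"] == "file"}

    for e in events:
        if e["type"] == "registry" and POLICY_RUN_KEY.search(e["key"]):
            target = registry_target(e["data"])
            reasons = []
            if TEMP_DIR.search(target):
                reasons.append("target in a Temp directory")
            if target.lower().endswith(".scr"):
                reasons.append("target is a .scr")
            if target.lower() in dropped:
                reasons.append("target was dropped during this run")
            # The key itself is a legitimate Group Policy location, so only the
            # target's properties turn the write into a finding.
            if reasons:
                findings.append(("policies_run_persistence",
                                 f"{e['key']} -> {target} ({'; '.join(reasons)})"))
        elif e["type"] == "process" and basename(e["image"]) == "wuauclt.exe":
            parent = procs.get(e["ppid"])
            parent_name = basename(parent["image"]) if parent else "<unknown>"
            if parent_name not in EXPECTED_WUAUCLT_PARENTS:
                findings.append(("wuauclt_unexpected_parent",
                                 f"wuauclt.exe (pid {e['pid']}) started by {parent_name}"))

    # Once any lookup has resolved, empty answers mean the names themselves are dead or
    # unregistered (typical of expired C2 domains), not that DNS is unavailable.
    dns = [e for e in events if e["type"] == "dns"]
    if any(e["answers"] for e in dns):
        for e in dns:
            if not e["answers"]:
                findings.append(("dns_no_answer", e["query"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run against the constructed events it reports the persistence write (all three reasons), the wuauclt.exe launch from malware.exe, and the two unanswered .ru lookups; a wuauclt.exe started by svchost.exe produces no parent finding. The DNS rule deliberately stays quiet when nothing at all resolved, since a sandbox with no egress would otherwise flag every name.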

Strings