Analysis Date: 2015-12-10 19:58:57
MD5: 16d1b9e2e7280f0c8861ba49dfc8217c
SHA1: 9c870bfc90ab72ecd8ba713cf40e20429f977280

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 55fe63c3820212eb070c1a4e97e185fb sha1: e680c6a80679acb9f839a59009ada05d14aa880b size: 155648
Section .rdata: md5: cce94666e0ac0210298e5bbe3ca50436 sha1: 7252fe0b2486fce5d6107ecaffc33716ba294603 size: 99328
Section .data: md5: 3611fb8c3676d89a7b50c48099d88b88 sha1: 35d3e3db7c74235b8786279b7a940cfccf911cd8 size: 5120
Section .rsrc: md5: 52452ce2a17a4819e71cb2506bbf2666 sha1: 5da45be28cc22dc4e8dd97ee4eb3a61f6c3dae1d size: 95232
Timestamp: 2015-08-20 07:22:21
Version:
  LegalCopyright: Copyright (c) D.Kuznetzoff
  InternalName: update.exe
  FileVersion: 1.1.0.0
  ProductVersion: 1.1.0.0
  FileDescription: uVS Update module
  OriginalFilename: update.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 6ebea97ff93c9f9c94ca6a5b0e8d1e317edfc74e
IMPhash: 5e2eed59ee0b86d4d07a64ce87bb4842
AV Grisoft (avg): Crypt4.BZEX
AV MicroWorld (escan): Gen:Variant.Symmi.56438
AV CAT (quickheal): Worm.Gamarue.r4
AV CA (E-Trust Ino): no_virus
AV Eset (nod32): Win32/Kryptik.DUDE
AV Avira (antivir): TR/Crypt.Xpack.266942
AV MalwareBytes: Backdoor.Bot
AV ClamAV: no_virus
AV Mcafee: RDN/Generic BackDoor
AV Trend Micro: BKDR_ANDROM.SMWE
AV Kaspersky: Trojan.Win32.Generic
AV Alwil (avast): Androp [Drp]
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Ngrbot.2195
AV Frisk (f-prot): no_virus
AV Symantec: Trojan.Gen.2
AV Fortinet: W32/Kryptik.DTOI!tr
AV K7: Trojan ( 004cd8221 )
AV Authentium: W32/Agent.XL.gen!Eldorado
AV BullGuard: Gen:Variant.Symmi.56438
AV F-Secure: Gen:Variant.Symmi.56438
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AU
AV Dr. Web: Trojan.Siggen6.33932
AV Emsisoft: Gen:Variant.Symmi.56438
AV Zillya!: Backdoor.Kasidet.Win32.941
AV Ikarus: Trojan-Spy.Zbot
AV Ad-Aware: Gen:Variant.Symmi.56438
AV BitDefender: Gen:Variant.Symmi.56438
AV Arcabit (arcavir): Gen:Variant.Symmi.56438
AV Rising: no_virus
AV Twister: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

