Analysis Date: 2015-09-03 19:28:42
MD5: 62d29e6c1820296514021ba7bf5eebad
SHA1: 9d51538796c27a9586be024643fe357d86aeb978

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4d45cea78f3ab9f4fead024bd33ce5a1 sha1: 4f574f1ea1198062053208332d2fbfd95fb1563d size: 59392
Section .rdata: md5: b6f626c36f35902475f8149097675376 sha1: 23de5ae8c94087d3d33b45310aba913eba34d067 size: 20992
Section .data: md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360
Section .rsrc: md5: c9903124f6672cbe53350b50befa903d sha1: 9058adc1386437f2026b3025ae0579b87ebc7251 size: 512
Section .rmnet: md5: 61d0a7d666d6a929844106aa0fe7cba5 sha1: c0569e06825b3992e69abc830e107c754cff889e size: 57856
Timestamp: 2013-04-14 15:26:01
Pdb path: c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
PEhash: 4ddd339bbbb354ae2fd51b45f46d91c566892221
IMPhash: b2498eed3c3aa5befc085379b8319a74
AV MicroWorld (escan): Backdoor.Bot.77353
AV Emsisoft: Backdoor.Bot.77353
AV Dr. Web: BackDoor.Andromeda.178
AV MalwareBytes: Trojan.Downloader
AV McAfee: W32/Ramnit.a
AV Zillya!: Virus.Nimnul.Win32.1
AV Trend Micro: PE_RAMNIT.H
AV ClamAV: W32.Ramnit-1
AV F-Secure: Backdoor.Bot.77353
AV CA (E-Trust Ino): Win32/Ramnit.A
AV Grisoft (avg): Win32/Ramnit.A
AV Avira (antivir): W32/Ramnit.A
AV BullGuard: Backdoor.Bot.77353
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV Kaspersky: Virus.Win32.Nimnul.a
AV VirusBlokAda (vba32): Virus.Win32.Nimnul.a
AV Arcabit (arcavir): Backdoor.Bot.77353
AV K7: Virus ( 002fe95d1 )
AV Twister: Virus.60E8000000005D8BC5.mg
AV BitDefender: Backdoor.Bot.77353
AV Fortinet: W32/Ramnit.C
AV Authentium: W32/Ramnit.B
AV Symantec: W32.Ramnit!inf
AV Alwil (avast): RmnDrp:Win32:RmnDrp
AV Eset (nod32): Win32/Ramnit.A virus
AV Ad-Aware: Backdoor.Bot.77353
AV Rising: Win32.Ramnit.a
AV Padvish: Downloader.Win32.Gamarue.AA
AV CAT (quickheal): W32.Ramnit.D
AV Microsoft Security Essentials: Virus:Win32/Ramnit.A!remnants
AV Frisk (f-prot): W32/Ramnit.B

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2522_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 176
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1224 -e 132 -g

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 176

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1224 -e 132 -g

Network Details:
