Analysis Date: 2015-05-07 03:25:45
MD5: 232b1db1211c6685fe11bd7cb8eeb542
SHA1: a8bee1d624c9bb13bf0e3b86e91d33a64030f42f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 308168cb655d240a8115adeab46f1d6b sha1: 424ccf81b21f63ea61219d1b8f9bde6bc4641340 size: 183296
Section .rdata md5: 8f646a3fa6249df52e46b7856b70dffc sha1: fc1fd2a4e416d404906f8e792c639079fc96b487 size: 2048
Section .data md5: 9ff8e620363531a274392710246d73b5 sha1: 03520513fc0f19d61e1cc7fff630f069ece65700 size: 4096
Section .rsrc md5: 2f6a27d2e1050673a25c02ef14d87ba8 sha1: 99d855e8162d503b17f970df34fcbc4836b204ca size: 1536
Timestamp: 2006-10-26 22:57:47
Version:
LegalCopyright: eradicating collusion
InternalName: defray
FileVersion: 237, 227, 21, 64
CompanyName: Network Associates, Inc.
PrivateBuild: convenes
LegalTrademarks: cannery
Comments: burette
ProductName: delved
SpecialBuild: engage
ProductVersion: 48, 201, 133, 48
FileDescription: dismally
OriginalFilename: belgrade
Packer: Microsoft Visual C++ v6.0
PEhash: fad8b96f57e80fd153a6b4b1379411692404738a
IMPhash: c53438ac3c333abd604f6d4018391774
AV Ad-Aware: Trojan.GenericKD.2321257
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2321257
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen7
AV BitDefender: Trojan.GenericKD.2321257
AV BullGuard: Trojan.GenericKD.2321257
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Carberp.r4
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.35231
AV Emsisoft: Trojan.GenericKD.2321257
AV Eset (nod32): Win32/Kryptik.DFTG
AV Fortinet: W32/Kryptik.DFTG!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2321257
AV Grisoft (avg): Generic36.BIED
AV Ikarus: Trojan.Win32.Carberp
AV K7: Trojan ( 004be1e51 )
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic.tfr!em
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): Trojan.GenericKD.2321257
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV Twister: Trojan.Girtk.DFTG.moed
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150414\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET http://108.178.42.114:25127/stat?uid=100&downlink=1111&uplink=1111&id=00016E84&statpass=bpass&version=15150414&features=30&guid=26a550c7-d88d-4da0-88b1-458933c89552&comment=15150414&p=0&s=
User-Agent:
HTTP GET http://91.229.232.51:18532/stat?uid=100&downlink=1111&uplink=1111&id=000182C7&statpass=bpass&version=15150414&features=30&guid=26a550c7-d88d-4da0-88b1-458933c89552&comment=15150414&p=0&s=
User-Agent:
HTTP GET http://108.178.42.114:25127/stat?uid=100&downlink=1111&uplink=1111&id=0001967E&statpass=bpass&version=15150414&features=30&guid=26a550c7-d88d-4da0-88b1-458933c89552&comment=15150414&p=0&s=
User-Agent:
HTTP GET http://109.75.163.194:60098/stat?uid=100&downlink=1111&uplink=1111&id=0001AA16&statpass=bpass&version=15150414&features=30&guid=26a550c7-d88d-4da0-88b1-458933c89552&comment=15150414&p=0&s=
User-Agent:
HTTP GET http://66.155.9.238:26878/stat?uid=100&downlink=1111&uplink=1111&id=0001BDEC&statpass=bpass&version=15150414&features=30&guid=26a550c7-d88d-4da0-88b1-458933c89552&comment=15150414&p=0&s=
User-Agent:
HTTP GET http://216.99.153.26:52112/stat?uid=100&downlink=1111&uplink=1111&id=0001D1A3&statpass=bpass&version=15150414&features=30&guid=26a550c7-d88d-4da0-88b1-458933c89552&comment=15150414&p=0&s=
User-Agent:
HTTP GET http://62.212.154.220:53818/stat?uid=100&downlink=1111&uplink=1111&id=0001E53A&statpass=bpass&version=15150414&features=30&guid=26a550c7-d88d-4da0-88b1-458933c89552&comment=15150414&p=0&s=
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 108.178.42.114:25127
Flows TCP 192.168.1.1:1031 ➝ 108.178.42.114:25127
Flows TCP 192.168.1.1:1032 ➝ 91.229.232.51:18532
Flows TCP 192.168.1.1:1033 ➝ 108.178.42.114:25127
Flows TCP 192.168.1.1:1034 ➝ 109.75.163.194:60098
Flows TCP 192.168.1.1:1035 ➝ 66.155.9.238:26878
Flows TCP 192.168.1.1:1036 ➝ 216.99.153.26:52112
Flows TCP 192.168.1.1:1037 ➝ 62.212.154.220:53818

Raw Pcap
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303136 45383426 73746174 70617373   0016E84&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 34313426 66656174 75726573   5150414&features
0x00000060 (00096)   3d333026 67756964 3d323661 35353063   =30&guid=26a550c
0x00000070 (00112)   372d6438 38642d34 6461302d 38386231   7-d88d-4da0-88b1
0x00000080 (00128)   2d343538 39333363 38393535 3226636f   -458933c89552&co
0x00000090 (00144)   6d6d656e 743d3135 31353034 31342670   mment=15150414&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303138 32433726 73746174 70617373   00182C7&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 34313426 66656174 75726573   5150414&features
0x00000060 (00096)   3d333026 67756964 3d323661 35353063   =30&guid=26a550c
0x00000070 (00112)   372d6438 38642d34 6461302d 38386231   7-d88d-4da0-88b1
0x00000080 (00128)   2d343538 39333363 38393535 3226636f   -458933c89552&co
0x00000090 (00144)   6d6d656e 743d3135 31353034 31342670   mment=15150414&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303139 36374526 73746174 70617373   001967E&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 34313426 66656174 75726573   5150414&features
0x00000060 (00096)   3d333026 67756964 3d323661 35353063   =30&guid=26a550c
0x00000070 (00112)   372d6438 38642d34 6461302d 38386231   7-d88d-4da0-88b1
0x00000080 (00128)   2d343538 39333363 38393535 3226636f   -458933c89552&co
0x00000090 (00144)   6d6d656e 743d3135 31353034 31342670   mment=15150414&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303141 41313626 73746174 70617373   001AA16&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 34313426 66656174 75726573   5150414&features
0x00000060 (00096)   3d333026 67756964 3d323661 35353063   =30&guid=26a550c
0x00000070 (00112)   372d6438 38642d34 6461302d 38386231   7-d88d-4da0-88b1
0x00000080 (00128)   2d343538 39333363 38393535 3226636f   -458933c89552&co
0x00000090 (00144)   6d6d656e 743d3135 31353034 31342670   mment=15150414&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303142 44454326 73746174 70617373   001BDEC&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 34313426 66656174 75726573   5150414&features
0x00000060 (00096)   3d333026 67756964 3d323661 35353063   =30&guid=26a550c
0x00000070 (00112)   372d6438 38642d34 6461302d 38386231   7-d88d-4da0-88b1
0x00000080 (00128)   2d343538 39333363 38393535 3226636f   -458933c89552&co
0x00000090 (00144)   6d6d656e 743d3135 31353034 31342670   mment=15150414&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303144 31413326 73746174 70617373   001D1A3&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 34313426 66656174 75726573   5150414&features
0x00000060 (00096)   3d333026 67756964 3d323661 35353063   =30&guid=26a550c
0x00000070 (00112)   372d6438 38642d34 6461302d 38386231   7-d88d-4da0-88b1
0x00000080 (00128)   2d343538 39333363 38393535 3226636f   -458933c89552&co
0x00000090 (00144)   6d6d656e 743d3135 31353034 31342670   mment=15150414&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303145 35334126 73746174 70617373   001E53A&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 34313426 66656174 75726573   5150414&features
0x00000060 (00096)   3d333026 67756964 3d323661 35353063   =30&guid=26a550c
0x00000070 (00112)   372d6438 38642d34 6461302d 38386231   7-d88d-4da0-88b1
0x00000080 (00128)   2d343538 39333363 38393535 3226636f   -458933c89552&co
0x00000090 (00144)   6d6d656e 743d3135 31353034 31342670   mment=15150414&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..


Strings
.
.r1_.k.
%....Y7
.b.
i.#^..`eQ...F..2.~
+.#}/....zc`A...aHSf0AE..&-..
0.;6.|p...
.`9%.....".N....[.$
'.m;..M_.Y...Um.....$...t_....H.b.....s^....!..v..<r..
..i.......R.F(
.L4..7..
O.8.C...A.7..}.aPaOP..o....^.F....0*.@.......
....T.z.=Rtb..Q
.../..;.m..D.I7Ug.J,.!..P.D............
kynD*.g
.k}8|...M...d.T...~.E..lAO.K
.~As...w~..tZQ...<oS2/6..C`L.4..KQ|C..Y..;
+u!sI|[.
...@....(.Iz.(U...F$ v..`..I>...0..w.
...7...hsY.s.<<c.PW.Y.Z.......+.:5}r.k...z.
.s2..P.]j_......V..+.M..
.+.*_
..{...AaGU:..3...K....
}"
.Z.g.....$.F...h....?....9f T.
.+p)....
Y=...?...
.b.....L
_.J...~
.
.w..y.
P.1.z..>
D-....Q.
H.2!........u....s.
....3p.
<.v..r.5.....G
$2.'...2.a.0h#f
.y.....:..
.....$.ff..&............;.:..Wr.}...=!(!.
..
....v.......
&2.2.O,.
g.
..'D..a.4.uO
....<..AF
.>.W....1......
..
\.h.I....
..;P.eAJ..3eZ..n.z..
...
...'..?.,J.:[.L.^..s8J..W+.F<....aF
k.......|X..
...y.NU./Z&.1%.....-.BBv.._.$
..7[.?u.O..0....n".a(..
.G.&B..W....~.
.o:.`R.....2.I..;......
Q....I.
......x.2r..r|
..1...FuT.5.w.........U.$B#.m1.N(.l..dG
F[9....>kxQ...#.*....{...
N.@y...
.'3.
..(5.-.r
..W.C..b..S&..G..xe.B.}
M{#f...|8.ZbF.5...>.y.}..h.H..i0......S.DK..C.1L
&L..)...n...g.>.t.k..LB...
.....y..9-m0..T2..X..V....0J..
..!.W..W..
.
.
.
.
.
.
.
.
.P.*...
....
.
GH..=s..Bh
040904b0
237, 227, 21, 64
48, 201, 133, 48
atmospheric
belgrade
burette
cannery
Comments
CompanyName
convenes
defray
delved
dismally
easement
engage
eradicating collusion
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
MS Sans Serif
Network Associates, Inc.
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0$?lfY
33D3HL
3A AHue
  $3 D
3$eEtH
3He@H@L
3ottrr
3@ u@ED 
3utDHP@
4P6t 3
6',z,/
A@AAo$H
_acmdln
AcnIfYo
A DeAAo
 ADE@D
_adjust_fdiv
A$DLP@
A@DrH3
A$E3Ae$t
$AeAD PL
^>a}geqVM
$AH3DEH
AHDEL u
$$A@LAL
A LEEE
ALEr3oD
aNpwXqUTlk
Aru@rtPu
At@ 3e 
AuELoE
AuoED$
AuttLD
BbrOixBTPhi
bjVYxBQ
borEKGPc
BStdvweADS
bXMYjbnyjod
cHqevledCHO
cmqW+V
_controlfp
CUkVmOKU
D7BS8uL
@.data
 DA$uu
dBMyKD
DErteE$
DLo@@ouA3A
$$Do3o
@DoLo uePeH3r
D  tDt
DtubMIJTYL
D@u$PA
dWe+Qw)
E$3@ALAr
e3Aoo3
 eDu3e
eDuA ELL
eEuEDA
EHoe@L
eih-wtJ
@eooLA
E$ ott
e PE @H
EP$H t3 @
ePoL@$
ePt3oHo
erPott$
eto$LA$
E@uHrt$3
@eu@ L
eutEr$
_except_handler3
e}X".r<?
e&{Z(e
FindMediaTypeClass
fUIBLLP
__getmainargs
GetMessageA
GetModuleHandleA
GetStartupInfoA
GVGttwGJHM
hNWQnafUxV
HoAA$3Ht
HrAuu@
IMM32.dll
ImmCreateContext
ImmDestroyContext
ImmEnumRegisterWordW
ImmEscapeA
ImmGetCandidateListA
ImmGetCandidateListW
ImmGetCompositionFontA
ImmGetCompositionStringA
ImmGetCompositionStringW
ImmGetCompositionWindow
ImmGetContext
ImmGetConversionListW
ImmGetConversionStatus
ImmGetDescriptionA
ImmGetGuideLineA
ImmGetIMEFileNameA
ImmGetIMEFileNameW
ImmGetProperty
ImmGetRegisterWordStyleA
ImmGetStatusWindowPos
ImmIsUIMessageA
ImmRegisterWordA
_initterm
KERNEL32.dll
kJtV [
KWMSfY
L3.1L2.
L3.1L3.
L3.Rich1L3.
L3.SS .ZL3.gS .hL3.
LE$DoHu
  LHLo
Lo HDrA AP
LoLHA r
 LrLD$
L @tPDr
Lu3$tr
LuD@ L
MPR.dll
Mq ^$[
MSVCRT.dll
MultinetGetConnectionPerformanceW
  oAA3
$oAHHt@PHr
 oAt@@D
o$ @@DP
oDtLPDAA
oDt$rEA3
oEr H$
-ofq(<
OjHWtPO
ooo@tu3
ooP@ur$E$rE
or@@tuA
o@utr@Ho
PADu$ u
__p__commode
@P  ED
PeD3PD
PEuA e
__p__fmode
PH$tPP$
PoABVpqabSn
 PPDEt
PPu@Pu
PrAELADHL
Pt$Att
qrDvaFdXNqD
Q)UEcqh
`.rdata
r$E AP
reHA o@3
rHE EA
rHeP3A@r$DP
rHteuo
@r@Hu 
rLADAo
ro3ree
ro$rAoL
RqbHlBXksWM
rrLEAu
ScO&{}
__set_app_type
__setusermatherr
SFjd>-
Sid#ma
$t3r@oo
tAou rA
tEL He 
t@EP3u
!This program cannot be run in DOS mode.
tHLA3A
@toHreA
tPLPD3u
@ttAL 
u-]}1L3.1L3.1L3.1L2.}L3.1L3.
u3$eL3
uD ALe
uDuErr$
uEEuo@
uLEPL@eA
uL L e 33
uNE*TR8
uPLPoA
ur3rL3tu Loe$A
urlmon.dll
uruPo3
USER32.dll
utA@$r
uu3PuA
viSgQx
vJhPScfhi
VVbO]J
WNetAddConnection2A
WNetCancelConnection2A
WNetCancelConnection2W
WNetCancelConnectionA
WNetConnectionDialog
WNetDisconnectDialog1A
WNetGetConnectionA
WNetGetConnectionW
WNetGetLastErrorW
WNetGetNetworkInformationW
WNetGetProviderNameW
WTtlkD
_XcptFilter
xGNotP
xw|{lAH=]
)xz;$Ej
|ynGa	
yppRxLQbw
YWHPgi
Z:M]BZ