Analysis Date: 2015-12-04 13:36:32
MD5: 88ec04adc31f558f58d3254e01c16f38
SHA1: ad1c83ff4b438ef1a14a3834d7800cb340af466e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 4770af2f3e47ed34327fbd7e56adfe1c  sha1: 664915538a366eb66e2b6e310f059cbb5732f750  size: 24576
Section .rdata md5: d5458a6bd9ea64c9e25e41a24edc82d8  sha1: 7d9d4d5f3dc89766601d740e95c08f0b7eabd4e6  size: 4096
Section .data  md5: a17e535a096a9ff5a4e7fb88a881fef6  sha1: e4a1652cebb186c24f525fd097b5ab8e512b7954  size: 4096
Section .rsrc  md5: 2a82087463aeeea59005f3f27c420257  sha1: 5f27e3af2a83efa43cb8b71b5089e4900e665771  size: 81920
Timestamp: 2013-08-15 22:06:41
Version:
  LegalCopyright: Zileg
  InternalName: Rapiz
  FileVersion: 1, 6, 2, 3
  CompanyName: Lampi
  PrivateBuild: Delim
  LegalTrademarks: Zapaz
  Comments: Zepac
  ProductName: Daber
  SpecialBuild: Fizar
  ProductVersion: 4, 8, 2, 6
  FileDescription: Zefir
  OriginalFilename: Moreg
Packer: Microsoft Visual C++ v6.0
PEhash: c693504673b0ed2416b8f01958e7222f8b6a22a1
IMPhash: 977babce4039e5d0e6e58ca1c95a4799
AV Kaspersky: Backdoor.Win32.Androm.deu
AV Padvish: Worm.Win32.Gamarue.SameMsiexec1
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV MicroWorld (escan): Gen:Variant.Symmi.28546
AV Fortinet: W32/Wauchos.LB!tr
AV Frisk (f-prot): W32/Trojan2.OAPW
AV Ikarus: Trojan-Downloader.Small
AV K7: Trojan ( 0001140e1 )
AV Mcafee: W32/Worm-FKO!88EC04ADC31F
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Grisoft (avg): Downloader.Small.IZA
AV MalwareBytes: Trojan.Email.Bot
AV Ad-Aware: Gen:Variant.Symmi.28546
AV BullGuard: Gen:Variant.Symmi.28546
AV Alwil (avast): Bundpil-C [Trj]
AV Authentium: W32/Trojan.KYQA-2633
AV CA (E-Trust Ino): Win32/Gamarue.JcURVL
AV CAT (quickheal): no_virus
AV Avira (antivir): TR/Kryptik.1625441
AV ClamAV: Win.Trojan.Agent-723835
AV Dr. Web: BackDoor.Andromeda.178
AV Arcabit (arcavir): Gen:Variant.Symmi.28546
AV BitDefender: Gen:Variant.Symmi.28546
AV Emsisoft: Gen:Variant.Symmi.28546

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\52a9_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 176
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1772 -e 132 -g

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 176

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1772 -e 132 -g

Network Details:

