Analysis Date: 2016-03-19 17:55:08
MD5: 07d9bfcc0cd92f86cf60a18d95bfa09b
SHA1: ba50760adf2294939590a9abb2ed591b44522fea

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 853a14169133ce912b2015e54de972ea sha1: 3420ae432d6656c8185f81515c18ffa8370793c5 size: 22016
Section .rdata: md5: 4f879abcff03ad41c650b24fdaec1cd7 sha1: 566f06058a15a94662fefdb5dcd3c80fa911acf7 size: 2560
Section .data: md5: 07db0ce8ff56f80369620d256be7093a sha1: d676884c676da6256741c672c2633c52ab19be5a size: 10752
Section .rsrc: md5: 6bc9c721550f630afb17a6da4e299d60 sha1: a7558074317d457fc11d06f4a22a89965cb79cf3 size: 95232
Timestamp: 2013-08-09 18:10:19
Version:
LegalCopyright: Milko
InternalName: Zepa
FileVersion: 1, 3, 1, 9
CompanyName: Firer
PrivateBuild: Papak
LegalTrademarks: Bapiz
Comments: Tabak
ProductName: Selem
SpecialBuild: Rile
ProductVersion: 1, 8, 2, 6
FileDescription: Zamaz
OriginalFilename: Dabaris
Packer: Microsoft Visual C++ v6.0
PEhash: 5e81e568c8838c80d0ac4a642e72ff33a520373b
IMPhash: 1e981a857730d2d2d49c3cc3486f0953
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV Rising: No Virus
AV Mcafee: W32/Worm-FQF!Gamarue
AV MicroWorld (escan): Trojan.Generic.15663504
AV MalwareBytes: Backdoor.Bot
AV Avira (antivir): TR/Graftor.rqwouean
AV Ikarus: Trojan.Inject
AV Frisk (f-prot): W32/Gamarue.E.gen!Eldorado
AV Authentium: W32/Gamarue.E.gen!Eldorado
AV Emsisoft: Trojan.Generic.15663504
AV Twister: Trojan.9BB3718F65F3438B
AV Ad-Aware: Trojan.Generic.15663504
AV Zillya!: Backdoor.Androm.Win32.2949
AV Kaspersky: Worm.Win32.Agent.bwa
AV Trend Micro: WORM_GAMARUE.SMV
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Grisoft (avg): Inject.BDSO
AV CAT (quickheal): Worm.Gamarue.A5
AV VirusBlokAda (vba32): Worm.Agent
AV Symantec: Packed.Dromedan!gen7
AV BullGuard: Trojan.Generic.15663504
AV Arcabit (arcavir): Trojan.Generic.15663504
AV Fortinet: W32/Wauchos.LB!tr
AV ClamAV: Win.Trojan.Agent-722093
AV BitDefender: Trojan.Generic.15663504
AV Dr. Web: BackDoor.Andromeda.178
AV K7: Trojan-Downloader ( 0043f6bc1 )
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
AV CA (E-Trust Ino): Trojan.Generic.15663504

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wupdmgr.exe

Process
↳ C:\WINDOWS\system32\wupdmgr.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccrnpn.exe\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccrnpn.exe
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.189
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 157.55.240.94
DNS: devicesta.ru (Type: A) ➝ 195.22.28.199
DNS: devicesta.ru (Type: A) ➝ 195.22.28.196
DNS: devicesta.ru (Type: A) ➝ 195.22.28.197
DNS: devicesta.ru (Type: A) ➝ 195.22.28.198
DNS: www.update.microsoft.com (Type: A)
DNS: restlesz.su (Type: A)
HTTP POST: http://devicesta.ru/gate02.php
User-Agent: Mozi1la/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.189:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1038 ➝ 195.22.28.199:80

Raw Pcap
Strings