Analysis Date: 2018-02-06 21:41:18
MD5: bf3b5dc6cc56d038020a72e1b268f29b
SHA1: bdbd1db14280665a4b730579a1c336e37011e371

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 2629e2dec5609871a2b73e65c4919602  sha1: 55f14a7065c13aaa6c05accee05930a0f6b931ed  size: 86016
Section .rdata  md5: 1701c16a1d51bd2b6f5b97e7c8a5cdc2  sha1: 3c96a7554ff24906f4ff20af92827bcde7b28a3d  size: 8192
Section .data   md5: 1d1dfd309f3d181d93598c2eb05e2dfc  sha1: d053f787533f6aa985738b45f19654873a475daf  size: 16384
Section .tls    md5: 620f0b67a91f7f74151bc5be745b7110  sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d  size: 4096  (digests of 4096 zero bytes: the section is empty on disk)
Section .rsrc   md5: b46357871abfcf44b486a41bb505d860  sha1: 427b16d2e8dd816e126932c76d4b53ac4e63ef11  size: 8192
Timestamp (PE header TimeDateStamp): 2014-03-14 13:38:54
Version info:
  FileDescription: DieSonne Software
  Comments: DieSonne Software
  CompanyName: DieSonne Software, GmbH.
Packer: Microsoft Visual C++ v6.0 (a compiler signature match, not a packer; the CRT strings further down are consistent with a VC6 build)
PEhash: ef545b38d4476e998e58721e0caf2ebcbcab2d53
IMPhash: 4e563ea43959a45f018ab0a2a321379e
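How the Section and Timestamp lines above are derived, as an added example (this is not code from the sandbox that produced the report): a minimal PE header parser that recomputes per-section MD5, SHA1 and size plus the compile timestamp using only the Python standard library. It assumes the report's size field is SizeOfRawData and that the digests cover the file-backed bytes at PointerToRawData (the listed sizes are all multiples of 4096, which fits that under a 0x1000 file alignment); imphash is not reproduced. The sample itself is not embedded, so build_synthetic_pe() constructs a stand-in image for running the parser offline, and REPORT_SECTIONS carries the page's own values for use against the real file.

```python
"""Recompute per-section digests and the compile timestamp listed in the
static details of a sandbox report, with a hand-rolled PE header parser.

Added example, not the sandbox's code. Standard library only; the sample is
not included, build_synthetic_pe() makes a constructed stand-in image.
Assumption: 'size' is SizeOfRawData and digests cover the raw bytes.
"""
import hashlib
import struct
from datetime import datetime, timezone

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def _digests(blob: bytes) -> dict:
    return {"md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest(),
            "size": len(blob)}


def _file_header(data: bytes):
    """Locate IMAGE_FILE_HEADER via e_lfanew; returns (offset, fields)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh_off = e_lfanew + 4
    return fh_off, struct.unpack_from(FILE_HEADER_FMT, data, fh_off)


def compile_timestamp(data: bytes) -> str:
    """TimeDateStamp from the file header, rendered as the report does (UTC)."""
    _, (_, _, stamp, _, _, _, _) = _file_header(data)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def section_hashes(data: bytes) -> dict:
    """{section name: {'md5', 'sha1', 'size'}} over each section's raw bytes."""
    fh_off, (_, nsect, _, _, _, opt_size, _) = _file_header(data)
    table = fh_off + 20 + opt_size          # section table follows the optional header
    out = {}
    for i in range(nsect):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]   # SizeOfRawData, PointerToRawData
        blob = data[raw_ptr:raw_ptr + raw_size]
        if len(blob) != raw_size:
            raise ValueError(f"section {name}: raw data runs past end of file")
        out[name] = _digests(blob)
    return out


def compare(data: bytes, expected: dict) -> list:
    """Check a file against report values; returns mismatch strings (empty = agrees)."""
    actual = section_hashes(data)
    problems = []
    for name, want in expected.items():
        if name not in actual:
            problems.append(f"{name}: section not present")
            continue
        for field, value in want.items():
            if actual[name][field] != value:
                problems.append(f"{name}.{field}: report {value}, file {actual[name][field]}")
    return problems


def build_synthetic_pe(sections, timestamp: int) -> bytes:
    """Constructed test input: a PE32 skeleton with (name, raw bytes) sections
    laid out at a 0x200 file alignment. Only fields the parser reads matter."""
    opt_size, e_lfanew, align = 0xE0, 0x40, 0x200
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (hdr_len + align - 1) // align * align
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000 + len(body), len(raw),
                             first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack(FILE_HEADER_FMT, 0x14C, len(sections),
                                   timestamp, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size + table
    return hdr.ljust(first_raw, b"\0") + body


# Values transcribed from the report; run compare(open(path, "rb").read(), REPORT_SECTIONS)
# against the file whose SHA1 is bdbd1db14280665a4b730579a1c336e37011e371.
REPORT_SECTIONS = {
    ".text":  {"md5": "2629e2dec5609871a2b73e65c4919602", "size": 86016},
    ".rdata": {"md5": "1701c16a1d51bd2b6f5b97e7c8a5cdc2", "size": 8192},
    ".data":  {"md5": "1d1dfd309f3d181d93598c2eb05e2dfc", "size": 16384},
    ".tls":   {"md5": "620f0b67a91f7f74151bc5be745b7110", "size": 4096},
    ".rsrc":  {"md5": "b46357871abfcf44b486a41bb505d860", "size": 8192},
}
```

A non-empty list from compare() against the real file means the binary on hand is not the one this report describes (or has been altered); per-section digests survive changes to the overlay or resources that would change the whole-file MD5, which is why sandboxes list them separately.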
AV results:
  Arcabit (arcavir)                Gen:Variant.Zusy.85874
  Authentium                       W32/Trojan.VFKW-2561
  Grisoft (avg)                    Error Scanning File
  Avira (antivir)                  TR/Kryptik.pow.1
  Alwil (avast)                    Dropper-gen [Drp]
  Ad-Aware                         Gen:Variant.Zusy.85874
  BitDefender                      Gen:Variant.Zusy.85874
  BullGuard                        Gen:Variant.Zusy.85874
  ClamAV                           Win.Trojan.Dofoil-69
  Dr. Web                          BackDoor.Andromeda.267
  Emsisoft                         Gen:Variant.Zusy.85874
  MicroWorld (escan)               Gen:Variant.Zusy.85874
  CA (E-Trust Ino)                 Gen:Variant.Symmi.41099
  Fortinet                         Error Scanning File
  Frisk (f-prot)                   W32/Trojan3.HTR
  F-Secure                         Gen:Variant.Zusy.85874
  Ikarus                           Trojan-Downloader.Win32.Dofoil
  K7                               Trojan ( 0001140e1 )
  Kaspersky                        Trojan.Win32.Generic
  MalwareBytes                     No Virus
  Mcafee                           PWSZbot-FTY!Gamarue
  Microsoft Security Essentials    Worm:Win32/Gamarue.I
  NANO                             Trojan.Win32.Androm.cvxdlt
  Eset (nod32)                     Win32/TrojanDownloader.Wauchos.Z
  Padvish                          Backdoor.Androm.dpxf
  CAT (quickheal)                  Worm.Gamarue.I5
  Rising                           0x5693a69f
  360 Safe                         No Virus
  SUPERAntiSpyware                 Error Scanning File
  Symantec                         Backdoor.Trojan
  Trend Micro                      BKDR_ANDROM.WSDM
  Twister                          Backdoor.DFF46356AD63C4BB
  VirusBlokAda (vba32)             Backdoor.Androm
  Windows Defender                 Worm:Win32/Gamarue.I
  Zillya!                          Error Scanning File

Runtime Details:

Process: C:\Windows\System32\lsass.exe
Process: C:\Users\THX1138\AppData\Local\Temp\bdbd1db14280665a4b730579a1c336e37011e371.exe

Creates Mutex: (name not shown in report)
Creates Mutex: (name not shown in report)
Creates File: \??\Nsi
Creates File: C:\Users\THX1138\AppData\Local\Temp\bdbd1db14280665a4b730579a1c336e37011e371.exe

Network Details:

DNS www.update.microsoft.com.nsatc.net (A): 65.55.50.158, 134.170.58.222
DNS eriksiversen.ru (A): 195.22.26.252, 195.22.26.253, 195.22.26.254, 195.22.26.231
DNS juliussdietz.ru (A): 195.22.26.252, 195.22.26.253, 195.22.26.254, 195.22.26.231
DNS update.microsoft.com (A): no address recorded
DNS captioncodes.ru (A): no address recorded
DNS fulldag.ru (A): no address recorded
DNS mantos.su (A): no address recorded
DNS aleersons.ru (A): no address recorded
DNS ivabragin.su (A): no address recorded
DNS fairyfall.ru (A): no address recorded
DNS tachassu.su (A): no address recorded
DNS comentors.ru (A): no address recorded
DNS bravonor.su (A): no address recorded
DNS wolletnot.ru (A): no address recorded
DNS valueok.su (A): no address recorded
HTTP POST http://eriksiversen.ru/new2/gate.php  User-Agent: Mozilla/4.0
HTTP POST http://juliussdietz.ru/new2/gate.php  User-Agent: Mozilla/4.0
Flows:
  TCP 192.168.1.1:1036 ➝ 65.55.50.158:80
  TCP 192.168.1.1:1038 ➝ 195.22.26.252:80
  TCP 192.168.1.1:1042 ➝ 195.22.26.252:80
  UDP 192.168.1.1:1037, 1039-1041, 1043-1062 ➝ 8.8.4.4:53 (one flow per source port)
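The Network Details above turned into indicators, with the detection a practitioner would derive from them, as an added example that is not part of the sandbox report. The indicator tables are transcribed from the report; the proxy log format and every log line are constructed for the demonstration. The Microsoft update hosts in the DNS list are treated as benign infrastructure rather than indicators, an assumption of this example. Besides the domain and address lists, the rules key on the check-in shape itself (a POST to a path ending in /gate.php with the bare Mozilla/4.0 User-Agent), because the report shows that same shape against two domains plus a long list of further domains that resolved to nothing during the run, so the names alone are a weak signature. shared_resolution_groups() is the pivot over the DNS data: domains with identical A-record sets.

```python
"""Indicators and matching rules built from a sandbox report's Network
Details, run over constructed proxy log lines.

Added example, not part of the report. Indicator tables are transcribed
from the report; the log format and the log lines are constructed. The
Microsoft update hosts are assumed benign and excluded from the indicators.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# domain -> A records observed in the run (empty set: queried, no address recorded)
OBSERVED_DNS = {
    "www.update.microsoft.com.nsatc.net": {"65.55.50.158", "134.170.58.222"},
    "update.microsoft.com": set(),
    "eriksiversen.ru": {"195.22.26.252", "195.22.26.253", "195.22.26.254", "195.22.26.231"},
    "juliussdietz.ru": {"195.22.26.252", "195.22.26.253", "195.22.26.254", "195.22.26.231"},
    "captioncodes.ru": set(), "fulldag.ru": set(), "mantos.su": set(),
    "aleersons.ru": set(), "ivabragin.su": set(), "fairyfall.ru": set(),
    "tachassu.su": set(), "comentors.ru": set(), "bravonor.su": set(),
    "wolletnot.ru": set(), "valueok.su": set(),
}
OBSERVED_HTTP = [
    ("POST", "http://eriksiversen.ru/new2/gate.php", "Mozilla/4.0"),
    ("POST", "http://juliussdietz.ru/new2/gate.php", "Mozilla/4.0"),
]
BENIGN_HOSTS = {"www.update.microsoft.com.nsatc.net", "update.microsoft.com"}  # assumption


def build_iocs() -> dict:
    """Atomic indicators (domains, addresses, URI paths, User-Agents) minus benign hosts."""
    malicious = {d: ips for d, ips in OBSERVED_DNS.items() if d not in BENIGN_HOSTS}
    return {
        "domains": set(malicious),
        "ips": set().union(*malicious.values()),
        "paths": {urlsplit(url).path for _, url, _ in OBSERVED_HTTP},
        "user_agents": {ua for _, _, ua in OBSERVED_HTTP},
    }


def shared_resolution_groups(dns: dict) -> dict:
    """Group domains whose A-record sets are identical and non-empty: the pivot
    for hunting sibling C2 names the run did not reveal directly."""
    groups = defaultdict(list)
    for domain, ips in dns.items():
        if ips:
            groups[frozenset(ips)].append(domain)
    return {ips: sorted(ds) for ips, ds in groups.items() if len(ds) > 1}


# Constructed proxy log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def match_proxy_log(lines, iocs=None) -> list:
    """One hit per matching line, with every rule that fired. Two atomic rules
    (domain, address) and one behavioural rule on the check-in shape, which
    also catches hosts that are not on the list yet."""
    iocs = iocs or build_iocs()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        host = url.hostname or ""
        reasons = []
        if host in iocs["domains"]:
            reasons.append("known C2 domain")
        if host in iocs["ips"]:
            reasons.append("known C2 address")
        if (m["method"] == "POST" and url.path.endswith("/gate.php")
                and m["ua"] in iocs["user_agents"] and host not in BENIGN_HOSTS):
            reasons.append("gate.php POST with bare Mozilla/4.0 User-Agent")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons})
    return hits


SAMPLE_LOG = [  # constructed lines, not taken from the report's pcap
    '2018-02-06T21:41:19 10.0.0.5 GET http://www.update.microsoft.com.nsatc.net/ "Mozilla/4.0"',
    '2018-02-06T21:41:21 10.0.0.5 POST http://eriksiversen.ru/new2/gate.php "Mozilla/4.0"',
    '2018-02-06T21:41:25 10.0.0.5 POST http://195.22.26.252/new2/gate.php "Mozilla/4.0"',
    '2018-02-06T21:42:00 10.0.0.7 POST http://not-yet-listed.example/new2/gate.php "Mozilla/4.0"',
    '2018-02-06T21:42:05 10.0.0.8 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 6.1)"',
]

if __name__ == "__main__":
    for ips, domains in shared_resolution_groups(OBSERVED_DNS).items():
        print("shared resolution:", domains, "->", sorted(ips))
    for hit in match_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], "; ".join(hit["reasons"]))
```

The behavioural rule fires on the fourth constructed line even though its host appears nowhere in the report, which is the point of keying on the request shape: the eleven domains that returned no address in this run suggest the name list rotates, while the gate path and the minimal User-Agent are properties of the client code. Expect some tuning on a real proxy feed (a path ending in /gate.php is not unique to this family), which is why each hit carries its reasons rather than a single verdict.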

Strings
q
I...k
q
I...k
.f~
.4'\
. 
C::::% BbmHpAadYySMI--lB
040904b0
Comments
CompanyName
DieSonne Software
DieSonne Software, GmbH.
FileDescription
         (((((                  H
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
*******
^}%95X
abnormal program termination
america
american
american english
american-english
Argentina
August
Australia
australian
Austria
Basque
belgian
Belgium
britain
Canada
canadian
chinese
chinese-hongkong
chinese-simplified
chinese-singapore
chinese-traditional
CloseHandle
Colombia
CompareStringA
CompareStringW
Costa Rica
CreateDirectoryA
CreateEventW
CreateMutexA
>Cu28V
@.data
dddd, MMMM dd, yyyy
December
DeleteCriticalSection
DeleteIpForwardEntry
DOMAIN error
Dominican Republic
dutch-belgian
Ecuador
england
English
english-american
english-aus
english-belize
english-can
english-caribbean
english-ire
english-jamaica
english-nz
english-south africa
english-trinidad y tobago
english-uk
english-us
english-usa
EnterCriticalSection
EnumSystemLocalesA
e=&W[o=Y[
ExitProcess
FatalAppExitA
February
FileTimeToLocalFileTime
FileTimeToSystemTime
FindFirstFileW
FindResourceW
Finland
Finnish
F@j@Ph
- floating point not loaded
FlushFileBuffers
F PjPWj
F$PjQWj
F.PjRWj
F*PjTWj
F+PjUWj
F,PjVWj
F-PjWWj
France
FreeEnvironmentStringsA
FreeEnvironmentStringsW
French
french-belgian
french-canadian
french-luxembourg
french-swiss
Friday
German
german-austrian
german-lichtenstein
german-luxembourg
german-swiss
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileSize
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetTickCount
GetTimeZoneInformation
GetUserDefaultLCID
GetVersion
GetVersionExA
GetVersionExW
GlobalAlloc
__GLOBAL_HEAP_SELECTED
great britain
Guatemala
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HH6MHP6]
HHHHHHHHHH
HHtiHtGH
H:mm:ss
holland
hong-kong
HtHHt(
HtOHt)H
Iceland
Icelandic
InitializeCriticalSection
InterlockedDecrement
InterlockedExchangeAdd
InterlockedIncrement
IPHLPAPI.DLL
irish-english
IsBadWritePtr
IsCharUpperW
IsValidCodePage
IsValidLocale
italian-swiss
It[IItM
JanFebMarAprMayJunJulAugSepOctNovDec
January
KERNEL32.dll
LC_ALL
LC_COLLATE
LC_CTYPE
LCMapStringA
LCMapStringW
LC_MONETARY
LC_NUMERIC
LC_TIME
LeaveCriticalSection
LoadLibraryA
Luxembourg
M/d/yy
MEM         
MessageBoxA
Mexico
Microsoft Visual C++ Runtime Library
Monday
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
new-zealand
norwegian
norwegian-bokmal
norwegian-nynorsk
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
October
ogggio
Panama
Paraguay
portuguese-brazilian
PPPPPPPP
pr china
pr-china
Program: 
<program name unknown>
puerto-rico
- pure virtual function call
PVhteA
Q0o`pVncbcH`'{
QQSVW3
QQSVWj
QueryPerformanceCounter
RaiseException
R\C|8==^W
`.rdata
RtlUnwind
runtime error 
Runtime Error!
rx_Info0
RZU4ssjt
Saturday
September
SetEnvironmentVariableA
SetHandleCount
SetLastError
[ShxeA
SING error
slovak
south africa
south-africa
South Africa
south korea
south-korea
Spanish
spanish-argentina
spanish-bolivia
spanish-chile
spanish-colombia
spanish-costa rica
spanish-dominican republic
spanish-ecuador
spanish-el salvador
spanish-guatemala
spanish-honduras
spanish-mexican
spanish-modern
Spanish - Modern Sort
spanish-nicaragua
spanish-panama
spanish-paraguay
spanish-peru
spanish-puerto rico
Spanish - Traditional Sort
spanish-uruguay
spanish-venezuela
SS@SSPVSS
STATUS_NO_YIELD_PERFORMED
Sunday
SunMonTueWedThuFriSat
Sweden
Swedish
swedish-finland
Switzerland
tEj@Vh
TerminateProcess
!This program cannot be run in DOS mode.
Thursday
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tn<%t2
tPhLeA
trinidad & tobago
t#SSUP
t.;t$$t(
Tuesday
t$$VSS
t/WWUPj
>:u#FV
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
united-kingdom
united-states
Uruguay
user32.dll
USER32.dll
VC20XC00U
Venezuela
^VhxeA
VirtualAlloc
VirtualFree
Vtvj0j
VU|&W^
VWuBhheA
WaitForSingleObject
Wednesday
WideCharToMultiByte
WQj1Pj
WriteFile
"WWShteA
XRkVWWWWWW[
_^][YY
Zi=xW[
zu^SSS
z'(VG.