Analysis Date: 2015-10-15 12:51:59
MD5: 8d05beb4133bc226fdd51ca1b39df4f5
SHA1: c30a2401b7a97edc75ccf76b17c3b25a9c3cbe23

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 2a86b8b919c9d8aa04e678dbbaddd160 sha1: 5d32e2861c9a11012d822c3ba1324e02a9e69383 size: 10752
Section .rdata md5: e788909ec8696720b13681e424722f64 sha1: 84d524d7a3ca3551b9ccd9770686641d7f9a6d23 size: 1024
Section .data md5: 225c18d94fba518e62cbb57ce5d5293f sha1: 0d640875688b8e18b86bfcd18d8eeb88102f9d07 size: 512
Section .rsrc md5: d51dc5c1e459b5d3b9ecbfcb4ee410ae sha1: 34145ab2b2c52360e81373f34c0ae416b76a6b5e size: 26112
Timestamp: 2013-01-10 09:52:23
Version:
LegalCopyright: Copyright Divine© 2012
InternalName: CheckSum Fixer
FileVersion: 1, 0, 0, 1
CompanyName: Divine
PrivateBuild:
LegalTrademarks: Divine©
Comments:
ProductName: Divine CRC CheckSum Fixer
SpecialBuild:
ProductVersion: 1, 0, 1, 1
FileDescription: CRC CheckSum Fixer
OriginalFilename: CheckSum Fixer.exe
Packer: Borland Delphi 3.0 (???)
PEhash: 3fc800ead75e557092a09507dd22eecddc62a8c6
IMPhash: d97d17d9a641a3b5a61211b49db88104
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Gamarue.1
AV Dr. Web: BackDoor.Andromeda.22
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Gamarue.1
AV BullGuard: Gen:Variant.Gamarue.1
AV Padvish: Worm.Win32.Gamarue.V61
AV VirusBlokAda (vba32): TrojanDownloader.Andromeda
AV CAT (quickheal): Worm.Gamarue.B
AV Trend Micro: BKDR_ANDROM.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Gamarue.1
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV Frisk (f-prot): W32/Andromeda.D.gen!Eldorado
AV Authentium: W32/Andromeda.D.gen!Eldorado
AV MalwareBytes: Backdoor.Agent.RS
AV MicroWorld (escan): Gen:Variant.Gamarue.1
AV Microsoft Security Essentials: TrojanDropper:Win32/Gamarue.F
AV K7: Trojan ( 001d712b1 )
AV BitDefender: Gen:Variant.Gamarue.1
AV Fortinet: W32/Injector.ABED!tr
AV Symantec: no_virus
AV Grisoft (avg): Worm/Generic_r.KA
AV Eset (nod32): Win32/Injector.ABED
AV Alwil (avast): Dropper-gen [Drp]
AV Ad-Aware: Gen:Variant.Gamarue.1
AV Twister: Trojan.82DBF1A739918C53
AV Avira (antivir): TR/Dldr.Andromeda.gse
AV Mcafee: BackDoor-FANY!8D05BEB4133B

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: DBWinMutex

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msqoivexo.exe\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msqoivexo.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\C30A24~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: www.update.microsoft.com.nsatc.net
Type: A
157.55.240.94
DNS: xjpakmdcfuqe.in
Type: A
178.79.190.156
DNS: xjpakmdcfuqe.ru
Type: A
195.22.26.254
DNS: xjpakmdcfuqe.ru
Type: A
195.22.26.231
DNS: xjpakmdcfuqe.ru
Type: A
195.22.26.252
DNS: xjpakmdcfuqe.ru
Type: A
195.22.26.253
DNS: xjpakmdcfuqe.com
Type: A
72.5.65.112
DNS: xjpakmdcfuqe.nl
Type: A
176.58.104.168
DNS: www.update.microsoft.com
Type: A
DNS: xjpakmdcfuqe.biz
Type: A
HTTP POST: http://31.200.244.37/l.php
User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.in/l.php
User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.ru/l.php
User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.com/l.php
User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.nl/l.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.158:80
Flows TCP: 192.168.1.1:1032 ➝ 31.200.244.37:80
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 178.79.190.156:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 195.22.26.254:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1038 ➝ 72.5.65.112:80
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 176.58.104.168:80
