Analysis Date: 2018-02-06 22:22:00
MD5: 61458cc2fe3327bf7850260c6863264e
SHA1: c33d93cc24344e63a20562e3875e816b9dcc018b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 990a613526d31f7f81c42a8634687e3e  sha1: d0a6a7fbf4d0879fa2d10eeb547b2c4eecc17af0  size: 77824
Section .rdata md5: 8e90f10dafffedb9ae9d54cb9432bafa  sha1: bf2023541f8c2ef6a4d98be0030f360e1637ef4a  size: 8192
Section .data  md5: 81b040634aea6c480ae771c56be18f6b  sha1: 92754de0eb4362012e9c295e091c2e68739140da  size: 16384
Section .tls   md5: 620f0b67a91f7f74151bc5be745b7110  sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d  size: 4096
Section .rsrc  md5: b423dadb3cf84ac09d643017b90b4438  sha1: 665bc1c810301621e80d50ff0153f12748c84dae  size: 8192
Timestamp: 2014-03-17 08:28:37
Version info:
  FileDescription: DieSonne Software
  Comments: DieSonne Software
  CompanyName: DieSonne Software, GmbH.
Packer: Microsoft Visual C++ v6.0
PEhash: 6a343ca2ef9566e5d5e92c9ca55a0234ee568dbc
IMPhash: b2805e97bcab3fbbb7a11d5ce3f48e8b
AV detections:
  Arcabit (arcavir): Trojan.Agent.BCDE
  Authentium: W32/Trojan.GBEC-4665
  Grisoft (avg): Error Scanning File
  Avira (antivir): TR/Agent.loiuenana
  Alwil (avast): Malware-gen
  Alwil (avast): Win32:Malware-gen
  Ad-Aware: Trojan.Agent.BCDE
  BitDefender: Trojan.Agent.BCDE
  BullGuard: Trojan.Agent.BCDE
  ClamAV: No Virus
  Dr. Web: BackDoor.Andromeda.267
  Emsisoft: Trojan.Agent.BCDE
  MicroWorld (escan): Trojan.Agent.BCDE
  CA (E-Trust Ino): Trojan.Agent.BCDE
  Fortinet: W32/Dofoil.QTZ!tr
  Frisk (f-prot): W32/Trojan3.HTV
  F-Secure: Trojan:W32/Agent.DUTX
  Ikarus: Trojan-Downloader.Win32.Dofoil
  K7: Error Scanning File
  Kaspersky: Trojan.Win32.Generic
  MalwareBytes: Trojan.Agent
  Mcafee: PWSZbot-FTY!Gamarue
  Microsoft Security Essentials: Worm:Win32/Gamarue.I
  NANO: Trojan.Win32.Androm.cvzdwg
  Eset (nod32): Win32/TrojanDownloader.Wauchos.Z
  Padvish: No Virus
  CAT (quickheal): Worm.Gamarue.I5
  Rising: 0x5698f741
  360 Safe: No Virus
  SUPERAntiSpyware: No Virus
  Symantec: Backdoor.Trojan
  Trend Micro: BKDR_ANDROM.WSDO
  Twister: Backdoor.F91377D5BC36B4DF
  VirusBlokAda (vba32): Backdoor.Androm
  Windows Defender: Worm:Win32/Gamarue.I
  Zillya!: No Virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\c33d93cc24344e63a20562e3875e816b9dcc018b.exe

Creates File: \??\Nsi
Creates File: C:\Users\THX1138\AppData\Local\Temp\c33d93cc24344e63a20562e3875e816b9dcc018b.exe

Network Details:

DNS www.update.microsoft.com.nsatc.net (A): 65.55.50.189
DNS www.update.microsoft.com.nsatc.net (A): 65.55.50.157
DNS eriksiversen.ru (A): 195.22.26.253
DNS eriksiversen.ru (A): 195.22.26.252
DNS eriksiversen.ru (A): 195.22.26.231
DNS eriksiversen.ru (A): 195.22.26.254
DNS juliussdietz.ru (A): 195.22.26.252
DNS juliussdietz.ru (A): 195.22.26.231
DNS juliussdietz.ru (A): 195.22.26.254
DNS juliussdietz.ru (A): 195.22.26.253
DNS update.microsoft.com (A)
DNS captioncodes.ru (A)
DNS fulldag.ru (A)
DNS mantos.su (A)
HTTP POST http://eriksiversen.ru/new2/gate.php (User-Agent: Mozilla/4.0)
HTTP POST http://juliussdietz.ru/new2/gate.php (User-Agent: Mozilla/4.0)
Flow TCP 192.168.1.1:1036 ➝ 65.55.50.189:80
Flow UDP 192.168.1.1:1037 ➝ 8.8.4.4:53
Flow UDP 192.168.1.1:1038 ➝ 8.8.4.4:53
Flow TCP 192.168.1.1:1039 ➝ 195.22.26.253:80
Flow UDP 192.168.1.1:1040 ➝ 8.8.4.4:53
Flow UDP 192.168.1.1:1041 ➝ 8.8.4.4:53
Flow UDP 192.168.1.1:1042 ➝ 8.8.4.4:53
Flow UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flow TCP 192.168.1.1:1044 ➝ 195.22.26.252:80
Flow UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
Flow UDP 192.168.1.1:1046 ➝ 8.8.4.4:53
Flow UDP 192.168.1.1:1048 ➝ 8.8.4.4:53

Strings