Analysis Date: 2015-10-03 08:35:09
MD5: 0b4af7236137a8e7d2b9e7a7c76a1c3f
SHA1: c3757cc2d512be273050bf3c8b14b268b7a3971b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2a86b8b919c9d8aa04e678dbbaddd160 sha1: 5d32e2861c9a11012d822c3ba1324e02a9e69383 size: 10752
Section .rdata md5: e788909ec8696720b13681e424722f64 sha1: 84d524d7a3ca3551b9ccd9770686641d7f9a6d23 size: 1024
Section .data  md5: 225c18d94fba518e62cbb57ce5d5293f sha1: 0d640875688b8e18b86bfcd18d8eeb88102f9d07 size: 512
Section .rsrc  md5: 7bccf8784f87ff7063a8e6a9b3beed8d sha1: 9159681cbc49203b4eb128fb58af573636746500 size: 26112
Timestamp: 2013-01-10 09:52:23
Version:
  LegalCopyright: Copyright Divine© 2012
  InternalName: CheckSum Fixer
  FileVersion: 1, 0, 0, 1
  CompanyName: Divine
  PrivateBuild:
  LegalTrademarks: Divine©
  Comments:
  ProductName: Divine CRC CheckSum Fixer
  SpecialBuild:
  ProductVersion: 1, 0, 1, 1
  FileDescription: CRC CheckSum Fixer
  OriginalFilename: CheckSum Fixer.exe
Packer: Borland Delphi 3.0 (???)
PEhash: 3fc800ead75e557092a09507dd22eecddc62a8c6
IMPhash: d97d17d9a641a3b5a61211b49db88104
AV Rising: no_virus
AV Mcafee: BackDoor-FANY!0B4AF7236137
AV Avira (antivir): TR/Dldr.Andromeda.gse
AV Twister: Trojan.82DBF1A739918C53
AV Ad-Aware: Gen:Variant.Gamarue.1
AV Alwil (avast): Dropper-gen [Drp]
AV Eset (nod32): Win32/Injector.ABED
AV Grisoft (avg): Worm/Generic_r.KA
AV Symantec: no_virus
AV Fortinet: W32/Injector.ABED!tr
AV BitDefender: Gen:Variant.Gamarue.1
AV K7: Trojan ( 001d712b1 )
AV Microsoft Security Essentials: TrojanDropper:Win32/Gamarue.F
AV MicroWorld (escan): Gen:Variant.Gamarue.1
AV MalwareBytes: Backdoor.Agent.RS
AV Authentium: W32/Andromeda.D.gen!Eldorado
AV Frisk (f-prot): W32/Andromeda.D.gen!Eldorado
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV Emsisoft: Gen:Variant.Gamarue.1
AV Zillya!: Trojan.Injector.Win32.317806
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: BKDR_ANDROM.SMB
AV CAT (quickheal): Worm.Gamarue.B
AV VirusBlokAda (vba32): TrojanDownloader.Andromeda
AV Padvish: Worm.Win32.Gamarue.V61
AV BullGuard: Gen:Variant.Gamarue.1
AV Arcabit (arcavir): Gen:Variant.Gamarue.1
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.22
AV F-Secure: Gen:Variant.Gamarue.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: DBWinMutex

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msroyczi.pif\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msroyczi.pif
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\C3757C~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.189
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 157.55.240.94
DNS: xjpakmdcfuqe.in (Type: A) ➝ 178.79.190.156
DNS: xjpakmdcfuqe.ru (Type: A) ➝ 195.22.26.254
DNS: xjpakmdcfuqe.ru (Type: A) ➝ 195.22.26.231
DNS: xjpakmdcfuqe.ru (Type: A) ➝ 195.22.26.252
DNS: xjpakmdcfuqe.ru (Type: A) ➝ 195.22.26.253
DNS: xjpakmdcfuqe.com (Type: A) ➝ 72.5.65.113
DNS: xjpakmdcfuqe.com (Type: A) ➝ 72.5.65.113
DNS: xjpakmdcfuqe.nl (Type: A) ➝ 176.58.104.168
DNS: www.update.microsoft.com (Type: A)
DNS: xjpakmdcfuqe.biz (Type: A)
HTTP POST: http://31.200.244.37/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.in/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.ru/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.com/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.nl/l.php (User-Agent: Mozilla/4.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.189:80
Flows TCP: 192.168.1.1:1032 ➝ 31.200.244.37:80
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 178.79.190.156:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 195.22.26.254:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1038 ➝ 72.5.65.113:80
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 176.58.104.168:80
