Analysis Date: 2015-09-27 04:59:49
MD5: 503e43ba432a1a7cc8aa1cbf933f0b69
SHA1: c40fefbb601bf535a8f98c4a5a28a760daa2e00b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d88ab40f2a5389c79b9a18a4427b074b  sha1: 3d4b635b6f4ab78baf6db2824611f8946b7dd22b  size: 31744
Section .rdata md5: 593f1ed3d5ef7a5154a5ed2e64909c8c  sha1: e04d4cbe6342a3dfc0e19104d8111c0708523429  size: 15360
Section .data  md5: 9cdd072d249de88c451022afdf42e43c  sha1: 84cd1f08f5fbdd30d5b4b82bcd6fb3e1ffc49625  size: 9984
Timestamp: 2009-01-22 17:04:26
Pdb path: @
Packer: Microsoft Visual C++ 5.0
PEhash: d31ecdd5c6be30d478d51fa31196fa5e0d0f5c17
IMPhash: d71385a36f3ece46e335abdfdd5e1914
AV Authentium: W32/Trojan.PSTD-9354
AV Mcafee: no_virus
AV Padvish: no_virus
AV Frisk (f-prot): W32/Trojan2.OAQL
AV Fortinet: W32/Zbot.PKJO!tr
AV Avira (antivir): Worm/Gamarue.A.541
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV ClamAV: Win.Trojan.9125644-2
AV CA (E-Trust Ino): Win32/Gamarue.IP
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV BitDefender: Trojan.Generic.9125644
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.A
AV Twister: Trojan.Generic.ptcw
AV Zillya!: Downloader.Wauchos.Win32.485
AV Kaspersky: Trojan.Win32.Generic
AV CAT (quickheal): Worm.Gamarue.r3
AV BullGuard: Trojan.Generic.9125644
AV Arcabit (arcavir): Trojan.Generic.9125644
AV Dr. Web: BackDoor.Andromeda.22
AV F-Secure: Trojan.Generic.9125644
AV MalwareBytes: Trojan.Downloader.W
AV MicroWorld (escan): Trojan.Generic.9125644
AV Ikarus: Trojan.SuspectCRC
AV K7: Trojan ( 001d712b1 )
AV Symantec: no_virus
AV Grisoft (avg): BackDoor.Generic16.CITK
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Generic.9125644
AV Emsisoft: Trojan.Generic.9125644
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\mseisie.com\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\mseisie.com
Deletes File: C:\C40FEF~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (A) ➝ 191.232.80.55
DNS: www.update.microsoft.com.nsatc.net (A) ➝ 65.55.50.158
DNS: xdqzpbcgrvkj.ru (A) ➝ 195.22.26.254
DNS: xdqzpbcgrvkj.ru (A) ➝ 195.22.26.231
DNS: xdqzpbcgrvkj.ru (A) ➝ 195.22.26.252
DNS: xdqzpbcgrvkj.ru (A) ➝ 195.22.26.253
DNS: anam0rph.su (A) ➝ 195.22.26.253
DNS: anam0rph.su (A) ➝ 195.22.26.254
DNS: anam0rph.su (A) ➝ 195.22.26.231
DNS: anam0rph.su (A) ➝ 195.22.26.252
DNS: orzdwjtvmein.in (A) ➝ 195.22.26.254
DNS: orzdwjtvmein.in (A) ➝ 195.22.26.231
DNS: orzdwjtvmein.in (A) ➝ 195.22.26.252
DNS: orzdwjtvmein.in (A) ➝ 195.22.26.253
DNS: ygiudewsqhct.in (A) ➝ 52.28.249.128
DNS: bdcrqgonzmwuehky.nl (A) ➝ 176.58.104.168
DNS: somicrososoft.ru (A) ➝ 193.201.224.46
DNS: www.update.microsoft.com (A) ➝ (no answer recorded)
HTTP POST: http://xdqzpbcgrvkj.ru/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://anam0rph.su/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://orzdwjtvmein.in/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://ygiudewsqhct.in/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://bdcrqgonzmwuehky.nl/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://somicrososoft.ru/in.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 191.232.80.55:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.254:80
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1035 ➝ 195.22.26.253:80
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1037 ➝ 195.22.26.254:80
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1039 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 176.58.104.168:80
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1043 ➝ 193.201.224.46:80

Strings