Analysis Date: 2016-01-28 13:28:31
MD5: 3225b7980d47f4cb71bf94e27b9c2436
SHA1: c482da39e32bffcbba8ddee111e06b278c24fdc4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8faeaea680be8443a4af0f9756d4a397 sha1: 00c712df5dbe2ff074df2812665dd878f6f897fc size: 22528
Section .rdata: md5: 2b846fa0c18df0d577e3b31378e88a8b sha1: 96bd0a77a2f033d7b1ddfda61b1fecaebb239f0a size: 2048
Section .data: md5: 60b982de5fb7191e6db339c9a2c41d34 sha1: 335f4fdcc50a700b6e3b39a147e9bebe11cec1da size: 10752
Section .rsrc: md5: 54f8a76d6633e4bec5ad23429c2fe013 sha1: a7349390da21de8bd1d4ad83c60d407b7ecf1bb9 size: 60416
Timestamp: 2013-07-13 13:04:07
Version:
  LegalCopyright: Copyright Akiz© 1983
  InternalName: Dalem
  FileVersion: 6, 2, 1, 1
  CompanyName: House
  PrivateBuild: Lepi
  LegalTrademarks: Derko©
  Comments: Zemal
  ProductName: Zile
  SpecialBuild: Apol
  ProductVersion: 2, 1, 3, 2
  FileDescription: Ziro
  OriginalFilename: Sabor
Packer: Microsoft Visual C++ v6.0
PEhash: cbd9e2d95c8f48e9fcc19615a3641ca0ebbe9cb3
IMPhash: 9d6cc344bd6cf9b3a1a58080690fe70f
AV Rising: Worm.Win32.Gamarue.j
AV Mcafee: W32/Worm-FKU!Gamarue
AV Avira (antivir): Worm/Gamarue.llgwb
AV Twister: Trojan.C36A64C5A2716296
AV Ad-Aware: Gen:Variant.Symmi.26024
AV Alwil (avast): Downloader-TWY [Trj]
AV Eset (nod32): Win32/Injector.ALPK
AV Grisoft (avg): BackDoor.Generic17.ADYC
AV Symantec: Packed.Dromedan!gen7
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Symmi.26024
AV K7: Trojan ( 004481bf1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV MicroWorld (escan): Gen:Variant.Symmi.26024
AV MalwareBytes: Backdoor.Bot
AV Authentium: W32/Gamarue.B.gen!Eldorado
AV Frisk (f-prot): W32/Gamarue.B.gen!Eldorado
AV Ikarus: Trojan-Dropper.Win32.Gamarue
AV Emsisoft: Gen:Variant.Symmi.26024
AV Zillya!: Backdoor.Androm.Win32.1537
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: WORM_GAMARUE.SMV
AV CAT (quickheal): Worm.Gamarue.A5
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183
AV BullGuard: Gen:Variant.Symmi.26024
AV Arcabit (arcavir): Gen:Variant.Symmi.26024
AV ClamAV: Win.Trojan.Gamarue-28
AV Dr. Web: BackDoor.Andromeda.178
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccrkpam.com\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccrkpam.com
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
  Type: A
  134.170.58.222
DNS: www.update.microsoft.com.nsatc.net
  Type: A
  191.232.80.55
DNS: www.update.microsoft.com
  Type: A
DNS: morphed.ru
  Type: A
DNS: amnsreiuojy.ru
  Type: A
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.222:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
