Analysis Date: 2015-10-27 02:29:52
MD5: ebf157abfe656d87e43a63ca91507996
SHA1: c55d36abdea37cfc58d788e4efbef4111eaeb986

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: 85190e8eb1c8d72ebbccf4639eb9421d  sha1: 1edcbb6cf9e4261af6966e117265392162ba548e  size: 20480
Section .rdata: md5: 856ccaa7d78f278a01048093d6f7c9d5  sha1: 6ec8d859481d211bf5bc2a8d2d68d523943c4f60  size: 8192
Section .data:  md5: 4805e103b08e96a4fe517035f700d11c  sha1: 45574152397be199b10a4cd19d9031883a1d7f26  size: 73728
Section .rsrc:  md5: 844b623502f8219f25e94a8b4e96cc58  sha1: 74b444fc15719f8369007267886f3565a1204e66  size: 61440
Timestamp: 2015-03-26 08:29:35
Version info:
  LegalCopyright: Copyright (C) 2014
  InternalName:
  FileVersion: 6.1.7600.16385
  CompanyName: Microsoft Corporation. All rights reserved.
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName:
  SpecialBuild:
  ProductVersion: 6, 1, 7600, 16385
  FileDescription:
  OriginalFilename:
Packer: Microsoft Visual C++ v6.0 (compiler signature; no packer detected)
PEhash: 7a455bf3e32667bd260962ba1a41d317bed38388
IMPhash: 4f3d6df29aed03d098d53c60e71d6007
AV Rising: no_virus
AV Mcafee: BackDoor-FCWB!EBF157ABFE65
AV Avira (antivir): TR/AD.Plugx.M.5
AV Twister: W32.Korplug.GZ.rvmf
AV Ad-Aware: Gen:Variant.Symmi.54335
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Korplug.GZ
AV Grisoft (avg): BackDoor.Generic19.CAQ
AV Symantec: Backdoor.Korplug
AV Fortinet: W32/Gulpix.BJ!tr.bdr
AV BitDefender: Gen:Variant.Symmi.54335
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.54335
AV MalwareBytes: no_virus
AV Authentium: W32/Backdoor.STWT-5492
AV Frisk (f-prot): W32/Backdoor2.HYZO
AV Ikarus: no_virus
AV Emsisoft: Gen:Variant.Symmi.54335
AV Zillya!: Backdoor.Gulpix.Win32.220
AV Kaspersky: Backdoor.Win32.Gulpix.vir
AV Trend Micro: BKDR_PL.F46286AF
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.54335
AV Arcabit (arcavir): Gen:Variant.Symmi.54335
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.54335
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps_user.dat
Creates Process: C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84
Creates Mutex: Fast

Process
↳ C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: nvdisps_event
Winsock DNS: 211.226.71.4
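The process tree above shows the dropper writing nvdisps.dll to the user's Temp directory and then loading it through rundll32.exe, calling the export ShadowPlay with the argument 84. As an added example (not part of the sandbox report), the Python below parses rundll32 command lines and correlates them with earlier file-create events from the same parent process, so the drop-then-load pattern is flagged while a normal rundll32 invocation of a System32 DLL is not. The event records are constructed from the entries in this report; the field names (type, process, parent, path, cmdline) are my own assumptions, not a particular sandbox or EDR schema.

```python
import re
from typing import Dict, List, Optional

# Matches "rundll32[.exe] <dll>,<export> [args]"; the DLL path may be quoted.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

# Path fragments marking directories an unprivileged user can write to.
# A DLL that rundll32 loads from one of these deserves a closer look.
USER_WRITABLE_MARKERS = (
    "\\local settings\\temp\\",   # XP-era profile layout, as in this report
    "\\appdata\\local\\temp\\",   # Vista+ profile layout
    "\\users\\public\\",
    "\\programdata\\",
)


def parse_rundll32(cmdline: str) -> Optional[Dict[str, object]]:
    """Split a rundll32 command line into DLL path, export name and arguments."""
    m = RUNDLL32_RE.search(cmdline)
    if m is None:
        return None
    dll = m.group("dll").strip()
    return {
        "dll": dll,
        "export": m.group("export"),
        "args": (m.group("args") or "").strip(),
        "from_user_writable": any(mark in dll.lower() for mark in USER_WRITABLE_MARKERS),
    }


# Constructed event records modelled on the process tree in this report; the
# field names are an assumption, not a particular sandbox or EDR schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file_create", "process": "C:\\malware.exe",
     "path": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\nvdisps.dll"},
    {"type": "file_create", "process": "C:\\malware.exe",
     "path": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\nvdisps_user.dat"},
    {"type": "process_create", "parent": "C:\\malware.exe",
     "cmdline": 'C:\\WINDOWS\\system32\\rundll32.exe '
                '"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\nvdisps.dll", ShadowPlay 84'},
    # Benign control: explorer launching a Control Panel applet from System32.
    {"type": "process_create", "parent": "C:\\WINDOWS\\explorer.exe",
     "cmdline": "C:\\WINDOWS\\system32\\rundll32.exe shell32.dll,Control_RunDLL"},
]


def find_dropped_dll_launches(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag rundll32 launches whose DLL was written earlier by the launching process.

    Events must be in chronological order. Each hit records which process
    dropped the DLL, where it sits, and which export/arguments were requested.
    """
    written_by: Dict[str, str] = {}  # lowercased path -> process that created it
    hits: List[Dict[str, object]] = []
    for ev in events:
        if ev["type"] == "file_create":
            written_by[ev["path"].lower()] = ev["process"]
        elif ev["type"] == "process_create":
            parsed = parse_rundll32(ev["cmdline"])
            if parsed is None:
                continue
            dropper = written_by.get(str(parsed["dll"]).lower())
            if dropper is not None and dropper.lower() == ev["parent"].lower():
                hits.append({"dropper": dropper, **parsed})
    return hits


if __name__ == "__main__":
    for hit in find_dropped_dll_launches(SAMPLE_EVENTS):
        print(f"{hit['dropper']} dropped {hit['dll']} and called {hit['export']}({hit['args']}) "
              f"via rundll32; user-writable directory: {hit['from_user_writable']}")
```

The correlation is deliberately keyed on the parent process rather than on the path alone: legitimate installers also write DLLs to Temp, but a dropper that writes a DLL and immediately asks rundll32 to call a named export from it is the sequence this report shows.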

Network Details:

HTTP POST: http://211.226.71.4:443/update?id=002e4098
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 211.226.71.4:443
Flows TCP: 192.168.1.1:1031 ➝ 211.226.71.4:443

Raw Pcap
0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303265 34303938 20485454 502f312e   002e4098 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   48536573 73696f6e 3a20300d 0a485374   HSession: 0..HSt
0x00000040 (00064)   61747573 3a20300d 0a485369 7a653a20   atus: 0..HSize: 
0x00000050 (00080)   36313435 360d0a48 536e3a20 310d0a55   61456..HSn: 1..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b202e4e   ndows NT 5.1; .N
0x000000a0 (00160)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a203231   ; SV1)..Host: 21
0x000000c0 (00192)   312e3232 362e3731 2e340d0a 436f6e74   1.226.71.4..Cont
0x000000d0 (00208)   656e742d 4c656e67 74683a20 300d0a43   ent-Length: 0..C
0x000000e0 (00224)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000f0 (00240)   416c6976 650d0a43 61636865 2d436f6e   Alive..Cache-Con
0x00000100 (00256)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000110 (00272)   0d0a                                  ..
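The capture is a plaintext HTTP POST sent to TCP port 443, so any detection that assumes port 443 carries TLS will miss it. As an added example (not part of the report), the Python below rebuilds the request bytes from the hex dump shown above, parses the request line, query string and headers, and extracts the four non-standard headers in the capture (HSession, HStatus, HSize, HSn) that a network signature for this beacon would key on. The hex dump text is copied from the Raw Pcap section; the parsing functions and the BEACON_HEADERS tuple are my own.

```python
import re
from typing import Dict, Tuple

# Hex dump copied verbatim from the Raw Pcap section of this report.
RAW_PCAP_DUMP = """\
0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303265 34303938 20485454 502f312e   002e4098 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   48536573 73696f6e 3a20300d 0a485374   HSession: 0..HSt
0x00000040 (00064)   61747573 3a20300d 0a485369 7a653a20   atus: 0..HSize:
0x00000050 (00080)   36313435 360d0a48 536e3a20 310d0a55   61456..HSn: 1..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b202e4e   ndows NT 5.1; .N
0x000000a0 (00160)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a203231   ; SV1)..Host: 21
0x000000c0 (00192)   312e3232 362e3731 2e340d0a 436f6e74   1.226.71.4..Cont
0x000000d0 (00208)   656e742d 4c656e67 74683a20 300d0a43   ent-Length: 0..C
0x000000e0 (00224)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000f0 (00240)   416c6976 650d0a43 61636865 2d436f6e   Alive..Cache-Con
0x00000100 (00256)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000110 (00272)   0d0a                                  ..
"""

HEX_GROUP = re.compile(r"^(?:[0-9a-f]{2})+$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the packet payload from the report's hex dump.

    Line layout: '0x<hex offset> (<decimal offset>)   <up to four 4-byte hex
    groups>   <ascii rendering>'. The ASCII column can itself look like a hex
    group (the second line's text starts with '002e4098'), so at most four
    groups are taken per line and each line's offset is checked against the
    number of bytes rebuilt so far.
    """
    payload = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        offset = int(tokens[0], 16)
        if offset != len(payload):
            raise ValueError(f"offset 0x{offset:x} but {len(payload)} bytes rebuilt so far")
        for tok in tokens[2:6]:
            if not HEX_GROUP.match(tok):
                break
            payload += bytes.fromhex(tok)
    return bytes(payload)


def parse_http_request(payload: bytes) -> Dict[str, object]:
    """Split an HTTP/1.x request into method, path, query parameters, headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params: Dict[str, str] = {}
    for kv in filter(None, query.split("&")):
        key, _, value = kv.partition("=")
        params[key] = value
    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {"method": method, "path": path, "params": params, "version": version,
            "headers": headers, "body": body}


# The non-standard headers carried by the beacon in this capture.
BEACON_HEADERS: Tuple[str, ...] = ("HSession", "HStatus", "HSize", "HSn")


def beacon_indicators(req: Dict[str, object]) -> Dict[str, str]:
    """Return the beacon headers present in the request (empty dict if none)."""
    headers = req["headers"]
    return {name: headers[name.lower()] for name in BEACON_HEADERS if name.lower() in headers}


if __name__ == "__main__":
    request = parse_http_request(dump_to_bytes(RAW_PCAP_DUMP))
    print(request["method"], request["path"], request["params"], request["headers"]["host"])
    print("beacon headers:", beacon_indicators(request))
```

Rebuilding from the dump rather than trusting the ASCII column matters here: the ASCII rendering replaces CR/LF with dots, so the header boundaries are only recoverable from the hex bytes. The offset check also catches a truncated or mis-copied dump line before it silently shifts every later byte.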


Strings