Analysis Date: 2018-03-05 16:39:53
MD5: aec87e7ed8085293b4c6ea92931f4a18
SHA1: c70a607c74292f700e25a6972a1e0c87020bc7f0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 f8b419e5da2f0cd0c0fed6637d9771d5, sha1 3ab1374c484ab0cadfd8d38c614f19210818e35d, size 137216
Section .rdata: md5 578c9dfc9985167d6874d2c491012cb7, sha1 a07699d400532405c4542869dd5d1a1a28009779, size 6144
Section .data: md5 1b1dc12e5f8fe04cb5293b5030cdf096, sha1 85fed753fa1e81be866200fad8072d5cadcbdf1b, size 2560
Section .rsrc: md5 b3149d1552f985df644d5f5185107dec, sha1 c9052d1671e8bba0375381179252f69e28c2eaa8, size 2048
Timestamp (PE header compile time): 2006-07-02 17:45:24
Packer / compiler signature match: Microsoft Visual C++ v6.0 (a compiler signature, not a packer; the Kryptik / Crypt.Xpack names below point to an additional crypter layer)
PEhash: f0fc0c122cbc8b5e295bce4c87ba5c159006f06d
IMPhash: bfd7db883abb7f2ccb580757048a7191
AV F-Secure: Trojan.GenericKD.2327286
AV 360 Safe: No Virus
AV Kaspersky: No Virus
AV Rising: No Virus
AV BullGuard: Trojan.GenericKD.2327286
AV Avira (antivir): TR/Crypt.Xpack.190195
AV Grisoft (avg): Generic_r.ERQ
AV Symantec: Trojan.Gen.2
AV ClamAV: No Virus
AV Windows Defender: Trojan:Win32/Bulta!rfn
AV CA (E-Trust Ino): Trojan.GenericKD.2327286
AV Fortinet: Error Scanning File
AV Eset (nod32): Win32/Kryptik.DEYX
AV Emsisoft: Trojan.GenericKD.2327286
AV NANO: Trojan.Win32.Goo.dqltbs
AV Arcabit (arcavir): Trojan.GenericKD.2327286
AV Ad-Aware: Trojan.GenericKD.2327286
AV MalwareBytes: Trojan.Agent.ALTV
AV SUPERAntiSpyware: No Virus
AV Padvish: No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Trend Micro: No Virus
AV Frisk (f-prot): No Virus
AV Authentium: W32/Trojan.VHVK-5274
AV BitDefender: Trojan.GenericKD.2327286
AV CAT (quickheal): TrojanDownloader.Goo
AV Microsoft Security Essentials: No Virus
AV K7: Error Scanning File
AV Twister: TrojanDldr.Goo.xso.dqbd
AV Alwil (avast): GenMalicious-KOE [Trj]
AV Mcafee: No Virus
AV Zillya!: Downloader.Goo.Win32.2120
AV Dr. Web: Trojan.DownLoad3.35231
AV MicroWorld (escan): Trojan.GenericKD.2327286
AV VirusBlokAda (vba32): TrojanDownloader.Goo

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\c70a607c74292f700e25a6972a1e0c87020bc7f0.exe

Creates Mutex: Global\MD7H82HHF7EH2D73
Creates Mutex: (three further mutexes; names not captured by the report)
Registry: HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150410
Registry: HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\nvUpdSrv\GUID ➝ 62206f2e-8775-41af-9739-4119f519522f

Network Details:

HTTP GET: http://108.163.252.250:48105/stat?uid=100&downlink=1111&uplink=1111&id=0001676F&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=
User-Agent: (empty)
HTTP GET: http://96.127.146.114:27042/stat?uid=100&downlink=1111&uplink=1111&id=00017B45&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=
User-Agent: (empty)
HTTP GET: http://193.224.177.4:18532/stat?uid=100&downlink=1111&uplink=1111&id=00018EDD&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=
User-Agent: (empty)
HTTP GET: http://178.33.248.60:46612/stat?uid=100&downlink=1111&uplink=1111&id=0001A2A3&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=
User-Agent: (empty)
HTTP GET: http://205.186.143.129:21583/stat?uid=100&downlink=1111&uplink=1111&id=0001B63B&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=
User-Agent: (empty)
HTTP GET: http://65.60.1.90:11982/stat?uid=100&downlink=1111&uplink=1111&id=0001CA11&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=
User-Agent: (empty)
HTTP GET: http://85.92.138.200:18150/stat?uid=100&downlink=1111&uplink=1111&id=0001DDA9&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 108.163.252.250:48105
Flows TCP: 192.168.1.1:1032 ➝ 96.127.146.114:27042
Flows TCP: 192.168.1.1:1033 ➝ 193.224.177.4:18532
Flows TCP: 192.168.1.1:1034 ➝ 178.33.248.60:46612
Flows TCP: 192.168.1.1:1035 ➝ 205.186.143.129:21583
Flows TCP: 192.168.1.1:1036 ➝ 65.60.1.90:11982
Flows TCP: 192.168.1.1:1037 ➝ 85.92.138.200:18150
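The seven check-ins above share one shape: path /stat, the same eleven query parameters in the same order, a fixed statpass=bpass, an empty User-Agent, and a high non-standard destination port. The version and comment parameters (15150410) equal the value the sample wrote under HKCU\Software\NVIDIA Corporation\Global\nvUpdSrv, the guid in the URL does not match the GUID written to the registry, and the hex id field rises by roughly 5000 per request while the source ports run 1031 through 1037, i.e. seven sequential connections. The script below is an added example, not part of the sandbox report: it loads the seven URLs verbatim from the report, extracts those invariants, and wraps them in a matching predicate that could be run over proxy or web-access logs. The parameter-order check, the port heuristic and the function names are the editor's assumptions, not something the report states.

```python
from urllib.parse import urlsplit, parse_qs

# The seven beacons from the Network Details section, copied verbatim.
# The second element is the recorded User-Agent, which was empty in every case.
BEACONS = [
    ("http://108.163.252.250:48105/stat?uid=100&downlink=1111&uplink=1111&id=0001676F&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=", ""),
    ("http://96.127.146.114:27042/stat?uid=100&downlink=1111&uplink=1111&id=00017B45&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=", ""),
    ("http://193.224.177.4:18532/stat?uid=100&downlink=1111&uplink=1111&id=00018EDD&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=", ""),
    ("http://178.33.248.60:46612/stat?uid=100&downlink=1111&uplink=1111&id=0001A2A3&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=", ""),
    ("http://205.186.143.129:21583/stat?uid=100&downlink=1111&uplink=1111&id=0001B63B&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=", ""),
    ("http://65.60.1.90:11982/stat?uid=100&downlink=1111&uplink=1111&id=0001CA11&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=", ""),
    ("http://85.92.138.200:18150/stat?uid=100&downlink=1111&uplink=1111&id=0001DDA9&statpass=bpass&version=15150410&features=30&guid=8b92d71b-d96b-4940-8ded-48d6c1be5ed4&comment=15150410&p=0&s=", ""),
]

# Registry artifacts from the Runtime Details section, for cross-checking.
REGISTRY_VALUE = "15150410"                              # ...\nvUpdSrv\value
REGISTRY_GUID = "62206f2e-8775-41af-9739-4119f519522f"  # ...\nvUpdSrv\GUID

# Parameter names every beacon carried, in the order they appeared.
STAT_PARAMS = ("uid", "downlink", "uplink", "id", "statpass", "version",
               "features", "guid", "comment", "p", "s")


def parse_beacon(url):
    """Split a beacon URL into (host, port, path, params).

    keep_blank_values is required: the trailing 's=' is part of the shape
    and would otherwise be dropped. Dict order follows query order (3.7+).
    """
    u = urlsplit(url)
    params = {k: v[0] for k, v in
              parse_qs(u.query, keep_blank_values=True).items()}
    return u.hostname, u.port, u.path, params


def is_stat_beacon(url, user_agent):
    """Heuristic match for this sample's check-in (editor's assumption).

    Requires the /stat path, the exact parameter set in the observed order,
    the fixed statpass, an empty User-Agent and a non-standard HTTP port.
    """
    host, port, path, params = parse_beacon(url)
    return (path == "/stat"
            and tuple(params) == STAT_PARAMS
            and params.get("statpass") == "bpass"
            and user_agent == ""
            and port not in (None, 80, 8080))


def constant_fields(beacons):
    """Parameters whose value is identical across every beacon."""
    parsed = [parse_beacon(u)[3] for u, _ in beacons]
    first = parsed[0]
    return {k: first[k] for k in first
            if all(p.get(k) == first[k] for p in parsed)}


def id_deltas(beacons):
    """Differences between consecutive hex 'id' values, in request order."""
    ids = [int(parse_beacon(u)[3]["id"], 16) for u, _ in beacons]
    return [b - a for a, b in zip(ids, ids[1:])]


def c2_endpoints(beacons):
    """(host, port) pairs contacted, in request order; feed these to a blocklist."""
    return [(h, p) for h, p, _, _ in (parse_beacon(u) for u, _ in beacons)]


if __name__ == "__main__":
    print("matches:", [is_stat_beacon(u, ua) for u, ua in BEACONS])
    print("constant:", constant_fields(BEACONS))
    print("id deltas:", id_deltas(BEACONS))
    print("endpoints:", c2_endpoints(BEACONS))
```

Running it shows that only id varies between the seven requests, that version and comment equal the registry value, that the URL guid is not the registry GUID, and that the id steps are all between 5000 and 5100. Treat the endpoint list as dated: the report is from 2018 and these hosts and ports should be re-verified before blocking.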

Strings
.
..'..A.2..{.h
$
.....T
*j
Sga.k..$..
...."A.`...N~...{..Y.h~..,.CF`1...q0...
....c.
....
...p...}..Q
.u.h.P3../fY`..I.j....
..m.z.......hP.;Jv.tXz..~xChR.
.............
....U,,2MYX..ft).,F.Lf.....UT|.*o.....-..)..G
.
.].P..E..^...CX0..I...[<
?..E....
..|Dxo...b
8+R.tV... ?...v..><Bs~Ot.R..p.....E;.n.NxX..t`~..M.+
8..7$=^b.p.]....[.L;o
.XZ.#...o8..C.|Y1...t...D.Q.|X.G.i.Q}2Z|.`.6....-..OG6..Q.9..9`@@...."E..d.>B:......."\..~..8.-.
.]..G..x@..,H.s.
4......h....b
......=R..
.p
.$.4h..P.,Yf.
K.fS.........E...}$%R....I....[...@....Y.
...r.g..
h2
..<[.R..N_*
dd:
.{
..
5Lna,.VV+........aD....5...
f/
:..l!.4K....
...
Q..F.6..@.0...

040904b0
140, 151, 51, 206
33, 166, 147, 22
Comments
CompanyName
DMT and Associates
FileDescription
FileVersion
gripped
hacked
harriers
holder
illegitimately
imaged
inclination
InternalName
ketchup
LegalCopyright
LegalTrademarks
lifestyles
metaphors
monies
neediest
numerate
octant
odin
OriginalFilename
panics
passivity
perfected
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
3AoEr 
3@ee$e
$3HoPr$
3Le$eA
3 oot@
3@rL e
3u@t$ L
4b'A	9
5zRich
7j:90.&
 A3H$rDo
a5ue=2y
@A$AH@
A AtrA P@
_acmdln
AddJobW
_adjust_fdiv
aebY2L
a*	g{$&
@$$AHE
AoeeAP
APDHPLt$E
apkUapuBc
APuPHo
AttachThreadInput
bBc dR
CallMsgFilterW
CFEonCYUj
CharNextExA
ChildWindowFromPointEx
CLUSAPI.dll
ClusterRegSetKeySecurity
cnIhRbBdt
CoInternetCombineUrl
CoInternetCreateZoneManager
comdlg32.dll
_controlfp
CopyRect
CopyStgMedium
CountClipboardFormats
CreatePipe
CreateWindowExA
czm%m.
D3EA3DL
$DAAALH
@.data
DceErrorInqTextW
DdeConnect
$ @D$E
DE3ooH
@@ DE3u
DefFrameProcW
DeleteMenu
DeletePrinterDriverExA
DH3HD3e
DhlVWfuVYNh
DialogBoxParamW
DLbigXLg
DLo$P3t
DouAHer
DrH@AEr$
D+RMVP
@DtAtu3
DuAu@eu  @
Due3A@
d;xH{D
ebnTCS
EDLu3H
e_%ECY
$eeED$PP
EEe$PE$
E erP$
E@HPE$
eIWHyKNFhX
EoAHAt
Eo H@D
Eo @ut
EPfxcBDGPW
E$PH$uP
$ePtou
ePttHru 
Er3ot 
$Er@A$3 
 ete3r
EtEteeE  @e@r
eT$'o%&
eu @3E
EuHu L
_except_handler3
fCBFLG
FindFirstFileW
FindMimeFromData
FindResourceA
FindWindowA
f)[))iVu
FnpPfJEB
FrameRect
FreeDDElParam
FreeLibraryAndExitThread
GetClassInfoA
GetClusterNetworkKey
GetConsoleCP
GetDesktopWindow
GetFileAttributesExA
GetKeyboardState
GetKeyNameTextW
__getmainargs
GetModuleHandleA
GetOpenFileNameW
GetPrivateProfileIntA
GetProfileIntW
GetStartupInfoA
GetStartupInfoW
GetSubMenu
GetWindowLongA
GetWindowTextLengthW
GetWindowTextW
gNBcmx
  @@@H
HAeHEe
H$$DA3HP3t $
HeapDestroy
HH E AEH
HHLruou
HLuu@DE
HtDuHDo
H@trD 
HuDtt3
hvldHuCAQBJ
\/iBz!
iLGEHIq
_initterm
I_RpcNsBindingSetEntryNameA
I_RpcSsDontSerializeContext
IsCharAlphaA
IsChild
IsDialogMessageA
IsRectEmpty
IUnknown_AddRef_Proxy
JsRAeBQcF
JyUODOMg
KERNEL32.dll
Ki^T(P
	*K>nY
L3ouuHe$@r 
L3ro3LL
@L@@A@
LA@or3@
L$AuerD
 LDeLD
LDet3A
LDLEor A3
lDMLlS
LD$PPo
lfJC}c
$LLPDeL
LLtr$r @
LoadMenuIndirectA
lo?b`p~
Lo eoeoEE
L$$P@HoA$
LtAE 3
L t or
lWWWBmEdyvH
MA$&"a
MessageBoxIndirectW
midiOutGetErrorTextW
MPR.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
Msi.dll
MSVCRT.dll
NDRCContextUnmarshall
NdrConformantVaryingArrayBufferSize
NdrConformantVaryingStructFree
NdrConvert2
NdrEncapsulatedUnionMarshall
NdrFixedArrayBufferSize
NdrFullPointerXlatInit
NdrGetDcomProtocolVersion
NdrInterfacePointerFree
NdrInterfacePointerUnmarshall
NdrNonConformantStringBufferSize
NdrNonEncapsulatedUnionUnmarshall
NdrNsGetBuffer
NDRSContextMarshall
NdrServerCall2
NdrServerContextMarshall
NdrServerMarshall
NdrSimpleStructMarshall
NdrUserMarshalMarshall
NdrVaryingArrayMarshall
NdrXmitOrRepAsFree
nKvONjSeqj
#'NM9>8<-
NotifyWinEvent
ntte])`
o@3e3t
_< OCH
@o$ELuA@tA
oH@EtD
OLEAUT32.dll
ooLtLAe
oPE@rt@o
o$PPPu
orHP L
ou3$uE
ouELPo
{O+z<)c
$P$3Er 
PAAtD@
@PAPD@E
PArtD$
PathMakeSystemFolderW
PathRemoveBlanksA
P{C110
__p__commode
PdhCollectQueryData
PdhComputeCounterStatistics
pdh.dll
PdhEnumMachinesW
PdhEnumObjectItemsW
PdhExpandCounterPathW
PdhFormatFromRawValue
PdhLookupPerfNameByIndexA
PE  H 
PEt oL
__p__fmode
pKwXxCV
PLuLer
PourL3r
PPEteA
PrP@uuHH
qjqimue
qpnURJ
	/\/%R
RASAPI32.dll
RasEditPhonebookEntryA
RasEnumEntriesA
RasGetProjectionInfoW
RasRenameEntryA
`.rdata
rDAuD@
r e@D@H
reuuLE
r$H3DP
rHLA3D3
$$r Hr$ooHL
'rmX-I02H
roeHLE
roeutHE
RpcBindingReset
RpcBindingSetAuthInfoExW
RpcBindingSetOption
RpcImpersonateClient
RpcMgmtEnableIdleCleanup
RpcMgmtInqComTimeout
RpcNetworkInqProtseqsW
RpcNsBindingInqEntryNameA
RpcNsBindingInqEntryNameW
RPCRT4.dll
RpcServerRegisterAuthInfoW
RpcServerUseAllProtseqsEx
RpcServerUseProtseqExA
RpcSsDisableAllocate
RpcSsDontSerializeContext
r@@PEH
RQBLFTlbL
@@@  rt3uA$r
:r}WLgkjjF
ScreenToClient
ScrollWindow
SendMessageTimeoutA
SendMessageW
__set_app_type
SetClusterName
SetDlgItemTextW
SetupAddSectionToDiskSpaceListW
SETUPAPI.dll
SetupDecompressOrCopyFileW
SetupDiBuildDriverInfoList
SetupDiCreateDeviceInfoW
SetupDiCreateDevRegKeyW
SetupDiGetActualSectionToInstallW
SetupDiGetClassDevsExW
SetupDiGetDeviceInfoListDetailA
SetupDiGetDeviceInstallParamsW
SetupDiGetDeviceInterfaceDetailW
SetupDiInstallDevice
SetupDiRemoveDeviceInterface
SetupFreeSourceListA
SetupFreeSourceListW
SetupGetFileCompressionInfoA
SetupGetMultiSzFieldA
SetupGetSourceInfoW
SetupOpenMasterInf
SetupPromptForDiskW
SetupQueryInfVersionInformationW
SetupQuerySourceListA
SetupQueueCopyW
SetupQueueRenameSectionA
SetupQueueRenameSectionW
SetupRemoveFromSourceListA
SetupRemoveFromSourceListW
SetupRemoveInstallSectionFromDiskSpaceListA
SetupSetSourceListW
__setusermatherr
SHLWAPI.dll
SHRegGetBoolUSValueW
t 3Per 
!This program cannot be run in DOS mode.
tr@Aet
TranslateAcceleratorW
trEP$P
[!{Tu=
tu@oA@
u3PP@u H
uArPPLH
uo$o@H
u PEtrr
u$Po oLrt
urlmon.dll
USER32.dll
utEPu$
u}^*	u
}Uv =7
VsssUMIi
VyUFKYHC
+"wEa+
WINMM.dll
WINSPOOL.DRV
WNetAddConnection3W
WNetAddConnectionA
WNetConnectionDialog
WNetDisconnectDialog
WNetGetNetworkInformationA
WNetGetUniversalNameW
WNetOpenEnumW
wuqwO0F
wvsprintfA
_XcptFilter
.=xO~=Q
xywNrC
@Yf!l@
YNsqQvC
yPqnijxIIO
YShVvtR
?]^ZPd
`}zTdO