Analysis Date: 2015-06-06 02:50:16
MD5: bce7ef6bd0fbd9eeb80b43d2b11ef215
SHA1: c7a6be9a6fcc8626300aa648e067bf81924b7905

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 760b12671978a32dcb5f06d1fbe2997b sha1: 7477156ae342abeed59cbf9f7691ce1de7e4667d size: 94208
Section .rdata: md5: b02554328f75d2be89bd60a2c35de9df sha1: 5fd1a7c6de7c04c3714b57306ac53b2412a8cd93 size: 8192
Section .data: md5: 1edfe1057648978b393dc7acec8f13b8 sha1: 8e47479f029f743dc5e7b82a4b8b22cf28142fef size: 12288
Section .rsr: md5: 9730b67d8cad89d1a8e063b162c26f9a sha1: 22f9e8cdd21f9260ced3833f591043659a81707a size: 16384
Timestamp: 2015-05-22 13:18:15
PEhash: 87ae56023bd3d376eaf4b44159897e9b3b27cc30
IMPhash: 367f3ba5c24206bc327dad05fb4ccbd7
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen7
AV Twister: TrojanDldr.Zurgop.BK.tpgz
AV Ad-Aware: Gen:Variant.Zbot.166
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Injector.CBOG
AV Grisoft (avg): Inject2.CFER
AV Symantec: no_virus
AV Fortinet: W32/Injector.CBJI!tr
AV BitDefender: Gen:Variant.Zbot.166
AV K7: no_virus
AV Microsoft Security Essentials: DDoS:Win32/Nitol.C
AV MicroWorld (escan): Gen:Variant.Kazy.622044
AV MalwareBytes: Trojan.Upnoda
AV Authentium: W32/Trojan.NIJU-5731
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Injector
AV Emsisoft: Gen:Variant.Zbot.166
AV Zillya!: no_virus
AV Kaspersky: no_virus
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zbot.166
AV Arcabit (arcavir): Gen:Variant.Zbot.166
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Panda.8360
AV F-Secure: Gen:Variant.Zbot.166

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 21150524\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://204.74.99.100:30124/stat?uid=100&downlink=1111&uplink=1111&id=00184F15&statpass=bpass&version=21150524&features=30&guid=4bd4668b-285d-4616-96bd-01e3595ebe6f&comment=21150524&p=0&s=
User-Agent:
HTTP GET: http://204.74.99.100:30124/stat?uid=100&downlink=1111&uplink=1111&id=0018630A&statpass=bpass&version=21150524&features=30&guid=4bd4668b-285d-4616-96bd-01e3595ebe6f&comment=21150524&p=0&s=
User-Agent:
HTTP GET: http://5.135.181.123:27571/stat?uid=100&downlink=1111&uplink=1111&id=001876B2&statpass=bpass&version=21150524&features=30&guid=4bd4668b-285d-4616-96bd-01e3595ebe6f&comment=21150524&p=0&s=
User-Agent:
HTTP GET: http://173.236.140.15:16577/stat?uid=100&downlink=1111&uplink=1111&id=00188A59&statpass=bpass&version=21150524&features=30&guid=4bd4668b-285d-4616-96bd-01e3595ebe6f&comment=21150524&p=0&s=
User-Agent:
HTTP GET: http://78.157.209.207:53127/stat?uid=100&downlink=1111&uplink=1111&id=00189E00&statpass=bpass&version=21150524&features=30&guid=4bd4668b-285d-4616-96bd-01e3595ebe6f&comment=21150524&p=0&s=
User-Agent:
HTTP GET: http://178.60.205.163:25549/stat?uid=100&downlink=1111&uplink=1111&id=0018B1A7&statpass=bpass&version=21150524&features=30&guid=4bd4668b-285d-4616-96bd-01e3595ebe6f&comment=21150524&p=0&s=
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 204.74.99.100:30124
Flows TCP: 192.168.1.1:1031 ➝ 204.74.99.100:30124
Flows TCP: 192.168.1.1:1032 ➝ 204.74.99.100:30124
Flows TCP: 192.168.1.1:1033 ➝ 5.135.181.123:27571
Flows TCP: 192.168.1.1:1034 ➝ 173.236.140.15:16577
Flows TCP: 192.168.1.1:1035 ➝ 78.157.209.207:53127
Flows TCP: 192.168.1.1:1036 ➝ 178.60.205.163:25549

Raw Pcap
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30313834 46313526 73746174 70617373   0184F15&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d32   =bpass&version=2
0x00000050 (00080)   31313530 35323426 66656174 75726573   1150524&features
0x00000060 (00096)   3d333026 67756964 3d346264 34363638   =30&guid=4bd4668
0x00000070 (00112)   622d3238 35642d34 3631362d 39366264   b-285d-4616-96bd
0x00000080 (00128)   2d303165 33353935 65626536 6626636f   -01e3595ebe6f&co
0x00000090 (00144)   6d6d656e 743d3231 31353035 32342670   mment=21150524&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30313836 33304126 73746174 70617373   018630A&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d32   =bpass&version=2
0x00000050 (00080)   31313530 35323426 66656174 75726573   1150524&features
0x00000060 (00096)   3d333026 67756964 3d346264 34363638   =30&guid=4bd4668
0x00000070 (00112)   622d3238 35642d34 3631362d 39366264   b-285d-4616-96bd
0x00000080 (00128)   2d303165 33353935 65626536 6626636f   -01e3595ebe6f&co
0x00000090 (00144)   6d6d656e 743d3231 31353035 32342670   mment=21150524&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30313837 36423226 73746174 70617373   01876B2&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d32   =bpass&version=2
0x00000050 (00080)   31313530 35323426 66656174 75726573   1150524&features
0x00000060 (00096)   3d333026 67756964 3d346264 34363638   =30&guid=4bd4668
0x00000070 (00112)   622d3238 35642d34 3631362d 39366264   b-285d-4616-96bd
0x00000080 (00128)   2d303165 33353935 65626536 6626636f   -01e3595ebe6f&co
0x00000090 (00144)   6d6d656e 743d3231 31353035 32342670   mment=21150524&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30313838 41353926 73746174 70617373   0188A59&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d32   =bpass&version=2
0x00000050 (00080)   31313530 35323426 66656174 75726573   1150524&features
0x00000060 (00096)   3d333026 67756964 3d346264 34363638   =30&guid=4bd4668
0x00000070 (00112)   622d3238 35642d34 3631362d 39366264   b-285d-4616-96bd
0x00000080 (00128)   2d303165 33353935 65626536 6626636f   -01e3595ebe6f&co
0x00000090 (00144)   6d6d656e 743d3231 31353035 32342670   mment=21150524&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30313839 45303026 73746174 70617373   0189E00&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d32   =bpass&version=2
0x00000050 (00080)   31313530 35323426 66656174 75726573   1150524&features
0x00000060 (00096)   3d333026 67756964 3d346264 34363638   =30&guid=4bd4668
0x00000070 (00112)   622d3238 35642d34 3631362d 39366264   b-285d-4616-96bd
0x00000080 (00128)   2d303165 33353935 65626536 6626636f   -01e3595ebe6f&co
0x00000090 (00144)   6d6d656e 743d3231 31353035 32342670   mment=21150524&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30313842 31413726 73746174 70617373   018B1A7&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d32   =bpass&version=2
0x00000050 (00080)   31313530 35323426 66656174 75726573   1150524&features
0x00000060 (00096)   3d333026 67756964 3d346264 34363638   =30&guid=4bd4668
0x00000070 (00112)   622d3238 35642d34 3631362d 39366264   b-285d-4616-96bd
0x00000080 (00128)   2d303165 33353935 65626536 6626636f   -01e3595ebe6f&co
0x00000090 (00144)   6d6d656e 743d3231 31353035 32342670   mment=21150524&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..


Strings