Analysis Date: 2015-02-03 21:29:42
MD5: 076ecbdadde50979e4293b8a1e6c9347
SHA1: cab8d9e6a90255cc27e1b7176aea4863db3b10d0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 55c76e7b5591573181abff34b1c33688 sha1: 36f081db696861d2ca5f9e5d9e9d0c63199611e8 size: 32768
Section .rdata# md5: 40c47c79fa358b94d8c2b7d7b04bc637 sha1: 9202b8bb141db9b99de4fc1f722c097fad8fb963 size: 12288
Section .data*  md5: 9862e39d2197ea06b35235ec52b9e4b0 sha1: c10bbeb83bc95cf55b33196ef09b371a9dbe24be size: 4096
Section .rsrc   md5: d2c1957749f9b29f40b9ef4fa29d503e sha1: e6878572a7c997f9b553bf23e9ece7d1eed25796 size: 4096
Timestamp: 1974-09-01 08:31:53
Packer: Microsoft Visual C++ v6.0
PEhash: 086aa26be2256abfaea0185c41ae662a321e970d
IMPhash: 4753ccc78832b9f680dadee9a2cd6d1a
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12306377
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Trojan.Generic.12306377
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.122808
AV BullGuard: Trojan.Generic.12306377
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.12306377
AV Eset (nod32): Win32/Glupteba.M
AV Fortinet: W32/Goo.M!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.12306377
AV Grisoft (avg): Zbot.VWG
AV Ikarus: no_virus
AV K7: Trojan ( 004b21fd1 )
AV Kaspersky: Trojan-Downloader.Win32.Goo.qvm
AV MalwareBytes: Trojan.Agent.EOPEGen
AV Mcafee: PWSZbot-FAFF!076ECBDADDE5
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): Trojan.Generic.12306377
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 14141205\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://213.192.92.3:53109/stat?uid=100&downlink=1111&uplink=1111&id=00016A0F&statpass=bpass&version=14141205&features=30&guid=9215bca0-dbbb-4599-a456-ff090ca86218&comment=14141205&p=0&s=
User-Agent:
HTTP GET: http://89.35.149.198:35535/stat?uid=100&downlink=1111&uplink=1111&id=00017DE5&statpass=bpass&version=14141205&features=30&guid=9215bca0-dbbb-4599-a456-ff090ca86218&comment=14141205&p=0&s=
User-Agent:
HTTP GET: http://103.247.220.132:27092/stat?uid=100&downlink=1111&uplink=1111&id=000191BB&statpass=bpass&version=14141205&features=30&guid=9215bca0-dbbb-4599-a456-ff090ca86218&comment=14141205&p=0&s=
User-Agent:
HTTP GET: http://37.203.143.244:48775/stat?uid=100&downlink=1111&uplink=1111&id=0001A553&statpass=bpass&version=14141205&features=30&guid=9215bca0-dbbb-4599-a456-ff090ca86218&comment=14141205&p=0&s=
User-Agent:
HTTP GET: http://88.98.49.1:58046/stat?uid=100&downlink=1111&uplink=1111&id=0001B8EB&statpass=bpass&version=14141205&features=30&guid=9215bca0-dbbb-4599-a456-ff090ca86218&comment=14141205&p=0&s=
User-Agent:
HTTP GET: http://31.24.124.134:21999/stat?uid=100&downlink=1111&uplink=1111&id=0001CC82&statpass=bpass&version=14141205&features=30&guid=9215bca0-dbbb-4599-a456-ff090ca86218&comment=14141205&p=0&s=
User-Agent:
HTTP GET: http://188.165.195.121:51633/stat?uid=100&downlink=1111&uplink=1111&id=0001E039&statpass=bpass&version=14141205&features=30&guid=9215bca0-dbbb-4599-a456-ff090ca86218&comment=14141205&p=0&s=
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 213.192.92.3:53109
Flows TCP: 192.168.1.1:1031 ➝ 213.192.92.3:53109
Flows TCP: 192.168.1.1:1032 ➝ 89.35.149.198:35535
Flows TCP: 192.168.1.1:1033 ➝ 103.247.220.132:27092
Flows TCP: 192.168.1.1:1034 ➝ 37.203.143.244:48775
Flows TCP: 192.168.1.1:1035 ➝ 88.98.49.1:58046
Flows TCP: 192.168.1.1:1036 ➝ 31.24.124.134:21999
Flows TCP: 192.168.1.1:1037 ➝ 188.165.195.121:51633

Strings
. R
080a04b0
154, 162, 234, 132
39, 218, 18, 136
CompanyName
EHFd
FileDescription
FileVersion
InternalName
IQwAWAU0
LegalCopyright
LegalTrademarks
orchestrations
OriginalFilename
panther
PFU LIMITED
preamble rated
PrivateBuild
ProductName
ProductVersion
referred
remap marginals
repined radiocarbon
retries.exe
rimmed (C) postcodes
VS_VERSION_INFO
""" "" 
""""  
3;;d,l
$)3p?0@X
&4):.a~
_acmdln
ActivateKeyboardLayout
AddAce
_adjust_fdiv
ADVAPI32.dll
AreAnyAccessesGranted
auxGetVolume
BackupWrite
ChangeServiceConfig2A
CloseClusterGroup
CloseClusterNode
CloseDriver
CLUSAPI.dll
ClusterGroupControl
c+n@N1h
CoMarshalInterThreadInterfaceInStream
_controlfp
CreateWindowExA
)D0o.LR
@.data
DdePostAdvise
DefWindowProcA
DestroyWindow
e5Mb q#4'
EnumDependentServicesW
e#_Uub
_except_handler3
ExtTextOutA
`f````
`f`````
"f%>;(
FailClusterResource
ffffffffffff``
fffffffffffff
ffffffffffffff``
)fHKht 
FileTimeToDosDateTime
FindAtomW
FormatMessageA
f$p*M/G
]frZ1V
GDI32.dll
GetClusterGroupKey
GetClusterNetworkKey
GetClusterNodeState
GetClusterQuorumResource
GetClusterResourceNetworkName
GetConsoleOutputCP
GetCurrentPositionEx
GetDriverModuleHandle
GetFileAttributesExA
__getmainargs
GetModuleHandleA
GetNamedSecurityInfoW
GetObjectType
GetOldestEventLogRecord
GetSecurityDescriptorDacl
GetSecurityDescriptorLength
GetSecurityInfo
GetStartupInfoA
GetStartupInfoW
GetTrusteeFormW
GetTrusteeNameW
GetUserDefaultLCID
GetUserNameW
IIDFromString
IMAGEHLP.dll
IMM32.dll
ImmGetIMEFileNameW
InitializeSecurityDescriptor
_initterm
IsTokenRestricted
IsValidSid
KERNEL32.dll
KzN	e8
LoadCursorFromFileW
L$,RPVQ
LsaCreateTrustedDomainEx
LsaDeleteTrustedDomain
LsaLookupSids
LsaRetrievePrivateData
	.lx%r
LZ32.dll
LZInit
LZRead
MakeAbsoluteSD
mciSendCommandA
midiInReset
mixerGetDevCapsW
mmioAdvance
mmioClose
modernised
MSVCRT.dll
OfflineClusterResource
!O:f{q<
ole32.dll
PathCanonicalizeA
PathIsUNCServerA
PathMakePrettyA
PathParseIconLocationA
PathRemoveBackslashW
pcgd%)/
__p__commode
__p__fmode
P^K/rv
QqZG8N
QueryServiceLockStatusA
`.rdata
RegEnumKeyW
RegisterClassExA
RegisterEventSourceW
RegisterFormatEnumerator
RegQueryMultipleValuesW
RegQueryValueA
RemoveClusterResourceNode
RemovePrivateCvSymbolic
ResumeClusterNode
ResUtilIsPathValid
ResUtilResourcesEqual
RESUTILS.dll
ResUtilStopService
ResUtilVerifyService
__set_app_type
SetFileSecurityA
SETUPAPI.dll
SetupDecompressOrCopyFileA
SetupDiBuildClassInfoListExW
SetupDiClassNameFromGuidExA
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiDestroyClassImageList
SetupDiGetClassDevPropertySheetsA
SetupDiGetClassDevsW
SetupDiGetINFClassW
SetupDiMoveDuplicateDevice
SetupDiRemoveDeviceInterface
SetupGetBinaryField
SetupGetIntField
SetupGetLineTextW
SetupGetSourceFileLocationW
SetupInstallFileExW
SetupOpenMasterInf
SetupPromptForDiskW
SetupQueueCopySectionA
SetupQueueDeleteSectionW
SetupQueueRenameA
SetupSetDirectoryIdExW
__setusermatherr
SHDeleteKeyA
SHLWAPI.dll
SHRegQueryInfoUSKeyW
StartServiceCtrlDispatcherW
StrCSpnIW
!This program cannot be run in DOS mode.
)*TJs{<
uQ$XLO
urlmon.dll
USER32.dll
Vw\,("
Vz^[ej
waveOutGetVolume
WINMM.dll
Wm}ez	l{y
_XcptFilter
>/"	Xn
zBAj_l