Analysis Date: 2015-05-10 15:05:54
MD5: 42e0febc14f8d5a4acf20abb7d5538af
SHA1: d0b45ca775cd323606eea8e287dceee726ecc607

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 31a279faf70559e66e2d1cff233a7c31 sha1: ce4d7903d53652f1534e647d556a2fff13d1a2c9 size: 188416
Section .rsrc: md5: 2721b81c95a58b7c5b187165efbaab71 sha1: f4d58acdb938e6e91049429523164b34d96d9bd6 size: 50944
Timestamp: 2001-05-21 05:10:21
Version info:
LegalCopyright: Copyright Radume© 2013
InternalName: Zdravka
FileVersion: 2, 1, 3, 2
CompanyName: Hause
PrivateBuild: Kizbow
LegalTrademarks: Gioka©
Comments: Preshin
ProductName: Drenzag
SpecialBuild: Mortlina
ProductVersion: 5, 1, 8, 4
FileDescription: Darko
OriginalFilename: Koda
Packer: UPX -> www.upx.sourceforge.net
PEhash: 4417941153076e0d30effd63808e64027b5700c7
IMPhash: 4ad8d64c899ffa4fc72d6bb5097c45ad
AV Ad-Aware ➝ Gen:Variant.Kazy.299377
AV Alwil (avast) ➝ Downloader-TAS [Trj]
AV Arcabit (arcavir) ➝ Gen:Variant.Kazy.299377
AV Authentium ➝ W32/Andromeda.J.gen!Eldorado
AV Avira (antivir) ➝ no_virus
AV BitDefender ➝ Gen:Variant.Kazy.299377
AV BullGuard ➝ Gen:Variant.Kazy.299377
AV CA (E-Trust Ino) ➝ Win32/Gamarue.HI
AV CAT (quickheal) ➝ Malware.Generic.Pdpu621115.heur
AV ClamAV ➝ Win.Trojan.Agent-782881
AV Dr. Web ➝ BackDoor.IRC.NgrBot.42
AV Emsisoft ➝ Gen:Variant.Kazy.299377
AV Eset (nod32) ➝ Win32/Bundpil.A worm
AV Fortinet ➝ W32/Injector.AFHI!tr
AV Frisk (f-prot) ➝ no_virus
AV F-Secure ➝ Gen:Variant.Kazy.299377
AV Grisoft (avg) ➝ Downloader.Generic13.BSXI
AV Ikarus ➝ Worm.Win32.Dorkbot
AV K7 ➝ Trojan ( 0040f5ff1 )
AV Kaspersky ➝ Trojan-Downloader.Win32.Andromeda.guq
AV MalwareBytes ➝ Trojan.Ranver
AV Mcafee ➝ no_virus
AV Microsoft Security Essentials ➝ Worm:Win32/Dorkbot.I
AV MicroWorld (escan) ➝ Gen:Variant.Kazy.299377
AV Padvish ➝ Worm.Win32.Gamarue.I1
AV Rising ➝ no_virus
AV Sophos ➝ no_virus
AV Symantec ➝ no_virus
AV Trend Micro ➝ no_virus
AV Twister ➝ Virus.40B30DE4711DA5A1
AV VirusBlokAda (vba32) ➝ SScope.Malware-Cryptor.Wauchos.2183

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\0000000B ➝ NULL
Registry HKEY_CURRENT_USER\SOFTWARE\ImageBase ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccuaqehrw.cmd\\x00
Registry HKEY_CURRENT_USER\Software\IMAGE_FILE_HEADER ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccuaqehrw.cmd
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\03.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\02.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\04.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: CCC
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 3227095050
Creates Mutex: TLS
Winsock DNS: b.sobea.in
Winsock DNS: a.sobea.in
Winsock DNS: c.sobea.in

Network Details:

DNS www.update.microsoft.com.nsatc.net Type: A ➝ 134.170.58.221
DNS www.update.microsoft.com.nsatc.net Type: A ➝ 65.55.50.189
DNS hzmksreiuojy.in Type: A ➝ 195.22.26.231
DNS hzmksreiuojy.in Type: A ➝ 195.22.26.252
DNS hzmksreiuojy.in Type: A ➝ 195.22.26.253
DNS hzmksreiuojy.in Type: A ➝ 195.22.26.254
DNS hzmksreiuojy.ru Type: A ➝ 195.22.26.253
DNS hzmksreiuojy.ru Type: A ➝ 195.22.26.254
DNS hzmksreiuojy.ru Type: A ➝ 195.22.26.231
DNS hzmksreiuojy.ru Type: A ➝ 195.22.26.252
DNS hzmksreiuojy.biz Type: A ➝ 52.28.3.6
DNS hzmksreiuojy.nl Type: A ➝ 176.58.104.168
DNS www.update.microsoft.com Type: A
DNS hzmksreiuojy.com Type: A
HTTP POST http://8.8.8.8/xxxxxxxxx.php User-Agent: Mozilla/4.0
HTTP POST http://hzmksreiuojy.in/ldr.php User-Agent: Mozilla/4.0
HTTP POST http://hzmksreiuojy.ru/ldr.php User-Agent: Mozilla/4.0
HTTP POST http://hzmksreiuojy.biz/ldr.php User-Agent: Mozilla/4.0
Flows TCP 192.168.1.1:1031 ➝ 134.170.58.221:80
Flows TCP 192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1034 ➝ 195.22.26.231:80
Flows UDP 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1036 ➝ 195.22.26.253:80
Flows UDP 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1040 ➝ 52.28.3.6:80
Flows UDP 192.168.1.1:1041 ➝ 8.8.4.4:53

Raw Pcap

Strings