Analysis Date: 2015-12-24 12:27:29
MD5: 6186a9e7a2d72807685c07c624aaa9de
SHA1: d62acc7fd9c6e52e1825c5db6de72fa3a6440d6e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4d45cea78f3ab9f4fead024bd33ce5a1 sha1: 4f574f1ea1198062053208332d2fbfd95fb1563d size: 59392
Section .rdata: md5: b6f626c36f35902475f8149097675376 sha1: 23de5ae8c94087d3d33b45310aba913eba34d067 size: 20992
Section .data: md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360
Section .rsrc: md5: c9903124f6672cbe53350b50befa903d sha1: 9058adc1386437f2026b3025ae0579b87ebc7251 size: 512
Section .text: md5: 67ab7afe9b79924535fd9c79b061ba87 sha1: cb3bd6c8a8d9373f76042c46b81d16f9959365a2 size: 111616
Timestamp: 2013-04-14 15:26:01
Pdb path: c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 78b2c9aa66be69f3985786817238fe5e4031db5d
IMPhash: b2498eed3c3aa5befc085379b8319a74
AV Ad-Aware: Trojan.Gamarue.AP
AV Grisoft (avg): Downloader.Generic13.APRF
AV CAT (quickheal): Worm.Gamarue.r5
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV Avira (antivir): BDS/Androm.EB.103
AV K7: Trojan-Downloader ( 0043f6bc1 )
AV ClamAV: Win.Trojan.Gamarue-35
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Trojan.Gamarue.AP
AV MalwareBytes: Trojan.Downloader
AV Dr. Web: BackDoor.Andromeda.178
AV Mcafee: RDN/Generic Downloader.x
AV BitDefender: Trojan.Gamarue.AP
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Emsisoft: Trojan.Gamarue.AP
AV MicroWorld (escan): Trojan.Gamarue.AP
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Rising: Worm.Win32.Gamarue.x
AV BullGuard: Trojan.Gamarue.AP
AV Fortinet: W32/Kryptik.AYXG!tr
AV Symantec: Packed.Dromedan!gen21
AV Authentium: W32/Trojan.NETF-7216
AV Trend Micro: no_virus
AV Frisk (f-prot): W32/Trojan2.NWYN
AV Twister: Suspicious.2525@2FF0000@.mg
AV CA (E-Trust Ino): Win32/Gamarue.MKBZAUB
AV VirusBlokAda (vba32): BScope.Worm.Gamarue.2413
AV F-Secure: Trojan.Gamarue.AP
AV Zillya!: Downloader.Andromeda.Win32.2944

Runtime Details:

Process:
↳ C:\malware.exe
  Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process:
↳ C:\WINDOWS\system32\wuauclt.exe
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccrkuebx.scr\\x00
  Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccrkuebx.scr
  Creates File: PIPE\lsarpc
  Creates File: \Device\Afd\Endpoint
  Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.158
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 191.232.80.55
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.197
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.198
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.199
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.196
DNS: hzmksreiuojy.ru (Type: A) ➝ 52.28.249.128
DNS: hzmksreiuojy.com (Type: A) ➝ 52.28.249.128
DNS: hzmksreiuojy.biz (Type: A) ➝ 52.28.249.128
DNS: hzmksreiuojy.nl (Type: A) ➝ 176.58.104.168
DNS: www.update.microsoft.com (Type: A)
HTTP POST: http://8.8.8.8/xxxxxxxxx.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.in/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.ru/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.com/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.biz/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.nl/ldr.php (User-Agent: Mozilla/4.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.158:80
Flows TCP: 192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 195.22.28.197:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1038 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1040 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1042 ➝ 176.58.104.168:80

Strings