| Analysis Date | 2015-08-25 11:56:15 |
|---|---|
| MD5 | 076ae76dcd0946ff913a9ce033e0ca55 |
| SHA1 | dd4a55571b94d24703ad06476cbce9413e2f9ecf |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: 85190e8eb1c8d72ebbccf4639eb9421d sha1: 1edcbb6cf9e4261af6966e117265392162ba548e size: 20480 | |
| Section | .rdata md5: 856ccaa7d78f278a01048093d6f7c9d5 sha1: 6ec8d859481d211bf5bc2a8d2d68d523943c4f60 size: 8192 | |
| Section | .data md5: 4805e103b08e96a4fe517035f700d11c sha1: 45574152397be199b10a4cd19d9031883a1d7f26 size: 73728 | |
| Section | .rsrc md5: ea23e02cf615a6ed482c9a8fdfe9d9a2 sha1: a94993f5a5323356fd606116df5baa1740cae3be size: 61440 | |
| Timestamp | 2015-03-26 08:29:35 | |
| Version | LegalCopyright: Copyright (C) 2014 InternalName: FileVersion: 6.1.7600.16385 CompanyName: Microsoft Corporation. All rights reserved. PrivateBuild: LegalTrademarks: Comments: ProductName: SpecialBuild: ProductVersion: 6, 1, 7600, 16385 FileDescription: OriginalFilename: | |
| Packer | Microsoft Visual C++ v6.0 | |
| PEhash | 7a455bf3e32667bd260962ba1a41d317bed38388 | |
| IMPhash | 4f3d6df29aed03d098d53c60e71d6007 | |
| AV | Rising | no_virus |
| AV | CA (E-Trust Ino) | no_virus |
| AV | F-Secure | Gen:Variant.Symmi.54335 |
| AV | Dr. Web | no_virus |
| AV | ClamAV | Win.Trojan.Agent-921401 |
| AV | Arcabit (arcavir) | Gen:Variant.Symmi.54335 |
| AV | BullGuard | Gen:Variant.Symmi.54335 |
| AV | Padvish | no_virus |
| AV | VirusBlokAda (vba32) | BScope.Trojan.SvcHorse.01643 |
| AV | CAT (quickheal) | no_virus |
| AV | Trend Micro | BKDR_PLUGX.DUKNR |
| AV | Kaspersky | Backdoor.Win32.Gulpix.vir |
| AV | Zillya! | Backdoor.Gulpix.Win32.220 |
| AV | Emsisoft | Gen:Variant.Symmi.54335 |
| AV | Ikarus | Backdoor.Win32.Gulpix |
| AV | Frisk (f-prot) | W32/Backdoor2.HYZO |
| AV | Authentium | W32/Backdoor.STWT-5492 |
| AV | MalwareBytes | no_virus |
| AV | MicroWorld (escan) | Gen:Variant.Symmi.54335 |
| AV | Microsoft Security Essentials | Trojan:Win32/Skeeyah.A!bit |
| AV | K7 | Riskware ( 0040eff71 ) |
| AV | BitDefender | Gen:Variant.Symmi.54335 |
| AV | Fortinet | W32/Gulpix.VIR!tr.bdr |
| AV | Symantec | Backdoor.Korplug |
| AV | Grisoft (avg) | BackDoor.Generic19.CAQ |
| AV | Eset (nod32) | Win32/Korplug.GZ |
| AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
| AV | Ad-Aware | Gen:Variant.Symmi.54335 |
| AV | Twister | W32.Korplug.GZ.rvmf |
| AV | Avira (antivir) | BDS/Gulpix.167936.2 |
| AV | Mcafee | no_virus |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps_user.dat |
| Creates Process | C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84 |
| Creates Mutex | Fast |
Process
↳ C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Creates Mutex | nvdisps_event |
| Winsock DNS | 27.255.94.74 |
Network Details:
| HTTP POST | http://27.255.94.74:443/update?id=000b2088 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1) |
|---|---|
| Flows TCP | 192.168.1.1:1031 ➝ 27.255.94.74:443 |
| Flows TCP | 192.168.1.1:1031 ➝ 27.255.94.74:443 |
Raw Pcap
0x00000000 (00000) 504f5354 202f7570 64617465 3f69643d POST /update?id= 0x00000010 (00016) 30303062 32303838 20485454 502f312e 000b2088 HTTP/1. 0x00000020 (00032) 310d0a41 63636570 743a202a 2f2a0d0a 1..Accept: */*.. 0x00000030 (00048) 48536573 73696f6e 3a20300d 0a485374 HSession: 0..HSt 0x00000040 (00064) 61747573 3a20300d 0a485369 7a653a20 atus: 0..HSize: 0x00000050 (00080) 36313435 360d0a48 536e3a20 310d0a55 61456..HSn: 1..U 0x00000060 (00096) 7365722d 4167656e 743a204d 6f7a696c ser-Agent: Mozil 0x00000070 (00112) 6c612f34 2e302028 636f6d70 61746962 la/4.0 (compatib 0x00000080 (00128) 6c653b20 4d534945 20362e30 3b205769 le; MSIE 6.0; Wi 0x00000090 (00144) 6e646f77 73204e54 20352e31 3b202e4e ndows NT 5.1; .N 0x000000a0 (00160) 45542043 4c522032 2e302e35 30373237 ET CLR 2.0.50727 0x000000b0 (00176) 3b205356 31290d0a 486f7374 3a203237 ; SV1)..Host: 27 0x000000c0 (00192) 2e323535 2e39342e 37340d0a 436f6e74 .255.94.74..Cont 0x000000d0 (00208) 656e742d 4c656e67 74683a20 300d0a43 ent-Length: 0..C 0x000000e0 (00224) 6f6e6e65 6374696f 6e3a204b 6565702d onnection: Keep- 0x000000f0 (00240) 416c6976 650d0a43 61636865 2d436f6e Alive..Cache-Con 0x00000100 (00256) 74726f6c 3a206e6f 2d636163 68650d0a trol: no-cache.. 0x00000110 (00272) 0d0a ..
Strings