Analysis Date: 2016-11-15 04:02:09
MD5: 80be6787572f2c49e5f8fbf7802e19ed
SHA1: e66b2051523dfec3b9ce0de2aeb9cd6c4223a134

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 4770af2f3e47ed34327fbd7e56adfe1c  sha1: 664915538a366eb66e2b6e310f059cbb5732f750  size: 24576
Section .data   md5: d5458a6bd9ea64c9e25e41a24edc82d8  sha1: 7d9d4d5f3dc89766601d740e95c08f0b7eabd4e6  size: 4096
Section .xcpad  md5:  sha1:  size:
Section .idata  md5:  sha1:  size:
Section .reloc  md5:  sha1:  size:
Section .rsrc   md5: 2a82087463aeeea59005f3f27c420257  sha1: 5f27e3af2a83efa43cb8b71b5089e4900e665771  size: 81920
Timestamp:
Version info:
  LegalCopyright:
  PackagerVersion:
  InternalName:
  FileVersion:
  CompanyName:
  Comments:
  ProductName:
  ProductVersion:
  FileDescription:
  Packager:
  OriginalFilename:
Packer: Microsoft Visual C++ v6.0
PEhash:
IMPhash: 977babce4039e5d0e6e58ca1c95a4799
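The section table above carries an MD5, SHA1 and size only for .text, .data and .rsrc, and the Timestamp field is empty. The block below is an added example, not code from the sandbox or from the sample's authors: it reads the section table and TimeDateStamp straight from the PE headers with the Python standard library and hashes each section's raw bytes the way the report lists them. build_sample_pe fabricates a small throwaway PE32 image so the functions can be run offline (it is not the analysed sample), and treating a section whose SizeOfRawData is 0 as having nothing to hash is an assumption about why the three blank rows are blank.

```python
"""Read section hashes and the compile timestamp straight from PE headers (stdlib only).

Added example, not the sandbox's code. build_sample_pe() fabricates a tiny PE32 image
so the functions can be exercised offline; the analysed sample itself is not included."""
import hashlib
import struct
from datetime import datetime, timezone

FILE_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe(data: bytes) -> dict:
    """Return Machine, TimeDateStamp and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # signature + file header + optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr})
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def section_hashes(data: bytes) -> list:
    """MD5/SHA1 over each section's raw (on-disk) bytes, the way the report lists them.
    Assumption: a section whose SizeOfRawData is 0 has nothing on disk to hash, so its
    md5/sha1 come back as None (the blank .xcpad/.idata/.reloc rows look like this case)."""
    out = []
    for s in parse_pe(data)["sections"]:
        if s["raw_size"] == 0:
            out.append({"name": s["name"], "md5": None, "sha1": None, "size": 0})
            continue
        raw = data[s["raw_offset"]:s["raw_offset"] + s["raw_size"]]
        if len(raw) != s["raw_size"]:
            # Header claims more bytes than the file holds: truncated download or crafted header.
            raise ValueError(f"section {s['name']} runs past end of file")
        out.append({"name": s["name"], "size": s["raw_size"],
                    "md5": hashlib.md5(raw).hexdigest(),
                    "sha1": hashlib.sha1(raw).hexdigest()})
    return out


def compile_time(data: bytes) -> str:
    """TimeDateStamp rendered as UTC; the report leaves its Timestamp field empty, so check it.
    A stamp of 0, or one later than the first-seen date, is itself worth noting (stamps are trivially forged)."""
    stamp = parse_pe(data)["timestamp"]
    return datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_pe(sections, stamp=1_000_000_000) -> bytes:
    """Constructed PE32 image: DOS stub, headers, section table, raw section data, no code.
    sections is a list of (name, raw_bytes); b"" yields a header with SizeOfRawData == 0."""
    align, opt_size, e_lfanew = 0x200, 0xE0, 0x40
    first_raw = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // align) * align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack(FILE_HEADER, 0x14C, len(sections), stamp, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    table, body, rptr, vaddr = b"", b"", first_raw, 0x1000
    for name, raw in sections:
        rsize = -(-len(raw) // align) * align                      # round up to FileAlignment
        table += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"), max(len(raw), 1),
                             vaddr, rsize, rptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rsize, b"\0")
        rptr += rsize
        vaddr += 0x1000
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + table).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    demo = build_sample_pe([(".text", b"\x55\x8b\xec" * 100), (".data", b"demo"),
                            (".xcpad", b""), (".rsrc", b"R" * 600)])
    print(compile_time(demo))
    for entry in section_hashes(demo):
        print(entry)
```

Run against a real file with section_hashes(open(path, "rb").read()) and compare the MD5 column with the report's; a mismatch on a section with the same file MD5 would point at a parsing difference rather than a different sample, since the file hash covers the raw section bytes too.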
AV 360 Safe: Trojan.Win32.Agent.FN
AV Ad-Aware: Gen:Variant.Symmi.28546
AV Alwil (avast): ?
AV Arcabit (arcavir): Gen:Variant.Symmi.28546
AV Authentium: W32/Trojan.KYQA-2633
AV Avira (antivir): TR/Samca.lpoxy
AV BitDefender: Gen:Variant.Symmi.28546
AV BullGuard: Gen:Variant.Symmi.28546
AV CA (E-Trust Ino): Gen:Variant.Symmi.28546
AV CAT (quickheal): Worm.Gamarue.A5
AV ClamAV: Win.Trojan.Agent-1109687
AV Dr. Web: BackDoor.Andromeda.178
AV Emsisoft: Gen:Variant.Symmi.28546
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
AV Fortinet: W32/Wauchos.LB!tr
AV Frisk (f-prot): W32/Trojan2.OAPW
AV Grisoft (avg): Downloader.Small.IZA
AV Ikarus: Trojan-Downloader.Small
AV K7: Trojan ( 0001140e1 )
AV Kaspersky: Backdoor.Win32.Androm.deu
AV MalwareBytes: Trojan.Email.Bot
AV Mcafee: W32/Worm-FKO!80BE6787572F
AV MicroWorld (escan): Gen:Variant.Symmi.28546
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV Padvish: Worm.Win32.Gamarue.SameMsiexec1
AV Rising: No Virus
AV SUPERAntiSpyware: Trojan.Agent/Gen-FalComp
AV Symantec: Downloader.Dromedan
AV Trend Micro: WORM_GAMARUE.SMV
AV Twister: Trojan.3F06E5417E4C04E9
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183
AV Windows Defender: Worm:Win32/Gamarue.F
AV Zillya!: Backdoor.Androm.Win32.2864

Runtime Details:

Process
↳ C:\e66b2051523dfec3b9ce0de2aeb9cd6c4223a134.exe

Creates File: C:\WINDOWS\system32\wupdmgr.exe

Process
↳ C:\e66b2051523dfec3b9ce0de2aeb9cd6c4223a134.exe

Process
↳ C:\WINDOWS\system32\wupdmgr.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\E66B20~1.EXE
Creates File: C:\DOCUME~1\All Users\Local Settings\Temp\ccyotrqf.com
Creates File: C:\WINDOWS\system32\wupdmgr.exe
Creates File: C:\DOCUME~1\All Users\Local Settings\Temp\ccyotrqf.com
Creates Mutex:
Creates Mutex: RasPbFile
Creates Mutex: 1423186185
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\6409 ➝ C:\DOCUME~1\All Users\Local Settings\Temp\ccyotrqf.com\\x00
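The runtime events above are the behaviour worth codifying: an executable written into system32 by a sample run from the drive root, a second copy with a .com extension under the All Users Temp directory, and an autostart value under HKLM\...\CurrentVersion\policies\Explorer\Run (a location Explorer processes at logon, like Run and RunOnce) that points at that copy. The block below is an added example, not part of the report: it parses event lines in the report's own fused "<event type><argument>" form (the sample text is the event list above re-typed as constructed input, with the registry key and value joined on one line), applies a few rules, and correlates the autorun target with the files the run created. The rule names, severities and regular expressions are my own choices rather than a published ruleset, and reading the trailing \\x00 rendering as an embedded NUL terminator is an assumption.

```python
"""Turn the runtime events of a sandbox report into detections (added example, not the report's code)."""
import re

# Constructed sample input: the event lines from the report above, re-typed in the report's own
# fused "<event type><argument>" form; the registry key and its value are joined on one line.
REPORT_EVENTS = r"""
Process
↳ C:\e66b2051523dfec3b9ce0de2aeb9cd6c4223a134.exe
Creates FileC:\WINDOWS\system32\wupdmgr.exe
Process
↳ C:\e66b2051523dfec3b9ce0de2aeb9cd6c4223a134.exe
Process
↳ C:\WINDOWS\system32\wupdmgr.exe
Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\E66B20~1.EXE
Creates FileC:\DOCUME~1\All Users\Local Settings\Temp\ccyotrqf.com
Creates FileC:\WINDOWS\system32\wupdmgr.exe
Creates FileC:\DOCUME~1\All Users\Local Settings\Temp\ccyotrqf.com
Creates Mutex
Creates MutexRasPbFile
Creates Mutex1423186185
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\6409 ➝ C:\DOCUME~1\All Users\Local Settings\Temp\ccyotrqf.com\\x00
"""

SYSTEM32_EXEC = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.(exe|dll|com|scr)$", re.I)
TEMP_EXEC = re.compile(r"\\temp\\[^\\]+\.(exe|com|scr|bat|vbs)$", re.I)
# Run / RunOnce and the Policies\Explorer\Run variant that Explorer honours at logon.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(policies\\Explorer\\)?Run(Once)?\\", re.I)


def clean_value(value: str) -> str:
    """Strip a trailing NUL terminator, whether present as a real byte or rendered as the text
    backslash-x00 (assumption: that is what the report's trailing escape sequence means)."""
    value = value.rstrip("\0")
    while value.endswith("x00") and value[:-3].endswith("\\"):
        value = value[:-3].rstrip("\\")
    return value


def parse_events(text: str) -> list:
    """Parse the report's fused event lines; each event carries the process last listed above it."""
    events, proc = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("↳ "):
            proc = line[2:]
            events.append({"type": "process", "path": proc, "proc": proc})
        elif line.startswith("Creates File"):
            events.append({"type": "file", "path": line[len("Creates File"):], "proc": proc})
        elif line.startswith("Creates Mutex"):
            events.append({"type": "mutex", "name": line[len("Creates Mutex"):], "proc": proc})
        elif line.startswith("Registry"):
            key, _, value = line[len("Registry"):].partition(" ➝ ")
            events.append({"type": "registry", "key": key, "value": clean_value(value), "proc": proc})
    return events


def detect(events: list) -> list:
    """Return (rule, severity, evidence) tuples. Paths are compared case-insensitively but
    literally: a report that mixes 8.3 and long names (DOCUME~1 vs Documents and Settings)
    would need expansion first, which this example does not attempt."""
    created = {e["path"].lower() for e in events if e["type"] == "file"}
    findings = []
    for e in events:
        if e["type"] == "file" and SYSTEM32_EXEC.match(e["path"]):
            findings.append(("drop_into_system32", "high", f'{e["proc"]} wrote {e["path"]}'))
        elif e["type"] == "file" and TEMP_EXEC.search(e["path"]):
            findings.append(("executable_in_temp", "medium", e["path"]))
        elif e["type"] == "registry" and AUTORUN_KEY.search(e["key"]):
            # Persistence that points at a file this run created is the strongest link.
            sev = "high" if e["value"].lower() in created else "medium"
            findings.append(("autorun_registry", sev, f'{e["key"]} -> {e["value"]}'))
        elif e["type"] == "mutex" and e["name"].isdigit():
            # Weak on its own; a bare number is mainly a pivot for finding related reports.
            findings.append(("numeric_mutex", "low", e["name"]))
    return findings


if __name__ == "__main__":
    for rule, sev, evidence in detect(parse_events(REPORT_EVENTS)):
        print(f"[{sev:6}] {rule}: {evidence}")
```

The parser only knows the four event types this report uses (process, file create, mutex, registry), so other reports from the same sandbox may need further prefixes; the correlation step is the part worth keeping, since an autorun value that resolves to a file written moments earlier by the same run is a far stronger signal than either event alone.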

Network Details:


Strings
_^[]
tzVS
GIt%
t/Ku
^[_]
XSVW
_9=<
YYh
<"u%
F<"t
t9UW
?=t"U
QQS3
PSSW
8"uD
8"uF@
8"u,
-Lp@
@@f9
@@f9
=Dp@
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
DSUVWh
_^][
SVWUj
]_^[
t.;t$$t(
VC20XC00U
SVWU
tEVU
t3x<
]_^[
hds@
h`s@
h8s@
j?I_
u	9}
=dp@
ulSj
uY;]
pD#U
j #M
j?^;
90tr
0B=p
Wj@Y3
t7SW

@AA;
VWuBh
uFWWj
"WWSh
9} u
E WW
tMWWS
t@9}
VSh
%lp@
SVWt
_^[]
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
LoadLibraryA
GetProcAddress
KERNEL32.dll
wsprintfA
MessageBoxA
USER32.dll
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
WriteFile
VirtualAlloc
HeapReAlloc
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
HUFF
Protection
System informations not available!
___DDDqqq__________________wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww______lllDDD___
eeejjjfffcccaaafffdddddddddbbbbbbfffffffffffffffffffffffffffffffffffffffffffffffffffbbbdddfffccccccddd___
ooowww
ddd___
aaa___
___SSS
kkk~}}
kkk~}}
kkk~}}
kkk~}}
kkk~}|
kkk~}}
kkk~}|
Faiggg
kkk~}}
^^^ooo
kkk~}|
```ooo
kkk~}}
```ooo
kkk~}}
```ooo
kkk~}}
```ooo
kkk~}}
```ooo
kkk~}|
```ooo
kkk~}}
```ooo
kkk~}|
```ooo
kkk~}}
```ooo
kkk~}|
```ooo
kkk~}}
```ooo
kkk~}|
```ooo
kkk~}}
```ooo
kkk~}}
```ooo
kkk~}}
```ooo
kkk~}}
```ooo
kkk~}|
```ooo
kkk~}}
>>>OZ[
```ooo
kkk~}|
```ooo
kkk~}}
```ooo
kkk~||
```ooo
kkk~}}
```ooo
kkk~||
```ooo
kkk~}|
```ooo
kkk~||
```ooo
kkk}||
```ooo
kkk}}|
___SSS
fff~~~
______
aaa???
ccclll
OOOlllvvvvvvtttssstttrrsssssssssssssssssssssssssssssssssssssssssstsssssssstssttttttttttttttttuuuvvvyyyttt]]]
GGGhhhhhhjjjcccffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffcccfff```aaaWWW
96PA
uMd0
nL|#
2617728422PA
gm,z
|_.W
!yl9
NSNh"DM
cXKS
,6f=
cgBS~j%
'5(V
B(V[
IVgp
4_kr
}ye%
WRRQ
9|Bo-
iZ'i
/Bm*+,
Qt:/
s)uVgU
t{[b
9X1^f46
svX;wv[d6
yb1C
G!v$
~/3t
p.*>?
N02$
pG6&P
:Uyl
>uQY
z%++
j2>gV7
b%Ol
:W\_w
"qLc
vwOu
;DbB
-K0I
M%C}
 NBO
:LUM
L0'6
/e|7
Fma&[g?
:Xo
jygZ
I7@8
:\8eV
sfk%`
e=wi
0@b>K
9|In+
Oe><
Vn+h
=%n|
TS78z
not7yM
bbK.F
Zl9(
aWN$'
aa;.
0a@vV
Vvgua
Lah~<
p0DX]i
S7";
X0EY]
[bFu
SxeYlu'H
C~K5
'])?
YM/}
]qR
(wm5
H&QD0
-)NS
9@h3
rh$W
a	jY
~+DW74V
NG8.
"~5I
`6Z5y~
[W,\
%x:F
IWCe
h2ca
^=un0
>KWm<
@BC(
xOW7M
\Resm
x\}E
zTav]
'yqk
@abK
&r\d}nWI
2:A;Fg
n+zC
]u-mf*
t{YD
401,
\ac<l
sPs^
AS5e
n0xY
u'Mg
>	k!
Q$whj
MbBh
X!0'
4A(o
WWJC[
$_OE
XUm+3Qnl
07hco
!G^W
<p?=
izn6{
bB9_
(sT1
GF;8
9?R#t|g9x
F%7"
{%[M
A700
!nv<
2]ZTV0
DlQ2`|=
wHx:
C3;oq
WOY@
!Nhs
VLT9VA'
thiz;
Uw`)
~q;*
,NGO
EF_0
B2b1
&$jJyX
6r\c
PUn"
3)!]
!?&F
\c0c
mg*s
[q8d^j
U{V4q
)@qa
j~JE4
@`Fc%+h
i99?>
`Ys_/U
D|	=L
SHnP
cer\O
.hg{
,E9p
r?/f
PIhi
7Nik
0D32
>qQ}~e
JG$.
(IBc
fK\J
w{(HA=
vK X
mt:=f
R}xB
B 279
j,H6y
LQ}xDyU
e$tQI
^Hao
Dw05{nNp
\7z)
cyl,.
=vz"n
c9Os
n7\<H
KF)"
Lj7{
ei31;
q&&HO
ZP"Q
F|T"+N6?
l7?`
6s,g
o@G\
hlU[(
6	jX
*	CO
3mFB
XjiL_U
cMLa
Oq4gt
	RbR
wU">
KHn<hn
&] '
[=U\cG
[~KeT~
=n3y
aqmq
	:yq
-ndB
@_W/m
GT$?
}TBg
`tA(P
C+_dRcKl
|pe(
%jyt=q
J-GT
f	cS^
7X8h
Yshi
wh3g
D~dkd4"
qIH}
	B6*
M-BB
4]6
|umSX*
P(Z@
K*T=[
]~O1Zr=
wS0'
{5&a{
1&:=
Pyt/)
P_k1J
xXsJMn
(8l=
Eiqn@
!HxF
6?'X
:!0Y2
g`I>_
(j*|
fI|{M
xL+n/
/> xq
=O0>
7gL;[
Sha6w
,w'#@
PKzO_
e:F:h
P~gF3GU
D0eiv
b5+h
Dh6F
JB _
j7!J
K	?{
XmSm
<7>{
ca^y
2^I~
PpUZC
GU@HF^
J.*8sc
g6.~E
n-Oy{
*cGV
#_Z[
d(gsq
wov%
RIq"
#$Q`S
CJ"M
[_-b
~1p[
tb)a
RKmW
`=-(
	{?_
zD#Wp
lBaf
l[0pH
NXiSn
9S*ZF
!1IT
ShsB!
EW5P
zZf*y
u[W2
|.a+`
.TKI
afk0
!s&)
aNol
5cll,z'
wefd^[
>r_o
W/+*
%F~,
,usS
,!DMS
*Uv.
d"W-4ex2
A?blu
l%[6
$^&mzK
tZ:/
8\sx.
[X}m
G	B$
i*r\Z
rfK<
p9@%+
b*DU
vT-5
#R}v
5<?P"
56R_Jtw
:@'^
}	 QO
%"7@
#n*R
Sw2]j.
&jxO
?d+i
+-<x
d10B
g1NN
Z+DTh
v!Xt`"z
Rm	P"
Ywf,
<@Hl
K.K'*;x
,I0&
N3U"
["v!]
VH<+
S[4$:
Fa/z{:
>]wO
n1|eu
^"/9
9y/i
'NsM
<uz3
]uIl
7cX5
'26[
}k0|KW
[ Sg
?U)R
{%3k0
KQKH,
/#v=
Po8t}k
/eo9z
$!}7C
hVFe+
jhNc+
y@dd5
Qf.8
Rs}3Xx
ZB9^
a`1d
e8}Pz
$D_%jH