Analysis Date: 2015-10-22 09:28:51
MD5: b7b732f95dfc0ceebc607594e5d91faf
SHA1: ec6a854bd41d44dd8616b7cbfb75f54870569ff9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 281888ebf0ee39524abd778dd8a8da04 sha1: c3b4759d0dfbb51724e459127a907823179deea3 size: 24576
Section .rdata md5: a4cae2e6e74d73dd10d040e028ad4760 sha1: d096a43d1695b976b64a14980adaa1f1c7a06b5a size: 4096
Section .data md5: 11849ffb195d4170f0d8b38474a04f54 sha1: 9a0f9224ec685a1e219130c4ba4649b9e79a9198 size: 4096
Section .rsrc md5: f75dbfb2f1484c2efc73b5cfafe25c42 sha1: e74be28603370d2721095941a05be6c1be4decf5 size: 94208
Timestamp: 2013-08-14 16:55:10
Version info:
LegalCopyright: Zileg
InternalName: Rapiz
FileVersion: 1, 6, 2, 3
CompanyName: Lampi
PrivateBuild: Delim
LegalTrademarks: Zapaz
Comments: Zepac
ProductName: Daber
SpecialBuild: Fizar
ProductVersion: 4, 8, 2, 6
FileDescription: Zefir
OriginalFilename: Moreg
Packer: Microsoft Visual C++ v6.0
PEhash: 10f70dcdb30b4545581d77626e359a2df3f8c64b
IMPhash: 977babce4039e5d0e6e58ca1c95a4799
AV Rising: Worm.Win32.Gamarue.h
AV Mcafee: W32/Worm-FKO!Gamarue
AV Avira (antivir): TR/Kryptik.1625441
AV Twister: Trojan.7AFE40719B82FAF4
AV Ad-Aware: Gen:Variant.Symmi.28546
AV Alwil (avast): Small-HTYZ [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Grisoft (avg): Downloader.Small.IYU
AV Symantec: Downloader.Dromedan
AV Fortinet: W32/Injector.AKSZ!tr
AV BitDefender: Gen:Variant.Symmi.28546
AV K7: Trojan-Downloader ( 0043f6bc1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV MicroWorld (escan): Gen:Variant.Symmi.28546
AV MalwareBytes: Trojan.Email.Bot
AV Authentium: W32/Trojan.RFCU-3445
AV Frisk (f-prot): W32/Trojan2.OAQB
AV Ikarus: Trojan-Downloader.Small
AV Emsisoft: Gen:Variant.Symmi.28546
AV Zillya!: Backdoor.Androm.Win32.2969
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: WORM_GAMARUE.SMV
AV CAT (quickheal): Trojan.Generic.02432
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183
AV Padvish: Worm.Win32.Gamarue.SameMsiexec1
AV BullGuard: Gen:Variant.Symmi.28546
AV Arcabit (arcavir): Gen:Variant.Symmi.28546
AV CA (E-Trust Ino): no_virus
AV ClamAV: Win.Trojan.Agent-722259
AV Dr. Web: BackDoor.Andromeda.178
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
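
The per-section md5/sha1/size values and the Timestamp field in the Static Details block come straight out of the PE section table and COFF header. The following is an added example, not the sandbox's own code, showing how those values are derived with the Python standard library. Because the analysed sample is not available here, the block builds a small synthetic PE32 image (constructed test data, not the sample) and analyses that; it renders the timestamp as UTC, which the report does not state, and it does not compute the IMPhash, which needs the import table.

```python
"""Recompute the 'Static Details' a sandbox reports for a PE: whole-file MD5/SHA1,
per-section MD5/SHA1/raw size and the COFF build timestamp.

Added example, not the sandbox's code.  Standard library only; the PE image it
analyses is built by build_sample_pe() (constructed test data, not the sample).
"""
import hashlib
import struct
from datetime import datetime, timezone

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of 40 bytes)
SECTION_HEADER = "<8sIIII"
FILE_ALIGN = 0x200


def pe_static_details(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table, hashing each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff)
    table = coff + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(SECTION_HEADER, data, table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]   # SizeOfRawData bytes from the file, alignment padding included
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
        })
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "machine": machine,
        # rendered as UTC; the report does not say which zone its Timestamp field uses
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe(timestamp, sections):
    """Construct a minimal, non-runnable PE32 image (test data only).  sections: [(name_bytes, content_bytes), ...]."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                            # PE32 optional header size
    coff = struct.pack(COFF_HEADER, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers_len = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    first_raw = -(-headers_len // FILE_ALIGN) * FILE_ALIGN      # first section starts on a file-alignment boundary
    raw_ptr, table, body = first_raw, b"", b""
    for name, content in sections:
        raw_size = -(-len(content) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack(SECTION_HEADER, name, len(content), 0x1000, raw_size, raw_ptr) + b"\0" * 16
        body += content + b"\0" * (raw_size - len(content))
        raw_ptr += raw_size
    header = dos + b"PE\0\0" + coff + optional + table
    return header + b"\0" * (first_raw - len(header)) + body


if __name__ == "__main__":
    # 1376499310 is the report's 2013-08-14 16:55:10 expressed as a UTC epoch.
    image = build_sample_pe(1376499310, [(b".text", b"\x90" * 100), (b".bss", b"")])
    for section in pe_static_details(image)["sections"]:
        print(section)
```

The section hash covers SizeOfRawData bytes, so the alignment padding after the real content is part of what is hashed; that is why two builds of the same source with different content lengths but the same rounded size can still hash differently, and why a section such as .bss with no raw data hashes as the empty string.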

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wupdmgr.exe

Process
↳ C:\WINDOWS\system32\wupdmgr.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\ccudulwm.com\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccudulwm.com
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.157
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNS: www.update.microsoft.com
Type: A
DNS: restlesz.su
Type: A
DNS: devicesta.ru
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.157:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
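
The Runtime and Network blocks together give the indicators a responder would sweep for: the Policies\Explorer\Run value pointing at a dropped .com file in the All Users Temp directory, the mutex 3227095050, the file hashes, and the two domains (restlesz.su, devicesta.ru) looked up alongside the update.microsoft.com resolution. The following is an added example, not part of the sandbox output, that turns those observations into a sweep over host and DNS records. The record shapes and every sample record are constructed here. It also makes two assumptions the report itself does not state: that the value name 36874 and the file name ccudulwm.com are randomly generated per infection, so an exact match is scored high but any value under that key launching a .com/.exe/.scr out of a Temp directory is still reported at medium confidence; and that the update.microsoft.com lookups are a connectivity check, so only the .su/.ru domains are treated as C2 indicators.

```python
"""Sweep host and DNS records for the runtime and network indicators in this report.

Added example, not part of the sandbox output.  Record shapes (registry value
pairs, DNS log lines, mutex and hash lists) and all sample data are constructed.
Assumptions: the Run value name and dropped file name are per-infection random
(so the key location is matched, not only the literal strings), and the
update.microsoft.com lookups are a connectivity check rather than C2.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "confidence kind detail")

IOC = {
    "md5": "b7b732f95dfc0ceebc607594e5d91faf",
    "sha1": "ec6a854bd41d44dd8616b7cbfb75f54870569ff9",
    "mutex": "3227095050",
    "dropped_file": r"C:\Documents and Settings\All Users\Local Settings\Temp\ccudulwm.com",
    "run_value": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874",
    "c2_domains": {"restlesz.su", "devicesta.ru"},
}

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
POLICIES_RUN = r"\software\microsoft\windows\currentversion\policies\explorer\run" + "\\"
TEMP_LAUNCH = re.compile(r"\\temp\\[^\\]+\.(?:com|exe|scr)$", re.IGNORECASE)


def norm_key(path):
    """Expand hive abbreviations and lower-case the rest so HKLM\\Software equals HKEY_LOCAL_MACHINE\\software."""
    hive, _, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest.lower()


def norm_data(data):
    """The sandbox keeps the REG_SZ terminator in its output (shown as \\x00); strip either rendering."""
    return data.replace("\\x00", "").rstrip("\0")


def sweep_registry(values):
    """values: iterable of (value_path, data) pairs exported from a host."""
    found = []
    for path, data in values:
        key, data = norm_key(path), norm_data(data)
        if POLICIES_RUN not in key:
            continue                                  # only the persistence location this sample used
        if key == norm_key(IOC["run_value"]) and data.lower() == IOC["dropped_file"].lower():
            found.append(Finding("high", "registry", path + " -> " + data))
        elif TEMP_LAUNCH.search(data):
            found.append(Finding("medium", "registry", path + " -> " + data))
    return found


def sweep_dns(log_lines):
    """log_lines: constructed 'timestamp client qname qtype answer' records."""
    found = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2].rstrip(".").lower()
        if qname in IOC["c2_domains"] or any(qname.endswith("." + d) for d in IOC["c2_domains"]):
            found.append(Finding("high", "dns", client + " resolved " + qname + " at " + ts))
    return found


def sweep_host(mutexes, file_hashes):
    """mutexes: names of live mutexes; file_hashes: {path: (md5, sha1)} from a disk scan."""
    found = [Finding("high", "mutex", m) for m in mutexes if m == IOC["mutex"]]
    for path, (md5, sha1) in file_hashes.items():
        if md5.lower() == IOC["md5"] or sha1.lower() == IOC["sha1"]:
            found.append(Finding("high", "file", path))
    return found


def run_sample():
    """Constructed records: one host matching the report plus benign noise."""
    registry = [
        (r"HKLM\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874",
         r"C:\Documents and Settings\All Users\Local Settings\Temp\ccudulwm.com\x00"),
        (r"HKLM\software\microsoft\windows\currentversion\Policies\Explorer\Run\90211",
         r"C:\Users\bob\AppData\Local\Temp\qwertyui.exe"),             # same location, different instance
        (r"HKLM\software\microsoft\windows\currentversion\Run\OneDrive",
         r"C:\Program Files\OneDrive\OneDrive.exe"),                    # ordinary Run key, ignored
    ]
    dns = [
        "2015-10-22T09:28:52 192.168.1.1 www.update.microsoft.com A 65.55.50.157",
        "2015-10-22T09:28:53 192.168.1.1 restlesz.su A -",
        "2015-10-22T09:28:53 192.168.1.1 devicesta.ru. A -",
        "2015-10-22T09:30:01 192.168.1.7 www.example.com A -",
    ]
    mutexes = ["3227095050", "Global\\SomeBenignMutex"]
    hashes = {r"C:\malware.exe": ("B7B732F95DFC0CEEBC607594E5D91FAF",
                                  "ec6a854bd41d44dd8616b7cbfb75f54870569ff9")}
    return sweep_registry(registry) + sweep_dns(dns) + sweep_host(mutexes, hashes)


if __name__ == "__main__":
    for f in run_sample():
        print(f.confidence, f.kind, f.detail)
```

Hive names and key paths are normalised before comparison because exported registry data arrives as HKLM or HKEY_LOCAL_MACHINE with arbitrary casing, and the trailing \x00 the sandbox prints is the REG_SZ terminator rather than part of the path; a sweep that compares the literal strings from the report would miss a live infection on both counts.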
