Analysis Date: 2015-02-04 03:24:25
MD5: e45b41539bb08b210d77769653ba6445
SHA1: ecc1911f67946476abbd6f0fb7ff400440aab84c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: fb829372ec3ee0af33f0926f363d7112 sha1: 14778c57cccd85aaaa4b60606e26e6f01653cbc7 size: 24064
Section .rdata md5: bed60c9116dbff6d06b51530a732c0c9 sha1: 6dba0bb21c48c914a32e00be24ec402203667819 size: 5120
Section .data md5: fc40238f44ce66a60a99356986da33b0 sha1: 0928cebfe17822695eba64287aaf0e0b1f0b2028 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 2873fee5d906a44bca0052325a3f8b2c sha1: 52cc1b0c84d5f6021b7a2adee114a32887575f4c size: 10752
Timestamp: 2014-05-11 20:03:42
Version:
LegalCopyright:
FileVersion:
CompanyName:
ProductName:
ProductVersion:
FileDescription:
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 8405784372cc308067bcf55ff7caa784559f1c77
IMPhash: e160ef8e55bb9d162da4e266afd9eef3
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.2089196
AV Alwil (avast): Injector-CDY [Trj]:Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2089196:Trojan.Generic.12023941
AV Authentium: W32/Trojan.FQNZ-3482
AV Avira (antivir): Worm/Gamarue.A.842
AV BullGuard: Trojan.GenericKD.2089196
AV CA (E-Trust Ino): Win32/Gamarue.eXHWdAC
AV CAT (quickheal): Backdoor.Androm.r5
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.2089196
AV Eset (nod32): Generik.IKTVKBL
AV Fortinet: no_virus
AV Frisk (f-prot): W32/Trojan5.KWK
AV F-Secure: Trojan.GenericKD.2089196
AV Grisoft (avg): Inject2.BAZZ
AV Ikarus: Trojan.Win32.Inject
AV K7: Trojan ( 004af9031 )
AV Kaspersky: Backdoor.Win32.Androm.fess
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic BackDoor!b2i
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.GenericKD.2089196
AV Rising: no_virus
AV Sophos: Troj/Bredo-AOL
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_SPNR.38KG14
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsl2.tmp\battler.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\diazos\battler.s
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsl2.tmp\battler.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsl2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse1.tmp
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝
NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\4033585203 ➝
C:\Documents and Settings\All Users\msrhmucm.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝
NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝
NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝
NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: sellincrack.su
Winsock DNS: poppingx.com
Winsock DNS: baggindope.com
Winsock DNS: baggindope.su
Winsock DNS: sellincrack.com

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝
NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\4033585203 ➝
C:\Documents and Settings\All Users\msrhmucm.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝
NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝
NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝
NULL
Creates File: pipe\2600651871
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Winsock DNS: sellincrack.su
Winsock DNS: baggindope.com
Winsock DNS: baggindope.su
Winsock DNS: sellincrack.com

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

DNS: update.microsoft.com.nsatc.net
Type: A
65.55.138.126
DNS: update.microsoft.com.nsatc.net
Type: A
65.54.51.250
DNS: poppingx.com
Type: A
5.149.251.132
DNS: update.microsoft.com
Type: A
DNS: baggindope.su
Type: A
DNS: baggindope.com
Type: A
DNS: sellincrack.su
Type: A
DNS: sellincrack.com
Type: A
HTTP POST: http://poppingx.com/and/gate.php
User-Agent: Mozilla/4.0
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1037 ➝ 65.55.138.126:80
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 5.149.251.132:80

Raw Pcap
0x00000000 (00000)   504f5354 202f616e 642f6761 74652e70   POST /and/gate.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a436f6e   hp HTTP/1.1..Con
0x00000020 (00032)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000030 (00048)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000040 (00064)   6d2d7572 6c656e63 6f646564 0d0a436f   m-urlencoded..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 0d0a486f 73743a20   illa/4.0..Host: 
0x00000080 (00128)   706f7070 696e6778 2e636f6d 0d0a436f   poppingx.com..Co
0x00000090 (00144)   6e74656e 742d4c65 6e677468 3a203734   ntent-Length: 74
0x000000a0 (00160)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000b0 (00176)   206e6f2d 63616368 650d0a50 7261676d    no-cache..Pragm
0x000000c0 (00192)   613a206e 6f2d6361 6368650d 0a0d0a6b   a: no-cache....k
0x000000d0 (00208)   515a6642 574e612b 4a646135 58313448   QZfBWNa+Jda5X14H
0x000000e0 (00224)   6e6e4f36 72646267 6b74434e 6e663850   nnO6rdbgktCNnf8P
0x000000f0 (00240)   35796262 67766e50 6449724d 4f497347   5ybbgvnPdIrMOIsG
0x00000100 (00256)   6a562b39 6d33536a 6857494d 2f47380a   jV+9m3SjhWIM/G8.
0x00000110 (00272)   4c563631 446b343d 0a                  LV61Dk4=.


Strings
 " "0x\
.E
000004e4
!1Aa
#+3;CScs
CompanyName
FileDescription
FileVersion
LegalCopyright
msctls_progress32
MS Shell Dlg
ProductName
ProductVersion
StringFileInfo
SysListView32
Translation
VarFileInfo
VS_VERSION_INFO
*?|<>/":
1]`6>	<
1v~fi\
;2v\ll
=<:2::zetu
3&3iLV
3B0YdWtG
|3J9%c
3-S##p
4ZsB g
55\Fzaf
5do {#
`5|{us
6"-=-/
<#6/v_lK
6Wf(R`n
7#.7.?
)7w~}3
8915qIbA
89Jqxt
8s\r\v
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
AppendMenuA
AP("S3\
?'~^|A|y
BeginPaint
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
... %d%%
@+d+";8
=D9S(b
@.data
D$$+D$
D$,+D$$P
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
_>(>dO
D$(Ph,
DrawTextA
D;rPiX
D$,SPS
~{dzOT
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
f~]-g>:
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FreeLibrary
FS5mTM
f!w3dE
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
g!\,G`
G/Gio~
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
G-v7}j<d
hEprYh
hh	k#;Qh
hMdf0s
http://nsis.sf.net/NSIS_Error
HtVHtHH
HU.]jDR
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
-I+N{*
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
ip=/Qv
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
!j.{GK
JM\iAa
k6AgMV
KERNEL32
KERNEL32.dll
)Ku>Me\+
\%kZZh
lFJ}u(
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
+LUkw2
M3VV,S2"R
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
More information at:
MoveFileA
MoveFileExA
MulDiv
MultiByteToWideChar
my.'Y0
.ndata
NSIS Error
~nsu.tmp
NullsoftInst
NulluN	E
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
PeekMessageA
PostQuitMessage
PPPPPP
qc/2Gl
	-qF[o
Qn8O(+
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemoveDirectoryA
[Rename]
rh7`~$
RichEd20
RichEd32
RichEdit
RichEdit20A
s\8n9"
sB^"JM
ScreenToClient
,S~Eai
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetEnvironmentVariableA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
shMoam
ShowWindow
	:.sL2
softuW
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
suJ= I3
SystemParametersInfoA
!This program cannot be run in DOS mode.
_^[t	P
TrackPopupMenu
#Tw	\'
T.yyjU
U3KPqB
Usa>W8
USER32.dll
%u.%u%s%s
V3;&Jy
,v4*BQ
verifying installer: %d%%
VerQueryValueA
VERSION.dll
v*mpm;
v#VhB+@
)vx(adv#
WaitForSingleObject
WriteFile
WritePrivateProfileStringA
wsprintfA
X4e~-qH
xLo|}R
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
}\x-U+
y{a <JO
!*yhok
|-yUJzZN
,/ZvY^