Analysis Date: 2015-10-05 00:37:22
MD5: 0a15c7fed3f1c9f5601b2504e5c76851
SHA1: edfcadeb64661e907df5e705a49044756d461db1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 85190e8eb1c8d72ebbccf4639eb9421d sha1 1edcbb6cf9e4261af6966e117265392162ba548e size 20480
Section .rdata: md5 856ccaa7d78f278a01048093d6f7c9d5 sha1 6ec8d859481d211bf5bc2a8d2d68d523943c4f60 size 8192
Section .data: md5 4805e103b08e96a4fe517035f700d11c sha1 45574152397be199b10a4cd19d9031883a1d7f26 size 73728
Section .rsrc: md5 2213db7b93a92058a0dc4c93821eccff sha1 e86aaadf14cdff5f5777331c53aa0ad96fd3c4e8 size 61440
Timestamp: 2015-03-26 08:29:35
Version:
  LegalCopyright: Copyright (C) 2014
  InternalName:
  FileVersion: 6.1.7600.16385
  CompanyName: Microsoft Corporation. All rights reserved.
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName:
  SpecialBuild:
  ProductVersion: 6, 1, 7600, 16385
  FileDescription:
  OriginalFilename:

Note: the version resource claims Microsoft Corporation but leaves InternalName, OriginalFilename and FileDescription empty, carries the copyright boilerplate "All rights reserved." inside CompanyName, and pairs the Windows 7 RTM file version 6.1.7600.16385 with a 2014 copyright and a PE timestamp of 2015-03-26. None of that is consistent with a genuine Microsoft build; treat the resource as spoofed and do not let the CompanyName string whitelist the file.

Packer: Microsoft Visual C++ v6.0 (compiler signature)
PEhash: 7a455bf3e32667bd260962ba1a41d317bed38388
IMPhash: 4f3d6df29aed03d098d53c60e71d6007
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.54335
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.54335
AV BullGuard: Gen:Variant.Symmi.54335
AV Padvish: no_virus
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Backdoor.Win32.Gulpix.vir
AV Zillya!: Backdoor.Gulpix.Win32.220
AV Emsisoft: Gen:Variant.Symmi.54335
AV Ikarus: Trojan.Win32.Korplug
AV Frisk (f-prot): W32/Backdoor2.HYZO
AV Authentium: W32/Backdoor.STWT-5492
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.54335
AV Microsoft Security Essentials: Backdoor:Win32/Plugx!rfn
AV K7: Riskware ( 0040eff71 )
AV BitDefender: Gen:Variant.Symmi.54335
AV Fortinet: W32/Gulpix.BJ!tr.bdr
AV Symantec: Backdoor.Korplug
AV Grisoft (avg): BackDoor.Generic19.CAQ
AV Eset (nod32): Win32/Korplug.GZ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.54335
AV Twister: W32.Korplug.GZ.rvmf
AV Avira (antivir): TR/AD.Plugx.M.3
AV McAfee: BackDoor-FCWB!0A15C7FED3F1

Summary: 23 of 31 engines flag the sample. Korplug (ESET, Symantec, Ikarus, Twister) and Gulpix (Kaspersky, Zillya, Fortinet) are vendor aliases for the same family that Microsoft and Avira name Plugx, so the named verdicts agree on PlugX; the Gen:Variant.Symmi entries are a shared BitDefender-engine generic.

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps_user.dat
Creates Process: C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84
Creates Mutex: Fast

Note: the dropper writes a DLL and a companion .dat file to the user's Temp directory and hands the DLL to rundll32.exe, calling its ShadowPlay export with the argument 84. The file name (nvdisps) and export (ShadowPlay) borrow NVIDIA display-driver naming to blend in; the process tree to hunt for is malware.exe ➝ rundll32.exe with a DLL path under Local Settings\Temp.

Process
↳ C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: nvdisps_event
Winsock DNS: 103.237.74.129
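
The rundll32 launch above is the hunting pivot for this sample. The following Python is an added example, not part of the sandbox report: it parses rundll32 command lines the way rundll32 itself does (DLL path up to the first comma, then the export name, then its arguments) and flags a DLL executed out of a user-writable Temp directory. The first command line is copied from the report; the benign command lines and the directory list are constructed for contrast.

```python
"""Triage rundll32 process-creation command lines (added example).

The first command line is taken from the sandbox report above; the others
are constructed to show what a benign launch looks like.
"""
import re

COMMAND_LINES = [
    # From the report: malware.exe -> rundll32.exe loading the dropped DLL.
    r'C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Temp\nvdisps.dll", ShadowPlay 84',
    # Constructed, benign: Control Panel applet launch.
    r'C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL',
    # Constructed, benign: lock-screen shortcut.
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation',
    # Constructed: not a rundll32 launch at all.
    r'C:\Windows\System32\notepad.exe C:\Users\a\Desktop\notes.txt',
]

# Directories a low-privileged user can write to (constructed list); a DLL
# handed to rundll32 from one of these is the signal seen in the report.
USER_WRITABLE_DIRS = (
    "\\local settings\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

_RUNDLL32 = re.compile(r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+(?P<rest>.+)$', re.I)


def parse_rundll32(cmdline):
    """Return (dll_path, export, args) or None when cmdline is not rundll32.

    rundll32 takes the DLL path up to the first comma (a quoted path may
    contain spaces), then the entry point, then everything else as arguments.
    """
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:
        m2 = re.match(r"([^,\s]+)(.*)$", rest)
        if not m2:
            return None
        dll, tail = m2.group(1), m2.group(2)
    tail = tail.lstrip()
    if tail.startswith(","):
        tail = tail[1:].lstrip()
    parts = tail.split()
    export = parts[0] if parts else ""
    return dll, export, parts[1:]


def triage(cmdline):
    """Parse one command line and attach findings (empty for benign launches)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll, export, args = parsed
    low = dll.lower()
    findings = []
    if any(d in low for d in USER_WRITABLE_DIRS):
        findings.append("DLL loaded from a user-writable Temp/ProgramData path")
    if "\\" in dll and not low.startswith(("c:\\windows\\", "c:\\program files")):
        findings.append("DLL path outside %SystemRoot% / Program Files")
    return {"dll": dll, "export": export, "args": args, "findings": findings}


if __name__ == "__main__":
    for line in COMMAND_LINES:
        print(triage(line))
```

Run over Sysmon Event ID 1 or EDR process-creation telemetry, the second finding will also fire on legitimate third-party software, so rank on the Temp-directory finding and use the export name and numeric argument as pivots for the specific sample rather than as generic detections.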

Network Details:

DNS: cc.zzsoft.info
  Type: A
  Answer: 103.237.74.129
HTTP POST: http://103.237.74.129:443/update?id=002e2080
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 103.237.74.129:443

Note: the beacon is plain HTTP sent to TCP/443, not TLS (the Raw Pcap below reads as clear text), so monitoring that treats 443 as opaque TLS will miss it. The C2 is resolved through cc.zzsoft.info but the Host header carries the bare IP, and the request adds the non-standard HSession, HStatus, HSize and HSn headers with an empty body (Content-Length: 0) while declaring HSize 61456. Those headers together with the fixed MSIE 6.0 / Windows NT 5.1 User-Agent are the network signature to alert on for this sample.

Raw Pcap
0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303265 32303830 20485454 502f312e   002e2080 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   48536573 73696f6e 3a20300d 0a485374   HSession: 0..HSt
0x00000040 (00064)   61747573 3a20300d 0a485369 7a653a20   atus: 0..HSize: 
0x00000050 (00080)   36313435 360d0a48 536e3a20 310d0a55   61456..HSn: 1..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b202e4e   ndows NT 5.1; .N
0x000000a0 (00160)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a203130   ; SV1)..Host: 10
0x000000c0 (00192)   332e3233 372e3734 2e313239 0d0a436f   3.237.74.129..Co
0x000000d0 (00208)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x000000e0 (00224)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000f0 (00240)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000100 (00256)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000110 (00272)   0d0a0d0a                              ....
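
The hex dump above is enough to rebuild the beacon byte for byte. The following Python is an added example, not part of the sandbox report: it decodes the dump (checking each line's offset against the bytes read so far), parses the HTTP request, and applies a handful of this example's own heuristics for the traits the capture shows. The dump lines are copied verbatim from the report, the destination port 443 is taken from the Flows line, and the heuristics are illustrative rather than any vendor's signature.

```python
"""Decode the report's Raw Pcap dump and classify the HTTP request (added example)."""
import re

# Copied from the report's Raw Pcap section.
RAW_DUMP = """\
0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303265 32303830 20485454 502f312e   002e2080 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   48536573 73696f6e 3a20300d 0a485374   HSession: 0..HSt
0x00000040 (00064)   61747573 3a20300d 0a485369 7a653a20   atus: 0..HSize:
0x00000050 (00080)   36313435 360d0a48 536e3a20 310d0a55   61456..HSn: 1..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b202e4e   ndows NT 5.1; .N
0x000000a0 (00160)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000b0 (00176)   3b205356 31290d0a 486f7374 3a203130   ; SV1)..Host: 10
0x000000c0 (00192)   332e3233 372e3734 2e313239 0d0a436f   3.237.74.129..Co
0x000000d0 (00208)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x000000e0 (00224)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000f0 (00240)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000100 (00256)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000110 (00272)   0d0a0d0a                              ....
"""

# Custom request headers the capture shows; the detection key for this sample.
BEACON_HEADERS = ("hsession", "hstatus", "hsize", "hsn")


def decode_hexdump(dump):
    """Reassemble bytes from 'offset (decimal)   hex groups   ascii' lines.

    Columns are separated by two or more spaces, hex groups by one; the
    ASCII column is ignored and each line's offset is checked against the
    number of bytes decoded so far, so a corrupted dump fails loudly.
    """
    buf = bytearray()
    for line in dump.splitlines():
        line = line.rstrip()
        if not line:
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=2)
        offset = int(cols[0].split()[0], 16)
        if offset != len(buf):
            raise ValueError("offset %#x does not match %d bytes read" % (offset, len(buf)))
        buf += bytes.fromhex(cols[1].replace(" ", ""))
    return bytes(buf)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, version, headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(req, dst_port):
    """This example's own heuristics for the traits visible in the capture."""
    h = req["headers"]
    hits = []
    if all(name in h for name in BEACON_HEADERS):
        hits.append("custom HSession/HStatus/HSize/HSn headers present")
    if dst_port == 443 and req["version"].startswith("HTTP/"):
        hits.append("cleartext HTTP on TCP/443 (no TLS)")
    if req["method"] == "POST" and h.get("content-length") == "0":
        hits.append("POST with Content-Length: 0")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", h.get("host", "")):
        hits.append("Host header is a bare IP address")
    if re.search(r"[?&]id=[0-9a-f]{8}$", req["path"]):
        hits.append("8-hex-digit id= parameter in the URI")
    return hits


def analyse(dump=RAW_DUMP, dst_port=443):
    """Decode, parse and score one captured request."""
    req = parse_http_request(decode_hexdump(dump))
    return req, beacon_indicators(req, dst_port)


if __name__ == "__main__":
    req, hits = analyse()
    print(req["method"], req["path"], req["version"])
    for name, value in req["headers"].items():
        print("  %s: %s" % (name, value))
    print("indicators:", hits)
```

The parsed headers also surface the mismatch between the declared HSize (61456) and the actual Content-Length (0); whether that field describes the expected response or the encrypted payload of a later exchange cannot be told from this single request, so the example reports both values instead of guessing.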


Strings