Analysis Date: 2015-10-05 12:00:10
MD5: 314bdd0aca91e4249b4701dd9a54e295
SHA1: f0ae6523a6030430cd646a638cb49dab5557148c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 6f9bf6885d26e2ba04a373cdc86a9a3f  sha1: d754a9627f7b356b50b3ac79bb0bed18e5c8fdbf  size: 45056
Section .rdata  md5: 9aa7ddeaf362143eccab7cab42849cc9  sha1: e37685de9f2a64fc2fc63a4b2fb074dd8b145f7b  size: 20992
Section .data  md5: 2483264bf684772710ebfddcf9e911da  sha1: 76c5cd905a22bc6447a04bfe0479b4e7bba41861  size: 15360
Section .rsrc  md5: 31bc5ba38ed96d34676813a6c227f071  sha1: 012ab527f0eab328e730bbb155504282eccdaaa2  size: 512
Section .text  md5: c7086cce1310c9f35e2075dcbc8dda6d  sha1: e27ed1597fdcd9ebd3c5a84af4c60e54fb5357a0  size: 64512
Timestamp: 2013-04-14 15:26:03
Pdb path: c:\rail\lot\and\meat\name\For\port\villagestore.pdb
PEhash: a9edb776c04f5f238962bc8b94defea092d63ea2
IMPhash: 0c7c7eb1ac4729e480cc1db17f22f7e0
AV CA (E-Trust Ino): Win32/Ramnit.C
AV Rising: Win32.Mgr.a
AV Mcafee: W32/Ramnit.a
AV Avira (antivir): W32/Ramnit.C
AV Twister: Virus.60E8000000005D8BC5.mg
AV Ad-Aware: Trojan.Gamarue.CF
AV Alwil (avast): RmnDrp:Win32:RmnDrp
AV Eset (nod32): Win32/Ramnit.H virus
AV Grisoft (avg): Win32/Zbot.G
AV Symantec: W32.Ramnit.B!inf
AV Fortinet: W32/Ramnit.C
AV BitDefender: Trojan.Gamarue.CF
AV K7: Virus ( 002fe95d1 )
AV Microsoft Security Essentials: Virus:Win32/Ramnit.I
AV MicroWorld (escan): Trojan.Gamarue.CF
AV MalwareBytes: no_virus
AV Authentium: W32/Ramnit.D
AV Frisk (f-prot): W32/Ramnit.D
AV Ikarus: Trojan.Inject
AV Emsisoft: Trojan.Gamarue.CF
AV Zillya!: Virus.Nimnul.Win32.1
AV Kaspersky: Virus.Win32.Nimnul.a
AV Trend Micro: PE_RAMNIT.DEN
AV CAT (quickheal): W32.Ramnit.BA
AV VirusBlokAda (vba32): SScope.Trojan.CLR.2407
AV Padvish: Virus.Win32.nimnul.a
AV BullGuard: Trojan.Gamarue.CF
AV Arcabit (arcavir): Trojan.Gamarue.CF
AV ClamAV: W32.Ramnit-1
AV Dr. Web: BackDoor.Andromeda.178
AV F-Secure: Trojan.Gamarue.CF

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\f0ae6523a6030430cd646a638cb49dab5557148cmgr.exe
Creates Process: C:\f0ae6523a6030430cd646a638cb49dab5557148cmgr.exe
Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\f0ae6523a6030430cd646a638cb49dab5557148cmgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bebb_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1144 -e 132 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 176

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\cczcftq.pif\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\cczcftq.pif
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: 3227095050

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 176

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1144 -e 132 -g

Network Details:

DNS: www.update.microsoft.com.nsatc.net  Type: A  ➝ 65.55.50.157
DNS: www.update.microsoft.com.nsatc.net  Type: A  ➝ 65.55.50.190
DNS: hzmksreiuojy.in  Type: A  ➝ 195.22.28.197
DNS: hzmksreiuojy.in  Type: A  ➝ 195.22.28.198
DNS: hzmksreiuojy.in  Type: A  ➝ 195.22.28.199
DNS: hzmksreiuojy.in  Type: A  ➝ 195.22.28.196
DNS: hzmksreiuojy.ru  Type: A  ➝ 52.28.249.128
DNS: hzmksreiuojy.com  Type: A  ➝ 52.28.249.128
DNS: hzmksreiuojy.biz  Type: A  ➝ 52.28.249.128
DNS: hzmksreiuojy.nl  Type: A  ➝ 176.58.104.168
DNS: www.update.microsoft.com  Type: A  (no answer recorded)
HTTP POST: http://8.8.8.8/xxxxxxxxx.php  User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.in/ldr.php  User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.ru/ldr.php  User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.com/ldr.php  User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.biz/ldr.php  User-Agent: Mozilla/4.0
HTTP POST: http://hzmksreiuojy.nl/ldr.php  User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.157:80
Flows TCP: 192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 195.22.28.197:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1038 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1040 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1042 ➝ 176.58.104.168:80
