Analysis Date: 2016-11-15 09:30:56
MD5: c5c4ed2fdde7623e4832aabc691c9977
SHA1: f278914cad8d6bf469211cad1f90fc6b05bfd4c6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a3e1ce6e0f137852446165856a8e7045 sha1: 065709db243457d504a0cd1baf1253d54b9da3df size: 19456
Section .data: md5: f859f3e20b63fac333f0da1cfcaef96c sha1: 4e7e9f1e381b3d29223c6d529543120d9bb27a6f size: 2048
Section .xcpad: md5: sha1: size:
Section .idata: md5: sha1: size:
Section .reloc: md5: sha1: size:
Section .rsrc: md5: c56c8b813e9c244f0064febc3beb8e08 sha1: 8d896befe537b098749031dc876acd959d995435 size: 67072
Timestamp:
Version LegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer: Installer VISE Custom
PEhash:
IMPhash: de1d6cbe23c278509e0a7f5966a20354
AV detections (vendor: detection name):
360 Safe: Worm.Win32.Gamarue.V
Ad-Aware: Gen:Variant.Symmi.22996
Alwil (avast): ?
Arcabit (arcavir): Gen:Variant.Symmi.22996
Authentium: W32/A-49bf794c!Eldorado
Avira (antivir): TR/Rogue.22761
BitDefender: Gen:Variant.Symmi.22996
BullGuard: Gen:Variant.Symmi.22996
CA (E-Trust Ino): Gen:Variant.Symmi.22996
CAT (quickheal): Worm.Gamarue.B
ClamAV: Win.Trojan.Downloader-61798
Dr. Web: BackDoor.Andromeda.178
Emsisoft: Gen:Variant.Symmi.22996
Eset (nod32): Win32/Injector.AIOX
F-Secure: Trojan-Downloader:W32/Wauchos.F
Fortinet: W32/Kryptik.BBYD!tr
Frisk (f-prot): No Virus
Grisoft (avg): Dropper.Generic8.BBQY
Ikarus: Trojan-Downloader.Win32.Andromeda
K7: Trojan ( 0043b77a1 )
Kaspersky: Trojan.Win32.Generic
MalwareBytes: Trojan.Agent
Mcafee: Downloader-FOS!C5C4ED2FDDE7
MicroWorld (escan): Gen:Variant.Symmi.22996
Microsoft Security Essentials: Worm:Win32/Gamarue.AJ
Padvish: No Virus
Rising: Trojan.Win32.Read.a
SUPERAntiSpyware: Trojan.Agent/Gen-Dofoil
Symantec: Downloader.Dromedan
Trend Micro: WORM_GAMARUE.SMJ
Twister: Trojan.D875EDBFBC8E8805
VirusBlokAda (vba32): SScope.Worm.Gamarue.2713
Windows Defender: Worm:Win32/Gamarue.AJ
Zillya!: Downloader.Andromeda.Win32.3263

Runtime Details:

Process:
↳ C:\f278914cad8d6bf469211cad1f90fc6b05bfd4c6.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest

Network Details:



Strings
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
LoadLibraryA
GetProcAddress
GetTickCount
GetModuleFileNameA
KERNEL32.dll
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
WriteFile
VirtualAlloc
HeapReAlloc
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
}Svo}Gbtu}MpbeMjcsbszB}ouemm/emm}xjojofu/emm}pmf43/emm}tifmm43/emm}HfuNpevmfIboemfB}XsjufQspdfttNfnpsz}DsfbufQspdfttX}TfuUisfbeDpoufyu}HfuUisfbeDpoufyu}SftvnfUisfbe}GjoeSftpvsdfB}MpbeSftpvsdf}Tj{fpgSftpvsdf}WjsuvbmBmmpdFy}OuVonbqWjfxPgTfdujpo}DpoujovfEfcvhFwfou}XbjuGpsEfcvhFwfou}SfbeQspdfttNfnpsz}DsfbufUppmifmq43Tobqtipu}Npevmf43Gjstu}PvuqvuEfcvhTusjohB}DmptfIboemf}FyjuQspdftt}HfuDvssfouQspdftt}DsfbufUisfbe}XbjuGpsTjohmfPckfdu}TfuGjmfBuusjcvuftX}JoufsofuPqfoB}JoufsofuPqfoVsmB}JoufsofuSfbeGjmf}EfmfufVsmDbdifFousz}JoufsofuDmptfIboemf}HmpcbmGsff}HmpcbmBmmpd}TfuVoiboemfeFydfqujpoGjmufs}NvmujCzufUpXjefDibs}TIHfuTqfdjbmGpmefsQbuiX}DpJojujbmj{f}DpDsfbufJotubodf}mtusdqzX}mtusdbuX}HfuNpevmfGjmfObnfX
Read
kernel32.dll
GetProcAddress