Analysis Date: 2015-02-04 03:27:39
MD5: 9825d78ce7204b02727b80d4e662fcc9
SHA1: fadea8ce6afbf2ef91292ff0fd3ba9661e216ae2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: e50f4a1111bafdc813b1f7ec153b8ea9 sha1: d76ecf708f8d7fa01b6b2b67d87d5f51c3cdbd48 size: 23552
Section.rdata md5: 640f709ec19b4ed0455a4c64e5934d5e sha1: d6d6f4b1df06241f6513312657979c184006a044 size: 4608
Section.data md5: 54c75104a38a6f79dc7a8d3b020a9139 sha1: 27a00068376a93d3d30f81f065267042898dfdbb size: 1024
Section.ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the MD5/SHA1 of empty input, consistent with the zero raw size)
Section.rsrc md5: 004c6a537c806e81eaeb232452d1ac4c sha1: a47e19d91c675e5c56c88b597d1a6709261a7742 size: 8192
Timestamp: 2014-11-15 11:35:01
Version info:
LegalCopyright: © 2008-2014 TeamSpeak Systems GmbH
FileVersion: 3.0.16.2
CompanyName: TeamSpeak Systems GmbH
ProductName: TeamSpeak 3 Client
ProductVersion: 3.0.16.2
FileDescription: TeamSpeak 3 Client
Note: the VS_VERSION_INFO resource is set by whoever built the file and is not evidence of origin; no Authenticode signature is reported here, and the detections and runtime behaviour below do not match a legitimate TeamSpeak client installer.
Packer: Nullsoft PiMP Stub -> SFX
PEhash: bd0cc7366ee60c62365cc166daecbcaac762505a
IMPhash: e160ef8e55bb9d162da4e266afd9eef3
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Nsis.Androm.4:Trojan.Generic.12224992
AV Alwil (avast): Malware-gen:Trojan-gen:Win32:Malware-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Trojan.Nsis.Androm.4_Trojan.Generic.12224992:Trojan.Generic.12224992
AV Authentium: W32/Trojan.RPPJ-0388
AV Avira (antivir): TR/Fareit.A.416
AV BullGuard: Trojan.Nsis.Androm.4:Trojan.Generic.12224992
AV CA (E-Trust Ino): Win32/Tnega.XAXB!suspicious
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Nsis.Androm.4:Trojan.Generic.12224992
AV Eset (nod32): Win32/Injector.BPMT
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Ransomer.DTZ
AV Ikarus: Trojan.Win32.Inject
AV K7: Trojan ( 004b104b1 )
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.ZBAgent.NS
AV Mcafee: RDN/Ransom!em
AV Microsoft Security Essentials: Ransom:Win32/Denisca.A
AV MicroWorld (escan): Trojan.Nsis.Androm.4[ZP]
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
Summary: 16 of the 29 engines listed flag the sample; the names cluster on an NSIS-packed dropper/injector (Nsis.Androm, Injector, Inject), with several vendors naming a Fareit/ransom payload. Detections are as of the analysis date and will have changed since.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsm2.tmp\rhinoceroses.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rhinoceroses.ttw
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsm2.tmp\rhinoceroses.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsc1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsm2.tmp
Creates Process: C:\malware.exe
Note: the NSIS stub extracts a plugin DLL (rhinoceroses.dll) into its nsXX.tmp working directory, runs it, removes it, and re-launches itself; the temporary DLL is the stage worth recovering from the sandbox if the packed payload is needed.

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\UpdSysDrvNamxz ➝ vulobeni.exe
Creates Process: svchost.exe
Note: this svchost.exe is spawned by the sample itself, not by services.exe, and it is the process that goes on to write the Run key and launch wmic below — consistent with the Injector/Inject detection names, though the report does not show the injection technique directly.

Process
↳ svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdSysDrvX32z ➝ "C:\Documents and Settings\Administrator\Application Data\UpdSysDrv32Xz\vulobeni.exe"
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\UpdSysDrv32Xz\vulobeni.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Process: wmic.exe nicconfig where IPEnabled=true call SetDNSServerSearchOrder (37.10.116.208,8.8.4.4)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bokdajy.pw
Notes for responders: (1) Persistence is a per-user Run value (UpdSysDrvX32z) pointing at a copy of the sample under %APPDATA%\UpdSysDrv32Xz\vulobeni.exe, and the original file is deleted afterwards — look for the copy, not the dropped filename. (2) The wmic call rewrites the DNS server search order on every IP-enabled adapter to 37.10.116.208 first and 8.8.4.4 second; because this is a host configuration change rather than a process, it survives killing the malware and must be reverted explicitly during cleanup, and 37.10.116.208 should be treated as an indicator. (3) The WinINet cache/history/cookie index.dat files and mutexes indicate the process used WinINet (IE) networking, which is why the ProxyEnable key is read.

Process
↳ wmic.exe nicconfig where IPEnabled=true call SetDNSServerSearchOrder (37.10.116.208,8.8.4.4)

RegistryHKEY_CURRENT_USER\SOFTWARE\\Microsoft\\Wbem\\WMIC\WMICLC ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Wbem\\WMIC\mofcompstatus ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\Autorecover MOFs timestamp ➝
130675137477968750\\x00
Creates File: C:\WINDOWS\system32\WBEM\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp4.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp3.tmp
Creates File: C:\WINDOWS\system32\WBEM\Logs\mofcomp.log
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp3.tmp
Note: the AutoRecover .mof and mofcomp.log writes are side effects of wmic.exe initialising the WMI repository on first use in this sandbox image; nothing here shows a malicious MOF being compiled, so they should not be read as a WMI-subscription persistence mechanism without further evidence.

Network Details:

DNS: bokdajy.pw (Type: A)
Note: only the query is recorded; no resolved address, response or follow-on connection appears in this report, so the domain's role (C2, download or check-in) cannot be confirmed from this run alone.

Raw Pcap

Strings
 " "0x\
E
000004e4
 2008-2014 TeamSpeak Systems GmbH
3.0.16.2
3f333
CompanyName
fff3f
FileDescription
FileVersion
LegalCopyright
msctls_progress32
MS Shell Dlg
ProductName
ProductVersion
StringFileInfo
SysListView32
TeamSpeak 3 Client
TeamSpeak Systems GmbH
Translation
VarFileInfo
VS_VERSION_INFO
*?|<>/":
00\Mpv
10Xn1Y
{>1sGo
1Z%`=2
1`?Z3~
=2bjtun
-2[\E[
2kjfNo2
3H<)<K
3O/ady
@3r;0F
3".RuE+9
4s-Sjgb
(51N9"
6L_lT}
,&6l M
7j=ZId
7T;rmz
80"tO|1
 ~<85F
,*(9	W
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
A'G}1- 
:AHaCc
AppendMenuA
AvG&Wl
AZsQr~
b1S]xj
=?b6,i
>,)/b8
Bb8RQA
BeginPaint
Bi?,2V
BP^D6X#
bqtN}-a
^>*(c=
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
Cl9egQ|
CloseClipboard
CloseHandle
CoCreateInstance
+cok~3
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
Cwv"q 
... %d%%
+;dA4n
@.data
D$$+D$
D$,+D$$P
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
D)=:&Jv
dLLeAS
D$(Ph,
dQq`Kak
DrawTextA
D$,SPS
,dXD?P
E9 m+S
e`?Eg)
'E@/*g
~e%;JzNh:
e.#^K9o
EL>0~A
;:eM{{B
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
ephH  
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
/	Euh[
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
F1>eBU
f5SjOn
fF)"*S
ffWx^&
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FreeLibrary
$.fUj0
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
G(j`+ 
GJ;Xah
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
.gn/DQ]
guq}kK
gZVx>FY*
H2H7V/j
H#EzUa
\H+F_r
,Hg\Z9
hlArF$M
hn5z#b
http://nsis.sf.net/NSIS_Error
i=cqpF=
IHN,N=)
ild5PG
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
Iy"h4p
[Jb:b$6
\}	"jIs
"Jm*s|
\j+}n;I2D
j,% _q
jQ'T%$
JY6}B@GO
\JyN//W
k7mgMV
KERNEL32
KERNEL32.dll
|`KH=T
K&x!&|t_
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
MessageBoxIndirectA
MGGuH 
}M^i04
\Microsoft\Internet Explorer\Quick Launch
More information at:
MoveFileA
MoveFileExA
MulDiv
MultiByteToWideChar
.ndata
niP}i"
NSIS Error
~nsu.tmp
NullsoftInstH
NulluN	E
NYe4eq
" o7$r@k
oA2}{r
OhMMO,
!oj^_O
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
ot0-v5
O=xb9J
|PDF3A
p@dv#^
PeekMessageA
PostQuitMessage
PPPPPP
ppv"0_'
pS+@Z]
'pT+>O
q>a9P9
qEjEUm
Q&,\r9x
qu-e/t
{)_r9?
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemoveDirectoryA
[Rename]
rf4Z9b
RichEd20
RichEd32
RichEdit
RichEdit20A
<R$m%=
rm5ZLj
R	u;x;{E
R	xJKu&
S92ml<n0
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetEnvironmentVariableA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
softuW
Software\Microsoft\Windows\CurrentVersion
=@S)Pc+K
SQSSSPW
-_sW#S
SystemParametersInfoA
!This program cannot be run in DOS mode.
_^[t	P
TrackPopupMenu
Trq`Y|o
Tssq+t
u49-L7B
{U;g_2HpO
ukdAtrk
UnRLa+
USER32.dll
US	]?v[g
%u.%u%s%s
U@Zig"
verifying installer: %d%%
VerQueryValueA
VERSION.dll
v#VhB+@
|v^'Za
WaitForSingleObject
WriteFile
WritePrivateProfileStringA
wsprintfA
:-/]w;v
X5n<vr=
X6QKJ~bk
x|@l(ji
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
X.-nD>
x,o2/Y'
x&O6,ZVf
+X."Po
X>	#q/
X~U[|ieKk
Y...........
~Y0?x~
y=b]gl
y'^gH"cU~|R
YG#Y{7T
yHwi*7 
YYYYYYYYYYY
y[Zd0mV
_z6E{Y3
&z`bmG
Z`?O[l(