Analysis Date: 2015-06-12 11:27:10
MD5: 6d34219ea15c7e2a9efcfc3978f84f8a
SHA1: fbf368b96966b9dd0680a568dd7c92a3b65e483a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5bbfef51e84b1c10b5579bbfa9726b24 sha1: 3e6befe7d71c88e8bdcfdb19283033af37f6da6c size: 151552
Section .rdata md5: de4127e924bc65504abdb1c04049ade2 sha1: 587c2523a6f46a0efd6e9f501ec5ea8379357ae0 size: 8192
Section .data md5: 42acee3d2b92d09bbc7228e5b20980e3 sha1: ead3e0f814286075745db4e1a074c73a2512e6be size: 12288
Section .rsrc md5: b299131810d7603ce2bc3d295f85e03a sha1: 3dc1ad60f23d1edcc361389d244e03ecfb611d28 size: 4096
Timestamp: 2029-12-09 18:23:04
Packer: Microsoft Visual C++ v6.0
PEhash: fa4c0e6fe3ff7ba9d172d4e78c8f98328be774c8
IMPhash: f6c5434741fbbe48ba3c47fdd6c01a3d
AV CA (E-Trust Ino): Win32/Carberp.CAWZCWB
AV F-Secure: Trojan.Generic.12521713
AV Dr. Web: Trojan.DownLoad3.35231
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Generic.12521713
AV BullGuard: Trojan.Generic.12521713
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Packed.Win32.Krap.ae
AV Zillya!: no_virus
AV Emsisoft: Trojan.Generic.12521713
AV Ikarus: Packer.Win32.Krap
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.ZYOY-8923
AV MalwareBytes: Trojan.Agent.EOPEGen
AV MicroWorld (escan): Trojan.Generic.12521713
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV K7: Trojan ( 004b3d451 )
AV BitDefender: Trojan.Generic.12521713
AV Fortinet: W32/Krap.AE!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Crypt3.BRWF
AV Eset (nod32): Win32/Kryptik.CUZP
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Generic.12521713
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen4
AV Mcafee: RDN/Generic.dx!d2r
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150110\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET http://5.154.230.67:16493/stat?uid=100&downlink=1111&uplink=1111&id=00016B86&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
HTTP GET http://173.199.177.172:31780/stat?uid=100&downlink=1111&uplink=1111&id=00017F4D&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
HTTP GET http://70.32.107.132:19796/stat?uid=100&downlink=1111&uplink=1111&id=000192E4&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
HTTP GET http://109.104.94.2:11754/stat?uid=100&downlink=1111&uplink=1111&id=0001A67C&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
HTTP GET http://188.241.11.246:35535/stat?uid=100&downlink=1111&uplink=1111&id=0001BA13&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
HTTP GET http://184.154.33.154:30351/stat?uid=100&downlink=1111&uplink=1111&id=0001CDBB&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
HTTP GET http://188.138.90.41:49996/stat?uid=100&downlink=1111&uplink=1111&id=0001E152&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
HTTP GET http://173.199.177.172:31780/stat?uid=100&downlink=1111&uplink=1111&id=0001F4EA&statpass=bpass&version=15150110&features=30&guid=58c56317-1417-4d3f-9d91-ad770e78b81e&comment=15150110&p=0&s=
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 5.154.230.67:16493
Flows TCP 192.168.1.1:1031 ➝ 5.154.230.67:16493
Flows TCP 192.168.1.1:1032 ➝ 173.199.177.172:31780
Flows TCP 192.168.1.1:1033 ➝ 70.32.107.132:19796
Flows TCP 192.168.1.1:1034 ➝ 109.104.94.2:11754
Flows TCP 192.168.1.1:1035 ➝ 188.241.11.246:35535
Flows TCP 192.168.1.1:1036 ➝ 184.154.33.154:30351
Flows TCP 192.168.1.1:1037 ➝ 188.138.90.41:49996
Flows TCP 192.168.1.1:1038 ➝ 173.199.177.172:31780

Raw Pcap

Strings