Analysis Date: 2015-11-18 21:29:32
MD5: 2ce811ee8e55170695a06e6f625cfb40
SHA1: fd9ffc8e8151bcc32baf92e2041699e4c046167f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 909f71dd1585f984893ceaa661a6bb1f sha1: 27286dd7cb640d1a836ffaf0fc1da8a79b1514af size: 24576
Section .rdata: md5: 821a48e1631120793c31e8782b09b0f6 sha1: 0a77cda32266084dcf573cd66c5499daa5ce6409 size: 4096
Section .data: md5: d1c4fb5c3eb73fb76988214fd24ab350 sha1: 7267e8189ec97230b5ffbbb3b9d75aee92b831ed size: 12288
Section .rsrc: md5: 1c2b7d69acdc88f3ab03621bb6be1101 sha1: d6e980a95209533f0fc53da7e26d247ddaef62fd size: 36864
Timestamp: 2013-08-30 06:46:14
Version:
LegalCopyright: Rebiz
InternalName: Zifon
FileVersion: 6, 2, 4, 4
CompanyName: Nilem
PrivateBuild: Efendir
LegalTrademarks: Akamer
Comments: Jetar
ProductName: Lapor
SpecialBuild: Sipes
ProductVersion: 3, 2, 5, 6
FileDescription: Baler
OriginalFilename: Dabuz
Packer: Installer VISE Custom
PEhash: 619e4f8b7cb97dd0fd1dd68e5542a7a202fad4c8
IMPhash: 5fe5ebb86d2ac164edc530f21cf2b4e8
AV Rising: Trojan.DL.Win32.Wauchos.b
AV McAfee: PWSZbot-FEF!2CE811EE8E55
AV Avira (antivir): TR/Spy.ZBot.ppfx.1
AV Twister: Trojan.192297F624E8CB0E
AV Ad-Aware: Trojan.Gamarue.CJ
AV Alwil (avast): Downloader-UGC [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Grisoft (avg): PSW.Generic11.CJKF
AV Symantec: Trojan.Gen
AV Fortinet: W32/Injector.ALYX!tr
AV BitDefender: Trojan.Gamarue.CJ
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue.F
AV MicroWorld (escan): Trojan.Gamarue.CJ
AV MalwareBytes: Trojan.Email.Bot
AV Authentium: W32/A-29b5cead!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Backdoor.Win32.Androm
AV Emsisoft: Trojan.Gamarue.CJ
AV Zillya!: Trojan.Injector.Win32.211625
AV Kaspersky: Trojan-Downloader.Win32.Injecter.jno
AV Trend Micro: WORM_GAMARUE.SMJ
AV CAT (quickheal): Worm.Gamarue.A4
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183
AV Padvish: Worm.Win32.Gamarue.MS11
AV BullGuard: Trojan.Gamarue.CJ
AV Arcabit (arcavir): Trojan.Gamarue.CJ
AV ClamAV: Win.Trojan.Gamarue-25
AV Dr. Web: BackDoor.Andromeda.178
AV F-Secure: Trojan.Gamarue.CJ
AV CA (E-Trust Ino): Win32/Gamarue.IJ

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wupdmgr.exe

Process
↳ C:\WINDOWS\system32\wupdmgr.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\ccfqvc.com\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccfqvc.com
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 191.232.80.55
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.189
DNS: www.update.microsoft.com (Type: A)
DNS: restless.su (Type: A)
DNS: pacifista.ru (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 191.232.80.55:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53

Strings