Norassie | Joachim De Zutter
March 2018

Filesize: 1743058
SHA256: 8f0950dec254dd7d15897c0fea557c21e334bce404c2acfaa1b1291c2eda901d
SHA1: ef229e23512633aa1b173f2cedfc25ce4988bc8c
MD5: 7a01eeed73e0988289920efb3031fe1b
https://www.virustotal.com/#/file/8f0950dec254dd7d15897c0fea557c21e334bce404c2acfaa1b1291c2eda901d

String found in memory during dynamic analysis (a URL-encoded set of host-profiling parameters: machine and user identifiers, MAC address, OS version, VM/debugger/UAC/admin status, hardware and browser details):

AC=Norassie&PrID=Norassie&PrSub=Norassie&RS=S&TK=738805&tpl=8516&UpTimeMins=12&isDebugged=0&RepCnt=1&UID=525400C918278BD2&UIDNEW=525400C918278BD2&MGUID=31d23633-a492-4347-95ea-a6b57780e3fb&MSID=842925246-1303643608-113007714&USID=S-1-5-21-842925246-1303643608-113007714-500&SIDUID=323E04BE4DB405D806BC5C62F06B8BD2&MAC_L=AMD%20PCNET%20Family%20PCI%20Ethernet%20Adapter%20-%20Packet%20Scheduler%20Miniport%3A525400C91827%3A10.0.2.15%3A6%3A1&SDT=20180321110002228&VMC=GGL&isVMDef=1&PE_MODE=DLL&lit=736781&idsc=7&DEP_MOD=2&isUacOn=1&uac_lvl=-1&isAdmin=1&isUserAdmin=1&isSessionUser=1&RName=C%3A%5CDocuments%20and%20Settings%5CAdministrator%5CDesktop%5Cquarantine%5C8f0950dec254dd7d15897c0fea557c21e334bce404c2acfaa1b1291c2eda901d.exe&imgArgs=&token=&OSLang=en&OSPlat=1&OSVer=5.1&isWinSrvr=0&OSVerErr=0&OSSPVer=3&OSBuild=2600&OSFullVer=5.1.0.2600.0&OSName=Microsoft%20Windows%20XP&OSx64=0&isRemoteSession=0&IsMousePresent=1&PPN=cmd.exe&imgDT=20180321104744000&imgSZ=1743058&pid=1652&CheckSum=0&isProxy=0&isVpn=0&vpnInfo=&sys_bios=BOCHS%20%20-%201&sys_manf=&sys_prod=&cpu_name=QEMU%20Virtual%20CPU%20version%202.5%2B&cpu_logCores=1&sys_volID=F06B8BD2&cpuid_name=QEMU%20Virtual%20CPU%20version%202.5%2B&cpuid_pid=0781ABFD00000663&winID=eec87ee684eab692d3c7e8ef4da3581d&HostParamsMS=5438&mdl_ttl=50&mdl_codes=&mdl_names=&mdl_dbver=13&prc_codes=&prc_names=&prc_dbver=16&prc_num=19&MemPhA=821&MemPhT=1023&MemVirA=1971&MemVirT=2047&KernelVer=7.43.3.7045&IRVER=7.43&BRW=IEXPLORE.EXE&IEVer=8.0.6001.18702&BRW_CERT=Microsoft%20Corporation&RR=2&CarrierName=&CHNL=&PadTotal=6325&PadSize=0&PadVer=4&c_ver=1.0.7.53908&_makeDate=20180310004502322&_makerVer=3.21.3.7150&_isDbg=0&iHostVer=5.19&bHostVer=8.01&hostBuild=7045&svnRev=89643&svnPath=%5CDownloaders%5CNorassie%5CNorassie%5Ctrunk%5CRelease_Unsigned_water.ini&tmpDirSts=1&scr_MonCnt=1&gpu_names=,NetMeeting%20driver,RDPDD%20Chained%20DD&scr_HSzMM=320&scr_VSzMM=240&scr_HRes=800&scr_VRes=600&scr_dpi=96

The sample then sent an HTTP POST request carrying encrypted data to portal.cetiweniy-fun.com via WININET.DLL!HttpSendRequestA.