Analysis Date: 2015-09-15 18:46:57
MD5: 0164c2fa9383168b95a1e9b086fbb64b
SHA1: 03cae8ea9777a5eda1b68124bbdb17c8b009a903

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 84bf3314084a9cc9ee881ff3d17d34ea sha1: 1130f68cfa4daed4bbb8c97eaf367f8e680bbae8 size: 4096
Section .rdata: md5: e427ae3b8eec09decfe18c9fbd73cd1a sha1: ff830f78534333ed57c3d336cfeb07bf1032e720 size: 2560
Section .data: md5: 4925f0b46d0228a2b03540db87308674 sha1: 6ad221082e802ac83526481cc69bfec1f06778bc size: 512
Section .rsrc: md5: ec1b3b60a57cd01c30be4cdcfa39b47d sha1: 24bec424d5dc15eae8ed3e1786360ce2a109294b size: 10240
Timestamp: 2014-01-16 08:44:12
Packer: Microsoft Visual C++ 5.0
PEhash: 8a38f1635c5039d239b518a820e1854a1ce452cc
IMPhash: c626dccf7fb6f72d572fabe34daf0ccc
AV Rising: no_virus
AV CA (E-Trust Ino): Win32/Upatre.JKdQLED
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV Dr. Web: Trojan.DownLoad3.28161
AV ClamAV: Win.Trojan.Zbot-33468
AV Arcabit (arcavir): Trojan.Downloader.Zbot.F
AV BullGuard: Trojan.Downloader.Zbot.F
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Bublik
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV Trend Micro: TROJ_UPATRE.SMBX
AV Kaspersky: Trojan.Win32.Bublik.burg
AV Zillya!: Trojan.Bublik.Win32.12899
AV Emsisoft: Trojan.Downloader.Zbot.F
AV Ikarus: Trojan-Spy.Zbot
AV Frisk (f-prot): W32/Trojan3.HED
AV Authentium: W32/Trojan.OBJT-4628
AV MalwareBytes: Spyware.Zbot
AV MicroWorld (escan): Trojan.Downloader.Zbot.F
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV K7: Trojan-Downloader ( 0040f7f11 )
AV BitDefender: Trojan.Downloader.Zbot.F
AV Fortinet: W32/Waski.A!tr
AV Symantec: Downloader.Upatre
AV Grisoft (avg): Downloader.Generic13.BUKD
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Alwil (avast): Zbot-TCT [Trj]
AV Ad-Aware: Trojan.Downloader.Zbot.F
AV Twister: Trojan.E4676C3B69A95DDF
AV Avira (antivir): TR/Yarwi.B.130
AV Mcafee: Downloader-FSH!0164C2FA9383

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\codecupdate.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\codecupdate.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\codecupdate.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: gwentpressurewashers.co.uk
Winsock DNS: architectureschoolswiki.com

Network Details:

DNS: gwentpressurewashers.co.uk
Type: A
64.50.166.122
DNS: architectureschoolswiki.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1032 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1033 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1034 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1035 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1036 ➝ 64.50.166.122:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings