Analysis Date: 2016-01-27 17:49:15
MD5: 56dc54b7ae9d3ecf91f0284ffea67826
SHA1: 107f96e56f468d9e848514e602c9ea89b3ead002

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a5285a5dd876024394fb8a9f6ef952b4 sha1: 385bf64e015b15df81fd48d01693057561aadd43 size: 7168
Section .data: md5: 16978ed5f570a567bc78a2b6468d5883 sha1: dac0ad2cb0e0c55af2c5cda1c5a2000cd3268fc8 size: 12288
Section rsrc6: md5: 151c23f574e16c18eccde417cfe48449 sha1: 217f73fac3750a580da91a9b4242ae22af502892 size: 27136
Timestamp: 1997-10-25 21:15:36
PEhash: 8b3d3367ff46ffc008814d91d9ed448f2b42093a
IMPhash: 1a82bbeeca5d8a93b74a0b00a0764b1d
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Upatre-FACE!56DC54B7AE9D
AV Avira (antivir): TR/Crypt.Xpack.154688
AV Twister: Trojan.DOMG.hhhl
AV Ad-Aware: Trojan.Upatre.DG
AV Alwil (avast): Upatre-N [Trj]
AV Eset (nod32): Win32/Kryptik.DNDR
AV Grisoft (avg): Crypt4.AZUJ
AV Symantec: Downloader.Upatre!gen9
AV Fortinet: W32/Waski.F!tr
AV BitDefender: Trojan.Upatre.DG
AV K7: Trojan ( 004c6a681 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV MicroWorld (escan): Trojan.Generic.15574844
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Trojan3.QML
AV Frisk (f-prot): W32/Trojan3.QML
AV Ikarus: Trojan-Downloader.Win32.Waski
AV Emsisoft: Trojan.Upatre.DG
AV Zillya!: Trojan.Kryptik.Win32.745375
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UPATRE.SMJU
AV CAT (quickheal): TrjnDwnlder.Upatre.MUE.BC3
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Hlux
AV BullGuard: Trojan.Upatre.DG
AV Arcabit (arcavir): Trojan.Upatre.DG
AV ClamAV: Win.Trojan.Upatre-5676
AV Dr. Web: Trojan.DownLoader15.42594
AV F-Secure: Trojan.Upatre.DG

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\amourdid.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\amourdid.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\amourdid.exe

Network Details:

DNS: icanhazip.com
Type: A
45.32.200.23
DNS: icanhazip.com
Type: A
104.238.162.182
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.36 (KHTML, like Gecko) Chrome/43.0.2457.82 Safari/538.36
HTTP GET: http://93.93.194.202:13232/201/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.36 (KHTML, like Gecko) Chrome/43.0.2457.82 Safari/538.36
HTTP GET: http://93.93.194.202:13232/201/COMPUTER-XXXXXX/41/1/2/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.36 (KHTML, like Gecko) Chrome/43.0.2457.82 Safari/538.36
