Analysis Date: 2016-01-06 04:05:13
MD5:  cccfee2a111d868072a2ef77dff87a19
SHA1: 13079c79cd2d469a7b43773190cd0a07eeaf0071

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sections:
  .text   md5: 8522a0511323d944013298ecfbc538e5  sha1: 8d866b8373899c297dcfc4a7b688fdfdcf5ea9aa  size: 4096
  .rdata  md5: f959a51dc85e74108083e6c43a03b021  sha1: 257bffef2b199e69cca957e6c57b303cbb07c2e2  size: 1536
  .data   md5: c97afff042b07c9edc60eabeab09efed  sha1: 8114fcd24c31f5a2ae766e861f0ec602045fc185  size: 512
  .rsrc   md5: ab7a267a1e28d5250968ade7aeff640e  sha1: 5677c6e58e9c3561ab9873aae10e15d2ad886814  size: 8192
  (14336 bytes of section data in total; the 4 KiB .text holds all the code, which is consistent with a small download stub)
Timestamp: 2013-11-12 19:47:20
Packer: Borland Delphi 3.0 (???)
  Note: the tool's own "???" marks this as a low-confidence match. Delphi builds carry CODE/DATA/BSS sections, not the .text/.rdata/.data layout above, so the Delphi identification is doubtful.
PEhash: 4256bca32f22108a7e38d6b541cc1627b049a1a7
IMPhash: 77bc4c94329925fab055077cd2ff036a

AV detections (vendor: signature):
  CA (E-Trust Ino): Win32/Upatre.MQCcGMD
  Rising: Trojan.DL.Win32.Waski.g
  Mcafee: Downloader-FSH!CCCFEE2A111D
  Avira (antivir): TR/Dldr.Upatre.D
  Twister: Trojan.B57656AFBE9988E2
  Ad-Aware: Trojan.GenericKDV.1397324
  Alwil (avast): Crypt-QDX [Trj]
  Eset (nod32): Win32/TrojanDownloader.Small.ABH
  Grisoft (avg): Generic_r.DEJ
  Symantec: Downloader
  Fortinet: W32/Bublik.AEOV!tr
  BitDefender: Trojan.GenericKDV.1397324
  K7: Trojan-Downloader ( 0040f7f11 )
  Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.E
  MicroWorld (escan): Trojan.GenericKDV.1397324
  MalwareBytes: Trojan.Email.FA
  Authentium: W32/Trojan.EZNV-1891
  Frisk (f-prot): W32/Trojan3.GLZ
  Ikarus: Trojan-Spy.Zbot
  Emsisoft: Trojan.GenericKDV.1397324
  Zillya!: Trojan.Bublik.Win32.12611
  Kaspersky: Trojan.Win32.Bublik.bkiu
  Trend Micro: TROJ_UPATRE.SMBX
  CAT (quickheal): TrojanDownloader.Upatre.A4
  VirusBlokAda (vba32): TrojanDownloader.Small
  BullGuard: Trojan.GenericKDV.1397324
  Arcabit (arcavir): Trojan.GenericKDV.1397324
  ClamAV: Win.Trojan.Bublik-434
  Dr. Web: Trojan.DownLoad.64693
  F-Secure: Trojan.GenericKDV.1397324
  Vendors disagree on the family name (Upatre, Waski, Bublik, Small) but agree on the class: a small trojan downloader.

Runtime Details:


Process: C:\malware.exe
  Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
  Creates File: PIPE\wkssvc
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\defi.exe
  Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\defi.exe"

Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\defi.exe"
  Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
  Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
  Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
  Creates File: PIPE\lsarpc
  Creates File: \Device\Afd\Endpoint
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
  Creates Mutex: WininetConnectionMutex
  Creates Mutex: c:!documents and settings!administrator!cookies!
  Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
  Winsock DNS: cid2012.com
  Winsock DNS: matteblackpaint.com
  Winsock DNS: sacprocessserving.com

Note: the index.dat files, the "c:!...!" cache-path mutexes, WininetConnectionMutex and the proxy-setting registry reads are the normal footprint of a program using the WinINet HTTP stack. They show that defi.exe does its networking through WinINet, but they are not indicators specific to this sample and should not be used as detection signatures on their own. \Device\Afd\Endpoint is the socket device Winsock opens. The sample-specific host indicators here are the drop path Local Settings\Temp\defi.exe and the three queried domains.

Network Details:

DNS: cid2012.com  Type: A  ➝ 174.121.8.194
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com  Type: A  ➝ 54.209.90.81
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com  Type: A  ➝ 107.23.160.218
DNS: matteblackpaint.com  Type: A  (no address recorded)
DNSconst: sacprocessserving.com  Type: A  (no address recorded)

Note: the amazonaws.com load-balancer name does not appear in the process's Winsock DNS list above; it shows up only in the captured DNS answers, and the second group of flows goes to its first address, 54.209.90.81. Which of the two queried domains without a recorded address led to it is not stated on this page.

Flows TCP: 192.168.1.1:1031 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1032 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1033 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1034 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1035 ➝ 54.209.90.81:443
Flows TCP: 192.168.1.1:1036 ➝ 54.209.90.81:443
Flows TCP: 192.168.1.1:1037 ➝ 54.209.90.81:443
Flows TCP: 192.168.1.1:1038 ➝ 54.209.90.81:443
(four consecutive connections to each of the two hosts, all to TCP/443)

Raw Pcap (eight payload dumps, each starting at offset 0; they alternate between two prefixes):
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.

Note: both prefixes are SSLv2-compatible record headers. A first byte with the high bit set means a 2-byte header whose remaining 15 bits are the record length (0x804c ➝ 76 bytes, 0x802b ➝ 43 bytes); the next byte, 0x01, is the SSLv2 CLIENT-HELLO message type, and the 0x03 that follows in the longer dump is the major version of a TLS-family (3.x) hello. This is the v2-compatible hello format older Windows TLS clients send, so the traffic on port 443 is an encrypted handshake and the captured bytes reveal nothing about what was downloaded.
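The following Python script is an added example, not part of the sandbox report or of the tool that produced it. It decodes the two payload prefixes above as SSLv2-compatible record headers, reports how much of the declared record was actually captured, and, to show the full CLIENT-HELLO layout, also decodes a complete 43-byte hello that is constructed here (not captured) to match the 80 2b 01 header. The assumption that each dump belongs to one flow in the order listed is the script's, not the page's.

```python
"""Decode SSLv2-compatible record prefixes like the 80 4c 01 03 / 80 2b 01 dumps.

Added example; the sandbox report itself contains no code.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# SSLv2 handshake message types (SSL 2.0 specification).
SSLV2_MSG_TYPES = {
    0x00: "ERROR", 0x01: "CLIENT-HELLO", 0x02: "CLIENT-MASTER-KEY",
    0x03: "CLIENT-FINISHED", 0x04: "SERVER-HELLO", 0x05: "SERVER-VERIFY",
    0x06: "SERVER-FINISHED", 0x07: "REQUEST-CERTIFICATE", 0x08: "CLIENT-CERTIFICATE",
}


@dataclass
class RecordPrefix:
    header_len: int                 # 2 (no padding) or 3 (padding-length byte present)
    record_len: int                 # body length declared in the header
    captured_body: int              # body bytes actually present in the input
    truncated: bool                 # True when input is shorter than header + record_len
    msg_type: Optional[int] = None  # first body byte, if captured
    msg_name: str = "UNKNOWN"
    version_major: Optional[int] = None   # CLIENT-HELLO only
    version_minor: Optional[int] = None
    challenge_len: Optional[int] = None   # CLIENT-HELLO only, needs the 9-byte fixed part
    cipher_specs: List[bytes] = field(default_factory=list)  # 3-byte v2 specs, if complete


def parse_sslv2_prefix(data: bytes) -> RecordPrefix:
    """Parse whatever prefix of an SSLv2-format record is available."""
    if len(data) < 2:
        raise ValueError("need at least the 2-byte record header")
    if data[0] == 0x16:
        # A record-layer TLS handshake starts 16 03 xx; that is not SSLv2 framing,
        # and applying the v2 length rules to it would produce garbage.
        raise ValueError("TLS record layer (0x16), not an SSLv2-compatible header")
    if data[0] & 0x80:
        header_len = 2
        record_len = ((data[0] & 0x7F) << 8) | data[1]
    else:
        if len(data) < 3:
            raise ValueError("3-byte header form needs 3 bytes")
        header_len = 3                       # third byte is the padding length
        record_len = ((data[0] & 0x3F) << 8) | data[1]
    body = data[header_len:header_len + record_len]
    rec = RecordPrefix(header_len, record_len, len(body),
                       truncated=len(data) < header_len + record_len)
    if not body:
        return rec
    rec.msg_type = body[0]
    rec.msg_name = SSLV2_MSG_TYPES.get(body[0], "UNKNOWN")
    if rec.msg_type != 0x01:
        return rec
    # CLIENT-HELLO: type(1) version(2) cipher_spec_len(2) session_id_len(2) challenge_len(2)
    if len(body) >= 2:
        rec.version_major = body[1]
    if len(body) >= 3:
        rec.version_minor = body[2]
    if len(body) >= 9:
        cs_len = (body[3] << 8) | body[4]
        sid_len = (body[5] << 8) | body[6]
        rec.challenge_len = (body[7] << 8) | body[8]
        if 9 + cs_len + sid_len + rec.challenge_len != record_len:
            raise ValueError("CLIENT-HELLO field lengths do not add up to the record length")
        specs = body[9:9 + cs_len]
        if len(specs) == cs_len and cs_len % 3 == 0:
            rec.cipher_specs = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    return rec


def describe(data: bytes) -> str:
    """One-line summary suitable for annotating a pcap dump."""
    r = parse_sslv2_prefix(data)
    minor = "?" if r.version_minor is None else str(r.version_minor)
    version = "?" if r.version_major is None else f"{r.version_major}.{minor}"
    return (f"{data.hex()}: {r.header_len}-byte header, record_len={r.record_len}, "
            f"{r.msg_name}, version={version}, captured={r.captured_body}/{r.record_len}"
            f"{' (truncated)' if r.truncated else ''}, cipher_specs={len(r.cipher_specs)}")


# The two distinct payload prefixes from the Raw Pcap section (copied from the report).
PAGE_DUMPS = [bytes.fromhex("804c0103"), bytes.fromhex("802b01")]

# Constructed, not captured: a complete 43-byte CLIENT-HELLO consistent with the
# 80 2b 01 header, advertising TLS 1.0 with six v2-format cipher specs.
CONSTRUCTED_HELLO = bytes.fromhex(
    "802b"                      # 2-byte header, length 0x2b = 43
    "01" "0301"                 # CLIENT-HELLO, version 3.1 (TLS 1.0)
    "0012" "0000" "0010"        # cipher_spec_len=18, session_id_len=0, challenge_len=16
    "000004" "000005" "00000a" "000009" "010080" "0700c0"  # six 3-byte cipher specs
    "00112233445566778899aabbccddeeff"                     # 16-byte challenge (arbitrary)
)

if __name__ == "__main__":
    for dump in PAGE_DUMPS + [CONSTRUCTED_HELLO]:
        print(describe(dump))
```

Run against the page's dumps the script reports 2 of 76 and 1 of 43 body bytes captured, which is why nothing beyond the hello type can be said about these sessions; a capture that keeps the whole first record would yield the offered cipher specs, as the constructed hello shows.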


Strings