Analysis Date: 2015-12-18 07:12:25
MD5: 6bd3fd91f6c1c51f757a7cfb1b4e9743
SHA1: 22f3f82d20f3763cfc4aa08c34dd07c8f591c403

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bfa4798d345d8bb51c2c90621e64b97f sha1: f7b92deab4614660439eacba7cb20d2d76ff8619 size: 6144
Section .data: md5: 4eafa9e84f3140ee37651fca277d823d sha1: 4bff3190386d105fa7c911ac0419c00e2a095c51 size: 2048
Section .rdata: md5: 46ad7f68c8b098b40ef03e1e63f89245 sha1: 8a3cf8c79108c9b4bc3d5d4e4c7f71ddac079ae7 size: 2560
Section .idata: md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc: md5: 4192b273809435a07258ff5a05f81357 sha1: 7f94981ff38589f3e61277259296181802ca2cdb size: 5120
Timestamp: 2004-05-20 07:31:44
PEhash: 86f54a7ff3c1451fa1ffd627d39147b3b2405508
IMPhash: 641a435995118d1e23b199af0b58ecfd
AV Dr. Web: Trojan.DownLoad3.28161
AV Ikarus: Trojan-Spy.Zbot
AV VirusBlokAda (vba32): TrojanDownloader.Agent
AV K7: Trojan ( 0040f7411 )
AV Arcabit (arcavir): Gen:Variant.Kazy.327844
AV Grisoft (avg): Downloader.Generic13.BUUD
AV Twister: Trojan.4AB5E8975EC4806A
AV CA (E-Trust Ino): Win32/Upatre.CI
AV BullGuard: Gen:Variant.Kazy.327844
AV ClamAV: no_virus
AV Mcafee: Downloader-FBU!6BD3FD91F6C1
AV BitDefender: Gen:Variant.Kazy.327844
AV MicroWorld (escan): Gen:Variant.Kazy.327844
AV MalwareBytes: Trojan.Email.FakeDoc
AV Rising: no_virus
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Trend Micro: TROJ_UPATRE.SMZ3
AV Zillya!: Downloader.Agent.Win32.184004
AV Authentium: W32/Trojan.TZVO-3908
AV Kaspersky: Trojan-Downloader.Win32.Agent.hdyf
AV Fortinet: W32/Kryptik.CF!tr
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV Symantec: Trojan.Zbot
AV Ad-Aware: Gen:Variant.Kazy.327844
AV Frisk (f-prot): W32/Trojan2.OASR
AV Emsisoft: Gen:Variant.Kazy.327844
AV F-Secure: Gen:Variant.Kazy.327844
AV Avira (antivir): TR/Downloader.Gen7
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV Alwil (avast): Waski-C [Cryp]

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: thisisyourwife.co.uk
Winsock DNS: acupuncturetrainingwiki.com

Network Details:

DNS: thisisyourwife.co.uk
Type: A
64.50.166.122
DNS: acupuncturetrainingwiki.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1032 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1033 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1034 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1035 ➝ 64.50.166.122:443
Flows TCP: 192.168.1.1:1036 ➝ 64.50.166.122:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings