Analysis Date: 2015-10-23 07:59:03
MD5: 573f753959c84cdca6d18ed1639e2813
SHA1: 283a6dea7aa60921dd4ca0ce87c858dece64dca8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section code: md5: 23e88be3e808d55ba1897f6726561707 sha1: 386c026efc318fa4683fc9f93ad0025cd4659066 size: 3072
Section .data: md5: 078be871ab422d8a847eed07561d8f58 sha1: 2aca1cc72823e13e2e9bc989ff154736dae99dc4 size: 10240
Section .RSRC: md5: b3e6feefbc9cdbb3d3b5487f7660df19 sha1: 6034def330464e2ea481c6d2a95bd87bd44c37e5 size: 25600
Section reloc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .date: md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Timestamp: 1997-10-28 22:08:58
PEhash: e8b085e8ad8f5259c24959e59c0936a4bb527598
IMPhash: 5e8e445fddca714d61ff33328bf22117
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Upatre.AZ
AV Dr. Web: Trojan.Upatre.201
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Upatre.AZ
AV BullGuard: Trojan.Upatre.AZ
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV Trend Micro: TROJ_UPATRE.SMJU
AV Kaspersky: Trojan-Downloader.Win32.Upatre.ggi
AV Zillya!: Downloader.CTBLockerGen.Win32.7
AV Emsisoft: Trojan.Upatre.AZ
AV Ikarus: Trojan.Crypt
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Authentium: W32/Upatre.E.gen!Eldorado
AV MalwareBytes: Spyware.Dyre
AV MicroWorld (escan): Trojan.Upatre.AZ
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BL
AV K7: Trojan ( 004c123f1 )
AV BitDefender: Trojan.Upatre.AZ
AV Fortinet: W32/Waski.F!tr
AV Symantec: Downloader.Upatre!gen9
AV Grisoft (avg): Downloader.Generic14.TVR
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Upatre.AZ
AV Twister: TrojanDldr.Upatre.gey.hfyd
AV Avira (antivir): TR/Dldr.Waski.vcxze
AV Mcafee: Upatre-FABX!573F753959C8
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xaomi515.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xaomiz.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\xaomiz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xaomiz.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 81.7.109.65
Winsock DNS: 31.131.138.75
Winsock DNS: 91.240.97.64
Winsock DNS: 91.240.97.45
Winsock DNS: 5.44.15.70
Winsock DNS: 91.240.97.66
Winsock DNS: 128.0.85.11
Winsock DNS: 91.240.97.54
Winsock DNS: icanhazip.com

Network Details:

DNS: icanhazip.com (Type: A) ➝ 104.238.141.75
DNS: icanhazip.com (Type: A) ➝ 104.238.136.31
DNS: icanhazip.com (Type: A) ➝ 104.238.145.30
HTTP GET: http://icanhazip.com/
  User-Agent: Mozilla/5.0 (Windows NT 6.1)
HTTP GET: http://81.7.109.65:13434/TS22/COMPUTER-XXXXXX/0/51-SP3/0/
  User-Agent: Mozilla/5.0 (Windows NT 6.1)
Flows TCP: 192.168.1.1:1031 ➝ 104.238.141.75:80
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13434
Flows TCP: 192.168.1.1:1033 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1034 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1035 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1036 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1037 ➝ 31.131.138.75:443
Flows TCP: 192.168.1.1:1038 ➝ 31.131.138.75:443
Flows TCP: 192.168.1.1:1039 ➝ 31.131.138.75:443
Flows TCP: 192.168.1.1:1040 ➝ 31.131.138.75:443
Flows TCP: 192.168.1.1:1041 ➝ 91.240.97.45:443
Flows TCP: 192.168.1.1:1042 ➝ 91.240.97.45:443
Flows TCP: 192.168.1.1:1043 ➝ 91.240.97.45:443
Flows TCP: 192.168.1.1:1044 ➝ 91.240.97.45:443
Flows TCP: 192.168.1.1:1045 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1046 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1047 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1048 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1049 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1050 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1051 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1052 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1053 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1054 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1055 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1056 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1057 ➝ 128.0.85.11:443
Flows TCP: 192.168.1.1:1058 ➝ 128.0.85.11:443

Strings
2	(n89
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddUsersToEncryptedFile
AdjustTokenGroups
AdjustTokenPrivileges
advapi32.dll
AllocateAndInitializeSid
AllocateLocallyUniqueId
AmpFactorToDB
AreAllAccessesGranted
AreAnyAccessesGranted
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
authz.dll
AuthzFreeAuditEvent
AuthziAllocateAuditParams
AuthziFreeAuditEventType
AuthziFreeAuditParams
AuthziFreeAuditQueue
AuthziInitializeAuditEvent
AuthziInitializeAuditEventType
AuthziInitializeAuditParams
AuthziInitializeAuditParamsFromArray
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditQueue
AuthziLogAuditEvent
AuthziModifyAuditEvent
AuthziModifyAuditEventType
AuthziModifyAuditQueue
AuthziSourceAudit
avicap32.DLL
BackupEventLogA
BackupEventLogW
capCreateCaptureWindowA
capGetDriverDescriptionA
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CreateMutexA
D.data
DecodePointer
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
ExitProcess
fVo{BP%6
GetCommandLineA
GetCommState
GetOEMCP
GetSystemDirectoryA
IsRasmanProcess
=JxVB+
K,3ZsN
kernel32.dll
><L!^:
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
NDdeApi.dll
NDdeGetErrorStringA
netapi32.dll
Ov[}W%
pstorec.dll
PStoreCreateInstance
quartz.dll
RasActivateRoute
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
RasPortSetInfo
RasSetDialParams
RasSetEapUserInfo
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
@reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
</security>
<security>
SetErrorMode
SetFilePointer
srv.Rh\cat
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
)vowvA
)y\)k8
zOa	Wy