Analysis Date: 2015-10-24 12:13:01
MD5: 128639ea777111dbc32c77746a52f67a
SHA1: 2abed0c05b357f0fb4c09da4b327418680115acc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 76ecbcace7376d698f2b0754004dd318 sha1: c4f6f04ad43c36e55466903fac7f86e7fd458f7e size: 6144
Section .rdata md5: 7e0d6c21516f3d91b7404a3e39f5e938 sha1: 5adcb0af486e3d9bdbfc4ba8715fabf7356d6943 size: 4096
Section .data  md5: 9609638799602e9d64ec706e08d7670f sha1: f2bf3b202071a35f728766abee18a5ec30a642cd size: 2048
Section .rsrc  md5: 7eac0286b4929ba3cd33d2ae7eff4198 sha1: 7d4b75bf5528df518d7632f4d9aa01ead1159fc7 size: 19968
Timestamp: 2013-08-26 09:31:28
Packer: Microsoft Visual C 2.0
PEhash: f0254163396cc975a66ac694a20d074f92c8815b
IMPhash: 012c63bb5f7f1ff21471f621b5d79f47
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Downloader.JRTI
AV Dr. Web: Trojan.DownLoader13.28248
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Downloader.JRTI
AV BullGuard: Trojan.Downloader.JRTI
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): Trojan.Kadena.B4
AV Trend Micro: TROJ_UP.9EED1BD4
AV Kaspersky: Trojan-Downloader.Win32.Upatre.aetm
AV Zillya!: Trojan.Kryptik.Win32.807879
AV Emsisoft: Trojan.Downloader.JRTI
AV Ikarus: Trojan.VB.Crypt
AV Frisk (f-prot): W32/Dalexis.Q.gen!Eldorado
AV Authentium: W32/Dalexis.Q.gen!Eldorado
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Downloader.JRTI
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV K7: Trojan ( 004c29131 )
AV BitDefender: Trojan.Downloader.JRTI
AV Fortinet: W32/Kryptic.ABGK!tr
AV Symantec: Downloader.Upatre!gen5
AV Grisoft (avg): Crypt_s.IMB
AV Eset (nod32): Win32/Kryptik.DIGI
AV Alwil (avast): GenMalicious-KNL [Trj]
AV Ad-Aware: Trojan.Downloader.JRTI
AV Twister: no_virus
AV Avira (antivir): TR/Dldr.Upatre.KN
AV Mcafee: Downloader-FASG!128639EA7771
AV Rising: Trojan.Win32.Kryptik.af

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Xulantar.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\InstallXul.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Xulantar.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Xulantar.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\295a_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1352 -e 156 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 200

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 200

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1352 -e 156 -g

Network Details:
