Analysis Date: 2015-03-17 20:29:25
MD5: d4a5752c1c591ec36d45665adb2600cc
SHA1: 3b35619370ad464814fcaaedbb641bf99ae272ed

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7cdc4b968f8cf0d1698f36b568329816 sha1: 3dc4a66e8d7aec8e0add5e20c9a37284ace6d608 size: 3584
Section .data md5: e0bcb2183d951b6601c50c3f6b373b5c sha1: b8d37fa871c09490f3968d92a501b60da21c181f size: 2560
Section .rsrc md5: 3504e961f4a086d7dc0f18c9cd8b728c sha1: b096fcfa156f6138a9ed0bcb0bfc32a47b04f40b size: 8192
Timestamp: 2013-11-29 10:12:02
PEhash: 358460833e3adae2f358038ddadcfefbbada50a6
IMPhash: f6d3b47abe7b0b2ed1a0851cadc8d405
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1429572
AV Alwil (avast): Agent-ASJU [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.1429572
AV Authentium: W32/Trojan.CAOR-2299
AV Avira (antivir): TR/Yarwi.A.9
AV BullGuard: Trojan.GenericKD.1429572
AV CA (E-Trust Ino): Win32/Upatre.aFVFXdC
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV ClamAV: Win.Trojan.Generickd-76
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1429572
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Krptik.AIU!tr
AV Frisk (f-prot): W32/Trojan3.GQH
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV Grisoft (avg): Zbot.EBK
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Trojan-Downloader ( 0048f6391 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-FSH!D4A5752C1C59
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1429572
AV Rising: no_virus
AV Sophos: Troj/Zbot-HAY
AV Symantec: Trojan.Pidief
AV Trend Micro: TROJ_UPATRE.SMBX
AV VirusBlokAda (vba32): Trojan.Bublik

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: e4ad.com
Winsock DNS: greenvegi.com

Network Details:

DNS: e4ad.com
Type: A
204.11.56.45
DNS: greenvegi.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.45:443

Raw Pcap

Strings
J
&About
button
C:\1_Dg1YdS.exe
C:\1f9586f429ac58d648cda6ae8daea8450238476837aea3a2c4bdc74c5e1e9c75
C:\1fQ42F6I.exe
C:\2ebfbc61c0dc3d9762b7ac83add91bbc3a30d97b0db45d973dcc4e9623046e8d
C:\3776556efd102167b9be103c84a1703e7c8e5726749debfba64bd8b067a16ddd
C:\40tyRXPR.exe
C:\5phs3fRE.exe
C:\6b4fbd90539fdd22a0cd5d8ccc3d6af0ad162a531e7b4befb435dca41389f5fd
C:\6cd05395ded5ff7b2a69e43e97bb8adc434a48a8bc9d93911c24750db2df2f10
C:\803a7ce775864d7be16b2d20a6e9fd1ee561fce35838111e90e8972c9b0a7300
C:\8b2bb64243cf0045af7dc91fa1e71e880c986f6f2b74fec58e79fb4beb6598ae
C:\8xc7PlLi.exe
C:\8xgGtMkX.exe
C:\a4e5849adfbd108de7598c3fd92583aa5a7a262d0fe34a5f0445a6246bc87ea9
C:\AkNNXtyo.exe
C:\B0Mm2gmK.exe
C:\b249faca5dfe662d63a1629c7ffcaebe204c4d14ffc12ef4e82bac4deac44007
C:\b86fd24a1b3599ceeaf8a410e8e756f5fbe4404676db06b77ed56147420fb1cc
C:\baobqekT.exe
C:\bAoTzUmK.exe
C:\bCjYhFev.exe
C:\BDymBeTl.exe
C:\bmhCVQBJ.exe
C:\bn7MvuIt.exe
C:\BV9bfAor.exe
C:\BvE0koZZ.exe
C:\bxOlMeFV.exe
C:\C7_JNt14.exe
C:\cA_RU_S1.exe
C:\cc10e164e76ac6b7efe546a5387199a696050480474669c3433b58437fad1713
C:\cCQwTxeu.exe
C:\cMka5Tyu.exe
C:\CMZqothS.exe
C:\dnyj3kwQ.exe
C:\DOCUME~1\cuckoo\LOCALS~1\Temp\fdaf1dded95a5232181fc77cde2dc43d62259cf5
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\asVAaSU_J.exe
C:\DYgPzyi_.exe
C:\dYTsygFa.exe
C:\e214079029b3798b0aacd377b9dc3ca3240fa15c060708018a81116a18b39e5e
C:\E4rGrkv9.exe
C:\eHESv7RF.exe
C:\ep7LkRPr.exe
C:\EXavNywk.exe
C:\f3yeqjHR.exe
C:\FDGo2Sye.exe
C:\fI0TO5U7.exe
C:\fPbtxcnz.exe
C:\fPgw5o7R.exe
C:\fQzLJwM6.exe
C:\gDbGuvHs.exe
C:\gEmdnkw6.exe
C:\Gw8FcMhx.exe
C:\GYGPmadk.exe
C:\H2yeZzCK.exe
C:\H49cb3Hc.exe
C:\hiYdNMAY.exe
C:\hMdjgvhS.exe
C:\HpJbmmyE.exe
C:\hpZNty1G.exe
C:\i2fW_flK.exe
C:\ilBArcSr.exe
C:\IQ565erE.exe
C:\Is_rpFd3.exe
C:\j_QOu67I.exe
C:\JrfuYkiN.exe
C:\_JwQpfKF.exe
C:\JxCYYKrs.exe
C:\JzROMz8a.exe
C:\KH1NVqNw.exe
C:\knCwti37.exe
C:\KOMSxujL.exe
C:\KOukne4U.exe
C:\KyB7QP0X.exe
C:\LeEmW8hG.exe
C:\LIIDoR9b.exe
C:\lKJ3KuHx.exe
C:\LmRSXi4W.exe
C:\lveNRckL.exe
c:\mapp_start_folder\snowball.exe
C:\md6CzeVc.exe
C:\mnyZFSsZ.exe
C:\MoRxhYgu.exe
C:\nFbxiTLO.exe
C:\nREJvF8C.exe
C:\NsCBx9vn.exe
C:\nZC8_ib6.exe
C:\NzfjhMMM.exe
C:\Nzphp0yG.exe
C:\NztojHfx.exe
C:\Ol2zVsYc.exe
C:\oRNErRrJ.exe
C:\_ovGR6CM.exe
C:\Qb8uU9qI.exe
C:\qDTONlNm.exe
C:\rSnKUmUf.exe
C:\sbkint2I.exe
C:\sHT0jVC7.exe
C:\so9v6UxW.exe
C:\SuI_ChSD.exe
C:\SwUj7Yyy.exe
C:\SXPB8Yhu.exe
C:\_SXViVM3.exe
C:\SzAFnwFc.exe
C:\t0FTonTJ.exe
C:\T5aWARDl.exe
C:\tEo97G6L.exe
C:\TNs9f_0D.exe
C:\TUvjo2Op.exe
C:\_ty8CdOk.exe
C:\u0lgIFU0.exe
C:\ucUjtIA2.exe
C:\UkUsOTCJ.exe
C:\uNuIDzf_.exe
C:\uRno2xTK.exe
C:\Users\Peter\AppData\Local\Temp\Temp1_RA3216091.zip\RA29112013.exe
C:\UzDlub0P.exe
C:\vahoghCu.exe
C:\vAn4j76R.exe
C:\VCj7bEsL.exe
C:\vfbRM18p.exe
C:\vzeGnZrG.exe
C:\WaceGSet.exe
C:\WH8MjpoF.exe
C:\WIiEFHIS.exe
C:\wqFggy9R.exe
C:\wqK4Jpm9.exe
C:\Wtck9D0K.exe
C:\X2uoiMTJ.exe
C:\xeHaXbJh.exe
C:\XsLCif7d.exe
C:\xxAP3vJ7.exe
C:\y6jyi8H7.exe
C:\yvq0dqys.exe
C:\zg2IYBd5.exe
C:\ZiFWTPy6.exe
C:\Zsprw3Vk.exe
Delete 1:
Dindom
edit
&Exit
&File
&Help
Lyrik
&Open
Quit
&Save
Start
static
Tropik
Weta
[1JM-7
3<7?Z(
^3^=)R
4L3G":9Q	S^
&5>/%;3$/G4
^5NZ,LQC
)8K5S{
8MccaM
)8=%SC
9)E)@ 
9 EEG@99)PG
9@ EG  @P 9G
9EPE9 PE9
9 G@J#
9)PEP9)G
9@)@PPE
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AVWAf9
AW2)@6OH&@`=
]^BBU`
/B,K>'\^
CreateFileW
CreatePen
CreateWindowExW
`.data
DefWindowProcW
DeleteFileW
DispatchMessageW
D%>)XY--
<E)6U&'9
)EE E E
'EE"T'UMI8]2"&cPXWCTA1
EGG9GG@
EI	*GQ8PT,G7!X
FindClose
FindFirstFileW
FindNextFileW
F:(M?9%1]S(I
G99PGGGE
GDI32.dll
GetMessageW
GetModuleHandleW
GetStartupInfoA
)G G)E
G,L0=6
  GP GP
HtHHtA-
-[__I+
I,	^&Y ]
;IZO#T9
(K'Eb;
KERNEL32.dll
K	O!`8=FD
KU<ZH#T	!
LoadCursorW
LoadIconW
L[U6# 
OO-b+/)
P99  @
P9E@E@9)E
P9E)E9EE
P@9P)9E
P@G)G9
PMH:Z*a-
PostMessageA
PR*N7 ]%]*
Q]:#3 ''0&^QO
ReadFile
RegisterClassExW
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
\R!FMQ"\>
    </security>
    <security>
SetFilePointer
ShowWindow
'&S'L#07
S/P;9O
^(T6@6AC2C)
	TA1N&
!This program cannot be run in DOS mode.
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UpdateWindow
USER32.dll
'!$).(VA7DR*
VIA6]]
WWPPPPh
X!A<>9
XT_"C$;H!Y[6
xxxyyy
zTPW|l
+`ZVG=`
\Z'X*1GE