Analysis Date: 2015-12-25 19:11:04
MD5: 07d9f2971382a0a052d4a756e782a6d0
SHA1: 3ddfa8ef5a8359857d67e894ad9bc770703d0810

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c5134adce1c1193a895ac93b41fd2676 sha1: 10c91a507f03ce57553f7d8e5f344ff78dcebcf3 size: 13824
Section .rdata: md5: 47f8543611bf7fa34e75bae07e5bb84d sha1: ee4160c7f75ba9ae73274a9d9a1a2bed85f3636e size: 4096
Section .data: md5: 6540ccd80095dcea0da3f4d3a5f1e9e4 sha1: 4ccdd7d1c0d53bea45c95da24a03c8cbd375d74a size: 1024
Section .rsrc: md5: 4e08aebcfd3372da8c16f4b72e7fa9d4 sha1: 0a76cd09222b98e8719f5466287b9d8a02ad209b size: 20480
Timestamp: 2013-04-23 17:16:44
Version:
  LegalCopyright: Copyright 2014-2015 Barondos
  InternalName: SlenOS Utility
  FileVersion: 1.0.8.4
  CompanyName: SlenOS
  ProductName: SlenOS
  ProductVersion: 1.0.8.4
  FileDescription: SlenOS
  OriginalFilename: Slen.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 0aaededb55a8b7f1ea5bee86b6bc85788e1f0937
IMPhash: f45d33cfdbdacaa4f25d7c6d82ec1830
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Monlin.AB!tr
AV MicroWorld (escan): Trojan.Upatre.GD
AV Grisoft (avg): Generic_s.FIL
AV Avira (antivir): TR/Dldr.Upatre.RN
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Kryptik.Win32.790307
AV Dr. Web: Trojan.DownLoader16.20541
AV Ad-Aware: Trojan.Upatre.GD
AV Twister: Trojan.Girtk.DWFP.nyaf
AV Frisk (f-prot): W32/Upatre.CT.gen!Eldorado
AV BullGuard: Trojan.Upatre.GD
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BX
AV F-Secure: Trojan.Upatre.GD
AV Rising: no_virus
AV Trend Micro: TROJ_UPATRE.SMDE
AV VirusBlokAda (vba32): no_virus
AV ClamAV: no_virus
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV K7: Trojan ( 004ceecc1 )
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV Authentium: W32/Upatre.CT.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV MalwareBytes: Trojan.Upatre
AV Mcafee: Upatre-FACH!07D9F2971382
AV Emsisoft: Trojan.Upatre.GD
AV Symantec: Downloader.Upatre!gen5
AV BitDefender: Trojan.Upatre.GD
AV Arcabit (arcavir): Trojan.Upatre.GD
AV Eset (nod32): Win32/Kryptik.DVZB

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: svchost.exe

Process
↳ svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: icanhazip.com Type: A ➝ 64.182.208.184
DNS: icanhazip.com Type: A ➝ 64.182.208.185
HTTP GET: http://icanhazip.com/
  User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.37 (KHTML, like Gecko) Chrome/41.0.2273.88 Safari/537.37 OPR/29.0.1751.48
HTTP GET: http://197.149.90.166:12101/7UK21/COMPUTER-XXXXXX/0/51-SP3/0/
  User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.37 (KHTML, like Gecko) Chrome/41.0.2273.88 Safari/537.37 OPR/29.0.1751.48