Analysis Date: 2016-01-24 12:12:44
MD5: b3dad26e96e309f0eda9a4847607d638
SHA1: 3ed2d4dcf14ad532190f7977614cc9201060a462

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 9a13982b2d4f9a0d11c38303a15ed874 sha1: e716183327e2592ec1e1976c8a61688574dcee89 size: 6144
Section .rdata md5: f0c791b7a01c1af7476b9114f630f86f sha1: 1d74c769f3266d112fbfd99e06624cbddbfa7d72 size: 1536
Section .data  md5: 308f2f2d626c29c61e6944c619d36bf1 sha1: 9d49af9013e6a959c3dc786c07e7154f8e4d9ba2 size: 512
Section .rsrc  md5: 320a63c0552666c12f361d403bd803b5 sha1: da20a8f355a94e57d8e8adb1b834d44d411a046a size: 10240
Section .reloc md5: 1c6bd8f15b2d6e1575f05000eaa15adb sha1: 6694ebea140138563a76062c6828f1476956917c size: 512
Timestamp: 2014-02-05 03:58:40
PEhash: b6248038e0af3e67a33a86bcc7288619ab5ee56f
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20
AV CA (E-Trust Ino): Win32/Upatre.IHNQSfC
AV Rising: No Virus
AV Mcafee: Downloader-FSH!B3DAD26E96E3
AV Avira (antivir): TR/Yarwi.B.175
AV Twister: Trojan.48B2FFB2E5D67CFC
AV Ad-Aware: Trojan.GenericKD.1559553
AV Alwil (avast): Agent-AUID [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Grisoft (avg): Generic35.BQZI
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/Waski.AC!tr
AV BitDefender: Trojan.GenericKD.1559553
AV K7: Trojan-Downloader ( 0040f7f11 )
AV Microsoft Security Essentials: No Virus
AV MicroWorld (escan): Trojan.GenericKD.1559553
AV MalwareBytes: Trojan.Email.FakeDoc
AV Authentium: W32/Trojan.ARNH-0894
AV Emsisoft: Trojan.GenericKD.1559553
AV Frisk (f-prot): W32/Trojan3.HKX
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Zillya!: Downloader.Injecter.Win32.5152
AV Kaspersky: Trojan-Downloader.Win32.Injecter.jir
AV Trend Micro: TROJ_UPATRE.SM37
AV VirusBlokAda (vba32): TrojanDownloader.Injecter
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV BullGuard: Trojan.GenericKD.1559553
AV Arcabit (arcavir): Trojan.GenericKD.1559553
AV ClamAV: Win.Trojan.Upatre-2359
AV Dr. Web: Trojan.DownLoad3.28161
AV F-Secure: Trojan-Downloader:W32/Upatre.I

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\trueupdater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\trueupdater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\trueupdater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: oilwellme.com
Winsock DNS: newz24x.com

Network Details:

DNS: oilwellme.com (Type: A) ➝ 182.18.143.140
DNS: newz24x.com (Type: A)
HTTP GET: http://oilwellme.com/images/banners/pdf.enc
  User-Agent: Updates downloader
HTTP GET: http://oilwellme.com/images/banners/pdf.enc
  User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 182.18.143.140:80
Flows TCP: 192.168.1.1:1032 ➝ 182.18.143.140:80