Analysis Date: 2015-09-07 06:58:00
MD5: 7bccac8bb797e90aba962fb2df3464d1
SHA1: 42a471483bb6dcc5ff8e66354d35ab292cdd8b6d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section code: md5: be9eb3bd72bf80628966d821ff93ee29 sha1: b88a0aa63a3661e973d2e6feb84ada488918464e size: 2560
Section .data: md5: 6039c644fb85d7f28c59b68ea7a622d5 sha1: 3eebe1b009bb37f1ad513fc0d14974a90ac97755 size: 11776
Section .rsrc: md5: 0a51fd476250ae7d86df5c84d2f95be7 sha1: db1292d2fc37b660cf2cd621acac4d7b21d4b6c1 size: 27136
Section .reloc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .DAT: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
(.reloc and .DAT carry identical digests at identical size, consistent with both being 512 bytes of zero padding. A non-standard section name ("code" instead of .text, plus ".DAT") and a 2560-byte code section dwarfed by .data/.rsrc suggest a packed or crypted loader rather than a plainly compiled binary.)
Timestamp: 1997-10-28 22:08:58
(PE compile timestamp; almost certainly forged. The embedded manifest in the strings section uses the asm.v3 trustInfo and compatibility.v1 schemas, which did not exist in 1997 — do not use this date for triage or timeline work.)
PEhash: 8abce3cd4971f83e7dc7c7e621c1a159e244e7c1
IMPhash: bb993a486057964d5a9655d0992159ef
(Imphash is computed over the import table. If the unrelated DLL export names listed under Strings are genuine imports padding that table, this value identifies the packer build rather than the payload; it is still a useful pivot, but expect it to cluster on the crypter, not the family.)
AV Rising: no_virus
AV Mcafee: Upatre-FAAR!7BCCAC8BB797
AV Avira (antivir): TR/Kryptik.xezfrt
AV Twister: TrojanDldr.Upatre.fig.xmzx
AV Ad-Aware: Gen:Variant.Kazy.638240
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/Kryptik.DGAK
AV Grisoft (avg): Generic_s.EOB
AV Symantec: Downloader.Upatre!gen9
AV Fortinet: W32/Waski.F!tr
AV BitDefender: Gen:Variant.Kazy.638240
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BL
AV MicroWorld (escan): Gen:Variant.Kazy.638240
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Upatre.E.gen!Eldorado
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Ikarus: Trojan.Injector
AV Emsisoft: Gen:Variant.Kazy.638240
AV Zillya!: Trojan.Kryptik.Win32.717402
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.638240
AV Arcabit (arcavir): Gen:Variant.Kazy.638240
AV ClamAV: no_virus
AV Dr. Web: Trojan.Upatre.201
AV F-Secure: Gen:Variant.Kazy.638240
AV CA (E-Trust Ino): no_virus
(26 of 31 engines flag the file. The vendors that name a family agree on Upatre, a small downloader that fetches a second stage — consistent with the executable dropped to Temp and run, and with the burst of outbound 443 connections, in the runtime section below. "Kryptik", "Kazy" and "Generic" verdicts are heuristic/packer-level detections rather than a competing payload, and Fortinet's "Waski" is commonly used as an alias for the same downloader. The five no_virus results (Rising, Trend Micro, Padvish, ClamAV, CA) show signature coverage was uneven at analysis time; a single clean engine is not exoneration.)

Runtime Details:


Process
↳ C:\malware.exe   (the submitted sample as renamed by the sandbox; the original filename is not preserved in this report)

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yovaxis.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xiss7AA1.txt
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\yovaxis.exe
(The sample writes a second executable into the user's Temp directory and immediately launches it; the .txt written alongside it is not captured here, so its role is unknown. The dropped names may be per-run, so hunt on the behaviour — an executable written to %TEMP% and started by the same parent within seconds — rather than on these exact strings. Note the analysis ran as Administrator on a Windows XP-style profile path; behaviour under a standard user on a UAC-enabled host may differ, see the requireAdministrator manifest under Strings.)

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\yovaxis.exe

Network Details:

DNS: icanhazip.com (Type: A) → 104.238.136.31
DNS: icanhazip.com (Type: A) → 104.238.145.30
DNS: icanhazip.com (Type: A) → 104.238.141.75
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
(icanhazip.com is a public "what is my IP" service; the sample resolves it and fetches the page before contacting its own server, i.e. it learns the victim's external address first. The service itself is benign — treat the lookup as a behavioural indicator, not as a C2 address to block.)
HTTP GET: http://81.7.109.65:13365/SATAS21/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
(Plain-HTTP check-in to a bare IP on a non-standard port. The path embeds the sandbox hostname (COMPUTER-XXXXXX, redacted) and what appears to be an OS version/service-pack field (51-SP3); the SATAS21 prefix is plausibly a campaign or build tag — confirm against other samples before using it as a family-wide indicator. The User-Agent on both requests is a cheap proxy-log detection: "NT 6.1;WOW64" lacks the space after the semicolon, and the string ends at "like Gecko)" without the Chrome/Safari product tokens a genuine Chrome UA carries.)
Flows TCP: 192.168.1.1:1031 ➝ 104.238.136.31:80   (icanhazip.com)
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13365   (HTTP check-in above)
Flows TCP192.168.1.1:1033 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1034 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1035 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1036 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1037 ➝ 91.240.97.64:443
Flows TCP192.168.1.1:1038 ➝ 91.240.97.64:443
Flows TCP192.168.1.1:1039 ➝ 91.240.97.64:443
Flows TCP192.168.1.1:1040 ➝ 91.240.97.64:443
Flows TCP192.168.1.1:1041 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1042 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1043 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1044 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1045 ➝ 80.87.220.102:443
Flows TCP192.168.1.1:1046 ➝ 80.87.220.102:443
Flows TCP192.168.1.1:1047 ➝ 80.87.220.102:443
Flows TCP192.168.1.1:1048 ➝ 80.87.220.102:443
Flows TCP192.168.1.1:1049 ➝ 91.240.97.45:443
Flows TCP192.168.1.1:1050 ➝ 91.240.97.45:443
Flows TCP192.168.1.1:1051 ➝ 91.240.97.45:443
Flows TCP192.168.1.1:1052 ➝ 91.240.97.45:443
Flows TCP192.168.1.1:1053 ➝ 217.12.59.234:443
Flows TCP192.168.1.1:1054 ➝ 217.12.59.234:443
Flows TCP192.168.1.1:1055 ➝ 217.12.59.234:443
Flows TCP192.168.1.1:1056 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1057 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1058 ➝ 91.240.97.66:443
(192.168.1.1 is the sandbox guest. After the check-in the sample opens four connections in a row to each of six further hosts on 443 — 46.151.130.90, 91.240.97.64, 91.240.97.54, 80.87.220.102, 91.240.97.45, 217.12.59.234 — and two to 91.240.97.66 before the capture ends. Four of the seven fall in 91.240.97.0/24, which makes that range a better hunting pivot than any single address. Only the opening bytes of these flows were recorded (see Raw Pcap), so what was retrieved over 443 — presumably the second stage — cannot be determined from this report.)

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e313b57 4f573634 29204170   NT 6.1;WOW64) Ap
0x00000060 (00096)   706c6557 65624b69 742f3533 372e3336   pleWebKit/537.36
0x00000070 (00112)   20284b48 544d4c2c 206c696b 65204765    (KHTML, like Ge
0x00000080 (00128)   636b6f29 0d0a486f 73743a20 6963616e   cko)..Host: ican
0x00000090 (00144)   68617a69 702e636f 6d0d0a43 61636865   hazip.com..Cache
0x000000a0 (00160)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000b0 (00176)   68650d0a 0d0a                         he....

0x00000000 (00000)   47455420 2f534154 41533231 2f434f4d   GET /SATAS21/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f302f35   PUTER-XXXXXX/0/5
0x00000020 (00032)   312d5350 332f302f 20485454 502f312e   1-SP3/0/ HTTP/1.
0x00000030 (00048)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000040 (00064)   6f7a696c 6c612f35 2e302028 57696e64   ozilla/5.0 (Wind
0x00000050 (00080)   6f777320 4e542036 2e313b57 4f573634   ows NT 6.1;WOW64
0x00000060 (00096)   29204170 706c6557 65624b69 742f3533   ) AppleWebKit/53
0x00000070 (00112)   372e3336 20284b48 544d4c2c 206c696b   7.36 (KHTML, lik
0x00000080 (00128)   65204765 636b6f29 0d0a486f 73743a20   e Gecko)..Host: 
0x00000090 (00144)   38312e37 2e313039 2e36353a 31333336   81.7.109.65:1336
0x000000a0 (00160)   350d0a43 61636865 2d436f6e 74726f6c   5..Cache-Control
0x000000b0 (00176)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.
(The 443 flows were captured only to their first bytes. "80 4c 01 03" fits an SSLv2-format record header — high bit set, length 0x004c = 76 bytes, message type 0x01 = CLIENT-HELLO, version byte 0x03 — so the 443 traffic is most likely a TLS handshake opened with the legacy v2-compatible hello, not a custom binary protocol. The recurring "80 2b 01" fragments are consistent with a shorter hello of the same format on the following connections. This is an inference from three or four bytes; a full capture would settle it, and the v2-style hello itself is an uncommon client fingerprint worth alerting on.)

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
(Printable strings, sorted, so XML closing tags precede their opening tags. The export-style names below — CryptUIDlg*, Dns*, Pdh*, Ras*, RegCd*, Bm*/Dib*/Def* — and the module names CRYPTUI.dll, DNSAPI.dll, duser.DLL, fmifs.dll, lpk.dll, mprapi.dll, pdh.dll, pstorec.dll, quartz.dll, rasman.dll and REGAPI.dll are far broader than a loader with a 2560-byte code section plausibly uses; if they are genuine import entries they are most likely filler that pads the import table and makes the file resemble a system utility, which also undermines the IMPhash above. The kernel32 names (CreatePipe, ExitProcess, GetCommandLineA, GetVersionExW, GetWindowsDirectoryA) are the ones that line up with observed behaviour; GetVersionExW plausibly feeds the OS-version field in the check-in URL. Also note the manifest fragment requiring administrator elevation further down.)
\2LgHIR-
	3qH+P!Y[
5&f,(&R?0
ACKMIOz
|ACKMIz
ACUIProviderInvokeUI
AmpFactorToDB
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
B.data
BmQueryBounds
BmRelease
BmSaveToStream
|CAKMIz
CF^k.B
CheckNetDrive
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
ConnectDlgProc
cQJXhu
CreatePipe
CryptUIDlgCertMgr
CryptUIDlgFreeCAContext
CryptUIDlgSelectCA
CryptUIDlgSelectCertificateA
CryptUIDlgSelectCertificateFromStore
CryptUIDlgSelectCertificateW
CryptUIDlgSelectStoreA
CryptUIDlgSelectStoreW
CryptUIDlgViewContext
CryptUIDlgViewCRLA
CryptUIDlgViewCRLW
CryptUIDlgViewCTLA
CryptUIDlgViewCTLW
CryptUIDlgViewSignerInfoA
CryptUIDlgViewSignerInfoW
CRYPTUI.dll
c?(!T?%
DefCreate
DefCreateFromClip
DefCreateFromFile
DefCreateFromTemplate
DefCreateInvisible
DefLoadFromStream
DibChangeData
DibClone
DibCopy
DibDraw
DibEnumFormat
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DUserCastClass
DUserDeleteGadget
duser.DLL
.>|D-W
ekk*vj
EnumCalendarInfoW
ExitProcess
fBC1CN
fmifs.dll
g3Ed[.
GetCommandLineA
GetCommState
GetOEMCP
GetVersionExW
GetWindowsDirectoryA
gPHS!W
hDHolQ
heio.h2\sbhtem3h\sys
?|i$H_
IsRasmanProcess
]J%8kE9\|hxb
J h#[(
kernel32.dll
lGnf$1
lpk.dll
LpkEditControl
LpkGetCharacterPlacement
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
nPf|4d
olecli32.dll
^?PBr?
PdhCreateSQLTablesW
pdh.dll
PdhEnumLogSetNamesA
PdhEnumLogSetNamesW
PdhEnumMachinesA
PdhEnumMachinesHA
PdhEnumMachinesHW
PdhEnumMachinesW
PdhEnumObjectItemsA
PdhEnumObjectItemsHA
PdhEnumObjectItemsHW
PdhEnumObjectItemsW
PdhEnumObjectsA
PdhEnumObjectsHA
PdhEnumObjectsHW
PdhEnumObjectsW
PdhExpandCounterPathA
pstorec.dll
PStoreCreateInstance
quartz.dll
QueryDeviceInformation
QueryDosDeviceA
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
RcOM~I
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
(Embedded manifest demands elevation: on a UAC-enabled host the user sees a consent prompt before the loader runs, and if it is granted the dropped yovaxis.exe would start from an elevated parent. Useful as a static indicator — a "browser-like" downloader has no legitimate reason to require administrator — and as context for the sandbox run, which already executed as Administrator.)
</requestedPrivileges>
<requestedPrivileges>
rMG!}+
</security>
<security>
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t@:;V4R\x
u@Oy.4
u=wE?B
v_][_+
W>y\Ki%>
;xSmLMcr
Y0*xVei
( _Y][SQ
Y][SQ3
YX!Jai