Analysis Date: 2015-11-23 06:54:36
MD5: 7d9fc1cb9389ffacf274bfa0af862086
SHA1: 4b3cbd45ecc87c728dd64cf6e2505d2e4e640c0b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: fc380bcebd472b6197d31e7cbbabc9cd  sha1: c09ac786b3ecd5b96dfcb2a4d728eab02b210dbd  size: 5632
Section .rdata: md5: 0f858a083cde293bce96b9d1b2c5e32f  sha1: e78e789fbabf5f1f69b55f086f6663963c42eb8c  size: 1024
Section .data:  md5: f9fb3ad05a6858eb50d1715a1565800f  sha1: c9b3a764a95ecb282f4a03d11bcdb94e3a168add  size: 1024
Section .rsrc:  md5: 1ff8a510695e646dfbd20f00bb5a8bad  sha1: fdabbabbabce7abd4a43d4de4c1b4970994c90f0  size: 10240
Timestamp: 2014-02-04 13:30:20
PEhash: 7152fbf6cb47699e677f076f8d4406e2cbf9d380
IMPhash: 683692d4746aa100a2b6043db7fe5945
AV Rising: no_virus
AV Mcafee: Downloader-FSH!7D9FC1CB9389
AV Avira (antivir): TR/Yarwi.AD.113
AV Twister: Trojan.F35F81E351AAA33A
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Alwil (avast): Crypt-QOI [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.B
AV Grisoft (avg): Crypt_s.FLS
AV Symantec: Downloader.Upatre
AV Fortinet: W32/Waski.A!tr
AV BitDefender: Trojan.Upatre.Gen.3
AV K7: Trojan-Downloader ( 004941701 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Trojan.KXIT-7014
AV Frisk (f-prot): W32/Trojan3.HLL
AV Ikarus: Trojan-Spy.Zbot
AV Emsisoft: Trojan.Upatre.Gen.3
AV Zillya!: Trojan.Zbot.Win32.147710
AV Kaspersky: Trojan-Spy.Win32.Zbot.rmia
AV Trend Micro: TROJ_UPATRE.SM37
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV VirusBlokAda (vba32): TrojanSpy.Zbot
AV Padvish: no_virus
AV BullGuard: Trojan.Upatre.Gen.3
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV ClamAV: Win.Trojan.Zbot-36363
AV Dr. Web: Trojan.DownLoad3.28161
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV CA (E-Trust Ino): Win32/Upatre.OYbQVLB

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: digitalitics.com
Winsock DNS: headstartcms.net

Network Details:

DNS: headstartcms.net (Type: A) ➝ 75.98.175.85
DNS: digitalitics.com (Type: A) ➝ no answer recorded
HTTP GET: http://headstartcms.net/driedmango.net/image/data/banner1/10UKp.enc
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 75.98.175.85:80