Analysis Date: 2016-11-15 19:03:39
MD5: e82eb6fddb34aa42e58448c5c161efd8
SHA1: 4c3833cf219afb8bfae379305d3196603bf9250c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 020fed93b357e0bde1a193f4c0558f80 sha1: 46bdf93ab52ac060f53f35e302ce194cf3cf6d94 size: 10240
Section .data  md5: 1b73ce98820e4adcda9a301a145a0bc3 sha1: 0906732e535fafc178596fb6fdff6735f1d01f66 size: 3072
Section .xcpad md5: sha1: size: (no hashes/size reported for this section)
Section .idata md5: sha1: size: (no hashes/size reported for this section)
Section .reloc md5: 4338c6405212561091ff364f9032fa88 sha1: 8c0a748e3e8a7310dacdca71932fc9f22e20cf17 size: 1024
Section .rsrc  md5: 27094e14de42b975631c313a3a517791 sha1: d0b2400e7f9875f6f0b2dd1bcb63b222687fbb46 size: 20480
Timestamp:
Version info:
  LegalCopyright:
  PackagerVersion:
  InternalName:
  FileVersion:
  CompanyName:
  Comments:
  ProductName:
  ProductVersion:
  FileDescription:
  Packager:
  OriginalFilename:
(all version-resource fields are empty in the sample)
Packer: Microsoft Visual C 2.0
PEhash:
IMPhash: ec5885042cc2b33d72a078126ecee5b3
AV 360 Safe: No Virus
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Alwil (avast): ?
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV Authentium: W32/Upatre.CC.gen!Eldorado
AV Avira (antivir): TR/Yarwi.bntdj
AV BitDefender: Trojan.Upatre.Gen.3
AV BullGuard: Trojan.Upatre.Gen.3
AV CA (E-Trust Ino): Trojan.Upatre.Gen.3
AV CAT (quickheal): Trojan.Kadena.B4
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader22.18365
AV Emsisoft: Trojan.Upatre.Gen.3
AV Eset (nod32): Win32/Kryptik.DQXG
AV F-Secure: Trojan.Upatre.Gen.3
AV Fortinet: W32/Kryptik.DQAA!tr
AV Frisk (f-prot): W32/Upatre.CC.gen!Eldorado
AV Grisoft (avg): Generic_s.FAG
AV Ikarus: Trojan.VB.Crypt
AV K7: Trojan ( 004ce6cb1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Upatre
AV Mcafee: Upatre-FACH!E82EB6FDDB34
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV Microsoft Security Essentials: No Virus
AV Rising: No Virus
AV SUPERAntiSpyware: Trojan.Agent/Gen-Upatre
AV Symantec: Downloader.Upatre!gen5
AV Trend Micro: TROJ_UPATRE.SM37
AV Twister: Trojan.Girtk.DQXG.pnmo
AV VirusBlokAda (vba32): No Virus
AV Windows Defender: TrojanDownloader:Win32/Upatre!rfn
AV Zillya!: Downloader.CTBLocker.Win32.12
(Most vendors that detect the sample classify it as the Upatre downloader family; five of the listed engines returned No Virus at analysis time, so absence of a detection from any single engine should not be taken as a clean verdict.)

Runtime Details:

Screenshot

Process
↳ C:\4c3833cf219afb8bfae379305d3196603bf9250c.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\4c3833cf219afb8bfae379305d3196603bf9250c.exe
Creates File: C:\DOCUME~1\Admin\Local Settings\Temp\serizay.exe
(The file written to the user's Temp directory, serizay.exe, is a second executable dropped by the sample and is a host-based indicator worth checking for alongside the SHA1-named original.)

Network Details:
(The captured traffic below consists of two HTTP requests: a GET to checkip.dyndns.org, a public external-IP lookup service, followed by a GET to 93.185.4.90 on TCP port 12356 whose request path, /K22/COMPUTER/0/51-SP3/0/EMFBEJLBDBFE, appears to encode host identifiers such as the machine name and OS version — treat that reading as an inference to confirm. Both requests carry the same Chrome 44 / Windows NT 6.1 User-Agent string and a Cache-Control: no-cache header; the host, port, path pattern and User-Agent are usable as network indicators.)


Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e312920 4170706c 65576562   NT 6.1) AppleWeb
0x00000060 (00096)   4b69742f 3533352e 33362028 4b48544d   Kit/535.36 (KHTM
0x00000070 (00112)   4c2c206c 696b6520 4765636b 6f292043   L, like Gecko) C
0x00000080 (00128)   68726f6d 652f3434 2e302e32 3435352e   hrome/44.0.2455.
0x00000090 (00144)   38312053 61666172 692f3533 352e3336   81 Safari/535.36
0x000000a0 (00160)   0d0a486f 73743a20 63686563 6b69702e   ..Host: checkip.
0x000000b0 (00176)   64796e64 6e732e6f 72670d0a 43616368   dyndns.org..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a                       che....

0x00000000 (00000)   47455420 2f4b3232 2f434f4d 50555445   GET /K22/COMPUTE
0x00000010 (00016)   522f302f 35312d53 50332f30 2f454d46   R/0/51-SP3/0/EMF
0x00000020 (00032)   42454a4c 42444246 45204854 54502f31   BEJLBDBFE HTTP/1
0x00000030 (00048)   2e310d0a 55736572 2d416765 6e743a20   .1..User-Agent: 
0x00000040 (00064)   4d6f7a69 6c6c612f 352e3020 2857696e   Mozilla/5.0 (Win
0x00000050 (00080)   646f7773 204e5420 362e3129 20417070   dows NT 6.1) App
0x00000060 (00096)   6c655765 624b6974 2f353335 2e333620   leWebKit/535.36 
0x00000070 (00112)   284b4854 4d4c2c20 6c696b65 20476563   (KHTML, like Gec
0x00000080 (00128)   6b6f2920 4368726f 6d652f34 342e302e   ko) Chrome/44.0.
0x00000090 (00144)   32343535 2e383120 53616661 72692f35   2455.81 Safari/5
0x000000a0 (00160)   33352e33 360d0a48 6f73743a 2039332e   35.36..Host: 93.
0x000000b0 (00176)   3138352e 342e3930 3a313233 35360d0a   185.4.90:12356..
0x000000c0 (00192)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000d0 (00208)   6f2d6361 6368650d 0a0d0a              o-cache....


Strings
(Note: the imports visible in the strings below come from USER32, KERNEL32, COMCTL32, MSIMG32 and CRTDLL only — no networking library such as ws2_32 or wininet appears, and LoadLibraryA is imported. The HTTP traffic recorded above is therefore presumably produced by APIs resolved at runtime or by the dropped serizay.exe; confirm before relying on the static import list for detection.)
I+Yt
e1~8
{DJh
W3v8
y6*E+
[DW+
(m1NX
DX04
d3vp
GF8!+
Y1~\
3EOA
3N(J
1vHz
]1vL
,K(E31
U11u
GOFh
3EOA
^]Gf
S&I+
^]Gf
3v4J
7GQm
^uGFP
Ah%G
3#+j
UWQ_
FFFF
t	VW
IIII
IIII
Virt^_
ZJFRF
^NNNN
GHHGH
^H9E
_^[]
/un8H
</uy8A
jdhP[@
h@U@
hLU@
51U@
j h,
j<h,
hpU@
51U@
@h`U@
hhU@
51U@
@hTD@
51U@
@hUD@
hpU@
51U@
hhU@
hXD@
ht3@
%0@@
%,@@
%(@@
%$@@
% @@
%4@@
VC20XC00U
SVWU
t:VU
t(x1
]_^[
K(XEY4VLR3l>7/
NppHelpAbsentWarning
DocReloadWarning
AO-DF6.1_Vh>Hgj%
ZJ1KHJgB#.^D=
 HIGiOFe6kkSif2.*
thought of it since then - that he had a charm
DispatchMessageA
TranslateMessage
GetMessageA
RegisterClassExA
LoadCursorA
LoadIconA
LoadStringA
UpdateWindow
ShowWindow
CreateWindowExA
PostMessageA
PostQuitMessage
DefWindowProcA
DestroyWindow
EndPaint
DrawTextA
GetClientRect
BeginPaint
SendMessageA
USER32.dll
GlobalSize
SizeofResource
CreateThread
WaitForSingleObject
GlobalAlloc
FindNextFileW
Sleep
FindFirstFileW
FindClose
LoadLibraryA
GetModuleHandleA
KERNEL32.dll
InitCommonControlsEx
COMCTL32.dll
GradientFill
AlphaBlend
MSIMG32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
_exit
_XcptFilter
exit
_acmdln_dll
_initterm
__GetMainArgs
_commode_dll
_fmode_dll
CRTDLL.dll
_global_unwind2
_local_unwind2
GetStartupInfoA
Z[ikAPCr\nOe_WWPZaU
CannotMoveDoc
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+.,:?&@=/%#()
9	?	(	M	&	@
doZhWlERLY]MpqSAGsN\QCUh\SAjPO
QVenXiFgeGEsATR
Magnetick
Charge Window App
EXIT
button
edit
static
richedit
ABCDEFG
riched32.dll
ffffff
aGGDDV
tttDP`
twGD``awwGtu
PawwwGE
PffffffWP
GtwwwP
www30www
wwwwwx
wwwwr
wwwwww
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
	<assemblyIdentity version="1.0.4.37"
		processorArchitecture="X86"
		name="COOTEK"
		type="win32"/>
	<description>COOTEK</description>
	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
		<security>
			<requestedPrivileges>
				<requestedExecutionLevel
					level="asInvoker"
					uiAccess="false"/>
				</requestedPrivileges>
		</security>
	</trustInfo>
</assembly>
=(=3=;=A=K=p=~=
?*?/?7?<?D?a?f?n?s?
010A0J0W0
1$1I1]1y1
2#2)262A2F2_2r2w2
2@3F3N3T3Z3`3f3@4F4
4!4%4-45494