Analysis Date: 2015-11-16 20:16:17
MD5: c0c8d2ba140c14816597b00ed9d6e200
SHA1: 4e1d4dfa8116ab65bbb958253e3fe6d90464b666

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: f9ad6b317e746b66179a47674b868225  sha1: f47626ec5b57c799befc46963b65a233bfe128b2  size: 55808
Section .data  md5: 3f76e19ac39b5213ee832664be5b065d  sha1: 484603e3a31b7aeda1b354fa463fbf0825cd0f96  size: 5120
Section .rsrc  md5: 801e1442d4d290faf0cdf80c71f48de9  sha1: ede347ce58eac8368cdeace147b9798318d91bb0  size: 6144
Timestamp: 2014-04-24 20:11:33
Packer: Microsoft Visual C++ ?.?
PEhash: 93fd1e2ae66e64096889adba2c4be5834c392211
IMPhash: 5d0530dec67800fdf5904df75adbbcf9
AV F-Secure: Trojan:W32/Agent.DUVZ
AV Authentium: W32/A-b1164738!Eldorado
AV MalwareBytes: Trojan.Upatre
AV Dr. Web: Trojan.DownLoad3.32950
AV Eset (nod32): Win32/TrojanDownloader.Tiny.NKK
AV MicroWorld (escan): Gen:Variant.Strictor.55615
AV Trend Micro: TROJ_UPATRE.SMJG
AV ClamAV: Win.Trojan.Zbot-33796
AV Avira (antivir): TR/Crypt.XPACK.Gen7
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV BitDefender: Gen:Variant.Strictor.55615
AV Fortinet: W32/Tiny.NKK!tr
AV Microsoft Security Essentials: TrojanDownloader:Win32/Zemot.C
AV Ikarus: Trojan-Downloader.Win32.zbot
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): TrojanDropper.Demp
AV Arcabit (arcavir): Gen:Variant.Strictor.55615
AV Rising: no_virus
AV McAfee: PWSZbot-FTY!C0C8D2BA140C
AV Twister: TrojanDldr.Tiny.NKK.cmuk
AV Ad-Aware: Gen:Variant.Strictor.55615
AV Grisoft (avg): Downloader.Generic13.CCDV
AV Symantec: Downloader.Ponik
AV K7: Trojan-Downloader ( 004993d51 )
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Strictor.55615
AV Zillya!: Downloader.Tiny.Win32.3378
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Strictor.55615
AV CA (E-Trust Ino): Win32/Zbot.VXGFUP
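The static details above (file MD5/SHA1, link timestamp and the per-section md5/sha1/size triples) are derived directly from the PE headers and can be reproduced with a short stdlib-only parser. The following is an added example, not code or output from the sandbox that produced this report. The image it analyses is a constructed two-section PE32 (the page does not contain the Upatre sample's bytes), with its TimeDateStamp set to 1398370293 so that it reproduces the report's Timestamp value of 2014-04-24 20:11:33. IMPhash and PEhash are deliberately not computed: the former needs the import directory walked and normalised, the latter is a tool-specific structural hash.

```python
"""Reproduce the 'Static Details' fields of the report from raw PE bytes (stdlib only)."""
import datetime
import hashlib
import struct


def analyze_pe(data: bytes) -> dict:
    """Return file hashes, link timestamp and per-section hashes for a PE32/PE32+ image.

    Only the headers needed for the report fields are parsed; nothing is executed.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    section_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = section_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]  # on-disk bytes, which is what the report hashes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
        })
    linked = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "timestamp": linked.strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for demonstration (not the sample from the report).

    Two sections: '.text' whose raw data is b'abc' and an empty '.data'. TimeDateStamp is
    set to 1398370293 (2014-04-24 20:11:33 UTC) to mirror the report's Timestamp field.
    """
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1398370293, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)             # PE32 magic, rest unused
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 3, 0x1000, 3, 0x200, 0, 0, 0, 0, 0x60000020)
    data_hdr = struct.pack("<8sIIIIIIHHI", b".data", 0, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + optional + text_hdr + data_hdr
    return headers + b"\0" * (0x200 - len(headers)) + b"abc"


if __name__ == "__main__":
    report = analyze_pe(build_sample_pe())
    print("MD5:", report["md5"])
    print("SHA1:", report["sha1"])
    print("Timestamp:", report["timestamp"])
    for s in report["sections"]:
        print(f"Section {s['name']}  md5: {s['md5']}  sha1: {s['sha1']}  size: {s['size']}")
```

Two caveats when using these fields as indicators. Section hashes cover SizeOfRawData bytes at PointerToRawData, so they change with any repack or relink (the .text size of 55808 in the report is a whole number of 512-byte file-alignment units, as expected for on-disk data); they pivot well within one build of a packer but not across builds. The link timestamp is a plain 32-bit field under the author's control and is routinely forged, so a plausible 2014 date on a 2015 submission is weak evidence of anything.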

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_1563640.cab
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\4e1d4dfa8116ab65bbb958253e3fe6d90464b666.doc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.222
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.190
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Opera/9.25 (Windows NT 6.0; U; en)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.222:80
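The only outbound activity recorded above is a DNS lookup and a bare HTTP GET for http://windowsupdate.microsoft.com/ carrying a fixed Opera/9.25 User-Agent: a connectivity check against a domain every Windows host already talks to. The destination host and the resolved addresses (134.170.58.222 and 65.55.50.190, answers for Microsoft's www.update.microsoft.com.nsatc.net) are therefore useless as blocklist entries; the usable pivot is the User-Agent string plus the fact that the request came from C:\malware.exe rather than a browser or the update client. The Python below is an added example, not part of the report, that scans proxy log lines in an assumed, constructed format for the exact User-Agent and, as a labelled heuristic, for browser-style GETs of the site root of the update host.

```python
"""Hunt for the connectivity check from the report in HTTP proxy logs."""
import re
from dataclasses import dataclass
from typing import List

# Exact User-Agent from the report's HTTP GET to windowsupdate.microsoft.com.
UPATRE_UA = "Opera/9.25 (Windows NT 6.0; U; en)"

# Hosts contacted in the report. Legitimate Microsoft infrastructure: context for
# a heuristic, never a blocklist entry.
UPDATE_HOSTS = {"windowsupdate.microsoft.com", "www.update.microsoft.com.nsatc.net"}

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
URL_RE = re.compile(r'^https?://([^/:?#]+)(/[^?#]*)?')


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    user_agent: str
    reason: str


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line that matches the IOC or the heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not our format; a real pipeline would count and surface these
        ts, client, method, url, _status, ua = m.groups()
        u = URL_RE.match(url)
        host = u.group(1).lower() if u else ""
        path = (u.group(2) or "/") if u else ""
        if ua == UPATRE_UA:
            # Exact IOC: the string is hard-coded in the binary, so it fires on any host.
            hits.append(Hit(ts, client, url, ua, "User-Agent matches report IOC"))
        elif host in UPDATE_HOSTS and method == "GET" and path == "/" \
                and ua.split("/")[0] in ("Mozilla", "Opera"):
            # Heuristic (assumption, tune per environment): the update client does not
            # fetch the site root with a browser-style UA; downloaders checking for
            # connectivity do. Treat as a lead to review, not a verdict.
            hits.append(Hit(ts, client, url, ua, "browser-style GET / to update host (review)"))
    return hits


# Constructed sample log; the first line mirrors the report's flow from 192.168.1.1.
SAMPLE_LOG = [
    '2015-11-16T20:16:20Z 192.168.1.1 GET http://windowsupdate.microsoft.com/ 200 "Opera/9.25 (Windows NT 6.0; U; en)"',
    '2015-11-16T20:16:25Z 192.168.1.7 GET http://windowsupdate.microsoft.com/ 200 "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"',
    '2015-11-16T20:16:30Z 192.168.1.9 GET http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 200 "Windows-Update-Agent"',
    '2015-11-16T20:16:31Z 192.168.1.9 GET http://www.example.com/ 200 "Opera/9.25 (Windows NT 6.0; U; en)"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.client} {h.url}  <- {h.reason}")
```

The exact-match rule is the high-confidence one and fires on the fourth constructed line even though its destination is unrelated, which is the point: a downloader's hard-coded User-Agent travels with it to whatever it contacts next. The heuristic rule fires on the Firefox line as well, so it belongs in a review queue, not an alerting pipeline, until it has been baselined against the environment's real update traffic.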
