Analysis Date: 2015-11-25 10:57:52
MD5: 6ed02b64c698df71fd0d7fe947c38113
SHA1: 4f259568244e7f771249435c790ce2b204df2f93

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 04cee814f1e0d00442b2911a498f938f sha1: 5bf458e7e9a5381f08304d88976f588db63f1d85 size: 27648
Section .rdata md5: b8732ab93f6a2201b92b44db6894b927 sha1: c95e3c52be6f001866bdb16a29e525179e59daf7 size: 13312
Section .data  md5: 44ab6f728272283a5387b24c9689cb16 sha1: 0a7385ee6c513c6844ed8edfc23cd2e891f20a4a size: 3584
Section .rsrc  md5: 56340c878452f0d0086b590ef9f0074b sha1: 53f442e77109cf5048ec7da6c3b2cc33544d5457 size: 19456
Section .reloc md5: ab046ed892b990d0747bcc985a2dff5d sha1: 52dfcd6d93860d7ee854f5ddcfc7cc9f1fa3a1b7 size: 4608
Timestamp: 2014-01-24 17:22:13
Packer: Microsoft Visual C++ 8
PEhash: d7abd7388c1775177042c2462423ef85078cd5df
IMPhash: 9f4c6542128fba942a3b092c3a5337cf
AV Rising: no_virus
AV Mcafee: Upatre-FACH!6ED02B64C698
AV Avira (antivir): TR/Dldr.Upatre.MU
AV Twister: Trojan.Girtk.DPGO.khdt
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.DPGO
AV Grisoft (avg): Crypt4.BGJT
AV Symantec: Downloader.Upatre!gen5
AV Fortinet: W32/Kryptik.DQAA!tr
AV BitDefender: Trojan.Upatre.Gen.3
AV K7: Trojan ( 004c7f921 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre!rfn
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Upatre.BP.gen!Eldorado
AV Frisk (f-prot): W32/Upatre.BP.gen!Eldorado
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.Upatre.Gen.3
AV Zillya!: Downloader.Upatre.Win32.45751
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UPATRE.SM37
AV CAT (quickheal): Trojan.Kadena.B4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Upatre.Gen.3
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.48279
AV F-Secure: Trojan.Upatre.Gen.3
AV CA (E-Trust Ino): no_virus
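The section table above is the most useful static pivot in this report: matching a sample's per-section hashes against it is how an analyst confirms they are looking at the same build even when the file hash differs, for instance after a resource or overlay change. The following script is an added example and not the sandbox's own code. It assumes, as pefile does, that each section hash covers the raw on-disk bytes (SizeOfRawData bytes starting at PointerToRawData); the report's sizes support that reading, since every one is a multiple of 0x200, the default file alignment. The two-section PE produced by build_toy_pe() is constructed test data so the script runs without the sample, and the REPORT dictionary copies the values from the table above for comparison against a real file passed on the command line.

```python
"""Recompute per-section MD5/SHA-1/size the way the Static Details table lists them."""
import hashlib
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"

# Values copied from the report's section table, for comparison with a real sample.
REPORT = {
    ".text":  {"md5": "04cee814f1e0d00442b2911a498f938f", "sha1": "5bf458e7e9a5381f08304d88976f588db63f1d85", "size": 27648},
    ".rdata": {"md5": "b8732ab93f6a2201b92b44db6894b927", "sha1": "c95e3c52be6f001866bdb16a29e525179e59daf7", "size": 13312},
    ".data":  {"md5": "44ab6f728272283a5387b24c9689cb16", "sha1": "0a7385ee6c513c6844ed8edfc23cd2e891f20a4a", "size": 3584},
    ".rsrc":  {"md5": "56340c878452f0d0086b590ef9f0074b", "sha1": "53f442e77109cf5048ec7da6c3b2cc33544d5457", "size": 19456},
    ".reloc": {"md5": "ab046ed892b990d0747bcc985a2dff5d", "sha1": "52dfcd6d93860d7ee854f5ddcfc7cc9f1fa3a1b7", "size": 4608},
}


def section_hashes(data):
    """Return {name: {"md5", "sha1", "size"}}, hashing SizeOfRawData bytes at PointerToRawData."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    result = {}
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only its first five fields are needed here.
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        result[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
        }
    return result


def compare_with_report(computed, report=REPORT):
    """Names of report sections whose hash or size differs from (or is missing in) computed."""
    return sorted(n for n in report if computed.get(n) != report[n])


def build_toy_pe(sections, file_align=0x200):
    """Constructed minimal PE32 image (test data, not the sample) holding the given sections."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    headers = len(dos) + 4 + len(file_hdr) + opt_size + 40 * len(sections)
    first_raw = -(-headers // file_align) * file_align  # first section starts aligned
    raw_ptr, va, table, blobs = first_raw, 0x1000, b"", b""
    for name, payload in sections:
        raw_size = -(-len(payload) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    image = dos + IMAGE_NT_SIGNATURE + file_hdr + opt_hdr + table
    return image.ljust(first_raw, b"\0") + blobs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            computed = section_hashes(f.read())
    else:
        computed = section_hashes(build_toy_pe([(b".text", b"\x55\x8b\xec" * 100), (b".data", b"hello")]))
    for name, h in computed.items():
        print(f"{name:8} md5: {h['md5']} sha1: {h['sha1']} size: {h['size']}")
    print("sections differing from report:", compare_with_report(computed))
```

Run it with the sample's path as the only argument; an empty list from compare_with_report() means every section matches the table, while a short list (typically just .rsrc) points at a repacked build of the same code.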

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\antifahib.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\antifahib.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\antifahib.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 94.154.107.172
Winsock DNS: 194.106.166.22
Winsock DNS: 96.46.103.232
Winsock DNS: 66.215.30.118
Winsock DNS: 68.70.242.203
Winsock DNS: 64.111.36.52
Winsock DNS: 178.222.250.35
Winsock DNS: 68.119.5.32
Winsock DNS: 38.65.142.12
Winsock DNS: icanhazip.com

Network Details:

DNS: icanhazip.com Type: A ➝ 64.182.208.185
DNS: icanhazip.com Type: A ➝ 64.182.208.184
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 OPR/28.0.1750.48
HTTP GET: http://38.65.142.12:12559/KK21/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 OPR/28.0.1750.48
Flows TCP: 192.168.1.1:1031 ➝ 64.182.208.185:80
Flows TCP: 192.168.1.1:1032 ➝ 38.65.142.12:12559
Flows TCP: 192.168.1.1:1033 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1034 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1035 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1036 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1037 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1038 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1039 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1040 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1041 ➝ 66.215.30.118:443
Flows TCP: 192.168.1.1:1042 ➝ 66.215.30.118:443
Flows TCP: 192.168.1.1:1043 ➝ 66.215.30.118:443
Flows TCP: 192.168.1.1:1044 ➝ 66.215.30.118:443
Flows TCP: 192.168.1.1:1045 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1046 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1047 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1048 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1049 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1050 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1051 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1052 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1053 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1054 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1055 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1056 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1057 ➝ 68.119.5.32:443
Flows TCP: 192.168.1.1:1058 ➝ 68.119.5.32:443
Flows TCP: 192.168.1.1:1059 ➝ 68.119.5.32:443
Flows TCP: 192.168.1.1:1060 ➝ 68.119.5.32:443
Flows TCP: 192.168.1.1:1061 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1062 ➝ 194.106.166.22:443
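Two behaviours in the runtime and network details above are worth turning into detection logic. First, the dropped antifahib.exe asks icanhazip.com for the host's public address and then beacons to a raw IP on a high port with a path that appears to carry a campaign tag, the victim hostname and an OS version string (/KK21/COMPUTER-XXXXXX/0/51-SP3/0/), using a User-Agent that claims Windows NT 6.1 even though the profile paths show an XP-style host, so the string is hardcoded rather than taken from the system. Second, it opens batches of four TCP/443 connections to a list of IPs it never resolved through DNS; the "Winsock DNS" entries are literal addresses, and only icanhazip.com was actually looked up. The script below is an added example and not part of the report: the proxy, flow and DNS records are constructed from the details above (the second client and its answer are made up as a benign control), and the check-in path regex is inferred from the single observed GET, so it is an assumption to refine against more samples.

```python
"""Flag Upatre-style check-in traffic in proxy, flow and DNS records."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TS = "%Y-%m-%d %H:%M:%S"
UA = ("Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/41.0.2272.89 Safari/537.36 OPR/28.0.1750.48")

# Constructed proxy records (timestamp, client, method, url, user_agent) modelled on
# the report's two HTTP GETs, plus one benign request from a second host.
PROXY_LOG = [
    ("2015-11-25 10:58:01", "192.168.1.1", "GET", "http://icanhazip.com/", UA),
    ("2015-11-25 10:58:02", "192.168.1.1", "GET",
     "http://38.65.142.12:12559/KK21/COMPUTER-XXXXXX/0/51-SP3/0/", UA),
    ("2015-11-25 10:58:09", "192.168.1.2", "GET", "http://example.org/index.html", UA),
]

# Constructed flow records (timestamp, client, server, server_port): one of the four
# connections the report shows to each hardcoded 443 peer, plus a benign TLS flow.
FLOWS = [
    ("2015-11-25 10:58:01", "192.168.1.1", "64.182.208.185", 80),
    ("2015-11-25 10:58:02", "192.168.1.1", "38.65.142.12", 12559),
    ("2015-11-25 10:58:03", "192.168.1.1", "96.46.103.232", 443),
    ("2015-11-25 10:58:04", "192.168.1.1", "68.70.242.203", 443),
    ("2015-11-25 10:58:05", "192.168.1.1", "66.215.30.118", 443),
    ("2015-11-25 10:58:06", "192.168.1.1", "64.111.36.52", 443),
    ("2015-11-25 10:58:07", "192.168.1.1", "178.222.250.35", 443),
    ("2015-11-25 10:58:08", "192.168.1.1", "94.154.107.172", 443),
    ("2015-11-25 10:58:09", "192.168.1.2", "93.184.216.34", 443),
]

# Constructed DNS answers per client: icanhazip.com was the only name the sample
# resolved, so every 443 peer was reached by literal IP. The second client's
# answer is made up so that its TLS flow has a matching lookup.
DNS_ANSWERS = {
    "192.168.1.1": {"64.182.208.185", "64.182.208.184"},
    "192.168.1.2": {"93.184.216.34"},
}

# Path layout assumed from the single observed check-in (hypothetical pattern):
# /<campaign>/<hostname>/<n>/<os-version>/<n>/
CHECKIN_PATH = re.compile(
    r"^/(?P<campaign>[A-Za-z0-9]{2,8})/(?P<host>[^/]+)/\d+/(?P<osver>\d+-SP\d+)/\d+/$")
IP_LOOKUP_HOSTS = {"icanhazip.com"}


def _is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_checkin(url):
    """Return the fields encoded in an Upatre-style check-in URL, or None."""
    parts = urlsplit(url)
    # The sample beacons to a raw IP on a high, non-web port; require both.
    if not _is_literal_ip(parts.hostname) or parts.port in (None, 80, 443):
        return None
    m = CHECKIN_PATH.match(parts.path)
    if m is None:
        return None
    return {"c2": f"{parts.hostname}:{parts.port}", **m.groupdict()}


def find_checkins(proxy_log, window=timedelta(minutes=5)):
    """Check-ins, each tagged with whether the same client looked up its public IP first."""
    lookups = defaultdict(list)
    for ts, client, _method, url, _ua in proxy_log:
        if urlsplit(url).hostname in IP_LOOKUP_HOSTS:
            lookups[client].append(datetime.strptime(ts, TS))
    hits = []
    for ts, client, _method, url, ua in proxy_log:
        fields = parse_checkin(url)
        if fields is None:
            continue
        t = datetime.strptime(ts, TS)
        fields.update(client=client, user_agent=ua,
                      ip_lookup_first=any(timedelta(0) <= t - l <= window for l in lookups[client]))
        hits.append(fields)
    return hits


def direct_ip_fanout(flows, dns_answers, port=443, min_peers=3):
    """Clients with TLS connections to several servers that no DNS answer returned to them."""
    peers = defaultdict(set)
    for _ts, client, server, dport in flows:
        if dport == port and server not in dns_answers.get(client, set()):
            peers[client].add(server)
    return {c: sorted(s) for c, s in peers.items() if len(s) >= min_peers}


if __name__ == "__main__":
    for hit in find_checkins(PROXY_LOG):
        print("check-in:", hit)
    for client, servers in direct_ip_fanout(FLOWS, DNS_ANSWERS).items():
        print(f"{client}: {len(servers)} unresolved TLS peers {servers}")
```

The two detections are deliberately independent: the path regex will break as soon as the campaign changes its URL layout, while the DNS-less 443 fan-out depends only on the downloader's habit of carrying a hardcoded peer list, so it keeps working against repacked builds.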
