Analysis Date: 2015-11-14 16:17:40
MD5: 1e34bce2455653ee41ad28a81f9a0c69
SHA1: 4f8038109ef2fc45dbabaae00a0c64f5e8b70a43

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4d1519e5bdeb9ac7ff1c5393caa8dc12 sha1: bbe745260f3ace153fb97373ed8c18cf86d5c1ea size: 5120
Section .rdata: md5: 52105ac21dfe92c51a35b37acdd2388b sha1: 8d51ada06dac25fa92e608f5c2cbc927d8c04ce0 size: 1536
Section .data: md5: e46d0482c852030a6bb0286aaee466d6 sha1: df1efb279e5ba950ed8f1f37b931b3510b6306fc size: 2560
Section .rsrc: md5: ff3ed383a70e009960574d5509992ee6 sha1: c5450ed81912952da3662a6b0be4f8eba9656d23 size: 8192
Timestamp: 2013-12-06 10:20:26
Packer: Microsoft Visual C++ v6.0
PEhash: aa0844406777615aae0fd4f006d39857f74bda4c
IMPhash: aae67ce64da17e7d673a29db67ee7a12
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV Authentium: W32/Trojan.ZXBF-9105
AV MalwareBytes: Trojan.Dropper.Z
AV Dr. Web: Trojan.DownLoad3.28161
AV Grisoft (avg): Generic35.APFQ
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV MicroWorld (escan): Trojan.GenericKD.1441706
AV Trend Micro: TROJ_UPATRE.SMBX
AV ClamAV: Win.Trojan.Bublik-525
AV Ad-Aware: Trojan.GenericKD.1441706
AV BitDefender: Trojan.GenericKD.1441706
AV Avira (antivir): TR/Yarwi.B.51
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Waski.A!tr
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.J
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): Trojan.Bublik
AV Arcabit (arcavir): Trojan.GenericKD.1441706
AV Mcafee: Downloader-FSH!1E34BCE24556
AV Twister: Trojan.A768AE018E443A95
AV Symantec: Downloader.Upatre!gen5
AV K7: Trojan-Downloader ( 0048f6391 )
AV Rising: no_virus
AV Frisk (f-prot): W32/Trojan3.GRV
AV Emsisoft: Trojan.GenericKD.1441706
AV Zillya!: Trojan.Bublik.Win32.12658
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.1441706
AV CA (E-Trust Ino): Win32/Upatre.CC

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hupdater.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\hupdater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\hupdater.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: adoraacc.com
Winsock DNS: wahidexpress.com

Network Details:

DNS: wahidexpress.com (Type: A) ➝ 103.15.74.65
DNS: adoraacc.com (Type: A) ➝ no answer recorded
Flows TCP: 192.168.1.1:1031 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1032 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1033 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1034 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1035 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1036 ➝ 103.15.74.65:443
