Analysis Date: 2015-03-18 00:37:51
MD5: a7b1e4c67b8747a4303545bf5140be43
SHA1: 51c0f8d42d6cc13ec8f393622f38fbf7ec38619d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7cdc4b968f8cf0d1698f36b568329816 sha1: 3dc4a66e8d7aec8e0add5e20c9a37284ace6d608 size: 3584
Section .data md5: e0bcb2183d951b6601c50c3f6b373b5c sha1: b8d37fa871c09490f3968d92a501b60da21c181f size: 2560
Section .rsrc md5: 3504e961f4a086d7dc0f18c9cd8b728c sha1: b096fcfa156f6138a9ed0bcb0bfc32a47b04f40b size: 8192
Timestamp: 2013-11-29 10:12:02
PEhash: 040a307af7d6621cc34b36ce3cd33f36022ead8b
IMPhash: f6d3b47abe7b0b2ed1a0851cadc8d405
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1429572
AV Alwil (avast): Agent-ASJU [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.1429572
AV Authentium: W32/Trojan.CAOR-2299
AV Avira (antivir): TR/Yarwi.A.9
AV BullGuard: Trojan.GenericKD.1429572
AV CA (E-Trust Ino): Win32/Upatre.aFVFXdC
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV ClamAV: Win.Trojan.Generickd-76
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1429572
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Krptik.AIU!tr
AV Frisk (f-prot): W32/Trojan3.GQH
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV Grisoft (avg): Zbot.EBK
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Trojan-Downloader ( 0048f6391 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-FSH!A7B1E4C67B87
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1429572
AV Rising: no_virus
AV Sophos: Troj/Zbot-HAY
AV Symantec: Trojan.Pidief
AV Trend Micro: TROJ_UPATRE.SMBX
AV VirusBlokAda (vba32): Trojan.Bublik

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: e4ad.com
Winsock DNS: greenvegi.com

Network Details:

DNS: e4ad.com
Type: A
204.11.56.45
DNS: greenvegi.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.45:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
J
&About
button
C:\17754dff84d7af4dfe1c158d825d5a115127ea4fc2d00e60d0f5bebcda62d7d5
C:\1dURauWr.exe
C:\1e7859b1966c9b6ea038e6efad71de41dc35b0adfa439142e5b1452135aae7e1
C:\2ef5e6f738bf404be2c6cd1c5029a060e11aca25fbc1fa92dd2878d73c2a7a41
C:\3o4vsPAK.exe
C:\4_1je3Ye.exe
C:\49326fa530ab0d360ef3065e68e20f04472251c993f0e7ac1b0c4fb64b2a46d0
C:\49V1SlTE.exe
C:\59FO5SEq.exe
C:\59h0qbZe.exe
C:\5FQgJd0S.exe
C:\5oBFZuBn.exe
C:\5yU36GDo.exe
C:\62wkUrsS.exe
C:\6BoSk4oj.exe
C:\6iyckUb1.exe
C:\8pCiKHCU.exe
C:\9s5AsDTD.exe
C:\A6c6OvXk.exe
C:\AiH0l_Le.exe
C:\anhth02O.exe
C:\aO6lzRyd.exe
C:\C86IwMWV.exe
C:\cdebbeaf4801f83ea1cda5959dea37618929b6b986d45874efd40b6342e311a0
C:\csvhX9_i.exe
C:\CueuvKui.exe
C:\d0f6be07a5fa604fb7907b9f1f97fd5ddb799b1ae442635fc2cf3c48f9acb9cc
C:\da1544bb189f7ff60e6630728c786911450d649ca9e72a7450bfefee80144a3a
C:\DdetNzeW.exe
C:\do9jdO3q.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\B4bqoqZ2e.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D1fKCuFdy.exe
C:\e11a59aff67d08c7326969daab07d9af2efc160809dca22b88673884b943c03a
C:\F5BCFD6_.exe
C:\fc6ccae537f0d0875f25b44e3d1e8202bd47affa41936b368a6801cf938dedec
C:\FwxbECtI.exe
C:\G4a6HDmD.exe
C:\g4GYANaP.exe
C:\glFt6CbS.exe
C:\gmew1P10.exe
C:\HAsHmDvv.exe
C:\HSRuxJel.exe
C:\I1tsCRnS.exe
C:\Iq4fIY0L.exe
C:\IRpqQQf1.exe
C:\J2YfS9XJ.exe
C:\jhr30o\iqxzol.exe
C:\JjNqr1IA.exe
C:\JRY9bNzs.exe
C:\kSF4ZGG7.exe
C:\m1Z2cpbC.exe
C:\mEQRMzDv.exe
C:\MX1_hAGW.exe
C:\NJEPpKL3.exe
C:\n_wlgCy9.exe
C:\O1nDtieP.exe
C:\O2Pn0tIx.exe
C:\oSvbNq_5.exe
C:\PM3FRq8z.exe
C:\Q7Zid302.exe
C:\qajo92uU.exe
C:\R14gqeRc.exe
C:\Ro5Ct9Ui.exe
C:\RrwTd0jf.exe
C:\rUojGf2B.exe
C:\ScZQwpoU.exe
C:\T39mkmSP.exe
C:\TB_8HNoc.exe
C:\u6z0xp80.exe
C:\u9VvmEvA.exe
C:\uaG1geFf.exe
C:\uayPf2_u.exe
C:\uJsuv95Z.exe
C:\Umkz2xEU.exe
C:\Users\Peter\AppData\Local\Temp\Temp1_RA3216091.zip\RA29112013.exe
C:\vAzKI5qO.exe
C:\vb5hBSh5.exe
C:\VID137461411.exe
C:\wXoRLjg8.exe
C:\xDZd5y_R.exe
C:\Xfsu36QN.exe
C:\XTfQZBcC.exe
C:\YLPOcqhb.exe
C:\YNWBnycR.exe
C:\YQGnrffn.exe
C:\Z4jTtGhy.exe
C:\ZllBPjSB.exe
C:\ZN8DcFEg.exe
C:\ZNQcHUt9.exe
C:\Zu03VYqk.exe
C:\ZUCSahUv.exe
Delete 1:
Dindom
edit
&Exit
&File
&Help
Lyrik
&Open
Quit
&Save
Start
static
Tropik
Weta
[1JM-7
3<7?Z(
^3^=)R
4L3G":9Q	S^
&5>/%;3$/G4
^5NZ,LQC
)8K5S{
8MccaM
)8=%SC
9)E)@ 
9 EEG@99)PG
9@ EG  @P 9G
9EPE9 PE9
9 G@J#
9)PEP9)G
9@)@PPE
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AVWAf9
AW2)@6OH&@`=
]^BBU`
/B,K>'\^
CreateFileW
CreatePen
CreateWindowExW
`.data
DefWindowProcW
DeleteFileW
DispatchMessageW
D%>)XY--
<E)6U&'9
)EE E E
'EE"T'UMI8]2"&cPXWCTA1
EGG9GG@
EI	*GQ8PT,G7!X
FindClose
FindFirstFileW
FindNextFileW
F:(M?9%1]S(I
G99PGGGE
GDI32.dll
GetMessageW
GetModuleHandleW
GetStartupInfoA
)G G)E
G,L0=6
  GP GP
HtHHtA-
-[__I+
I,	^&Y ]
;IZO#T9
(K'Eb;
KERNEL32.dll
K	O!`8=FD
KU<ZH#T	!
LoadCursorW
LoadIconW
L[U6# 
OO-b+/)
P99  @
P9E@E@9)E
P9E)E9EE
P@9P)9E
P@G)G9
PMH:Z*a-
PostMessageA
PR*N7 ]%]*
Q]:#3 ''0&^QO
ReadFile
RegisterClassExW
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
\R!FMQ"\>
    </security>
    <security>
SetFilePointer
ShowWindow
'&S'L#07
S/P;9O
^(T6@6AC2C)
	TA1N&
!This program cannot be run in DOS mode.
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UpdateWindow
USER32.dll
'!$).(VA7DR*
VIA6]]
WWPPPPh
X!A<>9
XT_"C$;H!Y[6
xxxyyy
zTPW|l
+`ZVG=`
\Z'X*1GE