Analysis Date: 2015-11-18 23:38:06
MD5: 74940906c36fd068cd8fd5bb7f376320
SHA1: 52ea9ee8ff4d8a320c7b6686636c0f8b2b26edc5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: db6ca3f722e177d3af08146011d55d3c  sha1: e430e8ff1259f286c958819d25346fb12ee3513e  size: 8192
Section .rdata  md5: 2e5385030afa47d614ab4b477410cc84  sha1: 01bbb260309d349f53d92404a0b7f98f557a5e4f  size: 3072
Section .data   md5: f9b97598a14a5ba4d20ec4873996ee48  sha1: adf6f64c1653dd42c86d1100de90c4d8f6a5a209  size: 512
Section .rsrc   md5: 819fa1927d04c92cfd1ab038100e3d7d  sha1: fd687b20f9a8c36fa71db9912adeabaa12f5d41a  size: 20480
Timestamp: 2014-12-08 00:08:58
Packer: Microsoft Visual C++ v6.0 (a compiler signature, not a packer)
PEhash: 016e1049ef9a3b9841887f0cbfda8c938c9e7b56
IMPhash: 2d8f0e156f65831ac60da5af7b3b626d
AV Mcafee: RDN/Generic Downloader.x
AV Authentium: W32/Trojan.KWAT-1527
AV Padvish: no_virus
AV Rising: no_virus
AV Grisoft (avg): Cryptic.EWW
AV MalwareBytes: Trojan.Upatre
AV Trend Micro: TROJ_UPATRE.SM37
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV ClamAV: Win.Trojan.Upatre-3817
AV CA (E-Trust Ino): no_virus
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Eset (nod32): Win32/Kryptik.DPCE
AV BitDefender: Trojan.Upatre.Gen.3
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Kaspersky: Trojan-Downloader.Win32.Upatre.cmzj
AV CAT (quickheal): Trojan.Kadena.B4
AV BullGuard: Trojan.Upatre.Gen.3
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV Dr. Web: Trojan.DownLoader14.44819
AV F-Secure: Trojan-Downloader:W32/Upatre.P
AV Frisk (f-prot): no_virus
AV Twister: Trojan.DOMG.gqku
AV Avira (antivir): TR/Dldr.Upatre.MU
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Symantec: Downloader.Upatre!gen5
AV Fortinet: W32/Kryptik.DQAA!tr
AV K7: Trojan ( 004c7e4a1 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre!rfn
AV Emsisoft: Trojan.Upatre.Gen.3
AV Zillya!: Downloader.Upatre.Win32.41265

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dittunu.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dittunu.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dittunu.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(The Internet Settings registry reads, the index.dat files and the path-style mutexes are standard WinINet side effects of the HTTP requests below, not sample-specific indicators; the dropped dittunu.exe, the check-in URL and the hardcoded peer addresses are.)
Winsock DNS: 81.93.205.218
Winsock DNS: 96.46.103.232
Winsock DNS: 68.70.242.203
Winsock DNS: 81.93.205.251
Winsock DNS: 84.246.161.47
Winsock DNS: 81.90.175.7
Winsock DNS: 217.168.210.122
Winsock DNS: 38.65.142.12
Winsock DNS: icanhazip.com
Winsock DNS: 87.229.109.250

Network Details:

DNS: icanhazip.com  Type: A  ➝ 64.182.208.184
DNS: icanhazip.com  Type: A  ➝ 64.182.208.185
HTTP GET: http://icanhazip.com/
  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.36 (KHTML, like Gecko) Chrome/44.0.2456.82 Safari/535.36
HTTP GET: http://38.65.142.12:12509/MIW/COMPUTER-XXXXXX/0/51-SP3/0/
  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.36 (KHTML, like Gecko) Chrome/44.0.2456.82 Safari/535.36
Flows TCP: 192.168.1.1:1031 ➝ 64.182.208.184:80
Flows TCP: 192.168.1.1:1032 ➝ 38.65.142.12:12509
Flows TCP: 192.168.1.1:1033 ➝ 84.246.161.47:443
Flows TCP: 192.168.1.1:1034 ➝ 84.246.161.47:443
Flows TCP: 192.168.1.1:1035 ➝ 84.246.161.47:443
Flows TCP: 192.168.1.1:1036 ➝ 84.246.161.47:443
Flows TCP: 192.168.1.1:1037 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1038 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1039 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1040 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1041 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1042 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1043 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1044 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1045 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1046 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1047 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1048 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1049 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1050 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1051 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1052 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1053 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1054 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1055 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1056 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1057 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1058 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1059 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1060 ➝ 96.46.103.232:443
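Added example, not part of the sandbox report: a small Python script that turns the network indicators above into a proxy-log check. The hashes, dropped path, User-Agent, check-in URL and Winsock DNS entries are copied from the report. The reading of the check-in path as /MIW/<hostname>/0/<Windows version>/0/ is an assumption drawn from the single observed URL (51-SP3 taken as NT 5.1 SP3, which fits the XP-style paths in the runtime details), and the script generalizes it to other host names and version strings in those positions. The proxy log lines it scans are constructed for the demo.

```python
"""Indicator extraction and log matching for the Upatre report above.

Added example, not part of the sandbox report. Indicator values are copied
from the report; the reading of the check-in path as
/MIW/<hostname>/0/<windows-version>/0/ is an assumption based on the single
observed URL; the proxy log lines are constructed for this demo.
"""
import ipaddress
import re

# --- Indicators copied from the report -------------------------------------
SAMPLE_MD5 = "74940906c36fd068cd8fd5bb7f376320"
DROPPED_EXE = r"C:\Documents and Settings\Administrator\Local Settings\Temp\dittunu.exe"
# Hardcoded UA: it claims Windows 7 (NT 6.1) while the sandbox paths are
# XP-style, so an exact match on this string is a usable indicator.
OBSERVED_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.36 (KHTML, like Gecko) "
               "Chrome/44.0.2456.82 Safari/535.36")
CHECKIN_URL = "http://38.65.142.12:12509/MIW/COMPUTER-XXXXXX/0/51-SP3/0/"
# Everything the sample handed to the resolver. All but one entry is an IP
# literal, i.e. a hardcoded peer rather than a real DNS lookup.
WINSOCK_DNS = ["81.93.205.218", "96.46.103.232", "68.70.242.203", "81.93.205.251",
               "84.246.161.47", "81.90.175.7", "217.168.210.122", "38.65.142.12",
               "icanhazip.com", "87.229.109.250"]


def split_winsock_dns(entries):
    """Return (ip_literals, hostnames) from the Winsock DNS list."""
    ips, names = [], []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
            ips.append(entry)
        except ValueError:
            names.append(entry)
    return ips, names


# Assumed layout of the check-in path: host name, a flag, a Windows version
# ("51-SP3" read as NT 5.1 SP3), another flag. Generalised to any host name
# and version string in those positions.
CHECKIN_PATH = re.compile(
    r"^/MIW/(?P<host>[A-Za-z0-9._-]+)/(?P<flag1>\d+)/"
    r"(?P<osver>\d+(?:-SP\d+)?)/(?P<flag2>\d+)/$")
URL_RE = re.compile(
    r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?P<path>/.*)$")


def parse_checkin(url):
    """Fields of an Upatre-style check-in URL (IP:port plus /MIW/ path), else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    p = CHECKIN_PATH.match(m.group("path"))
    if not p:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "host": p.group("host"), "osver": p.group("osver")}


# Constructed proxy log: client, dst:port, method, url, user-agent (tab-separated).
# Lines 1, 2 and 4 mimic the report's traffic; line 3 is benign Chrome traffic.
SAMPLE_PROXY_LOG = "\n".join([
    "10.0.0.7\t64.182.208.184:80\tGET\thttp://icanhazip.com/\t" + OBSERVED_UA,
    "10.0.0.7\t38.65.142.12:12509\tGET\t"
    "http://38.65.142.12:12509/MIW/WS-FINANCE-07/0/61-SP1/0/\t" + OBSERVED_UA,
    "10.0.0.9\t93.184.216.34:80\tGET\thttp://example.com/index.html\t"
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/44.0.2403.157 Safari/537.36",
    "10.0.0.7\t84.246.161.47:443\tCONNECT\t84.246.161.47:443\t-",
])


def scan_proxy_log(text, peer_ips):
    """Classify each log line; returns a list of (client, verdict) for hits only."""
    findings = []
    for line in text.splitlines():
        client, dst, _method, url, ua = line.split("\t")
        dst_ip = dst.rsplit(":", 1)[0]
        checkin = parse_checkin(url)
        if checkin:
            findings.append((client, "upatre-checkin host={host} os={osver} "
                                     "c2={ip}:{port}".format(**checkin)))
        elif "icanhazip.com" in url and ua == OBSERVED_UA:
            findings.append((client, "external-ip-check with sample UA"))
        elif dst_ip in peer_ips:
            findings.append((client, "flow to hardcoded peer " + dst))
    return findings


if __name__ == "__main__":
    peers, names = split_winsock_dns(WINSOCK_DNS)
    print("hardcoded peers:", peers, "| real lookups:", names)
    print("report check-in:", parse_checkin(CHECKIN_URL))
    for client, verdict in scan_proxy_log(SAMPLE_PROXY_LOG, set(peers)):
        print(client, verdict)
```

The three verdicts keep the signals apart: the external IP check (icanhazip.com with the sample's hardcoded User-Agent), the plaintext check-in on the non-standard port, and the port-443 flows to the hardcoded peers. The last is the weakest on its own, since the report records no payload for those flows; it is the combination with the preceding two from the same client that is worth alerting on.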
