Analysis Date: 2015-10-23 05:42:32
MD5: b0d065bcf3ccde7ab66d6fdf32f364c5
SHA1: 5632cee4f51eced2708f8e243123cc6760af80f6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: code5 md5: c25728229b82814164f847211a33ce74 sha1: 1a67c659b5c35c3083c0eb433156b9d708a9dc80 size: 2560
Section: .data md5: 24f9c75072c1a0ecb1063239cb01f0b7 sha1: 563bdd3a83973b8f765deaa0d7cb80ec7484b59b size: 11776
Section: .rsrc md5: 2f0b57a1e3cd0e0b696f7f61b2e0ac6b sha1: 1624b9fb8b5953bf90c907b88a4350400dadd4d1 size: 26112
Section: .reloc md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section: .DAT md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 1997-10-28 22:08:58
PEhash: fcc5aab56bee31ec645c989eebd1fea8fb919601
IMPhash: 87816ddeebac1e3baca406b07ec01a89
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Downloader.JRQL
AV Dr. Web: Trojan.Upatre.201
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Downloader.JRQL
AV BullGuard: Trojan.Downloader.JRQL
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV Trend Micro: TROJ_UP.DB5F9D28
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fin
AV Zillya!: no_virus
AV Emsisoft: Trojan.Downloader.JRQL
AV Ikarus: Trojan-Downloader.Upatre
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Authentium: W32/Upatre.E.gen!Eldorado
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Downloader.JRQL
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV K7: Trojan-Downloader ( 0049d22b1 )
AV BitDefender: Trojan.Downloader.JRQL
AV Fortinet: W32/Waski.F!tr
AV Symantec: Downloader.Upatre!gen9
AV Grisoft (avg): Downloader.Generic14.TJE
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Downloader.JRQL
AV Twister: TrojanDldr.Upatre.fin.bfji
AV Avira (antivir): TR/Kryptik.qgmnm
AV Mcafee: Upatre-FABT!B0D065BCF3CC

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ASRUD974.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UsqXgL7w.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\UsqXgL7w.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\UsqXgL7w.exe

Network Details:

DNS: icanhazip.com
Type: A
104.238.145.30
DNS: icanhazip.com
Type: A
104.238.136.31
DNS: icanhazip.com
Type: A
104.238.141.75
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1)
HTTP GET: http://81.7.109.65:13385/TUSR22/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Flows: TCP 192.168.1.1:1031 ➝ 104.238.145.30:80
Flows: TCP 192.168.1.1:1032 ➝ 81.7.109.65:13385
Flows: TCP 192.168.1.1:1033 ➝ 80.87.220.102:443
Flows: TCP 192.168.1.1:1034 ➝ 80.87.220.102:443
Flows: TCP 192.168.1.1:1035 ➝ 80.87.220.102:443
Flows: TCP 192.168.1.1:1036 ➝ 80.87.220.102:443
Flows: TCP 192.168.1.1:1037 ➝ 46.151.130.90:443
Flows: TCP 192.168.1.1:1038 ➝ 46.151.130.90:443
Flows: TCP 192.168.1.1:1039 ➝ 46.151.130.90:443
Flows: TCP 192.168.1.1:1040 ➝ 46.151.130.90:443
Flows: TCP 192.168.1.1:1041 ➝ 91.240.97.71:443
Flows: TCP 192.168.1.1:1042 ➝ 91.240.97.71:443
Flows: TCP 192.168.1.1:1043 ➝ 91.240.97.71:443
Flows: TCP 192.168.1.1:1044 ➝ 91.240.97.71:443
Flows: TCP 192.168.1.1:1045 ➝ 91.240.97.36:443
Flows: TCP 192.168.1.1:1046 ➝ 91.240.97.36:443
Flows: TCP 192.168.1.1:1047 ➝ 91.240.97.36:443
Flows: TCP 192.168.1.1:1048 ➝ 91.240.97.36:443
Flows: TCP 192.168.1.1:1049 ➝ 91.240.97.38:443
Flows: TCP 192.168.1.1:1050 ➝ 91.240.97.38:443
Flows: TCP 192.168.1.1:1051 ➝ 91.240.97.38:443
Flows: TCP 192.168.1.1:1052 ➝ 91.240.97.38:443
Flows: TCP 192.168.1.1:1053 ➝ 109.196.204.142:443
Flows: TCP 192.168.1.1:1054 ➝ 109.196.204.142:443
Flows: TCP 192.168.1.1:1055 ➝ 109.196.204.142:443
Flows: TCP 192.168.1.1:1056 ➝ 109.196.204.142:443
Flows: TCP 192.168.1.1:1057 ➝ 188.123.54.111:443
Flows: TCP 192.168.1.1:1058 ➝ 188.123.54.111:443
Flows: TCP 192.168.1.1:1059 ➝ 188.123.54.111:443
Flows: TCP 192.168.1.1:1060 ➝ 188.123.54.111:443
Flows: TCP 192.168.1.1:1061 ➝ 85.248.2.228:443
Flows: TCP 192.168.1.1:1062 ➝ 85.248.2.228:443


Strings
1T4VKTN
3\caJRhtem3h\sys
6fu(Yj
AB@CGF
ACUIProviderInvokeUI
AmpFactorToDB
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
B@CFG"
B@CGFw
B.data
CFGMGR32.dll
CM_Add_Empty_Log_Conf
CM_Add_Empty_Log_Conf_Ex
CM_Add_IDA
CM_Add_ID_ExA
CM_Add_ID_ExW
CM_Add_IDW
CM_Add_Range
CM_Add_Res_Des
CM_Add_Res_Des_Ex
CM_Connect_MachineA
CM_Connect_MachineW
CM_Create_DevNodeA
CMP_Init_Detection
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CreateMutexA
CryptUIDlgCertMgr
CryptUIDlgFreeCAContext
CryptUIDlgSelectCA
CryptUIDlgSelectCertificateA
CryptUIDlgSelectCertificateFromStore
CryptUIDlgSelectCertificateW
CryptUIDlgSelectStoreA
CryptUIDlgSelectStoreW
CryptUIDlgViewContext
CryptUIDlgViewCRLA
CryptUIDlgViewCRLW
CryptUIDlgViewCTLA
CryptUIDlgViewCTLW
CryptUIDlgViewSignerInfoA
CryptUIDlgViewSignerInfoW
CRYPTUI.dll
DecodePointer
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
DUserCastClass
DUserDeleteGadget
duser.DLL
ExitProcess
GetCommandLineA
GetCommState
GetOEMCP
GetVersionExW
GetWindowsDirectoryA
hq6.2y!
h#V!k<
IsRasmanProcess
i%VD+u
~kbg/V
kernel32.dll
	M1=kkFg-
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
NDdeApi.dll
NDdeGetErrorStringA
netapi32.dll
NOKHJI
;@N{Yv
pstorec.dll
PStoreCreateInstance
quartz.dll
QueryDosDeviceA
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
</security>
<security>
!This program cannot be run in DOS mode.
tn`ef$
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
-'v=.3
W*e51d
wh.dllhtsrv
w+"ICX
Wj8(GT
x,#J#1