Analysis Date: 2015-10-14 22:19:34
MD5: 52416611be6bde38d6f99baf231b4f54
SHA1: 56f3d3cc52d47e62c8c50865ddc32443c240d549

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 87e6f5297088bee5465900427f008173 sha1: 6db6d347c89e9f11e5b27cf5c53669e0bd0656d4 size: 6144
Section .data: md5: f1ab2370a364765cc01820a3d76a41eb sha1: a4d996a9b0fb0dd7596ff39134925b46637b7774 size: 2048
Section .rdata: md5: 01462bbaa54d603bfa3454feccb63fd6 sha1: 3644b510638233ef5a7a8412f53612d28c36dd85 size: 2560
Section .idata: md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc: md5: adc39a152be102eb7a041e991a6d202c sha1: 76189e9a0c3b080a0c8dcac8bfa0acf0dcd1001a size: 5120
Timestamp: 2004-05-20 06:02:07
PEhash: 86f54a7ff3c1451fa1ffd627d39147b3b2405508
IMPhash: 641a435995118d1e23b199af0b58ecfd
AV Rising: Error Scanning File
AV CA (E-Trust Ino): Win32/Upatre.CH
AV F-Secure: Trojan.GenericKD.1510674
AV Dr. Web: Trojan.DownLoad3.28161
AV ClamAV: Win.Trojan.Generickd-2709
AV Arcabit (arcavir): Trojan.GenericKD.1510674
AV BullGuard: Trojan.GenericKD.1510674
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV Trend Micro: TROJ_UPATRE.SMZ3
AV Kaspersky: Trojan-Downloader.Win32.Agent.hdyf
AV Zillya!: Downloader.Agent.Win32.184143
AV Emsisoft: Trojan.GenericKD.1510674
AV Ikarus: Trojan-Spy.Zbot
AV Frisk (f-prot): W32/Trojan3.HFU
AV Authentium: W32/Trojan.OEJC-5872
AV MalwareBytes: Trojan.Email.FakeDoc
AV MicroWorld (escan): Trojan.GenericKD.1510674
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV K7: Trojan ( 0040f7411 )
AV BitDefender: Trojan.GenericKD.1510674
AV Fortinet: W32/Kryptik.CF!tr
AV Symantec: Trojan.Zbot
AV Grisoft (avg): Downloader.Generic13.BUTM
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Alwil (avast): Waski-C [Cryp]
AV Ad-Aware: Trojan.GenericKD.1510674
AV Twister: TrojanDldr.Waski.A.netu
AV Avira (antivir): TR/Dldr.Upatre.A.67
AV Mcafee: BackDoor-FBPV!52416611BE6B

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: findlawenforcement.com
Winsock DNS: perfectablets.com

Network Details:

DNS: perfectablets.com
Type: A
8.8.8.8
DNS: findlawenforcement.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1032 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1033 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1034 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1035 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1036 ➝ 8.8.8.8:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.

Strings