Analysis Date: 2015-11-03 23:11:13
MD5: bc86f9b88d34cc02986109ba2d0eba8e
SHA1: 57ddd11ee7ee793ddc5953a35ec7fe61e1a5ecea

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 437a3a0df74c6d315dacfa92bb316bb3 sha1: 4eb741bcc02e924394146b591813dd93c926fe5d size: 3584
Section .code: md5: 6770eaf16b1fa1a072d68091db239b69 sha1: 0a67691b3f7ad9ff31eebb9c3b9f851acb61f257 size: 512
Section .data: md5: 57f5c48195917e9cb31c02be508eb95b sha1: 8149ba90ca34af1b80db110b3dc3e06198723592 size: 7680
Section .idata: md5: 92026532075ae2b437cdc864b99c590c sha1: ab92df010afb71e17e77e8f8e22e82675953ddc8 size: 2560
Section .rsrc: md5: 046ec9f649212246e19792d8ce49ae9f sha1: 26cf1c076f95ee9a5c86afda72e81ee823209f1f size: 5632
Timestamp: 2003-09-17 01:37:06
Version: LegalCopyright: Copyright (C) 2011
InternalName: go.exe
FileVersion: 5.1.1.1
CompanyName: MS Corp
SpecialBuild:
LegalTrademarks:
FileDescrsiption: go.exe
Comments:
ProductName: Go
ProductVersion: 5.1.1.1
PrivateBuild:
OriginalFilename: go.exe
Packer: Program Protector XP v1.0
PEhash: 5222599857d62f4f5e345f65797cf6f8c86c28f1
IMPhash: 92a943ee4a19b671211e8e896bab8035
AV Rising: Trojan.Win32.Upatre.b
AV CA (E-Trust Ino): Win32/Upatre.TNfJfeD
AV F-Secure: Trojan.GenericKD.1386759
AV Dr. Web: Trojan.DownLoad3.28161
AV ClamAV: Win.Trojan.Generickd-440
AV Arcabit (arcavir): Trojan.GenericKD.1386759
AV BullGuard: Trojan.GenericKD.1386759
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Bublik
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV Trend Micro: TROJ_UPATRE.SM37
AV Kaspersky: Trojan-Downloader.Win32.Small.cwrr
AV Zillya!: no_virus
AV Emsisoft: Trojan.GenericKD.1386759
AV Ikarus: Trojan.Patched_c
AV Frisk (f-prot): W32/Trojan3.GKY
AV Authentium: W32/Trojan.AYUR-2029
AV MalwareBytes: Trojan.Dropper
AV MicroWorld (escan): Trojan.GenericKD.1386759
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV K7: Trojan-Downloader ( 00457c511 )
AV BitDefender: Trojan.GenericKD.1386759
AV Fortinet: W32/Kryptik.PK!tr
AV Symantec: Trojan.Zbot
AV Grisoft (avg): Patched_c.BHFC
AV Eset (nod32): Win32/TrojanDownloader.Small.AAB
AV Alwil (avast): Agent-ASRB [Trj]
AV Ad-Aware: Trojan.GenericKD.1386759
AV Twister: Trojan.8EFD10AD67CD60B3
AV Avira (antivir): TR/Yarwi.A.1077
AV Mcafee: Downloader-FVS!BC86F9B88D34

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: seminyak-italian.com
Winsock DNS: indowines.net

Network Details:

DNS: seminyak-italian.com (Type: A) ➝ 198.1.84.100
DNS: indowines.net (Type: A) ➝ 198.1.84.101
Flows TCP: 192.168.1.1:1031 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1032 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1033 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1034 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1035 ➝ 198.1.84.101:443
Flows TCP: 192.168.1.1:1036 ➝ 198.1.84.101:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings