Analysis Date: 2015-03-17 11:27:16
MD5: bab92660cc94084d85bc592264560080
SHA1: 5966003aba51e37f1093b2443ba13ff1e274a161

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ccd6872bf8a30fde0aaef880f6fcab5c sha1: a5e4c50204b2bbe28fd22ab4612069ca0ddc8709 size: 6144
Section .data md5: 006ed4262cd7ae5ded103716a5888458 sha1: 3184fc68cd0ba37ef74f3f86bfd1caedbd5febc8 size: 2048
Section .rdata md5: 6b3988de8f9320f645cf1b02d635f5c8 sha1: 2b88d99bea8aff01ba90edbac807da88e11e6bb1 size: 2560
Section .idata md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc md5: 8d585c9cb53383587360245d758df751 sha1: b49f1ff80ef341b3933e07a7861b1d912ae45192 size: 5120
Timestamp: 2004-05-20 05:59:45
PEhash: 40798a0e07c1975eae2f4f2f97c0981897c04949
IMPhash: 641a435995118d1e23b199af0b58ecfd
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1510678
AV Alwil (avast): Waski-C [Cryp]
AV Arcabit (arcavir): Trojan.GenericKD.1510678
AV Authentium: W32/Trojan.FLQZ-0982
AV Avira (antivir): TR/Dldr.Upatre.A.66
AV BullGuard: Trojan.GenericKD.1510678
AV CA (E-Trust Ino): Win32/Upatre.CG
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV ClamAV: Win.Trojan.Generickd-339
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1510678
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Kryptik.CF!tr
AV Frisk (f-prot): W32/Trojan3.HFT
AV F-Secure: Trojan.GenericKD.1510678
AV Grisoft (avg): Zbot.FCP
AV Ikarus: Trojan-Spy.Zbot
AV K7: Trojan-Downloader ( 0048f6391 )
AV Kaspersky 2015: Trojan-Downloader.Win32.Agent.hdyf
AV MalwareBytes: Trojan.Email.FakeDoc
AV Mcafee: BackDoor-FBPV!BAB92660CC94
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1510678
AV Rising: no_virus
AV Sophos: Troj/Kryptik-CF
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_UPATRE.LZ
AV VirusBlokAda (vba32): TrojanDownloader.Agent

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: nbc-mail.com
Winsock DNS: findenglish.com

Network Details:

DNS: findenglish.com
Type: A
204.11.56.45
DNS: nbc-mail.com
Type: A
200.74.243.170
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1035 ➝ 200.74.243.170:443
Flows TCP: 192.168.1.1:1036 ➝ 200.74.243.170:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
.
C:\0827f33265a83f172410c3c067f3b907d92a1f72f7757e21d0c81af258ecb99b
C:\1Cusb7QJ.exe
C:\3eAYuCuz.exe
C:\3f9f3aa2ce12e60aba2561c9aab2ea7d9be6316b01239cd680293db9469da568
C:\60bc76bacde561f4600c512f43a4b60dd9b68377e1fe279fa5bd92a4b1943b59
C:\8CExQBvZ.exe
C:\9041b9d09abfaf5088711b7697fc323901432e18e577a9aeb765fe6c021365ab
C:\90d175d0d0c34278d18a23e937606d1d8869f8298fb4818c92e2d1d8d3f7ba33
Cancel
C:\bXfHiwVs.exe
C:\C7oI0TTx.exe
C:\cCmwwO30.exe
C:\d0970bce9f7d11912d65e2bc873f0cad0de9dd103df2b23a56ad7bb4f1e58f67
C:\D2II856D.exe
C:\d62feb4c861e60cf4e319b124d3792a0ea3d8fe2fe641f08f73db00fdd0052b0
C:\dEw8YGVu.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\Rar$EX00.031\Scan_001_293987112.exe
C:\E8_iuAhu.exe
C:\EIq6LTse.exe
C:\EOu4UHp5.exe
C:\f0ab1fd80cd4a3c576a87340e96fe544f5acd19d71e2b90f8e1f92fcb53c3085
C:\F1LP7o15.exe
C:\f3cQQd21.exe
C:\fcf25d804edb219541484d66e19174ebc1cdd69d68a400ca48069624d52502c0
C:\gf218iKv.exe
C:\GQqTKoFc.exe
C:\HiNRzcax.exe
C:\iMd4iMod.exe
C:\JCowfoWL.exe
C:\MAjWwc9T.exe
C:\MF8dO5vA.exe
C:\opEXcjc7.exe
C:\PO529L7i.exe
C:\PZIKhYEM.exe
C:\QnxCNv3F.exe
C:\rd2h5Lxi.exe
C:\rxgf7GFK.exe
C:\u8XMsdN7.exe
C:\V0T6QldE.exe
C:\w7nwXYoH.exe
E&xit
&File
&Help
MS Shell Dlg
&New 
~~~~~~~~
*++++++(,-.//,0 1234256++++++78
22222222222222222222222222222222222222222222222222222222222222222222222222222222=
-2NO ;;; PQRS
3eLp,lWoN
7oLd7iMrLrdEcA
7oLd.u]sZr,
9T`aaa
9TTTTT
A1d5e#[YGGGGGGfgQ_	
;      (<=>?@<->A@BA@C<     * DE
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
BeginPaint
bGGGGGGHIW^c[Z
BiYmX.OlW
CheckMenuItem
CloseClipboard
CreateCaret
CreateDirectoryW
CreateMenu
DestroyCaret
EmptyClipboard
EnableMenuItem
/eQWTnOobP]oNA
E	txjYh
ExitProcess
F]ePLTb]a]y
#F=FFFFF
FFFFFFF
FFFF=FFFFFF
FFFFFFFFFF=
FFFFFFFFFFF
FindWindowA
fl?8Z`et
FlashWindow
fVMsu2
GetClientRect
GetClipboardData
GetClipboardOwner
GetCursorPos
GetKeyboardLayout
GetKeyboardState
GetMessageA
GetMessageTime
GetModuleHandleA
GetScrollInfo
GetSystemMenu
G;;;;;;HI
GlobalLock
GlobalUnlock
GPt;rZc,dOrPs^
HeapAlloc
HideCaret
HPa[C]eLtP
.idata
iGGGGGUjkXclcVmmnfodpqrUGUGGUfsQtu	
}iiiiiii~
InvalidateRect
IsBadReadPtr
IsWindow
IsZoomed
J1KL-5M@5M
kernel32.dll
LoadIconA
MessageBoxIndirectA
MsgWaitForMultipleObjects
;o^t<uTt8e^sLgP
PostMessageA
.rdata
RegisterClassA
RegisterClipboardFormatA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
;R:F?O=
?rLn^lLtPMPs^aRe
.rPa_eBiYdZw0x,
rPcZrO ]eN
ScreenToClient
    </security>
    <security>
SetCaretPos
SetClassLongA
SetClipboardData
SetKeyboardState
SetScrollInfo
SetWindowPos
SetWindowTextA
ShowCaret
S`n>hTnP
!This program cannot be run in DOS mode.
ToAsciiEx
ToUnicodeEx
TrackPopupMenu
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
ttttFFFFFFFFFFFF
	||||	u
U;;;;;;HVW0XYZ0[\]5AX^HO;;;;O;[Q_
uO''Eg
user32.dll
VPjkrZ
W'fl:;E`YtU
WinHelpA
wUUUUUUUjxrUrjyyzrrzorUUUUUUUfs{F
XcTSPnOS_rTnRA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>