Analysis Date: 2015-11-12 12:23:27
MD5: c49f1d874e576d6725261e65f45f972e
SHA1: 61eb4b5d8bf207208b43cab6a55f9b5993752f34

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 458af5eed02c6e244e6b95abbe36f7ec sha1: 4631862121e5db7bedebd3500a6cd1ed59f5b098 size: 9216
Section .rdata md5: a48707c3141744d8c29a88bd17230f3c sha1: ac63e1801b285c0a2c884394b84e8d0e60953c04 size: 3072
Section .data md5: 27281e75252dddeacfa068783ce6a403 sha1: 550f8ea71537cf4c5ee423a5accb071c467223ab size: 2048
Section .rsrc md5: 938ad42ff294168de5aad2d7cdd0866e sha1: 068784a019d330278892eba97526f541149b1006 size: 18432
Timestamp: 2091-10-18 21:37:14
Packer: Microsoft Visual C 2.0
PEhash: 3190ab2da43d0331e452be2c7270bbc5f51466cc
IMPhash: 1d0e22050bd5d9bb8fe615757289537b
AV Rising: Trojan.Win32.Kryptik.af
AV Mcafee: Downloader-FASG!C49F1D874E57
AV Avira (antivir): TR/Crypt.Xpack.314453
AV Twister: No Virus
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Alwil (avast): Crypt-SAL [Trj]
AV Eset (nod32): Win32/Kryptik.DGNJ
AV Grisoft (avg): Generic_s.EOO
AV Symantec: Downloader.Upatre!gen5
AV Fortinet: W32/Waski.A!tr
AV BitDefender: Trojan.Upatre.Gen.3
AV K7: Trojan ( 004c16241 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV MalwareBytes: Trojan.Upatre.PDF
AV Authentium: W32/Upatre.O.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.VB.Crypt
AV Emsisoft: Trojan.Upatre.Gen.3
AV Zillya!: No Virus
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fvt
AV Trend Micro: TROJ_UPATRE.SMJP
AV CAT (quickheal): Trojan.Kadena.B4
AV VirusBlokAda (vba32): No Virus
AV Padvish: No Virus
AV BullGuard: Trojan.Upatre.Gen.3
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV ClamAV: No Virus
AV Dr. Web: Trojan.Upatre.2249
AV F-Secure: Trojan.Upatre.Gen.3
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\reachF846.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\reachviewerpdf.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\reachviewerpdf.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\reachviewerpdf.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: icanhazip.com (Type: A) ➝ 64.182.208.184
DNS: icanhazip.com (Type: A) ➝ 64.182.208.185
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1)
HTTP GET: http://81.7.109.65:13414/MSI11B/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1)

Strings

Close
Download
jjjh
MyBestClassex
RadionSpectrumApplication
Save
Update
Upload
_acmdln_dll
BestMainClass
BestMyApplication
button
CloseHandle
_commode_dll
CreateFileA
CreateWindowExA
CRTDLL.dll
@.data
"""DB""
DefWindowProcA
DialogBoxParamA
DispatchMessageA
EndDialog
_fmode_dll
GetClientRect
GetCurrentDirectoryA
GetLastError
__GetMainArgs
GetMessageA
GetModuleHandleA
GetStartupInfoA
_global_unwind2
_initterm
KERNEL32.dll
LoadAcceleratorsA
LoadCursorA
LoadIconA
LoadLibraryA
LoadLibraryW
LoadStringA
_local_unwind2
Megator
PathCompactPathExA
PathFileExistsA
PathFindExtensionA
PathFindFileNameA
PathIsDirectoryA
PathMatchSpecA
PostQuitMessage
`.rdata
ReadFile
RegisterClassExA
riched32.DLL
richedit
SendMessageA
SHLWAPI.dll
ShowWindow
static
!This program cannot be run in DOS mode.
TranslateAcceleratorA
TranslateMessage
UpdateWindow
USER32.dll
VC20XC00U
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>    <requestedPrivileges>     <requestedExecutionLevel  level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>