Analysis Date: 2015-12-01 00:29:08
MD5: aeed49226faa73140476a8a7b1bae815
SHA1: 63b34d6806bb74e340740043b878afae95c981c9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 41572849562f41b5f2ca509b5818404e sha1: adf7fbac47af478fcdbfb0464b25d67da20cfc67 size: 9216
Section .rdata: md5: e69e20a714f04c0e32c68a2faf7d767f sha1: b6cc92db928ce5f187a6c84a1f3cc63dc8bbf991 size: 5120
Section .data: md5: 63ac302024b33d3d1c281024eb76ff1b sha1: cc7af296f72f96eb1b91a137e85d51d5f4f049cc size: 2048
Section .rsrc: md5: 71657520c769d131c3ce9939c9aac36d sha1: 78283e217a13455b8017835885f8d90debe56a5a size: 14336
Timestamp: 1986-05-24 09:54:55
Packer: Microsoft Visual C 2.0
PEhash: 00be251133c84773cf76b00cf2085f5b6ba4c45c
IMPhash: 0fae9e28967c8220863a3d68ac7e8f97
AV MalwareBytes: Trojan.Email.Upatre
AV Zillya!: Downloader.CTBLocker.Win32.12
AV Twister: no_virus
AV Emsisoft: Trojan.Upatre.Gen.3
AV Trend Micro: TROJ_UPATRE.SMJK
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV BullGuard: Trojan.Upatre.Gen.3
AV Symantec: Downloader.Upatre!gen5
AV Avira (antivir): TR/Qudamah.wbpbp
AV Grisoft (avg): Crypt4.XQE
AV BitDefender: Trojan.Upatre.Gen.3
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV Fortinet: W32/Kryptik.DIZF!tr
AV ClamAV: no_virus
AV Alwil (avast): Crypt-SAL [Trj]
AV Ad-Aware: Trojan.Upatre.Gen.3
AV K7: Trojan ( 004bf22f1 )
AV Kaspersky: Trojan-Downloader.Win32.Upatre.gwk
AV Authentium: W32/Upatre.Q.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Kadena.B4
AV Mcafee: Downloader-FASG!AEED49226FAA
AV Dr. Web: Trojan.DownLoader13.43828
AV Eset (nod32): Win32/Kryptik.DGUK
AV Padvish: no_virus
AV Rising: Trojan.Win32.Kryptik.af
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Downloader.Upatre

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\PRTY8D97.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\prityviewer.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\prityviewer.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\prityviewer.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: icanhazip.com, Type: A ➝ 64.182.208.184
DNS: icanhazip.com, Type: A ➝ 64.182.208.185
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
HTTP GET: http://91.211.17.201:13445/WSB22/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

Strings

Download
Load
Save
Update
Upload
_acmdln_dll
BeginPaint
button
_commode_dll
CreateWindowExA
CRTDLL.dll
@.data
DefWindowProcA
DialogBoxParamA
DispatchMessageA
DrawTextA
EndDialog
EndPaint
_fmode_dll
GetClientRect
GetLastError
__GetMainArgs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
_global_unwind2
_initterm
KERNEL32.dll
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
_local_unwind2
PathCompactPathExA
PathFileExistsA
PathFindExtensionA
PathFindFileNameA
PathIsDirectoryA
PathMatchSpecA
PostQuitMessage
`.rdata
RegisterClassExA
RICHED32.DLL
richedit
SendMessageA
SHLWAPI.dll
SimpleProgramA
SimpleWindow1
static
!This program cannot be run in DOS mode.
TranslateMessage
USER32.dll
VC20XC00U
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>    <requestedPrivileges>     <requestedExecutionLevel  level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>