Analysis Date: 2015-03-04 10:45:30
MD5: 006867f54c90ac9c4aecc4ef095dba4b
SHA1: 6f672a86178843c4c10545b6c4fa8034b499372b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d29a313db4ef0f824897e81a469bc9ca sha1: 1c953281a9938c7d1099327e9f0d64c14433b471 size: 4608
Section .rdata md5: f9c5f79c2fb2108daebfc88982613605 sha1: 833b8cfbb769ca99542f01be90feeecc36f2098f size: 5632
Section .data  md5: d39a965512d6dfb74386fdfba06720d1 sha1: 2a9a5dec5451ed21eced5b6194e0a838974cd175 size: 3584
Section .rsrc  md5: 0be75f3858f943fad1e2ca77d7ff436d sha1: 2fa2485d9118ca09453e33002048177153b865a7 size: 11264
Timestamp: 2014-01-17 06:22:07
Packer: Microsoft Visual C++ 5.0
PEhash: 738f9477dc0e5552282a82f046f00d31f39e56fa
IMPhash: f18981d59f0a91219b200ade795a1d47
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1504665
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Trojan.GenericKD.1504665
AV Authentium: W32/Trojan.JJAM-4038
AV Avira (antivir): TR/Agent.BTAW
AV BullGuard: Trojan.GenericKD.1504665
AV CA (E-Trust Ino): Win32/Upatre.ZcbPeUC
AV CAT (quickheal): TrojanPWS.Zbot.Gen
AV ClamAV: Win.Trojan.Generickd-107
AV Dr. Web: Trojan.Inject1.35383
AV Emsisoft: Trojan.GenericKD.1504665
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Krptik.AIX!tr
AV Frisk (f-prot): W32/Trojan3.HEV
AV F-Secure: Trojan.GenericKD.1504665
AV Grisoft (avg): Zbot.FAC
AV Ikarus: Trojan-Spy.Zbot
AV K7: Trojan-Downloader ( 0048f6391 )
AV Kaspersky: Trojan.Win32.Generic
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Zbot
AV Mcafee: PWSZbot-FPX!006867F54C90
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1504665
AV Rising: no_virus
AV Sophos: Troj/DwnLdr-LHS
AV Symantec: Downloader.Upatre
AV Trend Micro: TROJ_UPATRE.SM37
AV VirusBlokAda (vba32): Trojan.Bublik

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: yestospain.com
Winsock DNS: appsredeem.com

Network Details:

DNS: appsredeem.com
Type: A
8.5.1.32
DNS: yestospain.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 8.5.1.32:443
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.32:443
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.32:443
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.32:443
Flows TCP: 192.168.1.1:1035 ➝ 8.5.1.32:443
Flows TCP: 192.168.1.1:1036 ➝ 8.5.1.32:443
Flows TCP: 192.168.1.1:1037 ➝ 8.5.1.32:443
Flows TCP: 192.168.1.1:1038 ➝ 8.5.1.32:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
C:\0AqHQd5n.exe
C:\0d4e8b4ae5bf64fddac645ca97a0814b65aa638b67bec5f8dc229bd6f3a39dc1
C:\118f34a681a2f84ffea04cf7759705fd79ab5fa116ec0c439e5925b09e599af5
C:\17130721.exe
C:\17130803.exe
C:\1moS2mrZ.exe
C:\2ft82Tpn.exe
C:\38WEMyb4.exe
C:\3BBG7Nht.exe
C:\56S5yEYl.exe
C:\5b6e005215281dc1eb417940e317c82cbe1751f13eb374b4dc3fb91b6eca236c
C:\5IFceTD4.exe
C:\6aEU4SKW.exe
C:\779e8f0ccdb1967859893f09ab5759e018a535aa5de8f388b97558c4e11c6337
C:\77jxFLaX.exe
C:\7aL0wScx.exe
C:\7Z5PxxiL.exe
C:\9060cc557b63394566c9003a0a663bbe9445ecb1466215a8647108d3ea936ec0
C:\90a824b48d3b9102ca51793bbc9d1457c9bb7e37b81c0c9e867bf5e1ebecaf6e
C:\95urSCiF.exe
C:\9L8f8qXV.exe
C:\9MMhYeeX.exe
C:\9taBdQRO.exe
C:\9TyrnCAz.exe
C:\a4eQ8Ybn.exe
C:\AqvRZh55.exe
C:\AtLF1ZFg.exe
C:\BDdVkh9P.exe
C:\btvZeljX.exe
C:\caNCbh3P.exe
C:\_CJvKDQN.exe
C:\CksFALD3.exe
C:\cwyGIs5F.exe
C:\DnL94buP.exe
C:\DoUjCcSq.exe
C:\DZaefVz0.exe
C:\EBzt4B89.exe
C:\ep26KGCb.exe
C:\ewnKJXcC.exe
C:\EzfBnJiM.exe
C:\F7uw8K6F.exe
C:\G0pSz8aq.exe
C:\iI3cuAUV.exe
C:\IMvC6LxQ.exe
C:\iNfjjcM9.exe
C:\iwy_HKBo.exe
C:\jC6pA086.exe
C:\jgXf2IjX.exe
C:\jpyMPCZI.exe
C:\kCf0TQbG.exe
C:\KIckQOgh.exe
C:\KkqxnUL9.exe
C:\KXEHTNhE.exe
C:\L2ezxK8S.exe
C:\laqBHMVI.exe
C:\lww9hafy.exe
C:\MM5bFJEr.exe
C:\nLaLrUJ3.exe
C:\nSqDzQFR.exe
C:\ntKchB5z.exe
C:\O1wnkcCd.exe
C:\OJIQD_Qj.exe
C:\Oo74Rwm0.exe
C:\oPMG9c9j.exe
C:\pkdYDf4k.exe
C:\PUGwnLmn.exe
C:\qK6IzYTP.exe
C:\rhw_7iDm.exe
C:\RyNrjKTV.exe
C:\s3gF59Dx.exe
C:\sItKLxnw.exe
C:\SKnStBlP.exe
C:\TIaN7mNC.exe
C:\TnBh0Hp0.exe
C:\U19FMqDO.exe
C:\ujZq5pDq.exe
C:\UPvsLTnE.exe
c:\ut1w3x\f9n2ml.exe
C:\_V6hVKU9.exe
C:\v7kAv25E.exe
C:\vqfGOjrT.exe
C:\wCkQIY7v.exe
C:\WD47Hrj2.exe
C:\WfWaPf7x.exe
C:\wN6hloFi.exe
C:\WtfHU86p.exe
C:\x5oz0pd6.exe
C:\X82gV6CC.exe
C:\xpw0rDfr.exe
C:\ycRAAo1O.exe
C:\_yKMJUNq.exe
C:\YpqcMQfL.exe
c:\z9vauc\jbdl2g.exe
C:\zLV_rcig.exe
C:\ZSiqVm7M.exe
C:\zt5a0txa.exe
msvfw32.dll
Vezeziyahu
WINMM.dll
Zelmupno
585?Z5l5
_adjust_fdiv
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADC
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
_controlfp
CreateWindowExW
@.data
DefWindowProcW
DispatchMessageW
_except_handler3
ExitProcess
GetCurrentProcess
GetMessageW
GetModuleHandleW
GetProcessAffinityMask
GetStartupInfoW
GetSystemInfo
_initterm
KERNEL32.dll
LoadLibraryExW
`L`OCe
MoveWindow
MSVCRT.dll
__p__commode
__p__fmode
pQJufS
`.rdata
RegisterClassExW
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
RichES
    </security>
    <security>
__set_app_type
__setusermatherr
!This program cannot be run in DOS mode.
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnhandledExceptionFilter
USER32.dll
VVRRRRh
_wcmdln
__wgetmainargs
_XcptFilter