Analysis Date: 2015-11-15 16:57:00
MD5: bf9cef3a77d806c4489cc406920ffc60
SHA1: 7192e536e0cbaa4753297feb77007672e8e8253f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1cfe640fb916f9e71e2f42ce9463b6e6 sha1: d3cefe831eba88d17380b6e877f968ab01e72878 size: 6144
Section .rdata: md5: 5991a0937ea1c73a6ea7d2b50760dccf sha1: b09ba9081a37296905432830e2b7a3f680249f52 size: 1536
Section .data: md5: 36f425ac30a34478057dae27a1407f15 sha1: 27c149c9c2f3499e5e8e775de3eeba3e88845640 size: 512
Section .rsrc: md5: d312230fc901e21ad5d01f3359ba6e14 sha1: 9a3ea68fc338ca5068121b66142c23539c4c2819 size: 10240
Section .reloc: md5: 5941791c6b31ac52e41a5ea0912259d3 sha1: 953eb4ea14eb81b605c22a5b1c6a2a709e64de33 size: 512
Timestamp: 2014-02-05 03:55:00
PEhash: 2394682c218c1f7651bd92f22a4a09342e6bc7ab
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20
AV Mcafee: Downloader-FSH!BF9CEF3A77D8
AV CA (E-Trust Ino): Win32/Tnega.GXNWZHB
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1559549
AV Arcabit (arcavir): Trojan.GenericKD.1559549
AV Padvish: Downloader.Win32.Injecter.ji_Generic
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV Rising: no_virus
AV Sophos: Troj/Upatre-S
AV Ad-Aware: Trojan.GenericKD.1559549
AV Symantec: Downloader.Upatre
AV ClamAV: Win.Trojan.Generickd-68
AV Trend Micro: TROJ_UPATRE.SMBB
AV Twister: Trojan.4EB8D0DD116B77B2
AV Authentium: W32/Trojan.QXZZ-7823
AV VirusBlokAda (vba32): TrojanDownloader.Injecter
AV Dr. Web: Trojan.DownLoad3.28161
AV Zillya!: Downloader.Injecter.Win32.5149
AV Emsisoft: Trojan.GenericKD.1559549
AV Alwil (avast): Zbot-TCT [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Avira (antivir): TR/Yarwi.B.176
AV Fortinet: W32/Waski.AC!tr
AV Frisk (f-prot): W32/Trojan3.HKY
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV BitDefender: Trojan.GenericKD.1559549
AV Grisoft (avg): Generic35.BQYO

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bsitacademy.com
Winsock DNS: wahidexpress.com

Network Details:

DNS: bsitacademy.com (Type: A) ➝ 69.30.205.243
DNS: wahidexpress.com (Type: A) ➝ 103.15.74.65
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 69.30.205.243:80
Flows TCP: 192.168.1.1:1032 ➝ 103.15.74.65:80
Flows TCP: 192.168.1.1:1033 ➝ 69.30.205.243:80
Flows TCP: 192.168.1.1:1034 ➝ 103.15.74.65:80