Analysis Date: 2015-03-17 12:33:17
MD5: bccec86498e0dd5917241ce3b2c27bd1
SHA1: 728eb50b43d2d30d0ccf66b393c4eae30fb8b014
(No SHA-256 is recorded in this report; pivot on the MD5/SHA1 above and the IMPhash below.)

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: ac4b6435609e5a7fa9de9819b472d952 sha1: 8c96536a8b1926f2a0a5bb2535655f0eb4870264 size: 3584
Section .rdata md5: b242d93ad50d04afd5b49d9c281bb6ef sha1: e5ea99c88996471298a1c0c8fc904f9e7faa06a1 size: 2048
Section .data  md5: ec34998f1be4e22e29e08fe07ec4863f sha1: 8ecc045ab3bcc261660f77fcaac3a2faf4b7f647 size: 1024
Section .rsrc  md5: 6ea40bef2ced814d75c6876efa8828f4 sha1: cce463db9ccc56e5f2d79a06e231557c3d79fcf2 size: 4608
(Four standard sections totalling 11,264 bytes — a very small binary, consistent with a first-stage dropper/downloader rather than a full payload.)
Timestamp: 2013-11-18 08:29:22 (PE header compile time; this field is attacker-controllable and should not be treated as a reliable first-seen date — the analysis above was run ~16 months later.)
Packer: Borland Delphi 3.0 (???) — the "(???)" marks a low-confidence heuristic signature match; treat the packer/compiler identification as unverified.
PEhash: e5733ecd55d2d31c3f25beab63ed732b48800552
IMPhash: 5f15908da5076b9866aa29d4bc303edd (hash of the import table; useful for pivoting to related samples independently of the packer guess.)
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1407887
AV Alwil (avast): Crypt-QFA [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.1407887
AV Authentium: W32/Trojan.WDZF-0817
AV Avira (antivir): TR/Yarwi.AD.4
AV BullGuard: Trojan.GenericKD.1407887
AV CA (E-Trust Ino): Win32/Upatre.N
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV ClamAV: Win.Trojan.Generickd-80
AV Dr. Web: Trojan.DownLoad3.30628
AV Emsisoft: Trojan.GenericKD.1407887
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Waski.A!tr.dldr
AV Frisk (f-prot): W32/Trojan3.GNI
AV F-Secure: Trojan.GenericKD.1407887
AV Grisoft (avg): Crypt_s.ETJ
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Trojan-Downloader ( 0040f6c11 )
AV Kaspersky 2015: Trojan-PSW.Win32.Tepfer.utee
AV MalwareBytes: Trojan.Inject.RRE
AV Mcafee: Downloader-FSH!BCCEC86498E0
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1407887
AV Rising: Trojan.DL.Win32.Waski.a
AV Sophos: Troj/Zbot-GXQ
AV Symantec: Downloader
AV Trend Micro: TROJ_UPATRE.SM2
AV VirusBlokAda (vba32): Trojan.Bublik

Detection summary: 28 of 29 engines flag the file; 360 Safe reports no detection. Family names disagree (Upatre/Waski from CA, Quick Heal, ESET, Fortinet, Microsoft, Rising and Trend Micro; Zbot/Tepfer/Bublik from Ikarus, Sophos, Kaspersky and VBA32; generic "Downloader"/"GenericKD" elsewhere), but the majority classify it as a downloader, which matches the runtime behaviour below (drops and runs a second stage that opens outbound HTTPS connections). Do not key blocking or hunting on a single vendor name; use the hashes above and the network indicators below.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe   (presumably the submitted sample, renamed by the sandbox)

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\gine.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\gine.exe"

Note: the parent's only substantive actions are writing a second-stage executable (gine.exe) into the user's %TEMP% and launching it. The report does not record the hash or size of gine.exe, so it cannot be determined from here whether it is a copy of the sample, an unpacked stage, or a distinct payload — recover it from the sandbox filesystem before treating it as the same file. The ZoneMap\ProxyBypass write and the wkssvc named-pipe open are repeated by the child and are low-value as indicators on their own; verify against a clean baseline before using them for detection.

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\gine.exe"   (the dropped second stage; all network activity below is attributed to this process)

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL   (apparently a read with no value set — no proxy configured in the sandbox, so connections went direct)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint   (a Winsock socket endpoint)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: loadoutpress.com
Winsock DNS: www.cecileduquesne.com
Winsock DNS: arcdesign.info

Note: the index.dat cache files, the WininetConnectionMutex and the three cache-directory mutexes are artefacts of the WinINet library, so the second stage appears to use WinINet (rather than raw sockets alone) for its HTTPS requests. Consequently the URL cache and History.IE5 folders of the sandbox user may contain the requested URLs, which this report does not show — check them to recover the C2 paths.

Network Details:

DNS: loadoutpress.com
Type: A
204.11.56.45
DNS: arcdesign.info
Type: A
217.160.173.70
DNS: www.cecileduquesne.com
Type: A
(no A record returned; no flow to this host was observed)
Flows TCP 192.168.1.1:1031 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1032 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1033 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1034 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1035 ➝ 217.160.173.70:443
Flows TCP 192.168.1.1:1036 ➝ 217.160.173.70:443
Flows TCP 192.168.1.1:1037 ➝ 217.160.173.70:443
Flows TCP 192.168.1.1:1038 ➝ 217.160.173.70:443
Flows TCP 192.168.1.1:1039 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1040 ➝ 204.11.56.45:443

Note: ten short-lived connections to TCP/443 on two hosts, using consecutive ephemeral ports (1031–1040) in a 4/4/2 pattern, which looks like retries or polling rather than a single sustained session. Indicators from this section: the three domains and the two IPs; the third domain did not resolve at analysis time. Hosting IPs for domains of this kind are frequently shared or transient, so prefer the domain names (and, if recoverable, the URL paths) over the IPs for blocking, and re-resolve before acting on indicators from a 2015 capture.

Raw Pcap
(Only the first 3–4 bytes of each flow were captured. The leading bytes `80 4c 01 03` and `80 2b 01` are consistent with an SSLv2-compatible record header — 0x80 | length, then message type 0x01 = CLIENT-HELLO, then the protocol version — i.e. the client starting an SSL/TLS handshake. No server response, certificate, SNI or decrypted application data is recorded, so the C2 protocol and any payload fetched over these sessions cannot be determined from this report.)
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
(Caution on interpretation: the long run of C:\<8 random chars>.exe, C:\<64 hex chars>, c:\<6 chars>\<6 chars>.exe and C:\DOCUME~1\cuckoo\... paths that opens this list looks like the set of filenames under which this hash was submitted or executed in other sandboxes rather than literals inside an 11,264-byte binary; treat those paths as provenance metadata, not behavioural indicators. One of them, ...\Temp1_MSG00056.zip\MSG00057.exe, is consistent with delivery as an executable inside a ZIP attachment — worth confirming against mail-gateway logs. The API names further down (CreateFileA, WriteFile, ReadFile, SetFilePointer, DeleteFileA, FindFirstFileA/FindNextFileA from KERNEL32; window and message-loop functions from USER32) match the file-drop behaviour in the runtime section; no WinINet or Winsock names appear here, consistent with the network code living in the dropped gine.exe or being resolved dynamically. The embedded manifest requests level="asInvoker", so the sample does not ask for elevation.)
Y
C:\05b01375490e225527aab8d53e552d7d4946f98456e3c3d42d6dd4b96a2f304f
C:\0tGBkHGk.exe
C:\10Iatv4j.exe
C:\1682cf1c9b8bde52e6e370851878f20ae5e5a93b8247ba5496e58a81e14d1f76
C:\_1eY7czP.exe
C:\26e0b27d457b15a701a719b35fa9207d79f180efdf608a0c0595af225d6a9d30
C:\2b2e535df33c158ffb960eaf4cc6ca37625508a5e66c7dd1d09202ced9af69c9
C:\31254e24eb68c6c83db8e112113a977d34a85b5db397ab7b49ac255d2ecc1c90
C:\3MNKX6wD.exe
C:\42onmJJ9.exe
C:\4e4830e3cfb8744f86e9b8e3870cb9d4d93dd9b899fb99e683aba1beffebd2c5
C:\56bJs6p_.exe
C:\5dabe7d9eb410798f6d6046c3fbfab21ce8b79babd7c1157fbf6e1f6c7112a23
C:\5vZuFpFH.exe
C:\63bc09a70116a59c0108c98ce7b3a6cece2dc8ba032c2817dd81de3132917038
C:\6_mHDLCc.exe
C:\6_ms2Qj0.exe
C:\6oJtPZDs.exe
C:\723UMP_H.exe
C:\7E_MpB5l.exe
c:\7h8vbj\py8jco.exe
C:\8dGmyoaJ.exe
C:\8VNESKD_.exe
C:\8xK1GDcV.exe
C:\965Rex1s.exe
C:\97Wiiahh.exe
C:\9IdoRJZi.exe
C:\a1RUe0Bb.exe
C:\a4f5c2a615fa0164692b53ef2117c5e1bdc244d531a5d1f28d2c5fe5422d1067
C:\abdMO7N7.exe
C:\adf89699405e5bf32752a3034a92369b1244726ad46fe0ccc622242f149dba46
C:\aFqhf_9x.exe
C:\aSnwF0vk.exe
C:\AVPtgVRO.exe
C:\aXaoJz3a.exe
C:\BUAWBKE9.exe
C:\BYWADsq4.exe
C:\c7c4d0a818822fa6dcdd398947d1c906446305c4e363ba34fd15cc1c7e7701a8
C:\ClXMJ3Jz.exe
C:\CXwKYohw.exe
C:\dlBOj0eE.exe
C:\DMXXc9b9.exe
C:\DOCUME~1\cuckoo\LOCALS~1\Temp\b9a4f5fd5c6793593cf1dcd50206fe55913f8ed8
C:\dpb385_0.exe
C:\DQmJcr40.exe
c:\dzeb7j\13rlte.exe
C:\e1Jttl00.exe
C:\e5fb4b83b4e1cb263f476b9098409880c770da9b7bd8c5653072edf21005876d
C:\F9BUzbN9.exe
C:\FAsx1x80.exe
C:\fc555185080b84a063ee681829428ffd39c1e95a4403c1fcea90255636e32ef3
C:\FeDixRK6.exe
C:\fTnlP3Zs.exe
C:\fvkm7VPB.exe
C:\fWNVKZ_t.exe
C:\g1Y_AVvU.exe
C:\G8BeNRkQ.exe
C:\GAj05QLD.exe
C:\GgssZ92Y.exe
C:\GnEQ_J0V.exe
C:\Gx5xN0QE.exe
C:\GxG1axD5.exe
C:\H6Wmlp3X.exe
C:\HdKxFQJ_.exe
C:\hL7f7F1E.exe
C:\hmiSuppO.exe
C:\i64A0u4i.exe
C:\iyILNLVG.exe
C:\J0wDAsMq.exe
C:\JC1PjKpA.exe
C:\JeWUEQOk.exe
C:\JFznnsUc.exe
C:\jI1Kw2oB.exe
C:\JJUZAVBQ.exe
C:\JlKL9XDa.exe
C:\JNwwVesU.exe
C:\JTTrc_RK.exe
C:\JZ0VN6y9.exe
C:\KDAQtO5g.exe
C:\kg4MtJd6.exe
C:\kIeGbWk5.exe
C:\kL5ck2XE.exe
C:\KNRzkQVH.exe
C:\KQFs3hYk.exe
C:\kuuO4TbQ.exe
C:\Ld5UZsMa.exe
C:\lqVFYI7N.exe
C:\LX0hBJmS.exe
C:\lxpOh2Et.exe
C:\lZwdYkB5.exe
C:\Mboztamy.exe
C:\MjZjDd8o.exe
C:\mnJ_NeMF.exe
C:\mpxENkWx.exe
C:\mSu8GnRY.exe
C:\N8HkFcRF.exe
C:\NDVAJUaf.exe
C:\ObG4SnZS.exe
C:\oCOtiDyc.exe
C:\ODOdvTZn.exe
C:\OQovCKkX.exe
C:\Ou5u5r2a.exe
C:\paw7As2B.exe
C:\Px_PhLBG.exe
c:\pzaek7\ouqmsi.exe
C:\q2oS1ZKR.exe
C:\QjjxdB4O.exe
C:\quch5_9C.exe
C:\qWZK2YW7.exe
C:\r1bubfYU.exe
C:\rcftPicC.exe
C:\roR5prxE.exe
C:\se5aN00y.exe
C:\sjqwywaE.exe
C:\sM8forPV.exe
C:\sNsggYbv.exe
C:\SoHH_Bix.exe
C:\srh3B4ev.exe
C:\ssWy7UK8.exe
C:\T5583acz.exe
C:\t7MDn8Kb.exe
C:\tVkve5Cq.exe
C:\uBGNOCZ3.exe
C:\uiq98ybB.exe
C:\Un3HOHPq.exe
C:\Users\System Administrator\AppData\Local\Temp\Temp1_MSG00056.zip\MSG00057.exe
C:\UUecq9sS.exe
C:\v5prRYnO.exe
C:\vfjDBvxC.exe
C:\vGldK1JS.exe
C:\VgqNxNk1.exe
C:\VQeYMUTU.exe
C:\VSHJm8Hc.exe
C:\Vt3uow8p.exe
C:\VZbjz3a0.exe
C:\woOCQKfQ.exe
C:\Wy7K2M7l.exe
C:\XG1iXx3L.exe
C:\Xi8m82Bn.exe
C:\XUtqSgpI.exe
C:\xXOYq2R9.exe
C:\ybDrwODb.exe
C:\ybJb59WW.exe
C:\YrjAG8ua.exe
C:\YurJPpMy.exe
C:\Z5bGn_j6.exe
C:\zfApHlZz.exe
C:\zHZ8C6Sa.exe
C:\zWLtPaYY.exe
0=JF>)i#
1nln= a=g!(
1,.ZQ4
2<C6D'
3/Q_Uq
3v?&DVp
/ `3We
 `6:'o
 6o<CP
789;;<
7E0Ck*^
7>FIGa U
9N=tX"
a< 8jV&
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
a#)vH[N./
>?&@;B
":B.Efp5k>9
bottleneck
button
contact us to learn more
CreateFileA
CreateWindowExA
\cY.pCuwi2,;-
@.data
DefWindowProcA
DeleteFileA
DispatchMessageW
/;:Ei_
E-X-tHnC
@E@ZWWZ
/f4jS8
fDeD7\
f@GqWI
FindClose
FindFirstFileA
FindNextFileA
GetClassLongA
GetKeyboardState
GetMessageW
GetModuleHandleA
GetProcessHeap
)Gj!V)8
graphical
HeapAlloc
HeapFree
?HO1]	
h?`o%D!9#^b
hWE@WS
HYrr_#MG
hZ@@hW
).,icu
ijklmnopqrTst
j 9_A%(
J"j>It
J;q%]4!$u%IvH
k`aAGe
KERNEL32.dll
L(9#PCc
leading
l;f<hc.&
LoadBitmapA
LoadIconA
&l	<(Phr
L*&(u+.
MA&wAFa^*
MessageBoxA
m	m?"Ar`YY
m<qmC<rfhg2
N0E:Yc]f;27@
NGt%PO
o`b[h<
p0Og6t
Ph$@;sZ
PostMessageA
PostQuitMessage
r+\8A(.CIC)
r*bodb
Rc;3y[
`.rdata
ReadFile
RegisterClassExA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
&rtEbt3
    </security>
    <security>
SendMessageA
SetFilePointer
Sl)$dl`W9M
&Sofqfv
static
successive
s<Z>RR
TaMXgiXm%`^(^BC*eg
t-CD<JHh6Mi_Cu?u
!This program cannot be run in DOS mode.
tkE!@j
tM?+.?
Tn#?c8=/S
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
#u0kN+
u/8F]`7q
(U,"E4k!L@
USER32.dll
Vg/>hC?qaM
VTl9(rY?9(Du
VWAAf9
WriteFile
WV4">vgl;QuuuD4m<K
wxxz{|}~
_XWRjUYh