Analysis Date: 2015-10-03 07:46:04
MD5: b16bf873085a839631ab114e3e9e46a6
SHA1: 82bee80c8c515961b846c9725424f648db6416f7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 87e6f5297088bee5465900427f008173 sha1: 6db6d347c89e9f11e5b27cf5c53669e0bd0656d4 size: 6144
Section .data: md5: f1ab2370a364765cc01820a3d76a41eb sha1: a4d996a9b0fb0dd7596ff39134925b46637b7774 size: 2048
Section .rdata: md5: 01462bbaa54d603bfa3454feccb63fd6 sha1: 3644b510638233ef5a7a8412f53612d28c36dd85 size: 2560
Section .idata: md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc: md5: adc39a152be102eb7a041e991a6d202c sha1: 76189e9a0c3b080a0c8dcac8bfa0acf0dcd1001a size: 5120
Timestamp (PE header TimeDateStamp): 2004-05-20 06:02:07
Note: the compile timestamp is written by the linker and is trivially forged; a 2004 stamp on a sample analyzed in 2015 should not be used to date the build.
PEhash: 86f54a7ff3c1451fa1ffd627d39147b3b2405508
IMPhash: 641a435995118d1e23b199af0b58ecfd
AV Rising: no_virus
AV Mcafee: BackDoor-FBPV!B16BF873085A
AV Avira (antivir): TR/Dldr.Upatre.A.67
AV Twister: TrojanDldr.Waski.A.netu
AV Ad-Aware: Trojan.GenericKD.1510674
AV Alwil (avast): Waski-C [Cryp]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Grisoft (avg): Downloader.Generic13.BUTM
AV Symantec: Trojan.Zbot
AV Fortinet: W32/Kryptik.CF!tr
AV BitDefender: Trojan.GenericKD.1510674
AV K7: Trojan ( 0040f7411 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1510674
AV MalwareBytes: Trojan.Email.FakeDoc
AV Authentium: W32/Trojan.OEJC-5872
AV Frisk (f-prot): W32/Trojan3.HFU
AV Ikarus: Trojan-Spy.Zbot
AV Emsisoft: Trojan.GenericKD.1510674
AV Zillya!: Downloader.Agent.Win32.184143
AV Kaspersky: Trojan-Downloader.Win32.Agent.hdyf
AV Trend Micro: TROJ_UPATRE.SMZ3
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.1510674
AV Arcabit (arcavir): Trojan.GenericKD.1510674
AV ClamAV: Win.Trojan.Generickd-2709
AV Dr. Web: Trojan.DownLoad3.28161
AV F-Secure: Trojan.GenericKD.1510674
AV CA (E-Trust Ino): Win32/Upatre.CH
Vendor names converge on the Upatre downloader family (Waski is Eset's name for the same family); Symantec and Ikarus instead label the sample with the Zbot family name.
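The per-section md5/sha1, whole-file hashes and compile timestamp listed above can be reproduced from the PE headers alone. The following is an added example (not code from the report or from any sandbox) that parses the COFF header and section table with only the Python standard library; the PE image it parses is constructed inline, with a TimeDateStamp chosen to match the report's 2004-05-20 06:02:07, so it runs offline. PEhash and IMPhash are not reproduced here (they need the import table).

```python
"""Added example, not from the original report: parse a PE32 section table and
compute per-section MD5/SHA1 plus the COFF compile timestamp using only the
standard library. The PE bytes are constructed inline (see build_sample_pe)."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"                          # IMAGE_FILE_HEADER, 20 bytes


def parse_pe(data: bytes) -> dict:
    """Return machine, compile timestamp, file hashes and per-section hashes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    sect_off = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            data, sect_off + i * SECTION_HDR.size)
        raw = data[rawptr:rawptr + rawsize]  # the bytes the sandbox hashes per section
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": rawsize,
            # raw data running past EOF means a truncated or deliberately malformed file
            "truncated": len(raw) != rawsize,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "machine": machine,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Constructed test input: a minimal PE32 whose sections are 512-byte aligned.
    Not a real sample; just enough header for parse_pe to walk."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222           # PE32 magic, rest zeroed
    hdr_len = 0x40 + 4 + 20 + len(opt) + SECTION_HDR.size * len(sections)
    raw_ptr = (hdr_len + 511) // 512 * 512
    headers = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    headers += b"PE\0\0"
    headers += struct.pack(COFF_HDR, IMAGE_FILE_MACHINE_I386, len(sections),
                           timestamp, 0, 0, len(opt), 0x0102)
    headers += opt
    body, va = b"", 0x1000
    for name, content in sections:
        padded = content + b"\0" * (-len(content) % 512)
        headers += SECTION_HDR.pack(name.ljust(8, b"\0"), len(content), va, len(padded),
                                    raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += padded
        va += 0x1000
    headers += b"\0" * (raw_ptr - len(headers))
    return bytes(headers) + body


# 1085032927 is 2004-05-20 06:02:07 UTC, the report's compile timestamp.
SAMPLE = build_sample_pe(1085032927, [(b".text", b"\x90" * 100), (b".data", b"A" * 2048)])

if __name__ == "__main__":
    info = parse_pe(SAMPLE)
    print("Timestamp", info["timestamp"], "machine", hex(info["machine"]))
    for s in info["sections"]:
        print("Section", s["name"], "md5:", s["md5"], "sha1:", s["sha1"], "size:", s["size"])
```

Point the script at a real file by replacing `SAMPLE` with the file's bytes; the `truncated` flag is the check worth keeping, since packed or damaged droppers often declare section sizes that run past the end of the file.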

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: findlawenforcement.com
Winsock DNS: perfectablets.com
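The runtime trace above is the classic downloader drop-and-execute chain: the submitted file writes budha.exe into the user's Temp directory, launches it, and the child is the process that resolves the two domains. Below is an added example (my own triage rule, not code from the report) that detects that chain over a sandbox event list: it records which executables each process wrote, flags any process creation whose image path is one of them, notes whether the drop location is a Temp directory, and attaches the child's DNS lookups. The event tuples are constructed from the rows above; the field layout and the `TEMP_MARKERS` list are my own assumptions.

```python
"""Added example, not part of the sandbox report: flag a process that writes an
executable and then launches it, and attach the child's DNS lookups.
EVENTS is constructed from the report rows above; the (process, kind, value)
layout is an assumption, not the sandbox's own schema."""
from collections import defaultdict

# Constructed from the Runtime Details rows: (acting process, event kind, value).
EVENTS = [
    (r"C:\malware.exe", "Registry",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"),
    (r"C:\malware.exe", "Creates File",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"),
    (r"C:\malware.exe", "Creates File", r"PIPE\wkssvc"),
    (r"C:\malware.exe", "Creates Process",
     r'"C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"'),
    (r'"C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"',
     "Creates File", r"PIPE\lsarpc"),
    (r'"C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"',
     "Winsock DNS", "findlawenforcement.com"),
    (r'"C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"',
     "Winsock DNS", "perfectablets.com"),
]

# Assumed staging directories (XP-era and modern profile layouts) and executable suffixes.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".vbs")


def normalize_path(value: str) -> str:
    """Case-fold and strip the quotes the sandbox keeps around command lines,
    so a quoted 'Creates Process' value matches an unquoted 'Creates File' path."""
    return value.strip().strip('"').lower()


def find_drop_and_execute(events):
    """Return one finding per (parent, dropped executable) that the parent then executed."""
    written = defaultdict(set)   # process -> executable paths it wrote
    dns = defaultdict(list)      # process -> domains it resolved, in order
    findings = []
    for proc, kind, value in events:
        proc = normalize_path(proc)
        if kind == "Creates File":
            path = normalize_path(value)
            if path.endswith(EXEC_SUFFIXES):
                written[proc].add(path)
        elif kind == "Creates Process":
            child = normalize_path(value)
            for parent, paths in written.items():
                if child in paths:
                    findings.append({"parent": parent, "dropped": child,
                                     "in_temp": any(m in child for m in TEMP_MARKERS)})
        elif kind == "Winsock DNS":
            dns[proc].append(value)
    # Second pass: DNS events of the child arrive after it is created, so attach them now.
    for f in findings:
        f["child_dns"] = list(dns.get(f["dropped"], []))
    return findings


if __name__ == "__main__":
    for f in find_drop_and_execute(EVENTS):
        print(f"{f['parent']} dropped and ran {f['dropped']} "
              f"(temp dir: {f['in_temp']}); child resolved {f['child_dns']}")
```

The rule keys on behaviour rather than on the file name, so it still fires when the dropper picks a different name or directory; `in_temp` is only a severity hint, since legitimate installers also stage in Temp.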

Network Details:

DNS: perfectablets.com
Type: A
8.8.8.8
DNS: findlawenforcement.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1032 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1033 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1034 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1035 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1036 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1037 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1038 ➝ 8.8.8.8:443
Note: 8.8.8.8 is Google's public resolver, not a C2 host. An A record pointing there, and every flow going to 8.8.8.8:443 from sequential source ports, is consistent with the sandbox answering all DNS queries with one fixed address and sinkholing the connections; treat the two domain names and the use of TCP/443 as the network indicators, not the IP.
