Analysis Date: 2015-10-12 07:19:40
MD5: 322b3b83d15bf3bbc0f9a5e73a21f656
SHA1: 84878ef916fb301e74e5cc525f455f2e83724c28

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 1da0f7882094d16c97edaf4ede7b78aa  sha1: 8f59bb06cdd0e3e54c19c701c40b46fab99b3fb5  size: 7680
Section .rdata  md5: 643698877a5a1355dcfbb7745507a387  sha1: 45b96c996a35bf6094b762fb5b625b1da47868a7  size: 3584
Section .data   md5: ab3de6f7592c4b6c1d7e18cdee5829ad  sha1: e312be76634f188365780be2bdb68b50ef9ad97e  size: 3584
Section .rsrc   md5: d4c2d3342a424470c812bb701e7aa58e  sha1: 725ce7a0cfd0a25ba01b2ac740ef84757bf310f7  size: 17920
Timestamp: 2014-07-07 16:57:08
Packer: Microsoft Visual C++ 5.0
PEhash: bd181da794f402b5d01c5fc41cbbe05ce74e503d
IMPhash: 01aefc9d437bd8b9d4cb55e49b1dc2ff
AV Rising: Trojan.Win32.Kryptik.af
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Upatre.Gen.3
AV Dr. Web: Trojan.Upatre.1133
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV BullGuard: Trojan.Upatre.Gen.3
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Kadena.B4
AV Trend Micro: TROJ_UP.9EED1BD4
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Trojan.Upatre.Gen.3
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Frisk (f-prot): W32/Dalexis.O.gen!Eldorado
AV Authentium: W32/Dalexis.O.gen!Eldorado
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.G
AV K7: Trojan ( 004c1ed91 )
AV BitDefender: Trojan.Upatre.Gen.3
AV Fortinet: W32/Waski.A!tr
AV Symantec: Downloader.Upatre!gen5
AV Grisoft (avg): Generic_s.FBW
AV Eset (nod32): Win32/Kryptik.DHXT
AV Alwil (avast): Dyre-K [Trj]
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Twister: no_virus
AV Avira (antivir): TR/AD.Yarwi.Y.1430
AV Mcafee: Downloader-FASG!322B3B83D15B

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\santdebas.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4112.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\santdebas.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\santdebas.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 91.211.17.201
Winsock DNS: 178.253.216.40
Winsock DNS: 178.22.222.89
Winsock DNS: 212.200.112.6
Winsock DNS: 176.221.77.21
Winsock DNS: 178.79.58.16
Winsock DNS: 178.79.58.18
Winsock DNS: 178.222.250.35
Winsock DNS: icanhazip.com

Network Details:

DNS: icanhazip.com  Type: A  104.238.141.75
DNS: icanhazip.com  Type: A  104.238.136.31
DNS: icanhazip.com  Type: A  104.238.145.30
HTTP GET: http://icanhazip.com/
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
HTTP GET: http://91.211.17.201:13350/TIK12/COMPUTER-XXXXXX/0/51-SP3/0/
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Flows TCP: 192.168.1.1:1031 ➝ 104.238.141.75:80
Flows TCP: 192.168.1.1:1032 ➝ 91.211.17.201:13350
Flows TCP: 192.168.1.1:1033 ➝ 178.79.58.18:443
Flows TCP: 192.168.1.1:1034 ➝ 178.79.58.18:443
Flows TCP: 192.168.1.1:1035 ➝ 178.79.58.18:443
Flows TCP: 192.168.1.1:1036 ➝ 178.79.58.18:443
Flows TCP: 192.168.1.1:1037 ➝ 178.253.216.40:443
Flows TCP: 192.168.1.1:1038 ➝ 178.253.216.40:443
Flows TCP: 192.168.1.1:1039 ➝ 178.253.216.40:443
Flows TCP: 192.168.1.1:1040 ➝ 178.253.216.40:443
Flows TCP: 192.168.1.1:1041 ➝ 176.221.77.21:443
Flows TCP: 192.168.1.1:1042 ➝ 176.221.77.21:443
Flows TCP: 192.168.1.1:1043 ➝ 176.221.77.21:443
Flows TCP: 192.168.1.1:1044 ➝ 176.221.77.21:443
Flows TCP: 192.168.1.1:1045 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1046 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1047 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1048 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1049 ➝ 212.200.112.6:443
Flows TCP: 192.168.1.1:1050 ➝ 212.200.112.6:443
Flows TCP: 192.168.1.1:1051 ➝ 212.200.112.6:443
Flows TCP: 192.168.1.1:1052 ➝ 212.200.112.6:443
Flows TCP: 192.168.1.1:1053 ➝ 178.79.58.16:443
Flows TCP: 192.168.1.1:1054 ➝ 178.79.58.16:443
Flows TCP: 192.168.1.1:1055 ➝ 178.79.58.16:443
Flows TCP: 192.168.1.1:1056 ➝ 178.79.58.16:443
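Added example, not part of the sandbox report: a Python hunt over proxy log lines for the check-in sequence recorded above, an external-IP lookup to icanhazip.com followed seconds later by a GET to a raw IP on a non-standard port whose path carries the victim hostname and OS version (51-SP3 is Windows 5.1, i.e. XP, SP3, which matches the Documents and Settings profile layout in the runtime details, while the User-Agent claims Windows NT 6.1). The check-in path regex generalises the single URI seen here and is an assumption, as is the log line format; the sample log lines are constructed, with only the two URLs, the client address and the User-Agent taken from the report.

```python
"""Correlate an external-IP lookup with a following Upatre-style check-in GET in proxy logs.

Added example (not from the sandbox report). Constructed log line format:
    <ISO timestamp> <client ip> <method> <url> "<user-agent>"
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators copied from the report above.
BEACON_IP = "91.211.17.201"
BEACON_PORT = 13350
IP_CHECK_HOSTS = {"icanhazip.com"}
OBSERVED_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"

# ASSUMPTION: generalisation of the one observed check-in path
# /TIK12/COMPUTER-XXXXXX/0/51-SP3/0/  ->  /<tag>/<hostname>/<flag>/<major><minor>-SP<n>/<flag>/
CHECKIN_PATH_RE = re.compile(
    r"^/(?P<tag>[A-Za-z0-9]{2,16})/(?P<host>[A-Za-z0-9_-]{1,64})/(?P<f1>\d)/"
    r"(?P<osver>\d{2,3})-SP(?P<sp>\d)/(?P<f2>\d)/$"
)

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample lines so the script runs offline; lines 2 and 3 reproduce the two
# requests from the report, the rest is benign filler (example.com, TEST-NET addresses).
SAMPLE_LOG = """\
2015-10-12T07:19:50 192.168.1.1 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 5.1; rv:37.0) Gecko/20100101 Firefox/37.0"
2015-10-12T07:19:55 192.168.1.1 GET http://icanhazip.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
2015-10-12T07:19:58 192.168.1.1 GET http://91.211.17.201:13350/TIK12/COMPUTER-XXXXXX/0/51-SP3/0/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
2015-10-12T07:25:00 192.168.1.7 GET http://203.0.113.9:8080/status/ "curl/7.43.0"
2015-10-12T07:26:00 192.168.1.7 GET http://icanhazip.com/ "curl/7.43.0"
"""


def parse_line(line):
    """Split one constructed log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry


def decode_os_token(osver, sp):
    """'51', '3' -> 'Windows 5.1 SP3' (5.1 is Windows XP; 6.1 would be Windows 7)."""
    return f"Windows {osver[0]}.{osver[1:]} SP{sp}"


def checkin_fields(url):
    """Return the parsed check-in fields if url matches the beacon shape, else None.

    Requires a raw IPv4 host on a non-standard port plus the generalised path above,
    exactly the shape of the GET to 91.211.17.201:13350 in the report.
    """
    u = urlsplit(url)
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname or ""):
        return None
    if u.port in (None, 80, 443):
        return None
    m = CHECKIN_PATH_RE.match(u.path)
    if not m:
        return None
    fields = m.groupdict()
    fields["os"] = decode_os_token(fields["osver"], fields["sp"])
    fields["c2"] = f"{u.hostname}:{u.port}"
    return fields


def find_checkin_sequences(lines, window=timedelta(seconds=120)):
    """Alert on every check-in GET; flag whether the same client did an IP lookup within window."""
    last_ipcheck = {}  # client ip -> timestamp of its most recent external-IP lookup
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if urlsplit(e["url"]).hostname in IP_CHECK_HOSTS:
            last_ipcheck[e["client"]] = e["ts"]
            continue
        f = checkin_fields(e["url"])
        if f is None:
            continue
        t0 = last_ipcheck.get(e["client"])
        alerts.append({
            "client": e["client"],
            "c2": f["c2"],
            "victim_hostname": f["host"],
            "os": f["os"],
            "preceded_by_ip_check": t0 is not None and e["ts"] - t0 <= window,
            "known_c2": f["c2"] == f"{BEACON_IP}:{BEACON_PORT}",
            "ua_matches_report": e["ua"] == OBSERVED_UA,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_checkin_sequences(SAMPLE_LOG.splitlines()):
        print(alert)
```

The path match alone is a weak signal because the tag and hostname segments are free-form; the correlation with a preceding external-IP lookup from the same client, and the raw-IP high-port destination, are what make the alert worth a look. Feed real proxy logs by adapting LOG_RE to their column layout.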
