Analysis Date | 2015-11-05 15:01:32 |
---|---|
MD5 | b060a7e5598790802d7b00abd6522d43 |
SHA1 | 872f0f9a329d3f1f82a748d4348b3125ba404d6d |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 437a3a0df74c6d315dacfa92bb316bb3 sha1: 4eb741bcc02e924394146b591813dd93c926fe5d size: 3584 | |
Section | .code md5: 6770eaf16b1fa1a072d68091db239b69 sha1: 0a67691b3f7ad9ff31eebb9c3b9f851acb61f257 size: 512 | |
Section | .data md5: 57f5c48195917e9cb31c02be508eb95b sha1: 8149ba90ca34af1b80db110b3dc3e06198723592 size: 7680 | |
Section | .idata md5: 92026532075ae2b437cdc864b99c590c sha1: ab92df010afb71e17e77e8f8e22e82675953ddc8 size: 2560 | |
Section | .rsrc md5: 046ec9f649212246e19792d8ce49ae9f sha1: 26cf1c076f95ee9a5c86afda72e81ee823209f1f size: 5632 | |
Timestamp | 2003-09-17 01:37:06 | |
Version | LegalCopyright: Copyright (C) 2011 InternalName: go.exe FileVersion: 5.1.1.1 CompanyName: MS Corp SpecialBuild: LegalTrademarks: FileDescrsiption: go.exe Comments: ProductName: Go ProductVersion: 5.1.1.1 PrivateBuild: OriginalFilename: go.exe | |
Packer | Program Protector XP v1.0 | |
PEhash | 8959da66eabb0ddf9080d01ff3fdac37d7090bcb | |
IMPhash | 92a943ee4a19b671211e8e896bab8035 | |
AV | CA (E-Trust Ino) | Win32/Upatre.TNfJfeD |
AV | F-Secure | Trojan.GenericKD.1386759 |
AV | Dr. Web | Trojan.DownLoad3.28161 |
AV | ClamAV | Win.Trojan.Generickd-440 |
AV | Arcabit (arcavir) | Trojan.GenericKD.1386759 |
AV | BullGuard | Trojan.GenericKD.1386759 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | Trojan.Bublik |
AV | CAT (quickheal) | TrojanDownloader.Upatre.A6 |
AV | Trend Micro | TROJ_UPATRE.SM37 |
AV | Kaspersky | Trojan-Downloader.Win32.Small.cwrr |
AV | Zillya! | no_virus |
AV | Emsisoft | Trojan.GenericKD.1386759 |
AV | Ikarus | Trojan.Patched_c |
AV | Frisk (f-prot) | W32/Trojan3.GKY |
AV | Authentium | W32/Trojan.AYUR-2029 |
AV | MalwareBytes | Trojan.Dropper |
AV | MicroWorld (escan) | Trojan.GenericKD.1386759 |
AV | Microsoft Security Essentials | TrojanDownloader:Win32/Upatre.A |
AV | K7 | Trojan-Downloader ( 00457c511 ) |
AV | BitDefender | Trojan.GenericKD.1386759 |
AV | Fortinet | W32/Kryptik.PK!tr |
AV | Symantec | Trojan.Zbot |
AV | Grisoft (avg) | Patched_c.BHFC |
AV | Eset (nod32) | Win32/TrojanDownloader.Small.AAB |
AV | Alwil (avast) | Agent-ASRB [Trj] |
AV | Ad-Aware | Trojan.GenericKD.1386759 |
AV | Rising | Trojan.Win32.Upatre.b |
AV | Twister | Trojan.8EFD10AD67CD60B3 |
AV | Avira (antivir) | TR/Yarwi.A.1077 |
AV | Mcafee | Downloader-FVS!B060A7E55987 |
Runtime Details:
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe |
Creates File | PIPE\wkssvc |
Creates Process | "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe" |
Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Winsock DNS | seminyak-italian.com |
Winsock DNS | indowines.net |
Network Details:
DNS | seminyak-italian.com Type: A 198.1.84.100 |
---|---|
DNS | indowines.net Type: A 198.1.84.101 |
Flows TCP | 192.168.1.1:1031 ➝ 198.1.84.100:443 |
Flows TCP | 192.168.1.1:1032 ➝ 198.1.84.100:443 |
Flows TCP | 192.168.1.1:1033 ➝ 198.1.84.100:443 |
Flows TCP | 192.168.1.1:1034 ➝ 198.1.84.100:443 |
Flows TCP | 192.168.1.1:1035 ➝ 198.1.84.101:443 |
Flows TCP | 192.168.1.1:1036 ➝ 198.1.84.101:443 |