Analysis Date: 2015-12-07 16:42:56
MD5: 7dfc23cd227ebad119c4ad2d214139a0
SHA1: 8940a0a6c7bf8fba6d2fed278458d5ce626f54e1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 59e685099e35cb8589f60bf3fb698dab sha1: 967e01e75044a98dcd6843c39e93ada6b6827f30 size: 8192
Section .rdata: md5: c9b071ea421074224537726e98a185aa sha1: 959d8bd59baec5221825567af20bce19941a314d size: 2560
Section .data: md5: a7567e26bdceb4ed010da1ae3015a7f7 sha1: f65b410b05f5c94f70e38da9f5c0979794afaaca size: 2048
Section .rsrc: md5: 40f53b0f17170a876a851e7fbec2752e sha1: 068a37ae3e573895f86e0a4535b6951cae7f66bf size: 18944
Timestamp: 2013-01-19 03:56:08
Packer: Microsoft Visual C 2.0
PEhash: db72151026d1a6e340bb6c49cf77f68bf3e8239e
IMPhash: 4d91d64d5fe987a306d567d036d8975e
AV VirusBlokAda (vba32): no_virus
AV Trend Micro: TROJ_UPATRE.SMJL
AV CAT (quickheal): Trojan.Kadena.B4
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV Mcafee: Upatre-FACH!7DFC23CD227E
AV Emsisoft: Trojan.Upatre.Gen.3
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BL
AV CA (E-Trust Ino): no_virus
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV Frisk (f-prot): W32/Upatre.AK.gen!Eldorado
AV Twister: Trojan.Girtk.DLHZ.twqn
AV Avira (antivir): TR/Dldr.Upatre.LW
AV BullGuard: Trojan.Upatre.Gen.3
AV Grisoft (avg): Generic_s.ETH
AV Rising: Trojan.DL.Win32.Upatre.aam
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV F-Secure: Trojan.Upatre.Gen.3
AV Authentium: W32/Upatre.AK.gen!Eldorado
AV Ikarus: Trojan-Downloader.Upatre
AV Eset (nod32): Win32/Kryptik.DLFU
AV BitDefender: Trojan.Upatre.Gen.3
AV Fortinet: W32/Waski.A!tr.dldr
AV K7: Trojan ( 004c53c01 )
AV Zillya!: Downloader.Upatre.Win32.32394
AV ClamAV: no_virus
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Symantec: Downloader.Upatre!gen5
AV Kaspersky: Trojan.Win32.Generic
AV Dr. Web: Trojan.Upatre.2684

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RealInstallTemp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\realxlag.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\realxlag.exe
Creates Mutex: Bi

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\realxlag.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Bi
Winsock DNS: 96.46.99.215
Winsock DNS: 104.174.123.66
Winsock DNS: 178.222.250.35
Winsock DNS: 188.120.194.101
Winsock DNS: 95.143.130.63
Winsock DNS: icanhazip.com

Network Details:

DNS: icanhazip.com (Type: A) ➝ 64.182.208.184
DNS: icanhazip.com (Type: A) ➝ 64.182.208.185
HTTP GET: http://icanhazip.com/
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
HTTP GET: http://188.120.194.101:13072/12/COMPUTER-XXXXXX/0/51-SP3/0/
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
HTTP GET: http://188.120.194.101:13072/12/COMPUTER-XXXXXX/41/1/2/
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Flows TCP: 192.168.1.1:1031 ➝ 64.182.208.184:80
Flows TCP: 192.168.1.1:1032 ➝ 188.120.194.101:13072
Flows TCP: 192.168.1.1:1033 ➝ 104.174.123.66:443
Flows TCP: 192.168.1.1:1034 ➝ 104.174.123.66:443
Flows TCP: 192.168.1.1:1035 ➝ 104.174.123.66:443
Flows TCP: 192.168.1.1:1036 ➝ 104.174.123.66:443
Flows TCP: 192.168.1.1:1037 ➝ 188.120.194.101:13072
Flows TCP: 192.168.1.1:1038 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1039 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1040 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1041 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1042 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1043 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1044 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1045 ➝ 96.46.99.215:443
Flows TCP: 192.168.1.1:1046 ➝ 95.143.130.63:443
Flows TCP: 192.168.1.1:1047 ➝ 95.143.130.63:443
Flows TCP: 192.168.1.1:1048 ➝ 95.143.130.63:443
Flows TCP: 192.168.1.1:1049 ➝ 95.143.130.63:443
Flows TCP: 192.168.1.1:1050 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1051 ➝ 178.222.250.35:443
