Analysis Date2015-08-09 18:27:18
MD5e9a5ac908a075533eae02805edea4bc0
SHA189c11060a8bed9a589a090e02e63eb25f1521b0a

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sectiontext md5: 13ab25fe3bf7d7e5af08fd65c7841e27 sha1: b5da2775b5d7909fa980bca63d0bc5d890f7fc6e size: 2560
Section.data md5: d8e070058ee10e4f9c7ade419882ed2c sha1: f0117e36623d2148c53ba21db5a20d3a1fa6c15e size: 11776
Section.rsrc md5: 266abdb203999019c1bb2fbe1d3f43c0 sha1: 460d9d00931b7c8d19acf051841bc064bdd8265f size: 26112
Section.reloc md5: e6946c12a3282306eeb792ee1d2059fa sha1: ba0ae4644bace33b29ca46b1a3f83cc5b41c1c1c size: 512
Section.DAT md5: e98c51298b5e1114453469c02f6d6b2e sha1: 9c1c0f69b4076be76b3c262e38589b16b072c7d5 size: 512
Timestamp1997-10-28 22:08:58
PEhashfcc5aab56bee31ec645c989eebd1fea8fb919601
IMPhashc312bb98cf45e74c770b5ff6a8bd003b
AVCA (E-Trust Ino)no_virus
AVF-SecureTrojan.Agent.BJIS
AVDr. WebTrojan.Upatre.201
AVClamAVno_virus
AVArcabit (arcavir)Trojan.Agent.BJIS
AVBullGuardTrojan.Agent.BJIS
AVPadvishno_virus
AVVirusBlokAda (vba32)Trojan.AntiAV
AVCAT (quickheal)TrojanDwnldr.Upatre.MUE.A5
AVTrend MicroTROJ_UP.DB5F9D28
AVKasperskyTrojan-Downloader.Win32.Upatre.fmq
AVZillya!no_virus
AVEmsisoftTrojan.Agent.BJIS
AVIkarusTrojan.Injector
AVFrisk (f-prot)W32/Upatre.E.gen
AVAuthentiumW32/Upatre.E.gen
AVMalwareBytesSpyware.Dyre
AVMicroWorld (escan)Trojan.Agent.BJIS
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre.BL
AVK7no_virus
AVBitDefenderTrojan.Agent.BJIS
AVFortinetW32/Waski.F!tr
AVSymantecDownloader.Upatre!gen9
AVGrisoft (avg)Crypt4.TLF
AVEset (nod32)Win32/TrojanDownloader.Waski.F
AVAlwil (avast)Malware-gen:Win32:Malware-gen
AVAd-AwareTrojan.Agent.BJIS
AVTwisterTrojan.Generic.lbhj
AVAvira (antivir)TR/Kryptik.gtas
AVMcafeeUpatre-FABT!E9A5AC908A07
AVRisingno_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zil7812.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes FileC:\malware.exe
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS46.16.225.236
Winsock DNS81.7.109.65
Winsock DNS85.248.2.228
Winsock DNS95.80.123.41
Winsock DNS5.44.15.70
Winsock DNS128.0.85.11
Winsock DNS91.240.97.54
Winsock DNS46.151.130.90
Winsock DNSicanhazip.com

Network Details:

DNSicanhazip.com
Type: A
104.238.136.31
DNSicanhazip.com
Type: A
104.238.145.30
DNSicanhazip.com
Type: A
104.238.141.75
HTTP GEThttp://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
HTTP GEThttp://81.7.109.65:13400/WANS22/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Flows TCP192.168.1.1:1031 ➝ 104.238.136.31:80
Flows TCP192.168.1.1:1032 ➝ 81.7.109.65:13400
Flows TCP192.168.1.1:1033 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1034 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1035 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1036 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1037 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1038 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1039 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1040 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1041 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1042 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1043 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1044 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1045 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1046 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1047 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1048 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1049 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1050 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1051 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1052 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1053 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1054 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1055 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1056 ➝ 91.240.97.54:443

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e313b20 72763a33 342e3029   NT 6.1; rv:34.0)
0x00000060 (00096)   20476563 6b6f2f32 30313030 31303120    Gecko/20100101 
0x00000070 (00112)   46697265 666f782f 33342e30 0d0a486f   Firefox/34.0..Ho
0x00000080 (00128)   73743a20 6963616e 68617a69 702e636f   st: icanhazip.co
0x00000090 (00144)   6d0d0a43 61636865 2d436f6e 74726f6c   m..Cache-Control
0x000000a0 (00160)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....

0x00000000 (00000)   47455420 2f57414e 5332322f 434f4d50   GET /WANS22/COMP
0x00000010 (00016)   55544552 2d585858 5858582f 302f3531   UTER-XXXXXX/0/51
0x00000020 (00032)   2d535033 2f302f20 48545450 2f312e31   -SP3/0/ HTTP/1.1
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f352e 30202857 696e646f   zilla/5.0 (Windo
0x00000050 (00080)   7773204e 5420362e 313b2072 763a3334   ws NT 6.1; rv:34
0x00000060 (00096)   2e302920 4765636b 6f2f3230 31303031   .0) Gecko/201001
0x00000070 (00112)   30312046 69726566 6f782f33 342e300d   01 Firefox/34.0.
0x00000080 (00128)   0a486f73 743a2038 312e372e 3130392e   .Host: 81.7.109.
0x00000090 (00144)   36353a31 33343030 0d0a4361 6368652d   65:13400..Cache-
0x000000a0 (00160)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x000000b0 (00176)   650d0a0d 0a                           e....

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
1uaChn
+[2u{o3er
3\caJR
93}kWsy
9?b5%8
AB@CGF
AmpFactorToDB
(|A;S)$
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
authz.dll
AuthzFreeAuditEvent
AuthziAllocateAuditParams
AuthziFreeAuditEventType
AuthziFreeAuditParams
AuthziFreeAuditQueue
AuthziInitializeAuditEvent
AuthziInitializeAuditEventType
AuthziInitializeAuditParams
AuthziInitializeAuditParamsFromArray
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditQueue
AuthziLogAuditEvent
AuthziModifyAuditEvent
AuthziModifyAuditEventType
AuthziModifyAuditQueue
AuthziSourceAudit
avicap32.DLL
B@CFG"
B@CGFw
B.data
C^AD6+
capCreateCaptureWindowA
capGetDriverDescriptionA
CFGMGR32.dll
CM_Add_Empty_Log_Conf
CM_Add_Empty_Log_Conf_Ex
CM_Add_IDA
CM_Add_ID_ExA
CM_Add_ID_ExW
CM_Add_IDW
CM_Add_Range
CM_Add_Res_Des
CM_Add_Res_Des_Ex
CM_Connect_MachineA
CM_Connect_MachineW
CM_Create_DevNodeA
CMP_Init_Detection
c;M.Z=
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CreateMutexA
DecodePointer
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
ExitProcess
GetCommandLineA
GetCommState
GetOEMCP
GetWindowsDirectoryA
h.dllhtsrv
I+Ihvr
IsRasmanProcess
j	~\ay
kernel32.dll
*k\R#G
#l3\Gl
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
/M(V_O{
N5!\E^
NDdeApi.dll
NDdeGetErrorStringA
netapi32.dll
NOKHJI
!&O_6F
pstorec.dll
PStoreCreateInstance
quartz.dll
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
S&9T/7
</security>
<security>
SetErrorMode
SetFilePointer
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
uem3JRh\sys
W*e51d
-X}`&(]2
xB2j!5J1
X,UR6s
\z|fY3