Analysis Date: 2016-01-27 15:05:00
MD5: f4f3e5969af94e33ee8e4d18feaa5670
SHA1: 8aea186ed706201e2097f23568e656505f06706b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 910db2c1f9b8f5bed222d1b7c2effce9 sha1: 14d54d9e995e2c416d3fe7d9a7e74bea8564f88d size: 11776
Section .data: md5: 3ae5e6dbe902d4a78c6b7d113151a91a sha1: fd3d0c15755b1b4a31facf464b31ac858541af1b size: 512
Section .rsrc: md5: 5391f11b5901808561118f1cbbe9866c sha1: 10e8a343c9a63d471c646fcc18e56fea19bbf87d size: 20480
Timestamp: 2014-01-26 17:02:24
Version:
  LegalCopyright:
  InternalName:
  FileVersion: 1.1.2.17
  CompanyName: GOOTEK
  LegalTrademarks:
  ProductName: GOOTEK
  ProductVersion: 2.17
  FileDescription: GOOTEK
  OriginalFilename:
Packer: Microsoft Visual C++ v6.0
PEhash: 1768ac844387ed19ea4e1d93d9c16e0b74c0619a
IMPhash: bde0195bb7d98c1a7a65e76bc001f0f2
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Upatre-FACH!F4F3E5969AF9
AV Avira (antivir): TR/Yarwi.cjamnc
AV Twister: No Virus
AV Ad-Aware: Trojan.Agent.BLIB
AV Alwil (avast): Crypt-SDL [Trj]
AV Eset (nod32): Win32/Kryptik.DREE
AV Grisoft (avg): Generic_s.FAJ
AV Symantec: Downloader.Upatre!gen5
AV Fortinet: No Virus
AV BitDefender: Trojan.Agent.BLIB
AV K7: Trojan ( 004c94df1 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre!rfn
AV MicroWorld (escan): Trojan.Agent.BLIB
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Upatre.CG.gen!Eldorado
AV Emsisoft: Trojan.Agent.BLIB
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: Trojan.Kryptik.Win32.803996
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UPATRE.SM37
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Trojan.Kadena.B4
AV BullGuard: Trojan.Agent.BLIB
AV Arcabit (arcavir): Trojan.Agent.BLIB
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader15.7889
AV F-Secure: Trojan.Agent.BLIB

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\irvigline.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\irvigline.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\irvigline.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\checkip.dyndns[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 94.154.107.172
Winsock DNS: 188.255.243.105
Winsock DNS: 194.106.166.22
Winsock DNS: 68.70.242.203
Winsock DNS: 81.90.175.7
Winsock DNS: 64.111.36.52
Winsock DNS: 178.222.250.35
Winsock DNS: checkip.dyndns.org

Network Details:

DNS: checkip.dyndns.com (Type: A) ➝ 216.146.38.70
DNS: checkip.dyndns.com (Type: A) ➝ 91.198.22.70
DNS: checkip.dyndns.com (Type: A) ➝ 216.146.43.70
DNS: checkip.dyndns.org (Type: A)
HTTP GET: http://checkip.dyndns.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.36 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.36
Flows TCP: 192.168.1.1:1031 ➝ 216.146.38.70:80
Flows TCP: 192.168.1.1:1032 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1033 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1034 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1035 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1036 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1037 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1038 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1039 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1040 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1041 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1042 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1043 ➝ 64.111.36.52:443
Flows TCP: 192.168.1.1:1044 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1045 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1046 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1047 ➝ 178.222.250.35:443
Flows TCP: 192.168.1.1:1048 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1049 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1050 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1051 ➝ 94.154.107.172:443
Flows TCP: 192.168.1.1:1052 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1053 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1054 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1055 ➝ 194.106.166.22:443
