Analysis Date: 2015-03-16 12:16:04
MD5: 9d625dccc57cad2e1419d2d4d3bc8d41
SHA1: 8c5b09392cdc7986add782911a465ef0428d7b7e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7cdc4b968f8cf0d1698f36b568329816 sha1: 3dc4a66e8d7aec8e0add5e20c9a37284ace6d608 size: 3584
Section .data md5: e0bcb2183d951b6601c50c3f6b373b5c sha1: b8d37fa871c09490f3968d92a501b60da21c181f size: 2560
Section .rsrc md5: 3504e961f4a086d7dc0f18c9cd8b728c sha1: b096fcfa156f6138a9ed0bcb0bfc32a47b04f40b size: 8192
Timestamp: 2013-11-29 10:12:02
PEhash: 040a307af7d6621cc34b36ce3cd33f36022ead8b
IMPhash: f6d3b47abe7b0b2ed1a0851cadc8d405
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1429572
AV Alwil (avast): Agent-ASJU [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.1429572
AV Authentium: W32/Trojan.CAOR-2299
AV Avira (antivir): TR/Yarwi.A.9
AV BullGuard: Trojan.GenericKD.1429572
AV CA (E-Trust Ino): Win32/Upatre.aFVFXdC
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV ClamAV: Win.Trojan.Generickd-76
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1429572
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Krptik.AIU!tr
AV Frisk (f-prot): W32/Trojan3.GQH
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV Grisoft (avg): Zbot.EBK
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Trojan-Downloader ( 0048f6391 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-FSH!9D625DCCC57C
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1429572
AV Rising: no_virus
AV Sophos: Troj/Zbot-HAY
AV Symantec: Trojan.Pidief
AV Trend Micro: TROJ_UPATRE.SMBX
AV VirusBlokAda (vba32): Trojan.Bublik

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe
Creates File PIPE\wkssvc
Creates Process "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe"

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS e4ad.com
Winsock DNS greenvegi.com

Network Details:

DNS e4ad.com
Type: A
204.11.56.45
DNS greenvegi.com
Type: A
Flows TCP 192.168.1.1:1031 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1032 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1033 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1034 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1035 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1036 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1037 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1038 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1039 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1040 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1041 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1042 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1043 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1044 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1045 ➝ 204.11.56.45:443
Flows TCP 192.168.1.1:1046 ➝ 204.11.56.45:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
J
&About
button
C:\06df11a2867ac78b479a513edc9e5cc6d8ab2b01d1e4f52036d9f86a79e0ad02
C:\0eM8_XLS.exe
C:\10f94be0c5cf4853a006f113af7bc57df71f266d0bb8ce39caf1d21c50c80bd0
C:\1f565454e33d5d3667bbdff09adc6d69aa77c5497f7bb86916cb06f6b53972ab
C:\1f9586f429ac58d648cda6ae8daea8450238476837aea3a2c4bdc74c5e1e9c75
C:\1jPClq9c.exe
C:\1oFTz8hD.exe
C:\39eaa37bbef37cfce7a97710afef5fe5f6eff7b9e5c5e1101dd96ce5bdda7ee8
C:\5A1WT2b5.exe
C:\6hyr1eTp.exe
C:\803a7ce775864d7be16b2d20a6e9fd1ee561fce35838111e90e8972c9b0a7300
C:\8b2bb64243cf0045af7dc91fa1e71e880c986f6f2b74fec58e79fb4beb6598ae
C:\8ijpG5dp.exe
C:\8IOtm9z1.exe
C:\8xgGtMkX.exe
C:\9184d8f34041317776d700d0650647861238845da3986be6b94c9dba313e89fd
C:\955d1eb05c69197004f80db8891bdd51e432d43a71e4e4d3b3c58ed788a8992d
C:\9gJNOo8L.exe
C:\9J8fm44n.exe
C:\a74d4163176e0ae2953bc1f655da03b726084359f21b0142b69b20b720ba9644
C:\AHcwczoA.exe
C:\B2LI98Cf.exe
C:\B5PXzQOz.exe
C:\baobqekT.exe
C:\BL9TA9Cc.exe
C:\Buv3fHTQ.exe
C:\bYItyPCv.exe
C:\C6_PFuC3.exe
C:\C7_JNt14.exe
C:\CADzR7ak.exe
C:\cE_wdGGl.exe
C:\ChkChgN1.exe
C:\cMka5Tyu.exe
C:\D57jxCU_.exe
C:\eHESv7RF.exe
C:\EPgLKdUE.exe
C:\fEBdWkJh.exe
C:\fQzLJwM6.exe
C:\fwvXBgC8.exe
C:\gAwBUjYO.exe
C:\GypsCsnt.exe
C:\H0fZOilo.exe
C:\HC4l963G.exe
C:\Hf5B77RN.exe
C:\HPeSUDx3.exe
C:\ieqRqrYa.exe
C:\ixhCUfVV.exe
C:\JxCYYKrs.exe
C:\k0ajaPbO.exe
C:\KOukne4U.exe
C:\K_VTZXkE.exe
C:\KyB7QP0X.exe
C:\LAvnqxEl.exe
C:\LIIDoR9b.exe
C:\ljZ_F6DZ.exe
C:\lQO1ghhj.exe
C:\MagJk0Hc.exe
C:\Mfjz2DNb.exe
C:\mnyZFSsZ.exe
C:\nsiMXFId.exe
C:\nZC8_ib6.exe
C:\ohwlVr1J.exe
C:\Ol2zVsYc.exe
C:\op2kbhB2.exe
C:\oRNErRrJ.exe
C:\P6e9AgPf.exe
C:\PcGutxna.exe
C:\qDTONlNm.exe
C:\_qG0Q4gW.exe
c:\qi1len\mnvjqg.exe
C:\qluZp44w.exe
C:\QMuhoOpC.exe
C:\Rar3nliO.exe
C:\rDFiMGWt.exe
C:\rLHfUMVK.exe
C:\RVGzOtfS.exe
C:\sd0Iu_3O.exe
C:\SuI_ChSD.exe
C:\t0FTonTJ.exe
C:\TAtBclJO.exe
C:\tKYbx32B.exe
C:\u_01YHqX.exe
C:\urFOiBKk.exe
C:\Users\Peter\AppData\Local\Temp\Temp1_RA3216091.zip\RA29112013.exe
C:\UzDlub0P.exe
C:\vahoghCu.exe
C:\vAn4j76R.exe
C:\VRN_x4Jz.exe
C:\XN7hm7jP.exe
C:\xxAP3vJ7.exe
C:\xXbykKAC.exe
C:\Y4vNW5dc.exe
C:\YfUhgP8F.exe
C:\yX9oS9RU.exe
C:\Z6a25pDZ.exe
C:\znzDUGDR.exe
C:\Zs7MFFIV.exe
Delete 1:
Dindom
edit
&Exit
&File
&Help
Lyrik
&Open
Quit
&Save
Start
static
Tropik
Weta
[1JM-7
3<7?Z(
^3^=)R
4L3G":9Q	S^
&5>/%;3$/G4
^5NZ,LQC
)8K5S{
8MccaM
)8=%SC
9)E)@ 
9 EEG@99)PG
9@ EG  @P 9G
9EPE9 PE9
9 G@J#
9)PEP9)G
9@)@PPE
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AVWAf9
AW2)@6OH&@`=
]^BBU`
/B,K>'\^
CreateFileW
CreatePen
CreateWindowExW
`.data
DefWindowProcW
DeleteFileW
DispatchMessageW
D%>)XY--
<E)6U&'9
)EE E E
'EE"T'UMI8]2"&cPXWCTA1
EGG9GG@
EI	*GQ8PT,G7!X
FindClose
FindFirstFileW
FindNextFileW
F:(M?9%1]S(I
G99PGGGE
GDI32.dll
GetMessageW
GetModuleHandleW
GetStartupInfoA
)G G)E
G,L0=6
  GP GP
HtHHtA-
-[__I+
I,	^&Y ]
;IZO#T9
(K'Eb;
KERNEL32.dll
K	O!`8=FD
KU<ZH#T	!
LoadCursorW
LoadIconW
L[U6# 
OO-b+/)
P99  @
P9E@E@9)E
P9E)E9EE
P@9P)9E
P@G)G9
PMH:Z*a-
PostMessageA
PR*N7 ]%]*
Q]:#3 ''0&^QO
ReadFile
RegisterClassExW
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
\R!FMQ"\>
    </security>
    <security>
SetFilePointer
ShowWindow
'&S'L#07
S/P;9O
^(T6@6AC2C)
	TA1N&
!This program cannot be run in DOS mode.
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UpdateWindow
USER32.dll
'!$).(VA7DR*
VIA6]]
WWPPPPh
X!A<>9
XT_"C$;H!Y[6
xxxyyy
zTPW|l
+`ZVG=`
\Z'X*1GE