Analysis Date: 2018-02-13 16:12:56
MD5: 7943eb9d40c557e174d5eabdb872fb43
SHA1: 8fd44aba45a349be9efb8f998b1052c11dbea3c4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: af5ba748df3acaa3a3d5acb6472e7089 sha1: 05323e86a75b27b5763f7e942b51905c42bce1c0 size: 2560
Section .data: md5: 5f33677506776b334831a3ed54cb387c sha1: f2df18b21832c33af4b64e3ce7b28f54d1b37589 size: 11776
Section .rsrc: md5: 3eeb96f91b91bb6017d7d0fa9ca0ec32 sha1: 46ba96c9e90ff045c9072dc544535de24deb1ed9 size: 26112
Section .reloc: md5: 7144ec83d9bf3cad86c71e5bea796d9e sha1: a8843a768c22b971048e897e8e8d282d67e5bffb size: 512
Section .DAT: md5: d6612377607fbe1d08ff2689f0d0e493 sha1: adebd8a8c2905053199deb78cd60548d079afd0c size: 512
Timestamp: 1997-10-28 22:08:58
PEhash: fcc5aab56bee31ec645c989eebd1fea8fb919601
IMPhash: c312bb98cf45e74c770b5ff6a8bd003b
AV Arcabit (arcavir): Trojan.Agent.BJIS
AV Authentium: W32/Upatre.E
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Kryptik.gtas
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Ad-Aware: Trojan.Agent.BJIS
AV BitDefender: Trojan.Agent.BJIS
AV BullGuard: Trojan.Agent.BJIS
AV ClamAV: Error Scanning File
AV Dr. Web: Trojan.Upatre.201
AV Emsisoft: Trojan.Agent.BJIS
AV MicroWorld (escan): Trojan.Agent.BJIS
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: W32/Waski.F!tr
AV Frisk (f-prot): W32/Upatre.E
AV F-Secure: Trojan.Agent.BJIS
AV Ikarus: Error Scanning File
AV K7: Trojan-Downloader ( 005073311 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Dyre
AV Mcafee: Upatre-FABM!7943EB9D40C5
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV NANO: Trojan.Win32.Upatre.dqzqvr
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Padvish: No Virus
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: Trojan.Agent/Gen-Upatre
AV Symantec: Downloader.Upatre!gen9
AV Trend Micro: TROJ_UP.DB5F9D28
AV Twister: Trojan.Generic.lbhj
AV VirusBlokAda (vba32): Trojan.AntiAV
AV Windows Defender: TrojanDownloader:Win32/Upatre
AV Zillya!: Downloader.Upatre.Win32.24755

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\8fd44aba45a349be9efb8f998b1052c11dbea3c4.exe

Creates File: C:\Windows\System32\catsrv.dll
Creates File: C:\Users\THX1138\AppData\Local\Temp\8fd44aba45a349be9efb8f998b1052c11dbea3c4.exe
Creates File: C:\Users\THX1138\AppData\Local\Temp\zil7812.tmp
Creates File: C:\Users\THX1138\AppData\Local\Temp\zilinad.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\zilinad.exe

Creates File: C:\Windows\System32\catsrv.dll
Creates File: C:\Users\THX1138\AppData\Local\Temp\zilinad.exe
Creates File: C:\Users\THX1138\AppData\Local\Temp\zil7812.tmp
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASAPI32\EnableFileTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASAPI32\EnableConsoleTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASAPI32\FileTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASAPI32\ConsoleTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASAPI32\MaxFileSize ➝ 1048576
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASAPI32\FileDirectory ➝ %windir%\tracing
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASMANCS\EnableFileTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASMANCS\EnableConsoleTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASMANCS\FileTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASMANCS\ConsoleTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASMANCS\MaxFileSize ➝ 1048576
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\zilinad_RASMANCS\FileDirectory ➝ %windir%\tracing
Creates Mutex: IESQMMUTEX_0_208

Network Details:

DNS icanhazip.com (Type: A) ➝ 166.78.246.145
DNS icanhazip.com (Type: A) ➝ 104.130.28.231
DNS icanhazip.com (Type: A) ➝ 23.253.254.67
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
HTTP GET: http://81.7.109.65:13401/WANS22/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Flows TCP: 192.168.1.1:1031 ➝ 166.78.246.145:80
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13401
Flows TCP: 192.168.1.1:1033 ➝ 46.16.225.236:443
Flows TCP: 192.168.1.1:1034 ➝ 46.16.225.236:443
Flows TCP: 192.168.1.1:1035 ➝ 46.16.225.236:443
Flows TCP: 192.168.1.1:1036 ➝ 46.16.225.236:443
Flows TCP: 192.168.1.1:1037 ➝ 128.0.85.11:443
Flows TCP: 192.168.1.1:1038 ➝ 128.0.85.11:443
Flows TCP: 192.168.1.1:1039 ➝ 128.0.85.11:443
Flows TCP: 192.168.1.1:1040 ➝ 128.0.85.11:443
Flows TCP: 192.168.1.1:1041 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1042 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1043 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1044 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1045 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1046 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1047 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1048 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1049 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1050 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1051 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1052 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1053 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1054 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1055 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1056 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1057 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1058 ➝ 46.151.130.90:443

Raw Pcap

Strings
AmpFactorToDB
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
authz.dll
AuthzFreeAuditEvent
AuthziAllocateAuditParams
AuthziFreeAuditEventType
AuthziFreeAuditParams
AuthziFreeAuditQueue
AuthziInitializeAuditEvent
AuthziInitializeAuditEventType
AuthziInitializeAuditParams
AuthziInitializeAuditParamsFromArray
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditQueue
AuthziLogAuditEvent
AuthziModifyAuditEvent
AuthziModifyAuditEventType
AuthziModifyAuditQueue
AuthziSourceAudit
avicap32.DLL
capCreateCaptureWindowA
capGetDriverDescriptionA
CFGMGR32.dll
CM_Add_Empty_Log_Conf
CM_Add_Empty_Log_Conf_Ex
CM_Add_IDA
CM_Add_ID_ExA
CM_Add_ID_ExW
CM_Add_IDW
CM_Add_Range
CM_Add_Res_Des
CM_Add_Res_Des_Ex
CM_Connect_MachineA
CM_Connect_MachineW
CM_Create_DevNodeA
CMP_Init_Detection
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CreateMutexA
DecodePointer
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
ExitProcess
GetCommandLineA
GetCommState
GetOEMCP
GetWindowsDirectoryA
IsRasmanProcess
kernel32.dll
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
NDdeApi.dll
NDdeGetErrorStringA
netapi32.dll
pstorec.dll
PStoreCreateInstance
quartz.dll
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
</security>
<security>
SetErrorMode
SetFilePointer
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">