Analysis Date: 2015-09-16 20:40:19
MD5: cfccb04ebd1cb3269ccc80b806e452b0
SHA1: 902955c454b14bac659b8daf0430033696650a50

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 b9b67370a89e5e5cfd5056b80b71187d, sha1 2a16fdafa6fa2f5e679c1dacb58f3ae355de8009, size 10752 bytes
Section .rdata: md5 23257cffa20165c733d927eb8ad7a01d, sha1 8770f0bf62cc9073952e254a4f24b21c7809fd55, size 2048 bytes
Section .data: md5 3a0e2bba7ed062c102bd2731b3c5c8c2, sha1 d5baa258249088da39ecd00e3e309c1014dcaf67, size 1024 bytes
Section .rsrc: md5 86c74fab9b4ebe99b422d7ade632a64d, sha1 4a88a77f7bbf366ebd15ec797888935dca5d39f7, size 4608 bytes
Timestamp: 2013-10-25 12:19:20
PEhash: 1d93774ecc9c923488c9092cf3732d35a18a5b6a
IMPhash: 72e6bd37badca6d74bb0c3794414b19a
AV CA (E-Trust Ino): Win32/Tnega.ATFD
AV Rising: no_virus (no detection)
AV McAfee: Trojan-FDDP!CFCCB04EBD1C
AV Avira (antivir): TR/Yarwi.B.8
AV Twister: Trojan.130F991906168BC4
AV Ad-Aware: Trojan.GenericKD.1361230
AV Alwil (avast): Upatre-E [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Small.AAB
AV Grisoft (avg): Zbot.CZS
AV Symantec: Downloader
AV Fortinet: W32/Zbot.QMSC!tr
AV BitDefender: Trojan.GenericKD.1361230
AV K7: Trojan-Downloader ( 00457c511 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1361230
AV MalwareBytes: Trojan.Email.XGEN
AV Authentium: W32/Trojan.UMIR-0195
AV Frisk (f-prot): W32/Trojan3.GID
AV Ikarus: Trojan-PWS.Win32.Fareit
AV Emsisoft: Trojan.GenericKD.1361230
AV Zillya!: Trojan.Agent.Win32.431962
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UPATRE.BG
AV CAT (quickheal): TrojanDownloader.Upatre.A5
AV VirusBlokAda (vba32): Trojan.Agent
AV Padvish: no_virus (no detection)
AV BullGuard: Trojan.GenericKD.1361230
AV Arcabit (arcavir): Trojan.GenericKD.1361230
AV ClamAV: Win.Trojan.Generickd-33
AV Dr. Web: Trojan.DownLoad.64682
AV F-Secure: Trojan.GenericKD.1361230

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winere.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\winere.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\winere.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: nevadaspendthrifttrustblog.com
Winsock DNS: businesswebstudios.com

Network Details:

DNS: businesswebstudios.com, Type: A ➝ 50.63.202.53
DNS: nevadaspendthrifttrustblog.com, Type: A ➝ (no answer recorded in the report)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1033 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.53:443
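The runtime and network details above give a small but usable indicator set: the sample's own hashes, the dropped second stage winere.exe launched out of the user's Temp directory, two contacted domains and one resolved IP. The following is an added example (not part of the report or of any sandbox tool) that turns those indicators into a matcher and runs it over constructed, Sysmon-like log lines; the log format, field names and the md5 values other than the report's own are assumptions. It deliberately leaves out WininetConnectionMutex, the c:!...! mutexes, the index.dat files and the ProxyBypass/ProxyEnable registry reads: WinINet produces those for any process that uses it, so they do not identify this sample.

```python
"""IOC matcher built from this report's indicators (added example, not part of
the original report or of any analysis tool).  The log format is an assumption:
Sysmon-like lines of "<timestamp> <event> key=value ...".
"""
import re
from typing import Dict, List, Tuple

# Atomic indicators copied from the report.
IOC_MD5 = {"cfccb04ebd1cb3269ccc80b806e452b0"}
IOC_SHA1 = {"902955c454b14bac659b8daf0430033696650a50"}
IOC_DOMAINS = {"nevadaspendthrifttrustblog.com", "businesswebstudios.com"}
IOC_IPS = {"50.63.202.53"}
IOC_DROPPED_NAMES = {"winere.exe"}

# User temp directories: the XP-era layout seen in the report and the Vista+ one.
TEMP_DIR_RE = re.compile(r"\\(local settings\\temp|appdata\\local\\temp)\\", re.I)

# key=value pairs whose values may contain spaces (Windows paths do):
# a value runs until the next " key=" or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one line into timestamp, event type and lower-cased key=value fields."""
    parts = line.split(" ", 2)
    rest = parts[2] if len(parts) > 2 else ""
    fields = {k.lower(): v for k, v in KV_RE.findall(rest)}
    fields["timestamp"] = parts[0]
    fields["event"] = parts[1] if len(parts) > 1 else ""
    return fields


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator labels this event matches (empty list if none)."""
    hits: List[str] = []
    if ev.get("md5", "").lower() in IOC_MD5:
        hits.append("hash:md5")
    if ev.get("sha1", "").lower() in IOC_SHA1:
        hits.append("hash:sha1")
    query = ev.get("query", "").lower().rstrip(".")
    if query in IOC_DOMAINS:
        hits.append("dns:" + query)
    dst_ip = ev.get("dst", "").rsplit(":", 1)[0]
    if dst_ip in IOC_IPS:
        hits.append("net:" + dst_ip)
    if ev.get("event") == "ProcessCreate":
        image = ev.get("image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in IOC_DROPPED_NAMES:
            hits.append("file:" + name)
        # Behavioural rule, independent of the file name: an executable launched
        # from a user temp directory, which is how malware.exe stages winere.exe.
        if TEMP_DIR_RE.search(image):
            hits.append("behaviour:exec-from-temp")
    return hits


def scan(log: str) -> List[Tuple[str, List[str]]]:
    """Run every non-empty line through match_event; return (timestamp, hits) per hit."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = match_event(ev)
        if hits:
            results.append((ev["timestamp"], hits))
    return results


# Constructed sample log (not sandbox output): the process, DNS and network
# activity listed above rendered as log lines, plus one benign line.  The md5
# values other than the report's own are placeholders.
SAMPLE_LOG = r"""
2015-09-16T20:40:19Z ProcessCreate image=C:\malware.exe parent=C:\WINDOWS\explorer.exe md5=cfccb04ebd1cb3269ccc80b806e452b0
2015-09-16T20:40:20Z ProcessCreate image=C:\Documents and Settings\Administrator\Local Settings\Temp\winere.exe parent=C:\malware.exe md5=00000000000000000000000000000000
2015-09-16T20:40:21Z DnsQuery image=C:\Documents and Settings\Administrator\Local Settings\Temp\winere.exe query=businesswebstudios.com answer=50.63.202.53
2015-09-16T20:40:22Z NetworkConnect image=C:\Documents and Settings\Administrator\Local Settings\Temp\winere.exe dst=50.63.202.53:443 proto=tcp
2015-09-16T20:45:00Z ProcessCreate image=C:\WINDOWS\system32\notepad.exe parent=C:\WINDOWS\explorer.exe md5=11111111111111111111111111111111
"""

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, ", ".join(hits))
```

The hash and domain/IP checks are exact-match atomics and will stop working as soon as the sample is repacked or the infrastructure moves; the exec-from-temp rule is the one that survives that, at the cost of needing a benign-software allowlist in a real deployment.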

Raw Pcap
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
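Six prefixes, six tcp/443 flows: each dump above is the first bytes sent on one of the connections to 50.63.202.53. A first octet with the high bit set is the 2-byte SSLv2-style record header (15-bit length, then the message type), so 80 4c 01 03 reads as a 76-byte CLIENT-HELLO with client version major 3 and 80 2b 01 as a 43-byte CLIENT-HELLO, which is what a WinINet client of that era sends when it opens an SSL session. That reading is the editor's, not the report's. The decoder below is an added example, not part of the report; it goes slightly beyond the captured bytes by also recognising a TLS-framed record (content type 20 to 23, version major 3) so the two kinds of hello seen on port 443 can be told apart, and the TLS test bytes are constructed.

```python
"""Decoder for the per-flow byte prefixes listed under Raw Pcap (added example,
not part of the report).  Reading the captured bytes as SSLv2 CLIENT-HELLO
records is the editor's interpretation; the report itself names no protocol.
"""
from typing import Dict, List

# SSL 2.0 handshake message types.
SSL2_MSG_TYPES = {
    0: "ERROR", 1: "CLIENT-HELLO", 2: "CLIENT-MASTER-KEY", 3: "CLIENT-FINISHED",
    4: "SERVER-HELLO", 5: "SERVER-VERIFY", 6: "SERVER-FINISHED",
    7: "REQUEST-CERTIFICATE", 8: "CLIENT-CERTIFICATE",
}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 16: "client_key_exchange"}


def decode_record_prefix(data: bytes) -> Dict[str, object]:
    """Classify the first bytes of a stream as an SSLv2-style or a TLS record."""
    if len(data) < 2:
        raise ValueError("need at least two bytes")
    b0 = data[0]
    if b0 & 0x80:
        # SSLv2 2-byte header: bit 7 set, 15-bit record length, no padding byte.
        # The body starts with the message type; a CLIENT-HELLO continues with
        # the client version, major byte first.
        body = data[2:]
        return {
            "framing": "sslv2-2byte",
            "record_len": ((b0 & 0x7F) << 8) | data[1],
            "msg_type": SSL2_MSG_TYPES.get(body[0]) if body else None,
            "version_major": body[1] if len(body) > 1 else None,
        }
    if len(data) >= 5 and b0 in TLS_CONTENT_TYPES and data[1] == 3:
        # TLS record layer: type, version (2), length (2); in a handshake
        # record the next byte is the handshake message type.
        hs = data[5] if len(data) > 5 and b0 == 22 else None
        return {
            "framing": "tls",
            "content_type": TLS_CONTENT_TYPES[b0],
            "version": (data[1], data[2]),
            "record_len": (data[3] << 8) | data[4],
            "msg_type": TLS_HANDSHAKE_TYPES.get(hs) if hs is not None else None,
        }
    if len(data) >= 3:
        # SSLv2 3-byte header: bit 7 clear, bit 6 is-escape, 14-bit length,
        # then the padding byte count.
        body = data[3:]
        return {
            "framing": "sslv2-3byte",
            "record_len": ((b0 & 0x3F) << 8) | data[1],
            "padding": data[2],
            "msg_type": SSL2_MSG_TYPES.get(body[0]) if body else None,
            "version_major": body[1] if len(body) > 1 else None,
        }
    return {"framing": "unknown"}


def summarize(prefixes: List[bytes]) -> List[str]:
    """One line per captured prefix: hex, framing, declared record length, message type."""
    out = []
    for p in prefixes:
        r = decode_record_prefix(p)
        out.append("%s %s len=%s type=%s" % (p.hex(), r["framing"], r.get("record_len"), r.get("msg_type")))
    return out


# The six prefixes listed under Raw Pcap, in flow order.
CAPTURED = [bytes.fromhex(h) for h in ("804c0103", "802b01", "804c0103", "802b01", "804c0103", "802b01")]

if __name__ == "__main__":
    print("\n".join(summarize(CAPTURED)))
```

Only the record header and message type are visible here; the cipher-suite list, which is what would actually fingerprint the client, lies beyond the captured bytes.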


Strings