Analysis Date: 2016-01-25 14:25:35
MD5: c43cb8bea2e69f76a543118196f9acbf
SHA1: 9b2caa14971f2a5e27844f352c36b9297934a55f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 18a409c9ee27ba7e2f52c8d5827db0fb  sha1: 0fa852fb3e1c5c2a4a1efc45f41d19e52088cfd1  size: 6144
Section .rdata  md5: 9921719d3029dea6a7daef99a3f5619c  sha1: 6344c3c270ed183376234a98e674b43b153026b7  size: 1536
Section .data   md5: 92ed38dfa29b35d2ea9541f9024b641a  sha1: d7393f5ad32e8f4a233a96166981708d3592b1f2  size: 512
Section .rsrc   md5: 320a63c0552666c12f361d403bd803b5  sha1: da20a8f355a94e57d8e8adb1b834d44d411a046a  size: 10240
Section .reloc  md5: 5d5037fb65f960eefa0bdd3de33a413b  sha1: 2f850f227b398066e0e7ecfa65309625dab36713  size: 512
Timestamp: 2014-02-05 04:01:14
PEhash: b6248038e0af3e67a33a86bcc7288619ab5ee56f
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20
AV CA (E-Trust Ino): Win32/Upatre.WLSLQSB
AV Rising: No Virus
AV Mcafee: Downloader-FSH!C43CB8BEA2E6
AV Avira (antivir): TR/Dldr.JQKE
AV Twister: Trojan.3195267B1E166539
AV Ad-Aware: Trojan.GenericKD.1559566
AV Alwil (avast): Agent-AUID [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Grisoft (avg): Crypt_s.FLK
AV Symantec: Downloader.Upatre
AV Fortinet: No Virus
AV BitDefender: Trojan.GenericKD.1559566
AV K7: Trojan ( 00495fc51 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1559566
AV MalwareBytes: Trojan.Email.FakeDoc
AV Authentium: W32/Trojan.JESA-1918
AV Frisk (f-prot): W32/Trojan3.HKZ
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Emsisoft: Trojan.GenericKD.1559566
AV Zillya!: Trojan.Bublik.Win32.13097
AV Kaspersky: Trojan.Win32.Bublik.bxtq
AV Trend Micro: TROJ_UPATRE.SM37
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV VirusBlokAda (vba32): Trojan.Bublik
AV BullGuard: Trojan.GenericKD.1559566
AV Arcabit (arcavir): Trojan.GenericKD.1559566
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoad3.28161
AV F-Secure: Trojan-Downloader:W32/Upatre.I

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\realupdater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\realupdater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\realupdater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: svsmills.com
Winsock DNS: japanrareearths.com

Network Details:

DNS: svsmills.com  Type: A  ➝ 103.231.41.126
DNS: japanrareearths.com  Type: A  ➝ 184.168.221.78
HTTP GET: http://svsmills.com/images/pdf.enc
  User-Agent: Updates downloader
HTTP GET: http://japanrareearths.com/img/pdf.enc
  User-Agent: Updates downloader
HTTP GET: http://svsmills.com/images/pdf.enc
  User-Agent: Updates downloader
HTTP GET: http://japanrareearths.com/img/pdf.enc
  User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 103.231.41.126:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.78:80
Flows TCP: 192.168.1.1:1033 ➝ 103.231.41.126:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.78:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 7064662e   GET /images/pdf.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2073 76736d69 6c6c732e 636f6d0d   t: svsmills.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f696d61 6765732f 7064662e   GET /images/pdf.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2073 76736d69 6c6c732e 636f6d0d   t: svsmills.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f696d67 2f706466 2e656e63   GET /img/pdf.enc
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a2074 6578742f 2a2c2061 70706c69   t: text/*, appli
0x00000030 (00048)   63617469 6f6e2f2a 0d0a5573 65722d41   cation/*..User-A
0x00000040 (00064)   67656e74 3a205570 64617465 7320646f   gent: Updates do
0x00000050 (00080)   776e6c6f 61646572 0d0a486f 73743a20   wnloader..Host: 
0x00000060 (00096)   6a617061 6e726172 65656172 7468732e   japanrareearths.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....

0x00000000 (00000)   47455420 2f696d67 2f706466 2e656e63   GET /img/pdf.enc
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a2074 6578742f 2a2c2061 70706c69   t: text/*, appli
0x00000030 (00048)   63617469 6f6e2f2a 0d0a5573 65722d41   cation/*..User-A
0x00000040 (00064)   67656e74 3a205570 64617465 7320646f   gent: Updates do
0x00000050 (00080)   776e6c6f 61646572 0d0a486f 73743a20   wnloader..Host: 
0x00000060 (00096)   6a617061 6e726172 65656172 7468732e   japanrareearths.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
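The four requests in the Raw Pcap section are shown only as hex dumps. The following Python example is added here and is not part of the original report: it reconstructs the request bytes from that dump format, parses the HTTP request line and headers, and flags the indicators visible in this capture (the hard-coded User-Agent "Updates downloader", a request for a file named pdf.enc, and the Accept header). The embedded dump is the first request block from the report; the benign request used as a negative control, the indicator list and all function and constant names are the example's own.

```python
"""Reconstruct and triage HTTP requests from a sandbox report's "Raw Pcap" hex dump.

Added example, not part of the original report. SAMPLE_DUMP is copied from the
first request block above; BENIGN_REQUEST is constructed as a negative control.
"""
import re
from dataclasses import dataclass, field

# Dump rows look like:  0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
# The hex field is fixed width: four 8-digit groups plus three separators = 35 characters.
# We take that field, then keep only leading tokens that are really hex, so neither the
# ASCII column nor a short final row can leak non-hex text into the decoded bytes.
_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s*(.{0,35})")
_HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Return the raw bytes displayed by a report-style hex dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # blank line or text that is not a dump row
        for token in m.group(1).split():
            if not _HEX_TOKEN.match(token):
                break  # reached the ASCII column
            out += bytes.fromhex(token)
    return bytes(out)


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse an HTTP/1.x request head (request line + headers); any body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)


# Indicators visible in the capture above. The hard-coded User-Agent and the pdf.enc
# payload name are the durable ones; hostnames and IPs are cheap to rotate.
UPATRE_USER_AGENT = "updates downloader"
PAYLOAD_SUFFIX = ".enc"
CAPTURED_ACCEPT = "text/*, application/*"


def upatre_indicators(req: HttpRequest) -> list:
    """Return human-readable reasons why this request matches the captured traffic."""
    hits = []
    if req.headers.get("user-agent", "").lower() == UPATRE_USER_AGENT:
        hits.append("User-Agent 'Updates downloader'")
    if req.path.lower().endswith(PAYLOAD_SUFFIX):
        hits.append(f"request for a {PAYLOAD_SUFFIX} second-stage file")
    if req.headers.get("accept") == CAPTURED_ACCEPT:
        hits.append("same Accept header as the capture (weak, corroborating only)")
    return hits


def triage_dump(dump: str):
    """Reconstruct one request from dump text and return (request, indicator hits)."""
    req = parse_http_request(hexdump_to_bytes(dump))
    return req, upatre_indicators(req)


# First request block from the report above (svsmills.com).
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696d61 6765732f 7064662e   GET /images/pdf.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2073 76736d69 6c6c732e 636f6d0d   t: svsmills.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....
"""

# Constructed benign request used as a negative control (not from the report).
BENIGN_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")

if __name__ == "__main__":
    req, hits = triage_dump(SAMPLE_DUMP)
    print(f"{req.method} {req.path} Host={req.headers.get('host')} "
          f"UA={req.headers.get('user-agent')!r}")
    for h in hits:
        print("  indicator:", h)
    print("benign control hits:", upatre_indicators(parse_http_request(BENIGN_REQUEST)))
```

Pasting any of the other three dump blocks into `triage_dump` yields the same indicators with `japanrareearths.com` as the Host for the second pair. When turning this into a network detection, key on the User-Agent and the `.enc` request path rather than on the two hostnames or their A records alone, since the download infrastructure can be swapped without touching the downloader binary.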


Strings