Analysis Date2015-10-06 10:42:05
MD56d26bbe68a99a1e155651a94bec6925b
SHA1a01ba535f7aa9454fe596d399547cf4dc87e887d

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 1cfe640fb916f9e71e2f42ce9463b6e6 sha1: d3cefe831eba88d17380b6e877f968ab01e72878 size: 6144
Section.rdata md5: 5991a0937ea1c73a6ea7d2b50760dccf sha1: b09ba9081a37296905432830e2b7a3f680249f52 size: 1536
Section.data md5: 36f425ac30a34478057dae27a1407f15 sha1: 27c149c9c2f3499e5e8e775de3eeba3e88845640 size: 512
Section.rsrc md5: d312230fc901e21ad5d01f3359ba6e14 sha1: 9a3ea68fc338ca5068121b66142c23539c4c2819 size: 10240
Section.reloc md5: 5941791c6b31ac52e41a5ea0912259d3 sha1: 953eb4ea14eb81b605c22a5b1c6a2a709e64de33 size: 512
Timestamp2014-02-05 03:55:00
PEhash2394682c218c1f7651bd92f22a4a09342e6bc7ab
IMPhash7772dfa3e3a72b92db47c13e7be36e20
AVCA (E-Trust Ino)Win32/Tnega.GXNWZHB
AVRisingno_virus
AVMcafeeDownloader-FSH!6D26BBE68A99
AVAvira (antivir)TR/Yarwi.B.176
AVTwisterTrojan.4EB8D0DD116B77B2
AVAd-AwareTrojan.GenericKD.1559549
AVAlwil (avast)Zbot-TCT [Trj]
AVEset (nod32)Win32/TrojanDownloader.Waski.A
AVGrisoft (avg)Generic35.BQYO
AVSymantecDownloader.Upatre
AVFortinetW32/Waski.AC!tr
AVBitDefenderTrojan.GenericKD.1559549
AVK7Trojan-Downloader ( 0040f7f11 )
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre.AA
AVMicroWorld (escan)Trojan.GenericKD.1559549
AVMalwareBytesTrojan.Downloader.Upatre
AVAuthentiumW32/Trojan.QXZZ-7823
AVFrisk (f-prot)W32/Trojan3.HKY
AVIkarusTrojan-Downloader.Win32.Upatre
AVEmsisoftTrojan.GenericKD.1559549
AVZillya!Downloader.Injecter.Win32.5149
AVKasperskyTrojan-Downloader.Win32.Injecter.jiq
AVTrend MicroTROJ_UPATRE.SMBB
AVCAT (quickheal)TrojanDownloader.Upatre.A4
AVVirusBlokAda (vba32)TrojanDownloader.Injecter
AVPadvishno_virus
AVBullGuardTrojan.GenericKD.1559549
AVArcabit (arcavir)Trojan.GenericKD.1559549
AVClamAVWin.Trojan.Generickd-68
AVDr. WebTrojan.DownLoad3.28161
AVF-SecureTrojan-Downloader:W32/Upatre.I

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSbsitacademy.com
Winsock DNSwahidexpress.com

Network Details:

DNSbsitacademy.com
Type: A
69.30.205.243
DNSwahidexpress.com
Type: A
103.15.74.65
HTTP GEThttp://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GEThttp://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
HTTP GEThttp://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GEThttp://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
Flows TCP192.168.1.1:1031 ➝ 69.30.205.243:80
Flows TCP192.168.1.1:1032 ➝ 103.15.74.65:80
Flows TCP192.168.1.1:1033 ➝ 69.30.205.243:80
Flows TCP192.168.1.1:1034 ➝ 103.15.74.65:80

Raw Pcap

Strings