Analysis Date: 2015-10-03 08:17:26
MD5: 999b70310eb96287ee4630657da48937
SHA1: a5b620e5eed7d6fd4244ac5fe9ae04edb6f8a86e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b274abbe66a553a0a0e9b16fd15da7c9 sha1: 5f03946a192e7b95aa5e73ba4dea44eff792b32d size: 6656
Section .rdata: md5: 15ce3324221d9a28fc94fcef5b54391c sha1: 1456cc2ed9153ae5e9e12197bad4545459281c73 size: 3584
Section .data: md5: e70ffaaa5d61b34185f69c08e83dc6c0 sha1: 68f7568143e40ea699dd4ccf813552bfa8b2e51a size: 512
Section .rsrc: md5: 47c50ada33859be11d8aa2da1d5a593e sha1: 306304cda174973e739c637fc7a7e3c693cbab92 size: 18432
Timestamp: 2013-12-01 03:25:48
Packer: Microsoft Visual C 2.0
PEhash: c1830d9db70e615d2e8ba12a16af60eb7eee2af7
IMPhash: f63ef693c81cd0c55b4febc62b6f1313
AV CA (E-Trust Ino): no_virus
AV Rising: Trojan.Win32.Kryptik.af
AV Mcafee: Upatre-FACH!999B70310EB9
AV Avira (antivir): TR/Spy.ZBot.txzdsr
AV Twister: Trojan.Girtk.DKRX.rmwy
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.DKRX
AV Grisoft (avg): Generic_r.FDF
AV Symantec: Downloader.Upatre!gen5
AV Fortinet: W32/Waski.A!tr
AV BitDefender: Trojan.Upatre.Gen.3
AV K7: Trojan ( 004c5a121 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV MalwareBytes: Trojan.Upatre.NT
AV Authentium: W32/Upatre.AI.gen!Eldorado
AV Frisk (f-prot): W32/Upatre.AI.gen!Eldorado
AV Ikarus: VirTool.Obfuscator
AV Emsisoft: Trojan.Upatre.Gen.3
AV Zillya!: Downloader.UpatreGen.Win32.44
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UP.4A2FF0E3
AV CAT (quickheal): Trojan.Kadena.B4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Upatre.Gen.3
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.29817
AV F-Secure: Trojan.Upatre.Gen.3

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DenkLog61.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Denkhus.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Denkhus.exe
Creates Mutex: Nintendo

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Denkhus.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Nintendo
Winsock DNS: 81.93.205.218
Winsock DNS: 91.83.152.76
Winsock DNS: 62.204.250.26
Winsock DNS: 81.93.205.251
Winsock DNS: 193.86.104.15
Winsock DNS: 185.47.89.249
Winsock DNS: 217.168.210.122
Winsock DNS: 79.120.246.61
Winsock DNS: 94.103.54.19
Winsock DNS: icanhazip.com
Winsock DNS: 178.253.205.89
Winsock DNS: 188.120.194.101
Winsock DNS: 160.218.186.106
Winsock DNS: 84.246.161.47
Winsock DNS: 81.90.175.7
Winsock DNS: 87.229.109.250
Winsock DNS: 38.124.172.139

Network Details:

DNS: icanhazip.com Type: A ➝ 104.238.145.30
DNS: icanhazip.com Type: A ➝ 104.238.141.75
DNS: icanhazip.com Type: A ➝ 104.238.136.31
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.36 (KHTML, like Gecko) Chrome/42.0.2357.81 Safari/536.36
HTTP GET: http://188.120.194.101:13030/NIKI11/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.36 (KHTML, like Gecko) Chrome/42.0.2357.81 Safari/536.36
HTTP GET: http://188.120.194.101:13030/NIKI11/COMPUTER-XXXXXX/41/1/2/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.36 (KHTML, like Gecko) Chrome/42.0.2357.81 Safari/536.36
Flows TCP: 192.168.1.1:1031 ➝ 104.238.145.30:80
Flows TCP: 192.168.1.1:1032 ➝ 188.120.194.101:13030
Flows TCP: 192.168.1.1:1033 ➝ 84.246.161.47:443
Flows TCP: 192.168.1.1:1034 ➝ 84.246.161.47:443
Flows TCP: 192.168.1.1:1035 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1036 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1037 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1038 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1039 ➝ 193.86.104.15:443
Flows TCP: 192.168.1.1:1040 ➝ 193.86.104.15:443
Flows TCP: 192.168.1.1:1041 ➝ 160.218.186.106:443
Flows TCP: 192.168.1.1:1042 ➝ 160.218.186.106:443
Flows TCP: 192.168.1.1:1043 ➝ 62.204.250.26:443
Flows TCP: 192.168.1.1:1044 ➝ 62.204.250.26:443
Flows TCP: 192.168.1.1:1045 ➝ 94.103.54.19:443
Flows TCP: 192.168.1.1:1046 ➝ 94.103.54.19:443
Flows TCP: 192.168.1.1:1047 ➝ 79.120.246.61:443
Flows TCP: 192.168.1.1:1048 ➝ 79.120.246.61:443
Flows TCP: 192.168.1.1:1049 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1050 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1051 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1052 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1053 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1054 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1055 ➝ 91.83.152.76:443
Flows TCP: 192.168.1.1:1056 ➝ 91.83.152.76:443
Flows TCP: 192.168.1.1:1057 ➝ 178.253.205.89:443
Flows TCP: 192.168.1.1:1058 ➝ 178.253.205.89:443
Flows TCP: 192.168.1.1:1059 ➝ 185.47.89.249:443
Flows TCP: 192.168.1.1:1060 ➝ 185.47.89.249:443
Flows TCP: 192.168.1.1:1061 ➝ 38.124.172.139:443
Flows TCP: 192.168.1.1:1062 ➝ 38.124.172.139:443
Flows TCP: 192.168.1.1:1063 ➝ 188.120.194.101:13030
Flows TCP: 192.168.1.1:1064 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1065 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1066 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1067 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1068 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1069 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1070 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1071 ➝ 217.168.210.122:443
Flows TCP: 192.168.1.1:1072 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1073 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1074 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1075 ➝ 81.90.175.7:443
Flows TCP: 192.168.1.1:1076 ➝ 193.86.104.15:443
Flows TCP: 192.168.1.1:1077 ➝ 193.86.104.15:443
Flows TCP: 192.168.1.1:1078 ➝ 193.86.104.15:443
Flows TCP: 192.168.1.1:1079 ➝ 193.86.104.15:443
