Analysis Date: 2017-07-14 11:14:02
MD5: a52323fb3e0bdad5e762f7ef56411066
SHA1: a73fa57ece511dd973cea0bba31ad39a75246bec

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b6123127c5791198e3e174f1f911d5d6 sha1: cff50ffa442f2adafa154dc1caacc920628441b3 size: 2560
Section .data  md5: d447e459653b50488035fa0eeb73205e sha1: 247a07d59dfdeacbc7632ff820aeb5d980df6839 size: 512
Section .xcpad md5:  sha1:  size:
Section .idata md5: 41e0574f20f21f653aa920261dd7710c sha1: 63a97f03e700c27b1faeb452a2c26c9a4e22c0f2 size: 1536
Section .reloc md5:  sha1:  size:
Section .rsrc  md5: c2534a75b741fe53c4fa27ffe7ed3dc3 sha1: e09a38e8a3c2d581125ce1c1908ef738fdd7d875 size: 7680
Timestamp:
Version info (every field is empty in this sample):
  LegalCopyright:
  PackagerVersion:
  InternalName:
  FileVersion:
  CompanyName:
  Comments:
  ProductName:
  ProductVersion:
  FileDescription:
  Packager:
  OriginalFilename:
Packer:
PEhash:
IMPhash: 2882965f02737a1b501e426c9c6b57a3
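The per-section md5/sha1/size triples above are hashes of each section's raw on-disk bytes (SizeOfRawData bytes starting at PointerToRawData), which is why the sizes are multiples of the 512-byte file alignment and why .xcpad and .reloc, which carry no file-backed data, show blank digests. The following is an added example, not code from the sandbox that produced this report: a stdlib-only section-table walker that reproduces that output, run against a constructed minimal PE embedded in the script (the sample itself is not included). The section names, sizes and header values in the constructed PE are assumptions chosen for the demonstration.

```python
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: 40 bytes, little-endian


def hash_bytes(data: bytes) -> tuple:
    """MD5 and SHA-1 hex digests of a byte string, in that order."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def parse_sections(pe: bytes) -> list:
    """Walk the section table and hash each section's raw (on-disk) bytes.

    A section whose SizeOfRawData or PointerToRawData is zero has no file-backed
    data, so it is reported with size 0 and empty digests; that is the blank
    .xcpad / .reloc case seen in sandbox output.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)      # COFF NumberOfSections
    (opt_header_size,) = struct.unpack_from("<H", pe, coff + 16)  # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_header_size                           # section table follows the optional header
    result = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, pe, table + i * struct.calcsize(SECTION_HDR))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]                  # SizeOfRawData, PointerToRawData
        if raw_size == 0 or raw_ptr == 0:
            result.append({"name": name, "size": 0, "md5": "", "sha1": ""})
            continue
        data = pe[raw_ptr:raw_ptr + raw_size]                     # shorter than raw_size only if the file is truncated
        md5, sha1 = hash_bytes(data)
        result.append({"name": name, "size": len(data), "md5": md5, "sha1": sha1})
    return result


def format_report(sections: list) -> list:
    """Render one line per section in the same shape as the report above."""
    return [f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}" for s in sections]


def build_sample_pe() -> bytes:
    """Constructed minimal PE used as input: three sections, the last one with no raw data (assumed layout)."""
    text = bytes(range(64))     # stand-in for .text contents
    data = b"A" * 32            # stand-in for .data contents
    layout = [(b".text", 64, 0x200), (b".data", 32, 0x240), (b".reloc", 0, 0)]
    img = bytearray(0x40)                       # DOS header; e_lfanew lives at 0x3C
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img += b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    img += struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 8, 0x0102)
    img += b"\0" * 8                            # dummy 8-byte optional header, matching SizeOfOptionalHeader
    for name, size, ptr in layout:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenumbers, Characteristics
        img += struct.pack(SECTION_HDR, name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)
    img += b"\0" * (0x200 - len(img))           # pad headers up to the first raw section
    return bytes(img) + text + data


if __name__ == "__main__":
    for line in format_report(parse_sections(build_sample_pe())):
        print(line)
```

Run the same `parse_sections` over a real file's bytes and the digests line up with a sandbox's section listing; a section whose hash differs between two samples with identical IMPhash is the usual first hint that only the payload or resources changed between builds.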
AV 360 Safe: No Virus
AV Ad-Aware: Trojan.GenericKD.1416344
AV Alwil (avast): Crypt-QFY [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.1416344
AV Authentium: W32/Trojan.YYFI-6519
AV Avira (antivir): TR/Rogue.AI.11225
AV BitDefender: Trojan.GenericKD.1416344
AV BullGuard: Trojan.GenericKD.1416344
AV CA (E-Trust Ino): Trojan.GenericKD.1416344
AV CAT (quickheal): TrojanDownloader.Upatre.A5
AV ClamAV: Win.Trojan.Zbot-63693
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1416344
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV F-Secure: Trojan.GenericKD.1416344
AV Fortinet: W32/Zbot.HFQ!tr
AV Frisk (f-prot): W32/Trojan3.GOZ
AV Grisoft (avg): PSW.Generic12.NEU
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Trojan ( 0001140e1 )
AV Kaspersky: Trojan-Spy.Win32.Zbot.qsqd
AV MalwareBytes: Trojan.FakeMS.ED
AV McAfee: PWSZbot-FMO!A52323FB3E0B
AV MicroWorld (escan): Trojan.GenericKD.1416344
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV NANO: Trojan.Win32.Zbot.cqjldv
AV Padvish: No Virus
AV Rising: No Virus
AV SUPERAntiSpyware: Trojan.Agent/Gen-Dropper
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_UPATRE.SMJ8
AV Twister: Suspicious.B830000000648.mg
AV VirusBlokAda (vba32): TrojanSpy.Zbot
AV Windows Defender: TrojanDownloader:Win32/Upatre
AV Zillya!: Trojan.Zbot.Win32.142446

Runtime Details:

Screenshot

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe

Process
↳ C:\a73fa57ece511dd973cea0bba31ad39a75246bec.exe

Creates File: mciwave.dll
Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\a73fa57ece511dd973cea0bba31ad39a75246bec.exe
Creates File: C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe (listed three times)
Creates File: C:\WINDOWS\Registration\R000000000007.clb
Creates Mutex:
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass ➝ Drive\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass ➝ Drive\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ➝ C:\Documents and Settings\All Users\Documents\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ➝ C:\Documents and Settings\All Users\Desktop\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 (listed twice)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝ 1 (listed twice)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 1 (listed twice)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe ➝ budha\x00
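Most of the runtime events above are not specific to this sample: the three Zones*Mutex objects and the ZoneMap reads come from urlmon's zone handling, MountPoints2 and Shell Folders are Explorer housekeeping, and WindowsShell.Manifest and the Registration\R*.clb file are written by the shell and COM+ on this XP image. What remains is the drop-and-execute chain: the sample writes budha.exe into the user's Temp directory, it appears as a second process, and the MUICache entry confirms the shell launched it. The script below is an added example, not part of this report or of the sandbox; it re-creates the events from the listing above as constructed tuples and applies a baseline filter (the set of OS-noise patterns is the analyst's assumption) to pull out the indicators worth keeping.

```python
import re

SAMPLE = r"C:\a73fa57ece511dd973cea0bba31ad39a75246bec.exe"   # the submitted sample's path in the sandbox

# Events constructed from the Runtime Details listing above: (kind, value)
EVENTS = [
    ("process", SAMPLE),
    ("process", r"C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe"),
    ("file", "mciwave.dll"),
    ("file", r"C:\WINDOWS\WindowsShell.Manifest"),
    ("file", SAMPLE),
    ("file", r"C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe"),
    ("file", r"C:\WINDOWS\Registration\R000000000007.clb"),
    ("mutex", "ZonesCounterMutex"),
    ("mutex", "ZonesCacheCounterMutex"),
    ("mutex", "ZonesLockedCacheCounterMutex"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass"),
    ("registry", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe"),
]

# Assumed baseline: artifacts the OS itself produces for any GUI process on this sandbox image
# (urlmon zone mutexes and ZoneMap reads, Explorer MountPoints2 / Shell Folders, the shell manifest,
# the COM+ registration database). Tune this list per sandbox image before trusting the output.
BASELINE = [
    ("mutex", re.compile(r"^Zones\w*Mutex$")),
    ("registry", re.compile(r"\\Internet Settings\\ZoneMap\\", re.I)),
    ("registry", re.compile(r"\\Explorer\\MountPoints2\\", re.I)),
    ("registry", re.compile(r"\\Explorer\\Shell Folders\\", re.I)),
    ("file", re.compile(r"^C:\\WINDOWS\\WindowsShell\.Manifest$", re.I)),
    ("file", re.compile(r"^C:\\WINDOWS\\Registration\\R\d+\.clb$", re.I)),
]

MUICACHE_RE = re.compile(r"\\ShellNoRoam\\MUICache\\(.+)$", re.I)


def is_baseline(kind: str, value: str) -> bool:
    return any(kind == k and rx.search(value) for k, rx in BASELINE)


def triage(events: list) -> dict:
    """Split events into OS noise and sample-specific indicators.

    The submitted sample's own path is treated as noise too: the sandbox copies it in
    and starts it, so it shows up as both a file create and a process without telling
    us anything about the malware's behaviour.
    """
    noise, indicators = [], []
    for kind, value in events:
        if is_baseline(kind, value) or value.lower() == SAMPLE.lower():
            noise.append((kind, value))
        else:
            indicators.append((kind, value))
    return {"noise": noise, "indicators": indicators}


def dropped_and_run(events: list, submitted: str = SAMPLE) -> list:
    """Paths that were both written to disk and later seen as a process: the drop-and-execute chain."""
    created = {v.lower(): v for k, v in events if k == "file"}
    started = {v.lower() for k, v in events if k == "process"}
    return [created[p] for p in sorted(created.keys() & started) if p != submitted.lower()]


def muicache_executables(events: list) -> list:
    """Executables the shell recorded under MUICache, i.e. programs it actually launched."""
    hits = []
    for kind, value in events:
        match = MUICACHE_RE.search(value) if kind == "registry" else None
        if match:
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    result = triage(EVENTS)
    print("dropped and executed:", dropped_and_run(EVENTS))
    print("launched via shell:  ", muicache_executables(EVENTS))
    for kind, value in result["indicators"]:
        print(f"indicator {kind}: {value}")
```

Only four events survive the filter here (the Temp-directory drop, the child process, the MUICache entry and the bare `mciwave.dll` create), which is a far better starting point for a host search than the raw listing. The `%TEMP%\<name>.exe` write followed by execution from the same path is the indicator to turn into a hunt query; the Zones*Mutex names are not, since every process that loads urlmon creates them.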

Network Details:

(no entries in this report)

Raw Pcap

Strings
 s`K
s<+K
@&+K
JRQQQ[
 7`K
 s`K
s.+K
sQ+K
 g`K
H%+K
#jif
 W^K
 ?^K
 /^K
 +^K
 O^K
 S^K
 +^K
 K^K
 [^K
 _^@
5B @
Ph% @
PRFT
SSCL
CreateWindowExA
LoadCursorA
TranslateMessage
set waveaudio door open
LoadLibraryExA
user32.dll
mciSendStringA
Winmm.dll
q*PV
YK9&
["(u
|3kU
LS<N
user32.dll
GDI32.dll
Msacm32.dll
ADVAPI32.dll
IMM32.dll
kernel32.dll
GetModuleHandleA
GetProcAddress
HeapCreate
HeapAlloc
ExitProcess
FreeLibrary
GetMessageA
DefWindowProcA
PostQuitMessage
GetForegroundWindow
SetForegroundWindow
GetDoubleClickTime
GetQueueStatus
LoadIconA
RegisterClassA
RegQueryValueExA
RegOpenKeyA
GetUserNameA
CopySid
GetLengthSid
IntersectClipRect
ExcludeClipRect
UpdateColors
GetTextExtentPoint32A
CreateCompatibleDC
DeleteObject
TextOutA
SetBkColor
SetTextColor
Rectangle
CreateSolidBrush
GetStockObject
CreateFontIndirectA
GetTextExtentExPointA
GetTextMetricsA
CreateFontA
RealizePalette
ImmGetCompositionStringW
ImmSetCompositionFontA
ImmGetContext
ImmSetCompositionWindow
acmStreamOpen
acmDriverPriority
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
TTTTT
BBBBBBBBBBBBBBBBBBBBB
BBBB
TTBTBBBBBBBBBBBBBBB
?????rWW??WWWWWWWW
UVUUUUV
YYYYZZZ|||R
R?rRRr
UUUUUUVVVVV
YZYZYZk
RR?`W
pppp
yUVUV
ZZ|Z
kRRrl``
pppppp
yUUVVYYZZZZ
RRRrW
xxxxx
yyVV
kRkkR
`l`ll
||kRRRR
ooooo
dddd
vvvew
jjjjj
dveeeeeee
IBBK
XXnBBK
XMMXX
nBBK
HHHHM
nBBK
EHEHH
HHHEEHHHHHMM
iiEEEEHHEEEEEEEEEEEEEHHH
fff{
AEiD
DDDDDDEMEiEEDDDEEEEEEEEHXnBBK
JJJF
FFFDDHEDDDDDDDDDDDDDDEMnBBK
DFDDFJJJJJJDEHMHHDFJFFFDDFFDDDMnBBK
FFDDDDFJOmJFFcDDFDEFJJDDF[HDDD[M
mmJFD[E[[DJSSSSbOO
OmF[DMHDMXXXMMD
cDcFObOSJD[[[[FSF
aaaQQQQFDFS
FcDDcS
QScFSQQSFFFFSb
hQJJDFOQOSJQaa_aQ
^aQOJFFF[Dba
haahsssshhOFFF[D[[D[
aaah_
SSQs^^~ss~~~~~saQQOODX[OOEDa
^^]]]]]
^ha__tbFDFQQbh
PgNNNgNNNNggggg]]]]]]^aa
_OmDHOOa}^
zNNNNNNNNNNNNNNgggNNNgaFmttmEMm_t_^}__t
\PPPPPPPPPPzPPPNNPPPNghScDmJDMJmO}__}}_
^_QOFD__FOmFmQ_
\\\\\\\\\\\\\\\\
\\\\N
GGGGGGGGGGGGGGGGGGGGGGGGGGGGn
nGGTTTT
uuuuII
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
4AWb
HXKt
h$$Y
~ ?x
&y!G
@-FV