Analysis Date: 2015-11-01 15:14:19
MD5: dbbce164fb2e0f7e68be61eff0ffb540
SHA1: ab3d8c5119724492da27057c1f36789404031d04

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 663e00a35e884ed261818d49379ef784 sha1: 980d33231db42c0174047d9af7b250cbd798bbda size: 8192
Section .data: md5: e35e48b0e1e767b039c2aee44d1a3547 sha1: 1fb2e908fdff01b74d3abe938f5c44850b03e421 size: 9216
Section .rsrc2: md5: 09a6d447fb78bdfe05b24c3d979032f6 sha1: a0da212235f06c915001b754e00f9b28a8cd3c1a size: 28160
Timestamp: 1997-10-25 03:03:20
PEhash: f93abec00023cf589a693f81f555861d37efce69
IMPhash: dc52d15b03267087005a102fdb520892
AV Authentium: W32/Upatre.E.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Ikarus: Trojan.Crypt
AV Padvish: no_virus
AV Trend Micro: TROJ_UP.2B56FF8B
AV Symantec: Downloader.Upatre!gen9
AV MalwareBytes: Trojan.Upatre
AV ClamAV: no_virus
AV Ad-Aware: Trojan.Upatre.Gen.2
AV BitDefender: Trojan.Upatre.Gen.2
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV Arcabit (arcavir): Trojan.Upatre.Gen.2
AV Zillya!: Downloader.UpatreGen.Win32.15
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV F-Secure: Trojan.Upatre.Gen.2
AV Eset (nod32): Win32/Kryptik.DMGJ
AV BullGuard: Trojan.Upatre.Gen.2
AV Mcafee: Upatre-FACE!DBBCE164FB2E
AV Dr. Web: Trojan.Upatre.3541
AV Twister: no_virus
AV Emsisoft: Trojan.Upatre.Gen.2
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV CAT (quickheal): TrjnDwnlder.Upatre.MUE.BC3
AV Avira (antivir): TR/Kryptik.qgmqo
AV Rising: no_virus
AV MicroWorld (escan): Trojan.Upatre.Gen.2
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Grisoft (avg): Generic_s.EUL
AV K7: Trojan ( 004c7f3f1 )
AV Fortinet: W32/Waski.F!tr

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\FIH_244D.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fihatyka.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\fihatyka.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fihatyka.exe

Network Details:

DNS: icanhazip.com
Type: A
64.182.208.184
DNS: icanhazip.com
Type: A
64.182.208.185
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
HTTP GET: http://188.120.194.101:13153/211/OORTHWIN-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Flows TCP: 192.168.1.1:1031 ➝ 64.182.208.184:80
Flows TCP: 192.168.1.1:1032 ➝ 188.120.194.101:13153
Flows TCP: 192.168.1.1:1033 ➝ 173.248.29.43:443
Flows TCP: 192.168.1.1:1034 ➝ 173.248.29.43:443
Flows TCP: 192.168.1.1:1035 ➝ 173.248.29.43:443
Flows TCP: 192.168.1.1:1036 ➝ 173.248.29.43:443
Flows TCP: 192.168.1.1:1037 ➝ 109.86.226.85:443
Flows TCP: 192.168.1.1:1038 ➝ 109.86.226.85:443
Flows TCP: 192.168.1.1:1039 ➝ 109.86.226.85:443
Flows TCP: 192.168.1.1:1040 ➝ 109.86.226.85:443
Flows TCP: 192.168.1.1:1041 ➝ 24.220.92.193:443
Flows TCP: 192.168.1.1:1042 ➝ 24.220.92.193:443
Flows TCP: 192.168.1.1:1043 ➝ 24.220.92.193:443
Flows TCP: 192.168.1.1:1044 ➝ 24.220.92.193:443
Flows TCP: 192.168.1.1:1045 ➝ 176.36.251.208:443
Flows TCP: 192.168.1.1:1046 ➝ 176.36.251.208:443
Flows TCP: 192.168.1.1:1047 ➝ 176.36.251.208:443
Flows TCP: 192.168.1.1:1048 ➝ 176.36.251.208:443
Flows TCP: 192.168.1.1:1049 ➝ 188.255.165.154:443
Flows TCP: 192.168.1.1:1050 ➝ 188.255.165.154:443
Flows TCP: 192.168.1.1:1051 ➝ 188.255.165.154:443
Flows TCP: 192.168.1.1:1052 ➝ 188.255.165.154:443
Flows TCP: 192.168.1.1:1053 ➝ 173.216.240.56:443
Flows TCP: 192.168.1.1:1054 ➝ 173.216.240.56:443
Flows TCP: 192.168.1.1:1055 ➝ 173.216.240.56:443
Flows TCP: 192.168.1.1:1056 ➝ 173.216.240.56:443