Analysis Date: 2015-10-23 14:01:44
MD5: 8c1cd314570622a91a6239385e26a335
SHA1: abeff51b165a887bf61b88cc87e2b55061b2409f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code: md5: c6c1533004078c025e38849f27ddaa40 sha1: edfd02e4eb52c88a8268ed7e0f4efaa6e3e54bb9 size: 2560
Section .data: md5: a7e5cd1a9e6289b24c1023b996e5f130 sha1: 49e83f06848c4585631ba9b646c0e67e13484d18 size: 10752
Section rSRC: md5: afc7577a934d6060279ca254a0ec7dd4 sha1: a0fbc5f1f0f069bdd070ac20ba47b20ebef11601 size: 29696
Section .reloc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .neolit: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
(Note: the section names are non-standard — ".code" instead of ".text", "rSRC" with odd casing instead of ".rsrc", and ".neolit", which is not a known compiler/linker name. .neolit has exactly the same md5/sha1 and size as .reloc, so both sections hold the same 512 bytes, most likely padding. Taken together this suggests a custom or modified packer/linker; treat the section layout itself as a static indicator, not as evidence of what the code does.)
Timestamp: 1997-10-28 22:08:58
(PE compile timestamp. It predates the analysis date by roughly 18 years and is inconsistent with the embedded asm.v3 trustInfo/requestedExecutionLevel manifest visible in the Strings section, a Vista-era UAC construct — the timestamp is almost certainly forged and should not be used to date the sample.)
PEhash: 88de884d0ccb68ab54ecc55b72e348348ed2264c
IMPhash: 867154328e8b682181c5adf161c84834
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Upatre.AQ
AV Dr. Web: Trojan.Upatre.201
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Upatre.AQ
AV BullGuard: Trojan.Upatre.AQ
AV Padvish: no_virus
AV VirusBlokAda (vba32): Backdoor.Caphaw
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Trojan.Upatre.AQ
AV Ikarus: Trojan-Spy.Agent
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Authentium: W32/Upatre.E.gen!Eldorado
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Upatre.AQ
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV K7: Trojan ( 004c123f1 )
AV BitDefender: Trojan.Upatre.AQ
AV Fortinet: W32/Waski.F!tr
AV Symantec: Downloader.Upatre!gen9
AV Grisoft (avg): Generic_s.ENH
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Upatre.AQ
AV Twister: Backdoor.Caphaw.vhy.urzu
AV Avira (antivir): TR/Dldr.Upatre.ID
AV Mcafee: Upatre-FAAR!8C1CD3145706
AV Rising: 0x592779b0
(Summary: 26 of 31 engines flag the sample. The dominant label is Upatre (Eset/Fortinet's "Waski" is their name for the same family), a downloader/dropper, which is consistent with the runtime behaviour below — a second-stage executable dropped to %TEMP% and outbound TCP/443 beacons to hard-coded IPs. The two Caphaw labels are outliers. McAfee's suffix 8C1CD3145706 is the first 12 hex digits of the MD5 above.)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\sefonot.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB59.log
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\sefonot.exe
(The first stage drops a second executable into the user's %TEMP% directory and launches it; the child process then deletes the original sample — see "Deletes File" below. Both the %TEMP% path and the child-process relationship are useful detection anchors.)

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\sefonot.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
(Self-deletion of the original dropper by the second stage. The WinINet index.dat files and WininetConnectionMutex below indicate the network traffic goes through WinINet rather than raw sockets; the lsarpc pipe and the Afd endpoint are, respectively, an LSA RPC handle and a socket — common side effects of the Windows networking/security APIs and not by themselves malicious.)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 83.239.125.206
Winsock DNS: 78.157.227.34
Winsock DNS: 83.219.139.124
Winsock DNS: 176.106.142.52
(All four "DNS" entries are bare IPv4 addresses, not hostnames — the C2 endpoints appear to be hard-coded in the sample, so DNS-based blocking or sinkholing will not catch this traffic; block or alert on the IPs themselves, and expect them to be rotated in other samples.)

Network Details:

Flows TCP: 192.168.1.1:1031 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1031 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1032 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1033 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1034 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1035 ➝ 83.219.139.124:443
Flows TCP: 192.168.1.1:1036 ➝ 83.219.139.124:443
Flows TCP: 192.168.1.1:1037 ➝ 83.219.139.124:443
Flows TCP: 192.168.1.1:1038 ➝ 83.219.139.124:443
Flows TCP: 192.168.1.1:1039 ➝ 78.157.227.34:443
Flows TCP: 192.168.1.1:1040 ➝ 78.157.227.34:443
Flows TCP: 192.168.1.1:1041 ➝ 78.157.227.34:443
Flows TCP: 192.168.1.1:1042 ➝ 78.157.227.34:443
Flows TCP: 192.168.1.1:1043 ➝ 83.239.125.206:443
Flows TCP: 192.168.1.1:1044 ➝ 83.239.125.206:443
Flows TCP: 192.168.1.1:1045 ➝ 83.239.125.206:443
Flows TCP: 192.168.1.1:1046 ➝ 83.239.125.206:443
Flows TCP: 192.168.1.1:1047 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1048 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1049 ➝ 176.106.142.52:443
Flows TCP: 192.168.1.1:1050 ➝ 176.106.142.52:443
(All 21 flows are outbound to the four hard-coded IPs above on TCP/443, four or five short connections per host, cycling through the list and then returning to the first — a pattern consistent with a fallback/retry loop when no host answers or returns a payload, though the sandbox's network egress is not stated. Whether the payload is genuine TLS or plaintext on port 443 cannot be confirmed here, because the Raw Pcap section carries no data in this excerpt. The first two entries repeat source port 1031, most likely a duplicated log line or a retry on the same socket. Four consecutive short connections per host is a reasonable network-detection heuristic for this sample.)

Raw Pcap

Strings (raw strings extracted from the binary; many are API export names from the DLLs listed — MAPI32, pdh, netapi32, psapi, mpr, mlang — but nothing in the runtime section shows those APIs being exercised, so treat them as unverified and possibly padding or decoy imports. Note the embedded asm.v3 manifest below, which requests requireAdministrator: on a UAC-enabled host the sample would trigger an elevation prompt, whereas in this sandbox it ran under the Administrator account.)
??1CCritSec@@QAE@XZ
??1CObject@@UAE@XZ
??1CStringArray@@UAE@XZ
??1CString@@QAE@XZ
??1CSyncObject@@UAE@XZ
*1GJ?g*
*1"\NB
3G*sGJ
??4CPlex@@QAEAAU0@ABU0@@Z
??4CString@@QAEABV0@ABV0@@Z
??4CString@@QAEABV0@D@Z
??4CString@@QAEABV0@G@Z
??4CString@@QAEABV0@PBD@Z
??4CString@@QAEABV0@PBE@Z
??4CString@@QAEABV0@PBG@Z
5&f,(&R?0
6Zj%Ms
??8@YG_NABVCString@@0@Z
??8@YG_NABVCString@@PBG@Z
??8@YG_NPBGABVCString@@@Z
??9@YG_NABVCString@@0@Z
??9@YG_NABVCString@@PBG@Z
??9@YG_NPBGABVCString@@@Z
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
b]!{`4
B^kZ}C7
BMAPIAddress
BMAPIDetails
BMAPIFindNext
BMAPIGetAddress
BMAPIGetReadMail
BMAPIReadMail
BMAPIResolveName
BMAPISaveMail
BMAPISendMail
BmQueryBounds
BmRelease
BmSaveToStream
CheckNetDrive
cmc_free
cmc_list
cmc_logoff
cmc_logon
cmc_look_up
cmc_query_configuration
cmc_read
cmc_send
cmc_send_documents
c ^OK9)
  </compatibility></assembly>
ConnectDlgProc
ConvertINetString
c?(!T?%
DefCreate
DefCreateFromClip
DefCreateFromFile
DefCreateFromTemplate
DefCreateInvisible
DefLoadFromStream
DibChangeData
DibClone
DibCopy
DibDraw
DibEnumFormat
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
EnumCalendarInfoW
EnumProcesses
GetACP
GetCommandLineA
GetCommConfig
GetCommState
GetVersionExW
GetWindowsDirectoryA
GJ?GJ?GNGNG
G*sGJ}
g-Smi(
hi32.h2\gdhtem3h\sys
h.n	A;s
imm32.dll
ImmEscapeA
	J/|m4
kernel32.dll
M`ajrmM
MAPI32.dll
mfcsubs.dll
mlang.dll
mpr.DLL
msdart.dll
msvcrt.dll
MulDiv
`N3(S$
.neolit
netapi32.dll
olecli32.dll
PdhCreateSQLTablesW
pdh.dll
PdhEnumLogSetNamesA
PdhEnumLogSetNamesW
PdhEnumMachinesA
PdhEnumMachinesHA
PdhEnumMachinesHW
PdhEnumMachinesW
PdhEnumObjectItemsA
PdhEnumObjectItemsHA
PdhEnumObjectItemsHW
PdhEnumObjectItemsW
PdhEnumObjectsA
PdhEnumObjectsHA
PdhEnumObjectsHW
PdhEnumObjectsW
PdhExpandCounterPathA
psapi.dll
QueryDosDeviceA
~qZ14s
.reloc
rTI%d,
sG*1qd
.S(LS9
!This program cannot be run in DOS mode.
(u],Ub;
V;cw>v7
Vh@F1gH
@'/+Vq"
WNetGetLastErrorA
WNetGetLastErrorW
zYF|.ab;