Analysis Date: 2015-03-25 19:59:32
MD5: 0e9dd5803e4b45778c6b4832ccb8d24f
SHA1: aefb272239d7e4cd4bea42a7f5e2747486039d25

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 8522a0511323d944013298ecfbc538e5 sha1: 8d866b8373899c297dcfc4a7b688fdfdcf5ea9aa size: 4096
Section .rdata md5: f959a51dc85e74108083e6c43a03b021 sha1: 257bffef2b199e69cca957e6c57b303cbb07c2e2 size: 1536
Section .data  md5: c97afff042b07c9edc60eabeab09efed sha1: 8114fcd24c31f5a2ae766e861f0ec602045fc185 size: 512
Section .rsrc  md5: ab7a267a1e28d5250968ade7aeff640e sha1: 5677c6e58e9c3561ab9873aae10e15d2ad886814 size: 8192
Timestamp: 2013-11-12 19:47:20
Packer: Borland Delphi 3.0 (???)
PEhash: 444e998ac02fb1f0bc474e77a92fc74c29377bd7
IMPhash: 77bc4c94329925fab055077cd2ff036a
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKDV.1397324
AV Alwil (avast): Dropper-NLO [Drp]
AV Arcabit (arcavir): Trojan.GenericKDV.1397324
AV Authentium: W32/Trojan.EZNV-1891
AV Avira (antivir): TR/Dldr.Upatre.D
AV BullGuard: Trojan.GenericKDV.1397324
AV CA (E-Trust Ino): Win32/Upatre.caDUOFB
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV ClamAV: Win.Trojan.Bublik-434
AV Dr. Web: Trojan.DownLoad.64693
AV Emsisoft: Trojan.GenericKDV.1397324
AV Eset (nod32): Win32/TrojanDownloader.Small.ABH
AV Fortinet: W32/Bublik.AEOV!tr
AV Frisk (f-prot): W32/Trojan3.GLZ
AV F-Secure: Trojan.GenericKDV.1397324
AV Grisoft (avg): Generic_r.DEJ
AV Ikarus: Trojan-Spy.Zbot
AV K7: Trojan-Downloader ( 0040f6c11 )
AV Kaspersky 2015: Trojan.Win32.Bublik.bkiu
AV MalwareBytes: Trojan.Email.FA
AV Mcafee: Downloader-FSH!0E9DD5803E4B
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.E
AV MicroWorld (escan): Trojan.GenericKDV.1397324
AV Rising: Trojan.DL.Win32.Waski.g
AV Sophos: Troj/Agent-AERX
AV Symantec: Downloader
AV Trend Micro: TROJ_IN.2991C492
AV VirusBlokAda (vba32): TrojanDownloader.Small
AV Kaspersky: Trojan.Win32.Bublik.bkiu
AV Zillya!: Trojan.Bublik.Win32.12611

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\defi.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\defi.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\defi.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: cid2012.com
Winsock DNS: matteblackpaint.com

Network Details:

DNS: cid2012.com (Type: A) ➝ 174.121.8.194
DNS: matteblackpaint.com (Type: A) ➝ 54.208.247.222
Flows TCP: 192.168.1.1:1031 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1032 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1033 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1034 ➝ 174.121.8.194:443
Flows TCP: 192.168.1.1:1035 ➝ 54.208.247.222:443
Flows TCP: 192.168.1.1:1036 ➝ 54.208.247.222:443
Flows TCP: 192.168.1.1:1037 ➝ 54.208.247.222:443
Flows TCP: 192.168.1.1:1038 ➝ 54.208.247.222:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.

Strings