Analysis Date: 2015-11-12 13:11:42
MD5: 8ba74fc22dea6ac70a0f35ec16c508a3
SHA1: b3b93a09c600caab1e31f8773cf9dd30a9805173

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 437a3a0df74c6d315dacfa92bb316bb3 sha1: 4eb741bcc02e924394146b591813dd93c926fe5d size: 3584
Section .code: md5: 6770eaf16b1fa1a072d68091db239b69 sha1: 0a67691b3f7ad9ff31eebb9c3b9f851acb61f257 size: 512
Section .data: md5: 57f5c48195917e9cb31c02be508eb95b sha1: 8149ba90ca34af1b80db110b3dc3e06198723592 size: 7680
Section .idata: md5: 92026532075ae2b437cdc864b99c590c sha1: ab92df010afb71e17e77e8f8e22e82675953ddc8 size: 2560
Section .rsrc: md5: 046ec9f649212246e19792d8ce49ae9f sha1: 26cf1c076f95ee9a5c86afda72e81ee823209f1f size: 5632
Timestamp: 2003-09-17 01:37:06
Version:
  LegalCopyright: Copyright (C) 2011
  InternalName: go.exe
  FileVersion: 5.1.1.1
  CompanyName: MS Corp
  SpecialBuild:
  LegalTrademarks:
  FileDescrsiption: go.exe
  Comments:
  ProductName: Go
  ProductVersion: 5.1.1.1
  PrivateBuild:
  OriginalFilename: go.exe
Packer: Program Protector XP v1.0
PEhash: 8959da66eabb0ddf9080d01ff3fdac37d7090bcb
IMPhash: 92a943ee4a19b671211e8e896bab8035
AV: CA (E-Trust Ino): Win32/Upatre.TNfJfeD
AV: Rising: Trojan.Win32.Upatre.b
AV: Mcafee: Downloader-FVS!8BA74FC22DEA
AV: Avira (antivir): TR/Yarwi.A.1077
AV: Twister: Trojan.8EFD10AD67CD60B3
AV: Ad-Aware: Trojan.GenericKD.1386759
AV: Alwil (avast): Agent-ASRB [Trj]
AV: Eset (nod32): Win32/TrojanDownloader.Small.AAB
AV: Grisoft (avg): Patched_c.BHFC
AV: Symantec: Trojan.Zbot
AV: Fortinet: W32/Kryptik.PK!tr
AV: BitDefender: Trojan.GenericKD.1386759
AV: K7: Trojan-Downloader ( 00457c511 )
AV: Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV: MicroWorld (escan): Trojan.GenericKD.1386759
AV: MalwareBytes: Trojan.Dropper
AV: Authentium: W32/Trojan.AYUR-2029
AV: Frisk (f-prot): W32/Trojan3.GKY
AV: Ikarus: Trojan.Patched_c
AV: Emsisoft: Trojan.GenericKD.1386759
AV: Zillya!: No Virus
AV: Kaspersky: Trojan-Downloader.Win32.Small.cwrr
AV: Trend Micro: TROJ_UPATRE.SM37
AV: CAT (quickheal): TrojanDownloader.Upatre.A6
AV: VirusBlokAda (vba32): Trojan.Bublik
AV: Padvish: No Virus
AV: BullGuard: Trojan.GenericKD.1386759
AV: Arcabit (arcavir): Trojan.GenericKD.1386759
AV: ClamAV: Win.Trojan.Generickd-440
AV: Dr. Web: Trojan.DownLoad3.28161
AV: F-Secure: Trojan.GenericKD.1386759

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: seminyak-italian.com
Winsock DNS: indowines.net

Network Details:

DNS: seminyak-italian.com
  Type: A
  198.1.84.100
DNS: indowines.net
  Type: A
  198.1.84.101
Flows TCP: 192.168.1.1:1031 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1032 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1033 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1034 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1035 ➝ 198.1.84.101:443
Flows TCP: 192.168.1.1:1036 ➝ 198.1.84.101:443
Flows TCP: 192.168.1.1:1037 ➝ 198.1.84.101:443
Flows TCP: 192.168.1.1:1038 ➝ 198.1.84.101:443
Flows TCP: 192.168.1.1:1039 ➝ 198.1.84.100:443
Flows TCP: 192.168.1.1:1040 ➝ 198.1.84.100:443
