Analysis Date: 2015-10-21 05:04:14
MD5: 311a6c02dfba9dc8520d2650f27a68d7
SHA1: b938f1828c44a35e224432565283e8a0f76ed5cc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section code — md5: 9e2ca113229982ab25b94853085933e6 sha1: ada35ac141498a96280d9485a95df0ea58034f80 size: 2560
Section .data — md5: 5d2bfff5cad1cfdf51c67ea0d028a8ab sha1: c79d86e5b981e14425253a66e39e1bb397a1e1b1 size: 11776
Section .rsrc — md5: 4ff98c10abb8b000cd80aaf08a3cc334 sha1: d9131369a446c9ee9164ed12d42e5b97c0b9b930 size: 27136
Section .reloc — md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .DAT — md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 1997-10-28 22:08:58
PEhash: b40a54967439991ab5828a5043375b38f7a2e249
IMPhash: bb993a486057964d5a9655d0992159ef
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Agent.BJHJ
AV Dr. Web: Trojan.Upatre.201
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Agent.BJHJ
AV BullGuard: Trojan.Agent.BJHJ
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Trojan.Agent.BJHJ
AV Ikarus: Trojan.Injector
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Authentium: W32/Upatre.E.gen!Eldorado
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Agent.BJHJ
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BC
AV K7: no_virus
AV BitDefender: Trojan.Agent.BJHJ
AV Fortinet: W32/Waski.F!tr
AV Symantec: Downloader.Upatre!gen9
AV Grisoft (avg): Downloader.Agent2.BXRJ
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Ad-Aware: Trojan.Agent.BJHJ
AV Twister: TrojanDldr.Upatre.fid.tosj
AV Avira (antivir): TR/Dldr.Waski.xzeg
AV Mcafee: Upatre-FAAR!311A6C02DFBA
AV Rising: no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tempB83F.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe

Network Details:

DNS icanhazip.com
Type: A
104.238.136.31
DNS icanhazip.com
Type: A
104.238.145.30
DNS icanhazip.com
Type: A
104.238.141.75
HTTP GET http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
HTTP GET http://81.7.109.65:13362/SATAS12/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Flows TCP 192.168.1.1:1031 ➝ 104.238.136.31:80
Flows TCP 192.168.1.1:1032 ➝ 81.7.109.65:13362
Flows TCP 192.168.1.1:1033 ➝ 91.240.97.66:443
Flows TCP 192.168.1.1:1034 ➝ 91.240.97.66:443
Flows TCP 192.168.1.1:1035 ➝ 91.240.97.66:443
Flows TCP 192.168.1.1:1036 ➝ 91.240.97.66:443
Flows TCP 192.168.1.1:1037 ➝ 91.240.97.38:443
Flows TCP 192.168.1.1:1038 ➝ 91.240.97.38:443
Flows TCP 192.168.1.1:1039 ➝ 91.240.97.38:443
Flows TCP 192.168.1.1:1040 ➝ 91.240.97.38:443
Flows TCP 192.168.1.1:1041 ➝ 46.151.130.90:443
Flows TCP 192.168.1.1:1042 ➝ 46.151.130.90:443
Flows TCP 192.168.1.1:1043 ➝ 46.151.130.90:443
Flows TCP 192.168.1.1:1044 ➝ 46.151.130.90:443
Flows TCP 192.168.1.1:1045 ➝ 91.240.97.64:443
Flows TCP 192.168.1.1:1046 ➝ 91.240.97.64:443
Flows TCP 192.168.1.1:1047 ➝ 91.240.97.64:443
Flows TCP 192.168.1.1:1048 ➝ 91.240.97.64:443
Flows TCP 192.168.1.1:1049 ➝ 91.240.97.54:443
Flows TCP 192.168.1.1:1050 ➝ 91.240.97.54:443
Flows TCP 192.168.1.1:1051 ➝ 91.240.97.54:443
Flows TCP 192.168.1.1:1052 ➝ 91.240.97.54:443
Flows TCP 192.168.1.1:1053 ➝ 80.87.220.102:443
Flows TCP 192.168.1.1:1054 ➝ 80.87.220.102:443
Flows TCP 192.168.1.1:1055 ➝ 80.87.220.102:443
Flows TCP 192.168.1.1:1056 ➝ 80.87.220.102:443
Flows TCP 192.168.1.1:1057 ➝ 91.240.97.45:443
Flows TCP 192.168.1.1:1058 ➝ 91.240.97.45:443


Strings
5&f,(&R?0
$7[|P.p
8Ni=%t
ACKMIOz
|ACKMIz
ACUIProviderInvokeUI
aL-xS-
AmpFactorToDB
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
B.data
BmQueryBounds
BmRelease
BmSaveToStream
|CAKMIz
CheckNetDrive
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
ConnectDlgProc
CreatePipe
CryptUIDlgCertMgr
CryptUIDlgFreeCAContext
CryptUIDlgSelectCA
CryptUIDlgSelectCertificateA
CryptUIDlgSelectCertificateFromStore
CryptUIDlgSelectCertificateW
CryptUIDlgSelectStoreA
CryptUIDlgSelectStoreW
CryptUIDlgViewContext
CryptUIDlgViewCRLA
CryptUIDlgViewCRLW
CryptUIDlgViewCTLA
CryptUIDlgViewCTLW
CryptUIDlgViewSignerInfoA
CryptUIDlgViewSignerInfoW
CRYPTUI.dll
c?(!T?%
DefCreate
DefCreateFromClip
DefCreateFromFile
DefCreateFromTemplate
DefCreateInvisible
DefLoadFromStream
DibChangeData
DibClone
DibCopy
DibDraw
DibEnumFormat
,dmXrX?
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DUserCastClass
DUserDeleteGadget
duser.DLL
:E;com;
EnumCalendarInfoW
ExitProcess
fmifs.dll
GetCommandLineA
GetCommState
GetOEMCP
GetVersionExW
GetWindowsDirectoryA
)gUWSg
&%h5KVDM
heio.h2\sbhtem3h\sys
IsRasmanProcess
i <XvQ^1|
/	Jz?a
kernel32.dll
,#kyaJ
lpk.dll
LpkEditControl
LpkGetCharacterPlacement
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
olecli32.dll
>p0!HNa;
PdhCreateSQLTablesW
pdh.dll
PdhEnumLogSetNamesA
PdhEnumLogSetNamesW
PdhEnumMachinesA
PdhEnumMachinesHA
PdhEnumMachinesHW
PdhEnumMachinesW
PdhEnumObjectItemsA
PdhEnumObjectItemsHA
PdhEnumObjectItemsHW
PdhEnumObjectItemsW
PdhEnumObjectsA
PdhEnumObjectsHA
PdhEnumObjectsHW
PdhEnumObjectsW
PdhExpandCounterPathA
pstorec.dll
PStoreCreateInstance
qB=9l|*
quartz.dll
QueryDeviceInformation
QueryDosDeviceA
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
</security>
<security>
TaL]Au7
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
v_][_+
wx-zN+(s
YAfjrq
( _Y][SQ
Y][SQ3