| Analysis Date | 2015-10-28 00:01:11 |
|---|---|
| MD5 | 7fdd58bb6632ceb155964655ac6bee0f |
| SHA1 | bd40b350b836bf5305b3c6b5aa8bfb382cbf6672 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: 686740608f033142b324b9085bea2f7b sha1: 786fe907002bc3102d338aaef1381497b9fc4c31 size: 11264 | |
| Section | .data md5: d58f513819165f7d86252c27d9131ec4 sha1: 33305022d0d71eddee5af91ddd830272d1e99514 size: 6144 | |
| Section | .rsrc md5: 5c0d5f31002641ff80345b737320b9a0 sha1: 43218e05066380146124be207f3d2482ea8acf56 size: 14848 | |
| Timestamp | 2015-09-25 04:33:51 | |
| Version | FileVersion: 1, 0, 1, 5 CompanyName: CitizenSoft utils SpecialBuild: 270623468 LegalTrademarks: Copyright (C)2014 CitizenSoft ProductName: Citizen Utils ProductVersion: 1, 0, 1, 3 FileDescription: CitizenSoft utils OriginalFilename: Chanility.exe | |
| Packer | Microsoft Visual C++ 5.0 | |
| PEhash | 63252b87f843e0e6b4d7a3788728135309fcc18b | |
| IMPhash | 9f85bd3ffc37325b385df69cfa7a796a | |
| AV | CA (E-Trust Ino) | no_virus |
| AV | Rising | Trojan.Win32.Kryptik.af |
| AV | Mcafee | Downloader-FASG!7FDD58BB6632 |
| AV | Avira (antivir) | TR/Dldr.Upatre.IH |
| AV | Twister | TrojanDldr.Upatre.fij.dwow |
| AV | Ad-Aware | Trojan.Downloader.JRQD |
| AV | Alwil (avast) | Crypt-SAL [Trj] |
| AV | Eset (nod32) | Win32/Kryptik.DGBJ |
| AV | Grisoft (avg) | Crypt4.SQO |
| AV | Symantec | Downloader.Upatre!gen5 |
| AV | Fortinet | W32/Agent.BI!tr |
| AV | BitDefender | Trojan.Downloader.JRQD |
| AV | K7 | no_virus |
| AV | Microsoft Security Essentials | TrojanDownloader:Win32/Upatre |
| AV | MicroWorld (escan) | Trojan.Downloader.JRQD |
| AV | MalwareBytes | Trojan.Upatre |
| AV | Authentium | W32/Trojan.MGGW-2098 |
| AV | Frisk (f-prot) | W32/Trojan3.PDI |
| AV | Ikarus | Trojan.Injector |
| AV | Emsisoft | Trojan.Downloader.JRQD |
| AV | Zillya! | no_virus |
| AV | Kaspersky | Trojan-Downloader.Win32.Upatre.fij |
| AV | Trend Micro | TROJ_UP.70E37AF8 |
| AV | CAT (quickheal) | TrojanDwnldr.Upatre.FN4 |
| AV | VirusBlokAda (vba32) | TrojanDownloader.Upatre |
| AV | Padvish | no_virus |
| AV | BullGuard | Trojan.Downloader.JRQD |
| AV | Arcabit (arcavir) | Trojan.Downloader.JRQD |
| AV | ClamAV | no_virus |
| AV | Dr. Web | Trojan.DownLoader13.1888 |
| AV | F-Secure | Trojan.Downloader.JRQD |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\avodCCE2.log |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Deletes File | C:\malware.exe |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Winsock DNS | 77.233.186.165 |
| Winsock DNS | 109.196.204.142 |
| Winsock DNS | 81.7.109.65 |
| Winsock DNS | 217.12.59.234 |
| Winsock DNS | 95.80.123.41 |
| Winsock DNS | 91.240.97.66 |
| Winsock DNS | 195.218.251.42 |
| Winsock DNS | icanhazip.com |
| Winsock DNS | 91.240.97.70 |
Network Details:
| DNS | icanhazip.com Type: A 64.182.208.185 |
|---|---|
| DNS | icanhazip.com Type: A 64.182.208.184 |
| HTTP GET | http://icanhazip.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1) |
| HTTP GET | http://81.7.109.65:13360/SATAS112/COMPUTER-XXXXXX/0/51-SP3/0/ User-Agent: Mozilla/5.0 (Windows NT 6.1) |
| Flows TCP | 192.168.1.1:1031 ➝ 64.182.208.185:80 |
| Flows TCP | 192.168.1.1:1032 ➝ 81.7.109.65:13360 |
| Flows TCP | 192.168.1.1:1033 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1034 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1035 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1036 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1037 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1038 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1039 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1040 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1041 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1042 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1043 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1044 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1045 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1046 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1047 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1048 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1049 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1050 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1051 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1052 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1053 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1054 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1055 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1056 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1057 ➝ 91.240.97.66:443 |
| Flows TCP | 192.168.1.1:1058 ➝ 91.240.97.66:443 |
Raw Pcap
Strings
_
040B26E1
1, 0, 1, 3
1, 0, 1, 5
270623468
button
Chanility.exe
CitizenSoft utils
Citizen Utils
CompanyName
Copyright (C)2014 CitizenSoft
edit
FileDescription
FileVersion
iMainClass
iMainWindow
LegalTrademarks
Megator
MozeClass
OriginalFilename
ProductName
ProductVersion
QUIT
richedit
SpecialBuild
static
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
WindowApplication_B
0I&B*!,
,1E%'82&E1)
,1G+A
1&J,*N
1-L2NE%C
1O I;.&#P
*2D4>*
2 $EP8(N
2F>,L1"*K&
375M#)
3EG6AF
-3.*"G3F
49!*$2
4B2A13
%4PGG-
!59.+.
5M5A4 /7H2
5O$9G
=6 0'A/)
6$NI#7(
6P"N#3
*8$2=(
976M&K
;9C0=1H
9-NC.=F%",)J+"
_adjust_fdiv
B !!7)
"+'B>J
Bm.IdP
BO'J 2
C8+I:M*
C)I5#2&B1I$
_controlfp
CreateFileW
CreateWindowExW
`.data
DefWindowProcW
DestroyWindow
<D&GE216DK61
DispatchMessageW
Docused
-E)B"A#(
Eh0PhP
_except_handler3
:\*eylz
GetClientRect
GetCommandLineW
GetLastError
__getmainargs
GetMessageW
GetModuleFileNameW
GetModuleHandleA
GetProcessHeap
GetStartupInfoA
:<H$2.
;H "5#
>!HA B
HeapAlloc
.<I&< M
_initterm
$@$J :
,jdh0Q@
JF G"OCH$:
=JN-!,O1E'
KERNEL32.dll
K:%:)/IK:
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadLibraryA
LoadLibraryW
LoadStringW
lstrcatW
lstrcpyW
L# tgn
Modinga
MSVCRT.dll
nhFZy$
NKL%;A
Nodinga
Nodinge
O0&90C2
O>5PE4
;OC:7?
OK@)IL=
__p__acmdln
PathCompactPathExW
PathFileExistsW
PathFindExtensionW
PathFindFileNameW
PathIsDirectoryW
PathMatchSpecW
__p__commode
__p__fmode
PostQuitMessage
QiG,I@
Qiterational
RegisterClassExW
riched32.DLL
SendMessageW
__set_app_type
SetCurrentDirectoryW
__setusermatherr
SetWindowTextW
SHLWAPI.dll
ShowWindow
Socused
!This program cannot be run in DOS mode.
TranslateMessage
UpdateWindow
USER32.dll
vyyx{y
Witerational
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
xP@PZj
x{yuxvmpnnqqrusvyw
x{yx{y
ZjPPQZ@
ZjQPEE