Analysis Date2015-10-28 00:01:11
MD57fdd58bb6632ceb155964655ac6bee0f
SHA1bd40b350b836bf5305b3c6b5aa8bfb382cbf6672

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 686740608f033142b324b9085bea2f7b sha1: 786fe907002bc3102d338aaef1381497b9fc4c31 size: 11264
Section.data md5: d58f513819165f7d86252c27d9131ec4 sha1: 33305022d0d71eddee5af91ddd830272d1e99514 size: 6144
Section.rsrc md5: 5c0d5f31002641ff80345b737320b9a0 sha1: 43218e05066380146124be207f3d2482ea8acf56 size: 14848
Timestamp2015-09-25 04:33:51
VersionFileVersion: 1, 0, 1, 5
CompanyName: CitizenSoft utils
SpecialBuild: 270623468
LegalTrademarks: Copyright (C)2014 CitizenSoft
ProductName: Citizen Utils
ProductVersion: 1, 0, 1, 3
FileDescription: CitizenSoft utils
OriginalFilename: Chanility.exe
PackerMicrosoft Visual C++ 5.0
PEhash63252b87f843e0e6b4d7a3788728135309fcc18b
IMPhash9f85bd3ffc37325b385df69cfa7a796a
AVCA (E-Trust Ino)no_virus
AVRisingTrojan.Win32.Kryptik.af
AVMcafeeDownloader-FASG!7FDD58BB6632
AVAvira (antivir)TR/Dldr.Upatre.IH
AVTwisterTrojanDldr.Upatre.fij.dwow
AVAd-AwareTrojan.Downloader.JRQD
AVAlwil (avast)Crypt-SAL [Trj]
AVEset (nod32)Win32/Kryptik.DGBJ
AVGrisoft (avg)Crypt4.SQO
AVSymantecDownloader.Upatre!gen5
AVFortinetW32/Agent.BI!tr
AVBitDefenderTrojan.Downloader.JRQD
AVK7no_virus
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre
AVMicroWorld (escan)Trojan.Downloader.JRQD
AVMalwareBytesTrojan.Upatre
AVAuthentiumW32/Trojan.MGGW-2098
AVFrisk (f-prot)W32/Trojan3.PDI
AVIkarusTrojan.Injector
AVEmsisoftTrojan.Downloader.JRQD
AVZillya!no_virus
AVKasperskyTrojan-Downloader.Win32.Upatre.fij
AVTrend MicroTROJ_UP.70E37AF8
AVCAT (quickheal)TrojanDwnldr.Upatre.FN4
AVVirusBlokAda (vba32)TrojanDownloader.Upatre
AVPadvishno_virus
AVBullGuardTrojan.Downloader.JRQD
AVArcabit (arcavir)Trojan.Downloader.JRQD
AVClamAVno_virus
AVDr. WebTrojan.DownLoader13.1888
AVF-SecureTrojan.Downloader.JRQD

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\avodCCE2.log
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes FileC:\malware.exe
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS77.233.186.165
Winsock DNS109.196.204.142
Winsock DNS81.7.109.65
Winsock DNS217.12.59.234
Winsock DNS95.80.123.41
Winsock DNS91.240.97.66
Winsock DNS195.218.251.42
Winsock DNSicanhazip.com
Winsock DNS91.240.97.70

Network Details:

DNSicanhazip.com
Type: A
64.182.208.185
DNSicanhazip.com
Type: A
64.182.208.184
HTTP GEThttp://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1)
HTTP GEThttp://81.7.109.65:13360/SATAS112/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Flows TCP192.168.1.1:1031 ➝ 64.182.208.185:80
Flows TCP192.168.1.1:1032 ➝ 81.7.109.65:13360
Flows TCP192.168.1.1:1033 ➝ 91.240.97.70:443
Flows TCP192.168.1.1:1034 ➝ 91.240.97.70:443
Flows TCP192.168.1.1:1035 ➝ 91.240.97.70:443
Flows TCP192.168.1.1:1036 ➝ 91.240.97.70:443
Flows TCP192.168.1.1:1037 ➝ 109.196.204.142:443
Flows TCP192.168.1.1:1038 ➝ 109.196.204.142:443
Flows TCP192.168.1.1:1039 ➝ 109.196.204.142:443
Flows TCP192.168.1.1:1040 ➝ 109.196.204.142:443
Flows TCP192.168.1.1:1041 ➝ 77.233.186.165:443
Flows TCP192.168.1.1:1042 ➝ 77.233.186.165:443
Flows TCP192.168.1.1:1043 ➝ 77.233.186.165:443
Flows TCP192.168.1.1:1044 ➝ 77.233.186.165:443
Flows TCP192.168.1.1:1045 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1046 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1047 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1048 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1049 ➝ 195.218.251.42:443
Flows TCP192.168.1.1:1050 ➝ 195.218.251.42:443
Flows TCP192.168.1.1:1051 ➝ 195.218.251.42:443
Flows TCP192.168.1.1:1052 ➝ 195.218.251.42:443
Flows TCP192.168.1.1:1053 ➝ 217.12.59.234:443
Flows TCP192.168.1.1:1054 ➝ 217.12.59.234:443
Flows TCP192.168.1.1:1055 ➝ 217.12.59.234:443
Flows TCP192.168.1.1:1056 ➝ 217.12.59.234:443
Flows TCP192.168.1.1:1057 ➝ 91.240.97.66:443
Flows TCP192.168.1.1:1058 ➝ 91.240.97.66:443

Raw Pcap

Strings
_

040B26E1
1, 0, 1, 3
1, 0, 1, 5
270623468
button
Chanility.exe
CitizenSoft utils
Citizen Utils
CompanyName
Copyright (C)2014 CitizenSoft
edit
FileDescription
FileVersion
iMainClass
iMainWindow
LegalTrademarks
Megator
	MozeClass
OriginalFilename
ProductName
ProductVersion
QUIT
richedit
SpecialBuild
static
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
WindowApplication_B
0I&B*!,
,1E%'82&E1)
 ,1G+A
1&J,*N
1-L2NE%C
1O I;.&#P
*2D4>*
2 $EP8(N
2F>,L1"*K&
375M#)
3EG6AF
-3.*"G3F
49!*$2
4B2A13	
%4PGG-
!59.+.
5M5A4 /7H2
	5O$9G
=6	0'A/)
6$NI#7(
6P"N#3
*8$2=(
976M&K
;9C0=1H
9-NC.=F%",)J+"
_adjust_fdiv
B !!7)
"+'B>J
Bm.IdP
BO'J	2
C8+I:M*
C)I5#2&B1I$
_controlfp
CreateFileW
CreateWindowExW
`.data
DefWindowProcW
DestroyWindow
<D&GE216DK61
DispatchMessageW
Docused
-E)B"A#(
Eh0PhP
_except_handler3
:\*eylz
GetClientRect
GetCommandLineW
GetLastError
__getmainargs
GetMessageW
GetModuleFileNameW
GetModuleHandleA
GetProcessHeap
GetStartupInfoA
	:<H$2.
;H "5#
>!HA	B
HeapAlloc
.<I&<	M
_initterm
$@$J :
,jdh0Q@
JF G"OCH$:
=JN-!,O1E'
KERNEL32.dll
K:%:)/IK:
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadLibraryA
LoadLibraryW
LoadStringW
lstrcatW
lstrcpyW
L# tgn
Modinga
MSVCRT.dll
nhFZy$
NKL%;A
Nodinga
Nodinge
O0&90C2
O>5PE4
;OC:7?
OK@)IL=
__p__acmdln
PathCompactPathExW
PathFileExistsW
PathFindExtensionW
PathFindFileNameW
PathIsDirectoryW
PathMatchSpecW
__p__commode
__p__fmode
PostQuitMessage
QiG,I@
Qiterational
RegisterClassExW
riched32.DLL
SendMessageW
__set_app_type
SetCurrentDirectoryW
__setusermatherr
SetWindowTextW
SHLWAPI.dll
ShowWindow
Socused
!This program cannot be run in DOS mode.
TranslateMessage
UpdateWindow
USER32.dll
vyyx{y
Witerational
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>    <requestedPrivileges>     <requestedExecutionLevel  level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
xP@PZj
x{yuxvmpnnqqrusvyw
x{yx{y
ZjPPQZ@
ZjQPEE