| Field | Value |
|---|---|
| Analysis Date | 2015-10-28 00:01:11 |
| MD5 | 7fdd58bb6632ceb155964655ac6bee0f |
| SHA1 | bd40b350b836bf5305b3c6b5aa8bfb382cbf6672 |
Static Details:

| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Timestamp | 2015-09-25 04:33:51 |
| Packer | Microsoft Visual C++ 5.0 |
| PEhash | 63252b87f843e0e6b4d7a3788728135309fcc18b |
| IMPhash | 9f85bd3ffc37325b385df69cfa7a796a |

Sections:

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | 686740608f033142b324b9085bea2f7b | 786fe907002bc3102d338aaef1381497b9fc4c31 | 11264 |
| .data | d58f513819165f7d86252c27d9131ec4 | 33305022d0d71eddee5af91ddd830272d1e99514 | 6144 |
| .rsrc | 5c0d5f31002641ff80345b737320b9a0 | 43218e05066380146124be207f3d2482ea8acf56 | 14848 |

Version info:

| Field | Value |
|---|---|
| FileVersion | 1, 0, 1, 5 |
| ProductVersion | 1, 0, 1, 3 |
| CompanyName | CitizenSoft utils |
| ProductName | Citizen Utils |
| FileDescription | CitizenSoft utils |
| OriginalFilename | Chanility.exe |
| LegalTrademarks | Copyright (C)2014 CitizenSoft |
| SpecialBuild | 270623468 |

AV detections:

| Engine | Result |
|---|---|
| CA (E-Trust Ino) | no_virus |
| Rising | Trojan.Win32.Kryptik.af |
| Mcafee | Downloader-FASG!7FDD58BB6632 |
| Avira (antivir) | TR/Dldr.Upatre.IH |
| Twister | TrojanDldr.Upatre.fij.dwow |
| Ad-Aware | Trojan.Downloader.JRQD |
| Alwil (avast) | Crypt-SAL [Trj] |
| Eset (nod32) | Win32/Kryptik.DGBJ |
| Grisoft (avg) | Crypt4.SQO |
| Symantec | Downloader.Upatre!gen5 |
| Fortinet | W32/Agent.BI!tr |
| BitDefender | Trojan.Downloader.JRQD |
| K7 | no_virus |
| Microsoft Security Essentials | TrojanDownloader:Win32/Upatre |
| MicroWorld (escan) | Trojan.Downloader.JRQD |
| MalwareBytes | Trojan.Upatre |
| Authentium | W32/Trojan.MGGW-2098 |
| Frisk (f-prot) | W32/Trojan3.PDI |
| Ikarus | Trojan.Injector |
| Emsisoft | Trojan.Downloader.JRQD |
| Zillya! | no_virus |
| Kaspersky | Trojan-Downloader.Win32.Upatre.fij |
| Trend Micro | TROJ_UP.70E37AF8 |
| CAT (quickheal) | TrojanDwnldr.Upatre.FN4 |
| VirusBlokAda (vba32) | TrojanDownloader.Upatre |
| Padvish | no_virus |
| BullGuard | Trojan.Downloader.JRQD |
| Arcabit (arcavir) | Trojan.Downloader.JRQD |
| ClamAV | no_virus |
| Dr. Web | Trojan.DownLoader13.1888 |
| F-Secure | Trojan.Downloader.JRQD |
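The static fields above (per-section MD5/SHA1, the COFF compile timestamp and the IMPhash) are cheap to recompute and worth recomputing before pivoting on them, because the timestamp is an unauthenticated field the author chose and the import hash depends on exact normalisation and import order. The following is an added example written for this page, not code from the sandbox that produced the report: a hand-written PE reader that derives the same three kinds of values with only the standard library. The image it parses is constructed inside the block (it is not the analysed sample); the import list fed to imphash() uses names visible in the Strings section below in an order assumed for illustration; and the compile timestamp is rendered as UTC, which the report does not state.

```python
"""Static PE triage helpers: section hashes, compile timestamp, import hash.

Added example for this page; not the sandbox's code.  The PE image parsed
here is CONSTRUCTED in memory (build_test_pe), not the analysed sample.
"""
import hashlib
import struct
from datetime import datetime, timezone

COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def hash_bytes(raw):
    """(md5, sha1) hex digests of a byte string."""
    return hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()


def parse_pe(data):
    """Return machine, PE32/PE32+, compile timestamp and per-section hashes.

    Raises ValueError for anything that is not a well-formed PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        (name, _vsize, _va, rawsize, rawptr, _r, _l, _nr, _nl,
         _flags) = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        if rawptr + rawsize > len(data):
            raise ValueError("section %r extends past end of file" % name)
        # SizeOfRawData == 0 (e.g. .bss) means no file bytes: hash of b"".
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        md5, sha1 = hash_bytes(raw)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": rawsize, "md5": md5, "sha1": sha1})
    # TimeDateStamp is an unsigned, unauthenticated field the author controls;
    # shown as UTC, which is an assumption (the report names no time zone).
    stamp_utc = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "timestamp": stamp_utc.strftime("%Y-%m-%d %H:%M:%S"),
            "sections": sections}


def looks_like_pe(data):
    """True if parse_pe() accepts the bytes, False on any parse failure."""
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False


def imphash(imports):
    """Import hash in the pefile/Mandiant form: lowercase 'module.symbol'
    pairs in import-table order, module extension stripped, ordinals as
    'ordN', joined with commas and MD5-hashed.  Order-sensitive by design."""
    parts = []
    for dll, sym in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        sym = "ord%d" % sym if isinstance(sym, int) else sym.lower()
        parts.append(dll + "." + sym)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# --- constructed PE32 image (not the sample) --------------------------------
TEXT_RAW = b"\x55\x8b\xec\x5d\xc3".ljust(0x200, b"\0")   # push ebp; mov ebp,esp; pop ebp; ret
DATA_RAW = b"constructed .data contents\0".ljust(0x200, b"\0")
COMPILE_STAMP = 1443155631   # 2015-09-25 04:33:51 if read as UTC (assumption)


def build_test_pe():
    """Assemble a minimal PE32 image with .text, .data and an empty .bss."""
    def sect(name, va, rawsize, rawptr, flags):
        return struct.pack(SECTION_HDR, name.ljust(8, b"\0"), rawsize or 0x100,
                           va, rawsize, rawptr, 0, 0, 0, 0, flags)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack(COFF_HDR, 0x14C, 3, COMPILE_STAMP, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")            # PE32 magic only
    table = (sect(b".text", 0x1000, len(TEXT_RAW), 0x200, 0x60000020)
             + sect(b".data", 0x2000, len(DATA_RAW), 0x400, 0xC0000040)
             + sect(b".bss", 0x3000, 0, 0, 0xC0000080))
    headers = (dos + coff + opt + table).ljust(0x200, b"\0")
    return headers + TEXT_RAW + DATA_RAW


# Import names visible in the Strings section; order assumed for illustration.
SAMPLE_IMPORTS = [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "LoadLibraryW"),
                  ("USER32.dll", "CreateWindowExW"), ("SHLWAPI.dll", "PathFileExistsW"),
                  ("MSVCRT.dll", "_initterm")]

if __name__ == "__main__":
    info = parse_pe(build_test_pe())
    print("compiled", info["timestamp"], "PE32+" if info["pe32plus"] else "PE32")
    for s in info["sections"]:
        print("%-6s md5: %s sha1: %s size: %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
    print("imphash", imphash(SAMPLE_IMPORTS))
```

Two practical points follow from the code. A section hash is only meaningful for sections that have raw bytes on disk, so an uninitialised section hashes to the digest of the empty string rather than to anything useful for pivoting. And because imphash() is order sensitive and strips only `.dll`, `.ocx` and `.sys`, a value computed with a different normalisation will not match the IMPhash in the table even for the same file; compare values only between tools that implement the same algorithm.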
Runtime Details:
Process
↳ C:\malware.exe

| Action | Target |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\avodCCE2.log |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\avodintstall.exe

| Action | Target |
|---|---|
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Deletes File | C:\malware.exe |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Winsock DNS | 77.233.186.165 |
| Winsock DNS | 109.196.204.142 |
| Winsock DNS | 81.7.109.65 |
| Winsock DNS | 217.12.59.234 |
| Winsock DNS | 95.80.123.41 |
| Winsock DNS | 91.240.97.66 |
| Winsock DNS | 195.218.251.42 |
| Winsock DNS | icanhazip.com |
| Winsock DNS | 91.240.97.70 |
Network Details:

| Type | Detail |
|---|---|
| DNS | icanhazip.com Type: A 64.182.208.185 |
| DNS | icanhazip.com Type: A 64.182.208.184 |
| HTTP GET | http://icanhazip.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1) |
| HTTP GET | http://81.7.109.65:13360/SATAS112/COMPUTER-XXXXXX/0/51-SP3/0/ User-Agent: Mozilla/5.0 (Windows NT 6.1) |
| Flows TCP | 192.168.1.1:1031 ➝ 64.182.208.185:80 |
| Flows TCP | 192.168.1.1:1032 ➝ 81.7.109.65:13360 |
| Flows TCP | 192.168.1.1:1033 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1034 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1035 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1036 ➝ 91.240.97.70:443 |
| Flows TCP | 192.168.1.1:1037 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1038 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1039 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1040 ➝ 109.196.204.142:443 |
| Flows TCP | 192.168.1.1:1041 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1042 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1043 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1044 ➝ 77.233.186.165:443 |
| Flows TCP | 192.168.1.1:1045 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1046 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1047 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1048 ➝ 95.80.123.41:443 |
| Flows TCP | 192.168.1.1:1049 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1050 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1051 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1052 ➝ 195.218.251.42:443 |
| Flows TCP | 192.168.1.1:1053 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1054 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1055 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1056 ➝ 217.12.59.234:443 |
| Flows TCP | 192.168.1.1:1057 ➝ 91.240.97.66:443 |
| Flows TCP | 192.168.1.1:1058 ➝ 91.240.97.66:443 |
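The runtime and network rows together describe a recognisable sequence: an external-IP lookup against icanhazip.com with a bare `Mozilla/5.0 (Windows NT 6.1)` User-Agent, a plaintext check-in on a non-standard port whose path carries a campaign tag, the sanitised hostname and an OS version, and then a walk through a hard-coded list of seven peers on 443 from consecutive source ports (1033 through 1058). The following added example (written for this page; it is not part of the report or of any vendor's tooling) turns that into detection logic and runs it over a constructed, Zeek-style connection log modelled on the flows above. The log format, the thresholds, the list of IP-echo services and the check-in path regex are all assumptions; the regex is derived from the single URI in this report and will need widening for other samples.

```python
"""Detection logic for the beaconing pattern in the report above.

Added example for this page, not the sandbox's or any vendor's code.  The
conn-log format and CONN_LOG lines are constructed (modelled on the Flows and
HTTP rows); thresholds, IP_ECHO_HOSTS and CHECKIN_PATH are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

IP_ECHO_HOSTS = {"icanhazip.com", "ifconfig.me", "checkip.amazonaws.com"}
# Shape of the one check-in URI seen here: /<tag>/<hostname>/<n>/<osver>-SP<n>/<n>/
CHECKIN_PATH = re.compile(r"^/[A-Z0-9]+/[^/]+/\d+/\d+-SP\d+/\d+/$")
WINDOW_SECONDS = 60      # fan-out window
MIN_DISTINCT_443 = 5     # distinct external peers on 443 inside the window


def parse_conn_log(text):
    """Whitespace-separated: ts src sport dst dport proto [host] [uri]."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        records.append({"ts": float(f[0]), "src": f[1], "sport": int(f[2]),
                        "dst": f[3], "dport": int(f[4]), "proto": f[5],
                        "host": f[6] if len(f) > 6 else None,
                        "uri": f[7] if len(f) > 7 else None})
    return records


def is_external(ip):
    return ipaddress.ip_address(ip).is_global


def detect(records):
    """Map src -> indicators for hosts that fan out to many 443 peers and
    show at least one corroborating indicator (IP-echo lookup, check-in on
    a non-standard port, or consecutive ephemeral source ports)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    findings = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda r: (r["ts"], r["sport"]))
        ind = {"ip_echo_lookup": False, "checkin_nonstd_port": None,
               "distinct_443_peers": 0, "sequential_ports": False}
        for r in conns:
            if r["host"] and r["host"].split(":")[0].lower() in IP_ECHO_HOSTS:
                ind["ip_echo_lookup"] = True
            if (r["uri"] and r["dport"] not in (80, 443, 8080)
                    and CHECKIN_PATH.match(r["uri"])):
                ind["checkin_nonstd_port"] = "%s:%d%s" % (r["dst"], r["dport"], r["uri"])
        tls = [r for r in conns if r["dport"] == 443 and is_external(r["dst"])]
        best = 0
        for i, first in enumerate(tls):          # sliding window over 443 conns
            peers = {r["dst"] for r in tls[i:] if r["ts"] - first["ts"] <= WINDOW_SECONDS}
            best = max(best, len(peers))
        ind["distinct_443_peers"] = best
        ports = [r["sport"] for r in tls]
        # One process walking a list opens sockets from adjacent ephemeral ports;
        # a gap of up to 2 tolerates an interleaved connection from elsewhere.
        ind["sequential_ports"] = len(ports) > 1 and all(
            0 < b - a <= 2 for a, b in zip(ports, ports[1:]))
        corroborating = (ind["ip_echo_lookup"] or ind["checkin_nonstd_port"]
                         or ind["sequential_ports"])
        if best >= MIN_DISTINCT_443 and corroborating:
            findings[src] = ind
    return findings


CONN_LOG = """\
# constructed: ts src sport dst dport proto [host] [uri]
1446000000.1 192.168.1.1 1031 64.182.208.185 80 tcp icanhazip.com /
1446000001.4 192.168.1.1 1032 81.7.109.65 13360 tcp 81.7.109.65 /SATAS112/COMPUTER-XXXXXX/0/51-SP3/0/
1446000002.0 192.168.1.1 1033 91.240.97.70 443 tcp
1446000002.3 192.168.1.1 1034 91.240.97.70 443 tcp
1446000002.6 192.168.1.1 1035 109.196.204.142 443 tcp
1446000002.9 192.168.1.1 1036 77.233.186.165 443 tcp
1446000003.2 192.168.1.1 1037 95.80.123.41 443 tcp
1446000003.5 192.168.1.1 1038 195.218.251.42 443 tcp
1446000003.8 192.168.1.1 1039 217.12.59.234 443 tcp
1446000004.1 192.168.1.1 1040 91.240.97.66 443 tcp
# a host that only checks its external IP and then talks to one site
1446000010.0 192.168.1.2 49152 64.182.208.185 80 tcp icanhazip.com /
1446000020.0 192.168.1.2 49170 91.240.97.70 443 tcp
1446000025.0 192.168.1.2 49171 91.240.97.70 443 tcp
"""

if __name__ == "__main__":
    for src, ind in detect(parse_conn_log(CONN_LOG)).items():
        print(src, ind)
```

The detector deliberately refuses to fire on the external-IP lookup alone: plenty of legitimate software asks an IP-echo service for the public address, so the second constructed host, which does that and then opens two connections to a single site, produces no finding. What singles out the sandbox host is the combination of the fan-out to many distinct peers on 443 inside one short window with at least one of the other indicators. Note also that the source address in the report, 192.168.1.1, is the sandbox's own client address and that the 443 peers are contacted four times each without any DNS lookup, which is why `is_external()` is applied to the literal destination IPs rather than to hostnames.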
Strings
_ 040B26E1 1, 0, 1, 3 1, 0, 1, 5 270623468 button Chanility.exe CitizenSoft utils Citizen Utils CompanyName Copyright (C)2014 CitizenSoft edit FileDescription FileVersion iMainClass iMainWindow LegalTrademarks Megator MozeClass OriginalFilename ProductName ProductVersion QUIT richedit SpecialBuild static StringFileInfo Translation VarFileInfo VS_VERSION_INFO WindowApplication_B 0I&B*!, ,1E%'82&E1) ,1G+A 1&J,*N 1-L2NE%C 1O I;.&#P *2D4>* 2 $EP8(N 2F>,L1"*K& 375M#) 3EG6AF -3.*"G3F 49!*$2 4B2A13 %4PGG- !59.+. 5M5A4 /7H2 5O$9G =6 0'A/) 6$NI#7( 6P"N#3 *8$2=( 976M&K ;9C0=1H 9-NC.=F%",)J+" _adjust_fdiv B !!7) "+'B>J Bm.IdP BO'J 2 C8+I:M* C)I5#2&B1I$ _controlfp CreateFileW CreateWindowExW `.data DefWindowProcW DestroyWindow <D&GE216DK61 DispatchMessageW Docused -E)B"A#( Eh0PhP _except_handler3 :\*eylz GetClientRect GetCommandLineW GetLastError __getmainargs GetMessageW GetModuleFileNameW GetModuleHandleA GetProcessHeap GetStartupInfoA :<H$2. ;H "5# >!HA B HeapAlloc .<I&< M _initterm $@$J : ,jdh0Q@ JF G"OCH$: =JN-!,O1E' KERNEL32.dll K:%:)/IK: LoadAcceleratorsW LoadCursorW LoadIconW LoadLibraryA LoadLibraryW LoadStringW lstrcatW lstrcpyW L# tgn Modinga MSVCRT.dll nhFZy$ NKL%;A Nodinga Nodinge O0&90C2 O>5PE4 ;OC:7? OK@)IL= __p__acmdln PathCompactPathExW PathFileExistsW PathFindExtensionW PathFindFileNameW PathIsDirectoryW PathMatchSpecW __p__commode __p__fmode PostQuitMessage QiG,I@ Qiterational RegisterClassExW riched32.DLL SendMessageW __set_app_type SetCurrentDirectoryW __setusermatherr SetWindowTextW SHLWAPI.dll ShowWindow Socused !This program cannot be run in DOS mode. 
TranslateMessage UpdateWindow USER32.dll vyyx{y Witerational _XcptFilter <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly> xP@PZj x{yuxvmpnnqqrusvyw x{yx{y ZjPPQZ@ ZjQPEE