Analysis Date: 2016-01-27 15:29:01
MD5: faeedef292a583fff2f2653555e4b5b8
SHA1: beadf1f7ad1c7fc36ac1dd41bb00f3ea8bfa8146

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 11e95f3c453ff2c3c3be83f53aaf63ff sha1: 5aef7428348d105204d7731d261ed42f50c7ae18 size: 11776
Section .rdata: md5: 144fcd833113606dcc7e13d7b695c248 sha1: 20626209352e635e7bc22a7f2310182a93f208bc size: 2560
Section .data: md5: d304b4ba28c507b3f2b6d9bd384fe624 sha1: 0fb71a3fd6e54e5439778a6ea32a4c896f0dafa4 size: 512
Section .rsrc: md5: d0a70f84cb1ad9ece009e02df9fd1008 sha1: 7379fe3d75305d610e2698310cd4bd2dd6ea047d size: 19456
Timestamp: 2014-11-27 20:33:52
Version:
LegalCopyright:
InternalName: WinappInternal
FileVersion: 1.1.2.17
CompanyName: Winapp
LegalTrademarks:
ProductName: Winapp
ProductVersion: 2.17
FileDescription: Winapp
OriginalFilename:
Packer: Borland Delphi 3.0 (???)
PEhash: 0f8a57570395a135adc6dd26f998669ad1231dbe
IMPhash: 7bf949ab44a3cf9f0993f4b5d8416436
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV McAfee: Upatre-FACX!FAEEDEF292A5
AV Avira (antivir): TR/Yarwi.cjamnc
AV Twister: Trojan.Girtk.DRNZ.wwge
AV Ad-Aware: Trojan.Generic.15752631
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.DRKU
AV Grisoft (avg): Crypt_s.IWZ
AV Symantec: Downloader.Upatre!gen5
AV Fortinet: No Virus
AV BitDefender: Trojan.Generic.15752631
AV K7: Trojan ( 004c97961 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BW
AV MicroWorld (escan): Trojan.Generic.15752631
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/S-2f97ae4d!Eldorado
AV Emsisoft: Trojan.Generic.15752631
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: Downloader.Upatre.Win32.47748
AV Kaspersky: Trojan-Downloader.Win32.Upatre.eccs
AV Trend Micro: TROJ_UPATRE.SM37
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): Trojan.Kadena.B4
AV BullGuard: Trojan.Generic.15752631
AV Arcabit (arcavir): Trojan.Generic.15752631
AV ClamAV: Win.Trojan.Upatre-5914
AV Dr. Web: Trojan.DownLoader15.55299
AV F-Secure: Trojan.Generic.15752631

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\osenbraw.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\osenbraw.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\osenbraw.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\checkip.dyndns[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: checkip.dyndns.org

Network Details:

DNS: checkip.dyndns.com (Type: A) ➝ 216.146.43.70
DNS: checkip.dyndns.com (Type: A) ➝ 91.198.22.70
DNS: checkip.dyndns.com (Type: A) ➝ 216.146.38.70
DNS: checkip.dyndns.org (Type: A)
HTTP GET: http://checkip.dyndns.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0