Analysis Date: 2015-11-20 21:18:32
MD5: a5740a287254540094b480cd0ff2bbee
SHA1: c2adf77056f16fcfb68edde616f4d464d598125d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text2 md5: 2bfaed42f6019bf120f9a60470199ee0 sha1: 01783161b773ca8dbd8b6caac8c539b0e8eba270 size: 7168
Section .DATA md5: 016da078d35043875055940a943b7f63 sha1: a5a375988a827700dce5492707dd3c0d70dc343f size: 11264
Section rSRc md5: d2470a2c0ef8318c61a59ca84614a580 sha1: c49ebbd792461dc8b6552a713d491103f1060449 size: 27136
Timestamp: 1997-10-25 21:19:52
PEhash: 1d7aeb3f0bd44352eb4a3af45c47d509ad4a1fb1
IMPhash: d525cf03e499d7b9c4da13f69d3229e5
AV Rising: Error Scanning File
AV Mcafee: Error Scanning File
AV Avira (antivir): Error Scanning File
AV Twister: Error Scanning File
AV Ad-Aware: Error Scanning File
AV Alwil (avast): Error Scanning File
AV Eset (nod32): Error Scanning File
AV Grisoft (avg): Error Scanning File
AV Symantec: Error Scanning File
AV Fortinet: Error Scanning File
AV BitDefender: Error Scanning File
AV K7: Error Scanning File
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BN
AV MicroWorld (escan): Trojan.Upatre.Gen.2
AV MalwareBytes: Error Scanning File
AV Authentium: Error Scanning File
AV Frisk (f-prot): Error Scanning File
AV Ikarus: Error Scanning File
AV Emsisoft: Error Scanning File
AV Zillya!: Error Scanning File
AV Kaspersky: Error Scanning File
AV Trend Micro: Error Scanning File
AV CAT (quickheal): TrjnDwnlder.Upatre.MUE.BC3
AV VirusBlokAda (vba32): Error Scanning File
AV Padvish: no_virus
AV BullGuard: Error Scanning File
AV Arcabit (arcavir): Error Scanning File
AV ClamAV: Error Scanning File
AV Dr. Web: Error Scanning File
AV F-Secure: Error Scanning File
AV CA (E-Trust Ino): Error Scanning File

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Rysmoon.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Rysmoon.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Rysmoon.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 81.93.205.218
Winsock DNS: 96.46.103.232
Winsock DNS: 66.215.30.118
Winsock DNS: 68.70.242.203
Winsock DNS: 38.65.142.12
Winsock DNS: 87.229.109.250
Winsock DNS: 81.93.205.251
Winsock DNS: icanhazip.com

Network Details:

DNS: icanhazip.com (Type: A) ➝ 64.182.208.185
DNS: icanhazip.com (Type: A) ➝ 64.182.208.184
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
HTTP GET: http://38.65.142.12:3/ON13/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Flows TCP: 192.168.1.1:1031 ➝ 64.182.208.185:80
Flows TCP: 192.168.1.1:1032 ➝ 38.65.142.12:3
Flows TCP: 192.168.1.1:1033 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1034 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1035 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1036 ➝ 81.93.205.218:443
Flows TCP: 192.168.1.1:1037 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1038 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1039 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1040 ➝ 81.93.205.251:443
Flows TCP: 192.168.1.1:1041 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1042 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1043 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1044 ➝ 87.229.109.250:443
Flows TCP: 192.168.1.1:1045 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1046 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1047 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1048 ➝ 96.46.103.232:443
Flows TCP: 192.168.1.1:1049 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1050 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1051 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1052 ➝ 68.70.242.203:443
Flows TCP: 192.168.1.1:1053 ➝ 66.215.30.118:443
Flows TCP: 192.168.1.1:1054 ➝ 66.215.30.118:443
Flows TCP: 192.168.1.1:1055 ➝ 66.215.30.118:443
Flows TCP: 192.168.1.1:1056 ➝ 66.215.30.118:443

Strings