Analysis Date: 2015-11-05 03:54:02
MD5: 3c5b696f9f040f6fe7997a840d87119f
SHA1: c3507d12358c0d2ab9b0a83f0021e0d1b19df1fe

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1c9cabde003cd2afaef2c7fb4b76b48c sha1: 61a77d0a99d52d4a9b21c3f7a18db60b10cc598b size: 28672
Section .rdata md5: 6887751f7831e76f446e9e9a1f816849 sha1: 96e310b2e49ac024f58d5a98b8d5420bd36320d4 size: 4096
Section .data md5: c84eea1a2b9ebefdda83a7c2f706c28b sha1: 3d92ba3a360ffb2e598045336add492aa329a872 size: 40960
Section .rsrc md5: 6359f4503cf69f71b214c66184325a0d sha1: 721a314ff4a279cbc0c1028342f30c309329e132 size: 24576
Timestamp: 1982-06-30 16:40:32
Version: FileVersion: 1, 7, 4, 9
ProductVersion: 1, 0, 4, 9
Packer: Microsoft Visual C++ v6.0
PEhash: e80522232b54c328594b82b2e35df4909f142724
IMPhash: c198dc513ea205655d29d5d9e3512721
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Downloader.JRQQ
AV Dr. Web: Trojan.Upatre.201
AV ClamAV: Win.Trojan.Upatre-3924
AV Arcabit (arcavir): Trojan.Downloader.JRQQ
AV BullGuard: Trojan.Downloader.JRQQ
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): TrojanDownloader.Upatre.RF4
AV Trend Micro: TROJ_UPATRE.SMJY
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fio
AV Zillya!: Downloader.Upatre.Win32.22825
AV Emsisoft: Trojan.Downloader.JRQQ
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): W32/Downldr2.IZRA
AV Authentium: W32/Downloader.WBWB-6032
AV MalwareBytes: Trojan.Upatre.VM4
AV MicroWorld (escan): Trojan.Downloader.JRQQ
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre!rfn
AV K7: Trojan ( 004beadd1 )
AV BitDefender: Trojan.Downloader.JRQQ
AV Fortinet: W32/Waski.HL!tr
AV Symantec: Downloader.Upatre!g14
AV Grisoft (avg): Crypt4.TBP
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Alwil (avast): Kryptik-PJI [Trj]
AV Ad-Aware: Trojan.Downloader.JRQQ
AV Twister: TrojanDldr.Upatre.fio.khjv
AV Avira (antivir): TR/Crypt.Xpack.173447
AV Mcafee: Downloader-FATE!3C5B696F9F04
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DIDASD9BC.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UlnAKO3o.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\UlnAKO3o.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\UlnAKO3o.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 91.240.97.71
Winsock DNS: 109.196.204.142
Winsock DNS: 81.7.109.65
Winsock DNS: 91.240.97.38
Winsock DNS: 217.12.59.234
Winsock DNS: 80.87.220.102
Winsock DNS: 46.151.130.90
Winsock DNS: icanhazip.com
Winsock DNS: 91.240.97.36

Network Details:

DNS: icanhazip.com
Type: A
64.182.208.185
DNS: icanhazip.com
Type: A
64.182.208.184
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1)
HTTP GET: http://81.7.109.65:13382/TUSR13/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Flows TCP: 192.168.1.1:1031 ➝ 64.182.208.185:80
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13382
Flows TCP: 192.168.1.1:1033 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1034 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1035 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1036 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1037 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1038 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1039 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1040 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1041 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1042 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1043 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1044 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1045 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1046 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1047 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1048 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1049 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1050 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1051 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1052 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1053 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1054 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1055 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1056 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1057 ➝ 109.196.204.142:443
Flows TCP: 192.168.1.1:1058 ➝ 109.196.204.142:443

Strings