Analysis Date2016-01-28 03:43:11
MD5d8f78ad4e3ee402dfb235167922df29e
SHA1c392d28402362081810c74f65914c17d82d56478

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386
Section.texto md5: ba01813fdd25db1b9b52307e6909e588 sha1: bd378906afc176bfc8b58f4e65276e9650d7b5c0 size: 8192
Sectiondata md5: 6b0fba3f2ede3dcff19782cc45a583a9 sha1: ed4b7feba07f65448aed4dcc55764d2a15ade268 size: 9728
Sectionrs26 md5: ce323b2cc15bb5869435e4e30a0f8fa6 sha1: 419dc5288cce4a63558a3e1bd90d2f99fe466d50 size: 26624
Timestamp2004-03-13 01:22:10
PEhash0824390ad2a04e052c236152d42825299e958ba9
IMPhash2a92c6b4b47b3cefa65bf2087e247cee
AVRisingNo Virus
AVMcafeeUpatre-FACE!D8F78AD4E3EE
AVAvira (antivir)TR/AD.Yarwi.Y.706
AVTwisterTrojan.DOMG.opkh
AVAd-AwareTrojan.Generic.15744318
AVAlwil (avast)Win32:Malware-gen
AVEset (nod32)Win32/Kryptik.DROP
AVGrisoft (avg)Crypt_s.IXJ
AVSymantecDownloader.Upatre!gen9
AVFortinetW32/Waski.F!tr
AVBitDefenderTrojan.Generic.15744318
AVK7Trojan ( 004c98be1 )
AVMicrosoft Security EssentialsPWS:Win32/Dyzap
AVMicroWorld (escan)Trojan.Upatre.Gen.2
AVMalwareBytesTrojan.Upatre
AVAuthentiumW32/S-69a2908e!Eldorado
AVFrisk (f-prot)No Virus
AVIkarusTrojan.Win32.Crypt
AVEmsisoftTrojan.Generic.15744318
AVZillya!Downloader.Upatre.Win32.48845
AVKasperskyTrojan.Win32.Generic
AVTrend MicroTROJ_UPATRE.SM37
AVCAT (quickheal)TrjnDwnlder.Upatre.MUE.BC3
AVVirusBlokAda (vba32)No Virus
AVBullGuardTrojan.Generic.15744318
AVArcabit (arcavir)Trojan.Generic.15744318
AVClamAVWin.Trojan.Upatre-6078
AVDr. WebTrojan.Upatre.6653
AVF-SecureTrojan.Generic.15744318
AVCA (E-Trust Ino)No Virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS94.154.107.172
Winsock DNS68.70.242.203
Winsock DNS84.246.161.47
Winsock DNS93.185.4.90
Winsock DNS76.84.81.120
Winsock DNS217.168.210.122
Winsock DNS64.111.36.52
Winsock DNS178.222.250.35
Winsock DNSicanhazip.com

Network Details:

DNSicanhazip.com
Type: A
45.32.200.23
DNSicanhazip.com
Type: A
104.238.162.182
HTTP GEThttp://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.35 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.35
HTTP GEThttp://93.185.4.90:12405/UGA1/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.35 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.35
Flows TCP192.168.1.1:1031 ➝ 45.32.200.23:80
Flows TCP192.168.1.1:1032 ➝ 93.185.4.90:12405
Flows TCP192.168.1.1:1033 ➝ 76.84.81.120:443
Flows TCP192.168.1.1:1034 ➝ 76.84.81.120:443
Flows TCP192.168.1.1:1035 ➝ 76.84.81.120:443
Flows TCP192.168.1.1:1036 ➝ 76.84.81.120:443
Flows TCP192.168.1.1:1037 ➝ 84.246.161.47:443
Flows TCP192.168.1.1:1038 ➝ 84.246.161.47:443
Flows TCP192.168.1.1:1039 ➝ 84.246.161.47:443
Flows TCP192.168.1.1:1040 ➝ 84.246.161.47:443
Flows TCP192.168.1.1:1041 ➝ 217.168.210.122:443
Flows TCP192.168.1.1:1042 ➝ 217.168.210.122:443
Flows TCP192.168.1.1:1043 ➝ 217.168.210.122:443
Flows TCP192.168.1.1:1044 ➝ 217.168.210.122:443
Flows TCP192.168.1.1:1045 ➝ 68.70.242.203:443
Flows TCP192.168.1.1:1046 ➝ 68.70.242.203:443
Flows TCP192.168.1.1:1047 ➝ 68.70.242.203:443
Flows TCP192.168.1.1:1048 ➝ 68.70.242.203:443
Flows TCP192.168.1.1:1049 ➝ 64.111.36.52:443
Flows TCP192.168.1.1:1050 ➝ 64.111.36.52:443
Flows TCP192.168.1.1:1051 ➝ 64.111.36.52:443
Flows TCP192.168.1.1:1052 ➝ 64.111.36.52:443
Flows TCP192.168.1.1:1053 ➝ 178.222.250.35:443
Flows TCP192.168.1.1:1054 ➝ 178.222.250.35:443
Flows TCP192.168.1.1:1055 ➝ 178.222.250.35:443
Flows TCP192.168.1.1:1056 ➝ 178.222.250.35:443
Flows TCP192.168.1.1:1057 ➝ 94.154.107.172:443
Flows TCP192.168.1.1:1058 ➝ 94.154.107.172:443

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e312920 4170706c 65576562   NT 6.1) AppleWeb
0x00000060 (00096)   4b69742f 3533352e 33352028 4b48544d   Kit/535.35 (KHTM
0x00000070 (00112)   4c2c206c 696b6520 4765636b 6f292043   L, like Gecko) C
0x00000080 (00128)   68726f6d 652f3434 2e302e32 3435352e   hrome/44.0.2455.
0x00000090 (00144)   38312053 61666172 692f3533 352e3335   81 Safari/535.35
0x000000a0 (00160)   0d0a486f 73743a20 6963616e 68617a69   ..Host: icanhazi
0x000000b0 (00176)   702e636f 6d0d0a43 61636865 2d436f6e   p.com..Cache-Con
0x000000c0 (00192)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x000000d0 (00208)   0d0a                                  ..

0x00000000 (00000)   47455420 2f554741 312f434f 4d505554   GET /UGA1/COMPUT
0x00000010 (00016)   45522d58 58585858 582f302f 35312d53   ER-XXXXXX/0/51-S
0x00000020 (00032)   50332f30 2f204854 54502f31 2e310d0a   P3/0/ HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 352e3020 2857696e 646f7773   lla/5.0 (Windows
0x00000050 (00080)   204e5420 362e3129 20417070 6c655765    NT 6.1) AppleWe
0x00000060 (00096)   624b6974 2f353335 2e333520 284b4854   bKit/535.35 (KHT
0x00000070 (00112)   4d4c2c20 6c696b65 20476563 6b6f2920   ML, like Gecko) 
0x00000080 (00128)   4368726f 6d652f34 342e302e 32343535   Chrome/44.0.2455
0x00000090 (00144)   2e383120 53616661 72692f35 33352e33   .81 Safari/535.3
0x000000a0 (00160)   350d0a48 6f73743a 2039332e 3138352e   5..Host: 93.185.
0x000000b0 (00176)   342e3930 3a313234 30350d0a 43616368   4.90:12405..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a                       che....

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings