Analysis | #totalhash

Analysis Date	2016-01-28 03:43:11
MD5	d8f78ad4e3ee402dfb235167922df29e
SHA1	c392d28402362081810c74f65914c17d82d56478

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386
Section	.texto md5: ba01813fdd25db1b9b52307e6909e588 sha1: bd378906afc176bfc8b58f4e65276e9650d7b5c0 size: 8192
Section	data md5: 6b0fba3f2ede3dcff19782cc45a583a9 sha1: ed4b7feba07f65448aed4dcc55764d2a15ade268 size: 9728
Section	rs26 md5: ce323b2cc15bb5869435e4e30a0f8fa6 sha1: 419dc5288cce4a63558a3e1bd90d2f99fe466d50 size: 26624
Timestamp	2004-03-13 01:22:10
PEhash	0824390ad2a04e052c236152d42825299e958ba9
IMPhash	2a92c6b4b47b3cefa65bf2087e247cee
AV	Rising	No Virus
AV	Mcafee	Upatre-FACE!D8F78AD4E3EE
AV	Avira (antivir)	TR/AD.Yarwi.Y.706
AV	Twister	Trojan.DOMG.opkh
AV	Ad-Aware	Trojan.Generic.15744318
AV	Alwil (avast)	Win32:Malware-gen
AV	Eset (nod32)	Win32/Kryptik.DROP
AV	Grisoft (avg)	Crypt_s.IXJ
AV	Symantec	Downloader.Upatre!gen9
AV	Fortinet	W32/Waski.F!tr
AV	BitDefender	Trojan.Generic.15744318
AV	K7	Trojan ( 004c98be1 )
AV	Microsoft Security Essentials	PWS:Win32/Dyzap
AV	MicroWorld (escan)	Trojan.Upatre.Gen.2
AV	MalwareBytes	Trojan.Upatre
AV	Authentium	W32/S-69a2908e!Eldorado
AV	Frisk (f-prot)	No Virus
AV	Ikarus	Trojan.Win32.Crypt
AV	Emsisoft	Trojan.Generic.15744318
AV	Zillya!	Downloader.Upatre.Win32.48845
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	TROJ_UPATRE.SM37
AV	CAT (quickheal)	TrjnDwnlder.Upatre.MUE.BC3
AV	VirusBlokAda (vba32)	No Virus
AV	BullGuard	Trojan.Generic.15744318
AV	Arcabit (arcavir)	Trojan.Generic.15744318
AV	ClamAV	Win.Trojan.Upatre-6078
AV	Dr. Web	Trojan.Upatre.6653
AV	F-Secure	Trojan.Generic.15744318
AV	CA (E-Trust Ino)	No Virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS	94.154.107.172
Winsock DNS	68.70.242.203
Winsock DNS	84.246.161.47
Winsock DNS	93.185.4.90
Winsock DNS	76.84.81.120
Winsock DNS	217.168.210.122
Winsock DNS	64.111.36.52
Winsock DNS	178.222.250.35
Winsock DNS	icanhazip.com

Network Details:

DNS	icanhazip.com Type: A 45.32.200.23
DNS	icanhazip.com Type: A 104.238.162.182
HTTP GET	http://icanhazip.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.35 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.35
HTTP GET	http://93.185.4.90:12405/UGA1/COMPUTER-XXXXXX/0/51-SP3/0/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.35 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.35
Flows TCP	192.168.1.1:1031 ➝ 45.32.200.23:80
Flows TCP	192.168.1.1:1032 ➝ 93.185.4.90:12405
Flows TCP	192.168.1.1:1033 ➝ 76.84.81.120:443
Flows TCP	192.168.1.1:1034 ➝ 76.84.81.120:443
Flows TCP	192.168.1.1:1035 ➝ 76.84.81.120:443
Flows TCP	192.168.1.1:1036 ➝ 76.84.81.120:443
Flows TCP	192.168.1.1:1037 ➝ 84.246.161.47:443
Flows TCP	192.168.1.1:1038 ➝ 84.246.161.47:443
Flows TCP	192.168.1.1:1039 ➝ 84.246.161.47:443
Flows TCP	192.168.1.1:1040 ➝ 84.246.161.47:443
Flows TCP	192.168.1.1:1041 ➝ 217.168.210.122:443
Flows TCP	192.168.1.1:1042 ➝ 217.168.210.122:443
Flows TCP	192.168.1.1:1043 ➝ 217.168.210.122:443
Flows TCP	192.168.1.1:1044 ➝ 217.168.210.122:443
Flows TCP	192.168.1.1:1045 ➝ 68.70.242.203:443
Flows TCP	192.168.1.1:1046 ➝ 68.70.242.203:443
Flows TCP	192.168.1.1:1047 ➝ 68.70.242.203:443
Flows TCP	192.168.1.1:1048 ➝ 68.70.242.203:443
Flows TCP	192.168.1.1:1049 ➝ 64.111.36.52:443
Flows TCP	192.168.1.1:1050 ➝ 64.111.36.52:443
Flows TCP	192.168.1.1:1051 ➝ 64.111.36.52:443
Flows TCP	192.168.1.1:1052 ➝ 64.111.36.52:443
Flows TCP	192.168.1.1:1053 ➝ 178.222.250.35:443
Flows TCP	192.168.1.1:1054 ➝ 178.222.250.35:443
Flows TCP	192.168.1.1:1055 ➝ 178.222.250.35:443
Flows TCP	192.168.1.1:1056 ➝ 178.222.250.35:443
Flows TCP	192.168.1.1:1057 ➝ 94.154.107.172:443
Flows TCP	192.168.1.1:1058 ➝ 94.154.107.172:443

Raw Pcap

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e312920 4170706c 65576562   NT 6.1) AppleWeb
0x00000060 (00096)   4b69742f 3533352e 33352028 4b48544d   Kit/535.35 (KHTM
0x00000070 (00112)   4c2c206c 696b6520 4765636b 6f292043   L, like Gecko) C
0x00000080 (00128)   68726f6d 652f3434 2e302e32 3435352e   hrome/44.0.2455.
0x00000090 (00144)   38312053 61666172 692f3533 352e3335   81 Safari/535.35
0x000000a0 (00160)   0d0a486f 73743a20 6963616e 68617a69   ..Host: icanhazi
0x000000b0 (00176)   702e636f 6d0d0a43 61636865 2d436f6e   p.com..Cache-Con
0x000000c0 (00192)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x000000d0 (00208)   0d0a                                  ..

0x00000000 (00000)   47455420 2f554741 312f434f 4d505554   GET /UGA1/COMPUT
0x00000010 (00016)   45522d58 58585858 582f302f 35312d53   ER-XXXXXX/0/51-S
0x00000020 (00032)   50332f30 2f204854 54502f31 2e310d0a   P3/0/ HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 352e3020 2857696e 646f7773   lla/5.0 (Windows
0x00000050 (00080)   204e5420 362e3129 20417070 6c655765    NT 6.1) AppleWe
0x00000060 (00096)   624b6974 2f353335 2e333520 284b4854   bKit/535.35 (KHT
0x00000070 (00112)   4d4c2c20 6c696b65 20476563 6b6f2920   ML, like Gecko) 
0x00000080 (00128)   4368726f 6d652f34 342e302e 32343535   Chrome/44.0.2455
0x00000090 (00144)   2e383120 53616661 72692f35 33352e33   .81 Safari/535.3
0x000000a0 (00160)   350d0a48 6f73743a 2039332e 3138352e   5..Host: 93.185.
0x000000b0 (00176)   342e3930 3a313234 30350d0a 43616368   4.90:12405..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a                       che....

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

Strings