Analysis Date | 2016-01-28 03:43:11 |
---|---|
MD5 | d8f78ad4e3ee402dfb235167922df29e |
SHA1 | c392d28402362081810c74f65914c17d82d56478 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 | |
---|---|---|
Section | .texto md5: ba01813fdd25db1b9b52307e6909e588 sha1: bd378906afc176bfc8b58f4e65276e9650d7b5c0 size: 8192 | |
Section | data md5: 6b0fba3f2ede3dcff19782cc45a583a9 sha1: ed4b7feba07f65448aed4dcc55764d2a15ade268 size: 9728 | |
Section | rs26 md5: ce323b2cc15bb5869435e4e30a0f8fa6 sha1: 419dc5288cce4a63558a3e1bd90d2f99fe466d50 size: 26624 | |
Timestamp | 2004-03-13 01:22:10 | |
PEhash | 0824390ad2a04e052c236152d42825299e958ba9 | |
IMPhash | 2a92c6b4b47b3cefa65bf2087e247cee | |
AV | Rising | No Virus |
AV | Mcafee | Upatre-FACE!D8F78AD4E3EE |
AV | Avira (antivir) | TR/AD.Yarwi.Y.706 |
AV | Twister | Trojan.DOMG.opkh |
AV | Ad-Aware | Trojan.Generic.15744318 |
AV | Alwil (avast) | Win32:Malware-gen |
AV | Eset (nod32) | Win32/Kryptik.DROP |
AV | Grisoft (avg) | Crypt_s.IXJ |
AV | Symantec | Downloader.Upatre!gen9 |
AV | Fortinet | W32/Waski.F!tr |
AV | BitDefender | Trojan.Generic.15744318 |
AV | K7 | Trojan ( 004c98be1 ) |
AV | Microsoft Security Essentials | PWS:Win32/Dyzap |
AV | MicroWorld (escan) | Trojan.Upatre.Gen.2 |
AV | MalwareBytes | Trojan.Upatre |
AV | Authentium | W32/S-69a2908e!Eldorado |
AV | Frisk (f-prot) | No Virus |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Emsisoft | Trojan.Generic.15744318 |
AV | Zillya! | Downloader.Upatre.Win32.48845 |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Trend Micro | TROJ_UPATRE.SM37 |
AV | CAT (quickheal) | TrjnDwnlder.Upatre.MUE.BC3 |
AV | VirusBlokAda (vba32) | No Virus |
AV | BullGuard | Trojan.Generic.15744318 |
AV | Arcabit (arcavir) | Trojan.Generic.15744318 |
AV | ClamAV | Win.Trojan.Upatre-6078 |
AV | Dr. Web | Trojan.Upatre.6653 |
AV | F-Secure | Trojan.Generic.15744318 |
AV | CA (E-Trust Ino) | No Virus |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe |
---|---|
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fashaxur.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Winsock DNS | 94.154.107.172 |
Winsock DNS | 68.70.242.203 |
Winsock DNS | 84.246.161.47 |
Winsock DNS | 93.185.4.90 |
Winsock DNS | 76.84.81.120 |
Winsock DNS | 217.168.210.122 |
Winsock DNS | 64.111.36.52 |
Winsock DNS | 178.222.250.35 |
Winsock DNS | icanhazip.com |
Network Details:
DNS | icanhazip.com Type: A 45.32.200.23 |
---|---|
DNS | icanhazip.com Type: A 104.238.162.182 |
HTTP GET | http://icanhazip.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.35 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.35 |
HTTP GET | http://93.185.4.90:12405/UGA1/COMPUTER-XXXXXX/0/51-SP3/0/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.35 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.35 |
Flows TCP | 192.168.1.1:1031 ➝ 45.32.200.23:80 |
Flows TCP | 192.168.1.1:1032 ➝ 93.185.4.90:12405 |
Flows TCP | 192.168.1.1:1033 ➝ 76.84.81.120:443 |
Flows TCP | 192.168.1.1:1034 ➝ 76.84.81.120:443 |
Flows TCP | 192.168.1.1:1035 ➝ 76.84.81.120:443 |
Flows TCP | 192.168.1.1:1036 ➝ 76.84.81.120:443 |
Flows TCP | 192.168.1.1:1037 ➝ 84.246.161.47:443 |
Flows TCP | 192.168.1.1:1038 ➝ 84.246.161.47:443 |
Flows TCP | 192.168.1.1:1039 ➝ 84.246.161.47:443 |
Flows TCP | 192.168.1.1:1040 ➝ 84.246.161.47:443 |
Flows TCP | 192.168.1.1:1041 ➝ 217.168.210.122:443 |
Flows TCP | 192.168.1.1:1042 ➝ 217.168.210.122:443 |
Flows TCP | 192.168.1.1:1043 ➝ 217.168.210.122:443 |
Flows TCP | 192.168.1.1:1044 ➝ 217.168.210.122:443 |
Flows TCP | 192.168.1.1:1045 ➝ 68.70.242.203:443 |
Flows TCP | 192.168.1.1:1046 ➝ 68.70.242.203:443 |
Flows TCP | 192.168.1.1:1047 ➝ 68.70.242.203:443 |
Flows TCP | 192.168.1.1:1048 ➝ 68.70.242.203:443 |
Flows TCP | 192.168.1.1:1049 ➝ 64.111.36.52:443 |
Flows TCP | 192.168.1.1:1050 ➝ 64.111.36.52:443 |
Flows TCP | 192.168.1.1:1051 ➝ 64.111.36.52:443 |
Flows TCP | 192.168.1.1:1052 ➝ 64.111.36.52:443 |
Flows TCP | 192.168.1.1:1053 ➝ 178.222.250.35:443 |
Flows TCP | 192.168.1.1:1054 ➝ 178.222.250.35:443 |
Flows TCP | 192.168.1.1:1055 ➝ 178.222.250.35:443 |
Flows TCP | 192.168.1.1:1056 ➝ 178.222.250.35:443 |
Flows TCP | 192.168.1.1:1057 ➝ 94.154.107.172:443 |
Flows TCP | 192.168.1.1:1058 ➝ 94.154.107.172:443 |
Raw Pcap
0x00000000 (00000) 47455420 2f204854 54502f31 2e310d0a GET / HTTP/1.1..
0x00000010 (00016) 41636365 70743a20 74657874 2f2a2c20 Accept: text/*,
0x00000020 (00032) 6170706c 69636174 696f6e2f 2a0d0a55 application/*..U
0x00000030 (00048) 7365722d 4167656e 743a204d 6f7a696c ser-Agent: Mozil
0x00000040 (00064) 6c612f35 2e302028 57696e64 6f777320 la/5.0 (Windows
0x00000050 (00080) 4e542036 2e312920 4170706c 65576562 NT 6.1) AppleWeb
0x00000060 (00096) 4b69742f 3533352e 33352028 4b48544d Kit/535.35 (KHTM
0x00000070 (00112) 4c2c206c 696b6520 4765636b 6f292043 L, like Gecko) C
0x00000080 (00128) 68726f6d 652f3434 2e302e32 3435352e hrome/44.0.2455.
0x00000090 (00144) 38312053 61666172 692f3533 352e3335 81 Safari/535.35
0x000000a0 (00160) 0d0a486f 73743a20 6963616e 68617a69 ..Host: icanhazi
0x000000b0 (00176) 702e636f 6d0d0a43 61636865 2d436f6e p.com..Cache-Con
0x000000c0 (00192) 74726f6c 3a206e6f 2d636163 68650d0a trol: no-cache..
0x000000d0 (00208) 0d0a ..

0x00000000 (00000) 47455420 2f554741 312f434f 4d505554 GET /UGA1/COMPUT
0x00000010 (00016) 45522d58 58585858 582f302f 35312d53 ER-XXXXXX/0/51-S
0x00000020 (00032) 50332f30 2f204854 54502f31 2e310d0a P3/0/ HTTP/1.1..
0x00000030 (00048) 55736572 2d416765 6e743a20 4d6f7a69 User-Agent: Mozi
0x00000040 (00064) 6c6c612f 352e3020 2857696e 646f7773 lla/5.0 (Windows
0x00000050 (00080) 204e5420 362e3129 20417070 6c655765 NT 6.1) AppleWe
0x00000060 (00096) 624b6974 2f353335 2e333520 284b4854 bKit/535.35 (KHT
0x00000070 (00112) 4d4c2c20 6c696b65 20476563 6b6f2920 ML, like Gecko)
0x00000080 (00128) 4368726f 6d652f34 342e302e 32343535 Chrome/44.0.2455
0x00000090 (00144) 2e383120 53616661 72692f35 33352e33 .81 Safari/535.3
0x000000a0 (00160) 350d0a48 6f73743a 2039332e 3138352e 5..Host: 93.185.
0x000000b0 (00176) 342e3930 3a313234 30350d0a 43616368 4.90:12405..Cach
0x000000c0 (00192) 652d436f 6e74726f 6c3a206e 6f2d6361 e-Control: no-ca
0x000000d0 (00208) 6368650d 0a0d0a che....

0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
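The Raw Pcap section above is the most useful part of this report for triage: the first request is an external-IP lookup to icanhazip.com, the second is a plaintext check-in to 93.185.4.90:12405 whose path carries the sandbox hostname and an OS version string, and the remaining payloads are the first few bytes of each port-443 connection. The script below is an added example, not part of the sandbox report, that parses the report's hexdump line format back into bytes, decodes the plaintext HTTP requests, flags the check-in path, and labels the truncated port-443 payloads. Assumptions: the check-in path pattern is generalised from the single URL on this page; reading `80 4c 01 03` as an SSLv2-format ClientHello record header is an interpretation of the four bytes the sandbox kept; the sample input is the page's own dump lines pasted into a constant.

```python
import re

# Constructed sample input: the check-in request and two of the truncated
# port-443 payloads, copied from the "Raw Pcap" section of this report in the
# sandbox's "0xOFFSET (DECIMAL) HEX-GROUPS ASCII" line format.
RAW_PCAP = """\
0x00000000 (00000) 47455420 2f554741 312f434f 4d505554 GET /UGA1/COMPUT
0x00000010 (00016) 45522d58 58585858 582f302f 35312d53 ER-XXXXXX/0/51-S
0x00000020 (00032) 50332f30 2f204854 54502f31 2e310d0a P3/0/ HTTP/1.1..
0x00000030 (00048) 55736572 2d416765 6e743a20 4d6f7a69 User-Agent: Mozi
0x00000040 (00064) 6c6c612f 352e3020 2857696e 646f7773 lla/5.0 (Windows
0x00000050 (00080) 204e5420 362e3129 20417070 6c655765 NT 6.1) AppleWe
0x00000060 (00096) 624b6974 2f353335 2e333520 284b4854 bKit/535.35 (KHT
0x00000070 (00112) 4d4c2c20 6c696b65 20476563 6b6f2920 ML, like Gecko)
0x00000080 (00128) 4368726f 6d652f34 342e302e 32343535 Chrome/44.0.2455
0x00000090 (00144) 2e383120 53616661 72692f35 33352e33 .81 Safari/535.3
0x000000a0 (00160) 350d0a48 6f73743a 2039332e 3138352e 5..Host: 93.185.
0x000000b0 (00176) 342e3930 3a313234 30350d0a 43616368 4.90:12405..Cach
0x000000c0 (00192) 652d436f 6e74726f 6c3a206e 6f2d6361 e-Control: no-ca
0x000000d0 (00208) 6368650d 0a0d0a che....
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
"""

# One dump line: hex offset, decimal offset, 1-4 hex groups of 1-4 bytes, ASCII.
LINE_RE = re.compile(
    r"^0x([0-9a-fA-F]{8}) \(\d+\)((?: (?:[0-9a-fA-F]{2}){1,4}){1,4})(?: |$)")

# Shape of the check-in path seen in this capture:
# /<tag>/<hostname>/<n>/<osver>-SP<n>/<n>/  (assumption: generalised from the
# single URL on this page, not a published family signature).
CHECKIN_PATH_RE = re.compile(r"^/[A-Za-z0-9]+/[^/\s]+/\d+/\d+-SP\d+/\d+/$")


def parse_hexdump(text):
    """Rebuild raw payloads; a new payload starts when the offset returns to 0."""
    payloads, current = [], bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        hexgroups = []
        for group in m.group(2).split():
            hexgroups.append(group)
            if len(group) < 8:      # a short group can only be the last one
                break
        if offset == 0 and current:
            payloads.append(bytes(current))
            current = bytearray()
        current += bytes.fromhex("".join(hexgroups))
    if current:
        payloads.append(bytes(current))
    return payloads


def parse_http_request(payload):
    """Split a plaintext HTTP request into request line and lower-cased headers."""
    head = payload.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify(payload):
    """Label one reconstructed payload the way an analyst reads this report."""
    if re.match(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n", payload):
        req = parse_http_request(payload)
        req["kind"] = "http-request"
        req["upatre_checkin"] = bool(CHECKIN_PATH_RE.match(req["path"]))
        return req
    # SSLv2-format record header: high bit set means a 2-byte header with a
    # 15-bit length, followed by the message type (0x01 = CLIENT-HELLO).
    # Older Windows Schannel clients wrapped their TLS ClientHello this way, so
    # 80 4c 01 03 on a :443 flow reads as the start of a TLS handshake; only
    # the first 3-4 bytes of each record survived in the report.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        length = ((payload[0] & 0x7F) << 8) | payload[1]
        return {"kind": "sslv2-client-hello", "record_length": length,
                "bytes_captured": len(payload)}
    return {"kind": "unknown", "bytes_captured": len(payload)}


def extract_iocs(text):
    """Return (per-payload labels, plaintext URLs) for a pasted Raw Pcap section."""
    labels = [classify(p) for p in parse_hexdump(text)]
    urls = ["http://" + r["headers"].get("host", "") + r["path"]
            for r in labels if r["kind"] == "http-request"]
    return labels, urls


if __name__ == "__main__":
    labels, urls = extract_iocs(RAW_PCAP)
    for label in labels:
        print(label)
    print("URLs:", urls)
```

Pasting the full Raw Pcap section into `RAW_PCAP` yields both plaintext URLs plus 26 short port-443 payloads, one per TCP flow listed under Network Details. The plaintext check-in URL and the icanhazip.com lookup are the detectable artefacts here; the port-443 traffic is only identifiable by destination IP, since the sandbox kept no more than the record header.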
Strings