Analysis Date: 2015-11-16 21:37:36
MD5: d894ee4340f513aeb88d4930ab772125
SHA1: c3bd19129014b552e12b6bcb3e7b041247adcd10

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: code md5: a062b69250790950654de752df6228a1 sha1: 750600daf76825b35ef9c4fafab8fd134b39a987 size: 2560
Section: .data md5: 5d2bfff5cad1cfdf51c67ea0d028a8ab sha1: c79d86e5b981e14425253a66e39e1bb397a1e1b1 size: 11776
Section: .rsrc md5: 4ff98c10abb8b000cd80aaf08a3cc334 sha1: d9131369a446c9ee9164ed12d42e5b97c0b9b930 size: 27136
Section: .reloc md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section: .DAT md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 1997-10-28 22:08:58
PEhash: b40a54967439991ab5828a5043375b38f7a2e249
IMPhash: bb993a486057964d5a9655d0992159ef
AV Rising: 0x5936344b
AV Mcafee: Upatre-FAAR!D894EE4340F5
AV Avira (antivir): TR/Dldr.Waski.xzeg
AV Twister: TrojanDldr.Upatre.fid.tosj
AV Ad-Aware: Trojan.Agent.BJHJ
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Grisoft (avg): Downloader.Agent2.BXRJ
AV Symantec: Downloader.Upatre!gen9
AV Fortinet: W32/Waski.F!tr
AV BitDefender: Trojan.Agent.BJHJ
AV K7: Trojan-Downloader ( 004b8d561 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BC
AV MicroWorld (escan): Trojan.Agent.BJHJ
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Upatre.E.gen!Eldorado
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Ikarus: Trojan.Injector
AV Emsisoft: Trojan.Agent.BJHJ
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UP.610F9D6E
AV CAT (quickheal): TrojanDwnldr.Upatre.MUE.A5
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Padvish: no_virus
AV BullGuard: Trojan.Agent.BJHJ
AV Arcabit (arcavir): Trojan.Agent.BJHJ
AV ClamAV: no_virus
AV Dr. Web: Trojan.Upatre.201
AV F-Secure: Trojan.Agent.BJHJ
AV CA (E-Trust Ino): no_virus
AV Rising: 0x5936344b
AV Mcafee: Upatre-FAAR!D894EE4340F5
AV Avira (antivir): TR/Dldr.Waski.xzeg
AV Twister: TrojanDldr.Upatre.fid.tosj
AV Ad-Aware: Trojan.Agent.BJHJ
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Grisoft (avg): Downloader.Agent2.BXRJ
AV Symantec: Downloader.Upatre!gen9
AV Fortinet: W32/Waski.F!tr
AV BitDefender: Trojan.Agent.BJHJ
AV K7: Trojan-Downloader ( 004b8d561 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BC
AV MicroWorld (escan): Trojan.Agent.BJHJ
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Upatre.E.gen!Eldorado
AV Frisk (f-prot): W32/Upatre.E.gen!Eldorado
AV Ikarus: Trojan.Injector

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tempB83F.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\quinadet.exe

Network Details:

DNS: icanhazip.com
Type: A
64.182.208.184
DNS: icanhazip.com
Type: A
64.182.208.185
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
HTTP GET: http://81.7.109.65:13360/SATAS12/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Flows TCP: 192.168.1.1:1031 ➝ 64.182.208.184:80
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13360
Flows TCP: 192.168.1.1:1033 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1034 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1035 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1036 ➝ 91.240.97.66:443
Flows TCP: 192.168.1.1:1037 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1038 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1039 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1040 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1041 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1042 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1043 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1044 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1045 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1046 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1047 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1048 ➝ 91.240.97.64:443
Flows TCP: 192.168.1.1:1049 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1050 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1051 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1052 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1053 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1054 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1055 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1056 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1057 ➝ 91.240.97.45:443
Flows TCP: 192.168.1.1:1058 ➝ 91.240.97.45:443

Raw Pcap

Strings
5&f,(&R?0
$7[|P.p
8Ni=%t
ACKMIOz
|ACKMIz
ACUIProviderInvokeUI
aL-xS-
AmpFactorToDB
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
B.data
BmQueryBounds
BmRelease
BmSaveToStream
|CAKMIz
CheckNetDrive
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
ConnectDlgProc
CreatePipe
CryptUIDlgCertMgr
CryptUIDlgFreeCAContext
CryptUIDlgSelectCA
CryptUIDlgSelectCertificateA
CryptUIDlgSelectCertificateFromStore
CryptUIDlgSelectCertificateW
CryptUIDlgSelectStoreA
CryptUIDlgSelectStoreW
CryptUIDlgViewContext
CryptUIDlgViewCRLA
CryptUIDlgViewCRLW
CryptUIDlgViewCTLA
CryptUIDlgViewCTLW
CryptUIDlgViewSignerInfoA
CryptUIDlgViewSignerInfoW
CRYPTUI.dll
c?(!T?%
DefCreate
DefCreateFromClip
DefCreateFromFile
DefCreateFromTemplate
DefCreateInvisible
DefLoadFromStream
DibChangeData
DibClone
DibCopy
DibDraw
DibEnumFormat
,dmXrX?
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DUserCastClass
DUserDeleteGadget
duser.DLL
:E;com;
EnumCalendarInfoW
ExitProcess
fmifs.dll
GetCommandLineA
GetCommState
GetOEMCP
GetVersionExW
GetWindowsDirectoryA
)gUWSg
&%h5KVDM
heio.h2\sbhtem3h\sys
IsRasmanProcess
i <XvQ^1|
/	Jz?a
kernel32.dll
,#kyaJ
lpk.dll
LpkEditControl
LpkGetCharacterPlacement
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
olecli32.dll
>p0!HNa;
PdhCreateSQLTablesW
pdh.dll
PdhEnumLogSetNamesA
PdhEnumLogSetNamesW
PdhEnumMachinesA
PdhEnumMachinesHA
PdhEnumMachinesHW
PdhEnumMachinesW
PdhEnumObjectItemsA
PdhEnumObjectItemsHA
PdhEnumObjectItemsHW
PdhEnumObjectItemsW
PdhEnumObjectsA
PdhEnumObjectsHA
PdhEnumObjectsHW
PdhEnumObjectsW
PdhExpandCounterPathA
pstorec.dll
PStoreCreateInstance
qB=9l|*
quartz.dll
QueryDeviceInformation
QueryDosDeviceA
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
</security>
<security>
TaL]Au7
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
v_][_+
wx-zN+(s
YAfjrq
( _Y][SQ
Y][SQ3