Analysis Date: 2015-11-13 16:41:04
MD5: 58514e5f8ed9ccce6cdb7b65b9251d34
SHA1: cd1cfe1d5ae0d7545f4d93c3523509451bca19af

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: e9af925c227c52eedac734100d91ca04  sha1: 7096502bdf4e0b5877dd1040b8922463a67c0a94  size: 8192
Section .rdata  md5: e650fc4c0c9f77b39a13ea88fcd19bf2  sha1: 0909a07308e88f93af948a648ce98a84954f0554  size: 1024
Section .data   md5: b22b1aca73f48731835b0993fdfb6a0f  sha1: bd40e5e0d29fefe77078c4064b29273a901d06a9  size: 512
Section idata   md5: a474a6abda76f5a30bfd26c1a88a98a1  sha1: 35364bf7f9beca09ed5885735082a2849c7a4bcc  size: 2048
Section pdata   md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Section xdata   md5: 6ac62a03a34c0912688759938059dea7  sha1: aea6d366499e0236358ac4dcae08ec2567668aab  size: 1024
Section .rsrc   md5: e42f862d998d320d5b895d2adf50e07b  sha1: 934c6701e8e20efe5f7a887db98b5b847c4d8757  size: 10752
Timestamp: 2013-11-11 06:12:14
PEhash: 326c7f633b6df57c01a8187841d3a7afbc44d31a
IMPhash: 26f5feba9f88915899ef8220273d88c0
AV CA (E-Trust Ino): Win32/Zbot.HNB
AV Rising: no_virus
AV Mcafee: Obfuscated-FAEV!hb
AV Avira (antivir): TR/Dldr.Upatre.A.101
AV Twister: Trojan.10EF93DBC2310CB0
AV Ad-Aware: Trojan.GenericKD.1392517
AV Alwil (avast): Crypt-QDW [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Small.AAB
AV Grisoft (avg): Zbot.DJH
AV Symantec: Downloader
AV Fortinet: W32/Small.ABS!tr
AV BitDefender: Trojan.GenericKD.1392517
AV K7: Trojan ( 0001140e1 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1392517
AV MalwareBytes: Trojan.Downloader
AV Authentium: W32/Trojan.ORRT-1078
AV Frisk (f-prot): W32/Trojan3.GLD
AV Ikarus: Trojan.Win32.Badur
AV Emsisoft: Trojan.GenericKD.1392517
AV Zillya!: Trojan.Agent.Win32.432411
AV Kaspersky: Trojan.Win32.Agent.ibea
AV Trend Micro: TROJ_UPATRE.SMCF
AV CAT (quickheal): TrojanPWS.Zbot.Gen
AV VirusBlokAda (vba32): Trojan.Agent
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.1392517
AV Arcabit (arcavir): Trojan.GenericKD.1392517
AV ClamAV: Win.Trojan.Agent-845628
AV Dr. Web: Trojan.DownLoad.64688
AV F-Secure: Trojan:W32/Agent.DUOZ

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fina.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\fina.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\fina.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: ting-spa.com
Winsock DNS: christianos.com

Network Details:

DNS: ting-spa.com (Type: A) ➝ 50.56.218.189
DNS: christianos.com (Type: A) ➝ 202.146.219.9
Flows TCP: 192.168.1.1:1031 ➝ 50.56.218.189:443
Flows TCP: 192.168.1.1:1032 ➝ 50.56.218.189:443
Flows TCP: 192.168.1.1:1033 ➝ 50.56.218.189:443
Flows TCP: 192.168.1.1:1034 ➝ 50.56.218.189:443
Flows TCP: 192.168.1.1:1035 ➝ 202.146.219.9:443
Flows TCP: 192.168.1.1:1036 ➝ 202.146.219.9:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings