Analysis Date2015-10-01 09:30:16
MD5bc5d9d6f0e43e535419036d9287f6173
SHA1cfa4a258129a273ff040100da44b79f8f8265253

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sectiontext md5: ab4159fe1dc8b78ec81f3b935d88b112 sha1: 85c7858b362f01131b727b45419a64ded18784ab size: 2560
Section.data md5: eab1ac24ee809d82661caf4a923e5cb7 sha1: 6f35a5cf2a693c94bb5fa632dc1577dc13641318 size: 11776
Section.rsrc md5: d45133d2d054e087d082602d14491f49 sha1: d6d934314d48f1b0cedb5470266951abd781cbf4 size: 26112
Section.reloc md5: 1db2a28fd8e57c4c464b350b65462d83 sha1: 1041e46c47a8f138924b81cb33da899bc58f7f0a size: 512
Section.DAT md5: c49efac0886490582f0dd8cb5fe6fbef sha1: caa096b62563f696b27f1560f30a7d6a30d95021 size: 512
Timestamp1997-10-28 22:08:58
PEhashfcc5aab56bee31ec645c989eebd1fea8fb919601
IMPhashc312bb98cf45e74c770b5ff6a8bd003b
AVCA (E-Trust Ino)no_virus
AVF-SecureTrojan.Agent.BJIS
AVDr. WebTrojan.Upatre.201
AVClamAVno_virus
AVArcabit (arcavir)Trojan.Agent.BJIS
AVBullGuardTrojan.Agent.BJIS
AVPadvishno_virus
AVVirusBlokAda (vba32)Trojan.AntiAV
AVCAT (quickheal)TrojanDwnldr.Upatre.MUE.A5
AVTrend MicroTROJ_UP.DB5F9D28
AVKasperskyTrojan.Win32.Generic
AVZillya!Trojan.AntiAV.Win32.6324
AVEmsisoftTrojan.Agent.BJIS
AVIkarusTrojan.Injector
AVFrisk (f-prot)W32/Upatre.E.gen
AVAuthentiumW32/Upatre.E.gen
AVMalwareBytesSpyware.Dyre
AVMicroWorld (escan)Trojan.Agent.BJIS
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre.BL
AVK7Trojan ( 004bebb91 )
AVBitDefenderTrojan.Agent.BJIS
AVFortinetW32/Waski.F!tr
AVSymantecTrojan.Gen.2
AVGrisoft (avg)Crypt4.TLF
AVEset (nod32)Win32/TrojanDownloader.Waski.F
AVAlwil (avast)Malware-gen:Win32:Malware-gen
AVAd-AwareTrojan.Agent.BJIS
AVTwisterTrojan.Generic.lbhj
AVAvira (antivir)TR/Kryptik.gtas
AVMcafeeUpatre-FABT!BC5D9D6F0E43
AVRisingno_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zil7812.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes FileC:\malware.exe
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS46.16.225.236
Winsock DNS81.7.109.65
Winsock DNS85.248.2.228
Winsock DNS95.80.123.41
Winsock DNS5.44.15.70
Winsock DNS128.0.85.11
Winsock DNS91.240.97.54
Winsock DNS46.151.130.90
Winsock DNSicanhazip.com

Network Details:

DNSicanhazip.com
Type: A
104.238.145.30
DNSicanhazip.com
Type: A
104.238.136.31
DNSicanhazip.com
Type: A
104.238.141.75
HTTP GEThttp://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
HTTP GEThttp://81.7.109.65:13402/WANS22/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Flows TCP192.168.1.1:1031 ➝ 104.238.145.30:80
Flows TCP192.168.1.1:1032 ➝ 81.7.109.65:13402
Flows TCP192.168.1.1:1033 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1034 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1035 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1036 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1037 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1038 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1039 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1040 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1041 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1042 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1043 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1044 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1045 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1046 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1047 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1048 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1049 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1050 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1051 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1052 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1053 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1054 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1055 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1056 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1057 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1058 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1059 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1060 ➝ 46.151.130.90:443

Raw Pcap

Strings
1uaChn
+[2u{o3er
3\caJR
93}kWsy
9?b5%8
AB@CGF
AmpFactorToDB
(|A;S)$
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
authz.dll
AuthzFreeAuditEvent
AuthziAllocateAuditParams
AuthziFreeAuditEventType
AuthziFreeAuditParams
AuthziFreeAuditQueue
AuthziInitializeAuditEvent
AuthziInitializeAuditEventType
AuthziInitializeAuditParams
AuthziInitializeAuditParamsFromArray
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditQueue
AuthziLogAuditEvent
AuthziModifyAuditEvent
AuthziModifyAuditEventType
AuthziModifyAuditQueue
AuthziSourceAudit
avicap32.DLL
B@CFG"
B@CGFw
B.data
C^AD6+
capCreateCaptureWindowA
capGetDriverDescriptionA
CFGMGR32.dll
CM_Add_Empty_Log_Conf
CM_Add_Empty_Log_Conf_Ex
CM_Add_IDA
CM_Add_ID_ExA
CM_Add_ID_ExW
CM_Add_IDW
CM_Add_Range
CM_Add_Res_Des
CM_Add_Res_Des_Ex
CM_Connect_MachineA
CM_Connect_MachineW
CM_Create_DevNodeA
CMP_Init_Detection
c;M.Z=
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CreateMutexA
DecodePointer
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
ExitProcess
GetCommandLineA
GetCommState
GetOEMCP
GetWindowsDirectoryA
h.dllhtsrv
I+Ihvr
IsRasmanProcess
j	~\ay
kernel32.dll
*k\R#G
#l3\Gl
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
/M(V_O{
N5!\E^
NDdeApi.dll
NDdeGetErrorStringA
netapi32.dll
NOKHJI
!&O_6F
pstorec.dll
PStoreCreateInstance
quartz.dll
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
S&9T/7
</security>
<security>
SetErrorMode
SetFilePointer
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
uem3JRh\sys
W*e51d
-X}`&(]2
xB2j!5J1
X,UR6s
\z|fY3