Analysis Date: 2015-03-17 12:36:44
MD5: 8d4bed73b4d18ee5ce1c3b43903e6f04
SHA1: d793cff4a2083ef0e0da711e9d1dd11f259e23fc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: ba508891b6a03b8be3c6981e1bbf1dde  sha1: 55fbe48dac3ffec8de197bf5f9e1ba03aff590e9  size: 3072
Section .rdata  md5: 24216e017bf1fa74c1db7ddc5bb13cd4  sha1: 0d2a1f0a9f701e6d4980948187f2b78cde4279c7  size: 1536
Section .rsrc   md5: 7c6ce63d2681d3eb1240ad261653574c  sha1: 61f039fef6eba6dcf4fec2133712fb683add3f60  size: 13312
Timestamp: 2013-09-18 15:50:17
PEhash: f17c872c35b9cb748c0ac6637c9c9bb381a31d5a
IMPhash: 688ad82d47fe4314040aa0041646c921
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1273141
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.1273141
AV Authentium: W32/Trojan.YBHL-9309
AV Avira (antivir): TR/Dldr.Upatre.A.95
AV BullGuard: Trojan.GenericKD.1273141
AV CA (E-Trust Ino): Win32/Upatre.AW
AV CAT (quickheal): TrojanDownloader.Upatre.AP3
AV ClamAV: Win.Trojan.Agent-757206
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1273141
AV Eset (nod32): Win32/TrojanDownloader.Small.AAB
AV Fortinet: W32/Small.AABB!tr
AV Frisk (f-prot): W32/Trojan3.GAS
AV F-Secure: Trojan:W32/Agent.DUNP
AV Grisoft (avg): Luhe.Fiha.A
AV Ikarus: Virus.Win32.Zbot
AV K7: Trojan-Downloader ( 0040f6811 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Email.FA
AV Mcafee: Obfuscated-FRN!hb
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.GenericKD.1273141
AV Rising: no_virus
AV Sophos: Troj/Agent-ADQO
AV Symantec: Downloader.Trojan
AV Trend Micro: TROJ_UPATRE.SM37
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Fareit.2913

Of the 29 engines listed, 3 (360 Safe, Microsoft Security Essentials, Rising) report no detection. Four (Avira, CA, CAT, Trend Micro) name the Upatre downloader family; most of the rest use generic Trojan or Downloader signatures, so the family name should be taken from the named detections and the runtime behaviour below, not from the majority label.

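The per-section MD5/SHA1 values above are hashes of each section's raw on-disk bytes (the sizes 3072, 1536 and 13312 are all multiples of the 512-byte file alignment, i.e. SizeOfRawData), and the Timestamp is taken here to be the PE header's TimeDateStamp, which predates the 2015 analysis date by about 18 months. The following added example, not part of the original report, recomputes both from a PE file using only the standard library. It parses the DOS header, COFF header and section table, bounds-checks each section before hashing, and runs against a tiny two-section PE32 image that the code constructs in memory (a constructed stand-in for demonstration, not the analysed sample; the TimeDateStamp value 1379519417 is chosen so it renders as the report's 2013-09-18 15:50:17). PEhash and IMPhash are separate algorithms and are not computed here.

```python
"""Recompute PE compile timestamp and per-section MD5/SHA1 (added example)."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER = struct.Struct("<HHIIIHH")          # Machine .. Characteristics (20 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER (40 bytes)


def build_sample_pe() -> bytes:
    """Construct a minimal, non-executable two-section PE32 image (test input only)."""
    text, rdata = b"abc", b"hello"               # constructed section contents
    e_lfanew, opt_size = 0x40, 0xE0              # PE signature offset, PE32 optional header size
    sec_table = e_lfanew + 4 + COFF_HEADER.size + opt_size   # 0x138
    text_off, rdata_off = 0x200, 0x400
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    COFF_HEADER.pack_into(img, e_lfanew + 4,
                          0x14C,        # IMAGE_FILE_MACHINE_I386
                          2,            # NumberOfSections
                          1379519417,   # TimeDateStamp: 2013-09-18 15:50:17 UTC (assumed, matches report)
                          0, 0,         # PointerToSymbolTable, NumberOfSymbols
                          opt_size,
                          0x0102)       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<H", img, e_lfanew + 4 + COFF_HEADER.size, 0x10B)   # PE32 magic
    for i, (name, blob, off, chars) in enumerate([
            (b".text", text, text_off, 0x60000020),    # CODE | EXECUTE | READ
            (b".rdata", rdata, rdata_off, 0x40000040)]):  # INITIALIZED_DATA | READ
        SECTION_HEADER.pack_into(img, sec_table + i * SECTION_HEADER.size,
                                 name.ljust(8, b"\0"),
                                 len(blob),          # VirtualSize
                                 0x1000 * (i + 1),   # VirtualAddress
                                 len(blob),          # SizeOfRawData: the length that gets hashed
                                 off,                # PointerToRawData
                                 0, 0, 0, 0, chars)
        img[off:off + len(blob)] = blob
    return bytes(img)


def pe_static_details(data: bytes) -> dict:
    """Return machine, compile timestamp (UTC) and per-section hashes of the raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing")
    machine, nsec, ts, _, _, opt_size, _ = COFF_HEADER.unpack_from(data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + COFF_HEADER.size + opt_size
    sections = []
    for i in range(nsec):
        (name, _vsize, _va, raw_size, raw_ptr,
         _, _, _, _, _chars) = SECTION_HEADER.unpack_from(data, sec_off + i * SECTION_HEADER.size)
        # A crafted or truncated header must not make us hash bytes past the file end.
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r} extends past end of file")
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


if __name__ == "__main__":
    details = pe_static_details(build_sample_pe())
    print("Timestamp:", details["timestamp"])
    for s in details["sections"]:
        print(f"Section {s['name']}  md5: {s['md5']}  sha1: {s['sha1']}  size: {s['size']}")
```

Run `pe_static_details(open(path, "rb").read())` on a real file to compare against a report like this one; a mismatch on a section hash with an identical file hash means the report was produced from a different build than the one in hand.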
Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: talonstamed.com

Network Details:

DNS: talonstamed.com
  Type: A
  204.11.56.45
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.45:443

Raw Pcap (leading bytes of the captured payloads)

Each dump starts with a byte whose high bit is set, followed by a length byte and message type 0x01: that is the SSLv2-compatible CLIENT-HELLO record header (0x804c is a 76-byte record, 0x802b a 43-byte record), so the port 443 flows are consistent with an SSL/TLS handshake rather than a plaintext protocol. The dumps are truncated after three or four bytes, so the proposed protocol version and cipher list are not recoverable from this report.
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.
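The runtime and network entries above are the indicators a responder would pull from this report: the randomly named dropper copy in %TEMP%, the child process, the resolved domain and the repeated TCP/443 connections to one host. The following added example, not part of the original report, extracts them from lines in the report's "Label: value" form and decodes the leading pcap bytes as an SSLv2-style record header. The input lines are re-typed from the entries above (constructed input, so the block runs offline). It deliberately drops named pipes, \Device objects, the WinINet index.dat cache files and the c:!...! cache-directory mutexes, which WinINet creates for any process that uses it and which are therefore not useful indicators of this sample.

```python
"""Extract host/network IOCs from sandbox report lines (added example)."""
import re
from ipaddress import ip_address

# Constructed input: runtime and network entries re-typed from the report above.
REPORT_LINES = [l for l in r"""
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\hhcbrnaff.exe"
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: WininetConnectionMutex
Winsock DNS: talonstamed.com
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.45:443
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.45:443
""".splitlines() if l.strip()]

# Label may or may not be followed by ": " depending on how the report was exported.
ENTRY = re.compile(r"^(Creates File|Creates Process|Creates Mutex|Registry|Winsock DNS|DNS|Flows TCP):?\s*(.*)$")
FLOW = re.compile(r"^(\S+):(\d+)\s*➝\s*(\S+):(\d+)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def extract_iocs(lines):
    """Return dropped files, processes, mutexes, domains, flows and remote endpoints."""
    iocs = {"dropped_files": [], "processes": [], "mutexes": [],
            "domains": [], "flows": [], "registry": []}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        label, value = m.group(1), m.group(2).strip()
        if label == "Creates File":
            # Keep real on-disk paths; skip pipes, device objects and WinINet cache indexes.
            if DRIVE_PATH.match(value) and not value.lower().endswith("index.dat"):
                iocs["dropped_files"].append(value)
        elif label == "Creates Process":
            iocs["processes"].append(value.strip('"'))
        elif label == "Creates Mutex":
            if not value.lower().startswith("c:!"):      # WinINet cache-directory mutex
                iocs["mutexes"].append(value)
        elif label in ("Winsock DNS", "DNS"):
            if value not in iocs["domains"]:
                iocs["domains"].append(value)
        elif label == "Flows TCP":
            f = FLOW.match(value)
            if f:
                iocs["flows"].append((f.group(1), int(f.group(2)), f.group(3), int(f.group(4))))
        elif label == "Registry":
            iocs["registry"].append(value)
    # The 192.168.x source is the sandbox guest; only public destinations are indicators.
    iocs["remote_endpoints"] = sorted({(dst, dport) for _, _, dst, dport in iocs["flows"]
                                       if not ip_address(dst).is_private})
    return iocs


def sslv2_record_header(head: bytes):
    """Decode a 2-byte SSLv2-style record header plus message type.

    Returns (record_length, msg_type), or None if the first byte's high bit is
    clear (i.e. not the SSLv2-compatible header format). msg_type 1 is CLIENT-HELLO.
    """
    if len(head) < 3 or not head[0] & 0x80:
        return None
    return ((head[0] & 0x7F) << 8) | head[1], head[2]


if __name__ == "__main__":
    for key, val in extract_iocs(REPORT_LINES).items():
        print(f"{key}: {val}")
    for hexdump in ("804c0103", "802b01"):
        print(hexdump, "->", sslv2_record_header(bytes.fromhex(hexdump)))
```

The remote endpoint list and domain are what go into a blocklist or Suricata/DNS alert; the %TEMP% path is only useful as a pattern (random lowercase name under Local Settings\Temp), since the name changes per execution.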


Strings

C:\521db805842a10c16d0d1db9ca1947f00d1de5533cf300d3b66ec70c3919c29b
c:\6f88ea019771db0225d56522fb0ccb8b.exe
C:\DOCUME~1\ADMINI~1.VMG\LOCALS~1\Temp\9E8CF66E8BDB20CDCC7F2305C680A20C88C27E9A
C:\Users\restech\AppData\Local\temp\Temp1_Incoming_FAX_fourpointsnola.com.zip\Incoming_FAX_0819.exe
@KERNEL32.dll
ntdll.dll
\4/iM"_Y
+\+7@R,~
8\Md0z
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXC
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
BeginPaint
e\bCHxNN 
EndPaint
FindResourceW
FreeLibrary
GdipAlloc
GdipBitmapGetPixel
GdipCloneImage
GdipCreateBitmapFromStream
GdipCreateBitmapFromStreamICM
GdipCreateFromHDC
GdipDeleteGraphics
GdipDisposeImage
GdipFree
GdipGetImageHeight
GdipGetImageWidth
gdiplus.dll
GdiplusStartup
GetCurrentProcess
GetDesktopWindow
GetProcAddress
GetProcessHeap
HeapAlloc
IDATXG
KERNEL32.dll
LoadLibraryA
LoadLibraryW
LoadResource
LockResource
lstrcatW
MG)s<x
n8~nI]
NtQueryInformationProcess
OutputDebugStringW
%P8		q
.rdata
ReleaseDC
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
@.rsrc
    </security>
    <security>
SizeofResource
!This program cannot be run in DOS mode.
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
USER32.dll
VirtualAlloc
VirtualFree
wvsprintfW