Analysis Date: 2015-07-16 16:21:48
MD5: 397008139e027292ee6a895fff6d576a
SHA1: e66bc0bfc305ee484c6b3c150d99cf67f26ebb13

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 012f4805a07adc743c4939f4d15f57bf sha1: fcc375797f03a8f36d5c42a3706251803405efae size: 7168
Section .rdata: md5: c7eba08b5c5e04d79c5ee39c0632b91c sha1: 31775453e152a44951da7b008c0b00cde2c8c451 size: 3072
Section .data: md5: 75355569641c9320621d9995babc7830 sha1: 4a5dab335f67686d70e4c570744b06c83b880e4e size: 4096
Section .rsrc: md5: 9c04fe9f1f0af7e4341d0ba8403bebb2 sha1: 8b6915f862918925a9081b30c6df9f39e744f277 size: 19456
Timestamp: 2091-10-15 15:07:47
Version info:
LegalCopyright: ©Huan and Sanches Mortales; available under the MPL license.
InternalName: Huan and Sanches
FileVersion: 2.0.1
CompanyName: HuSan Corporation
BuildID: ª»ÌÝîÿÿîÝÌ»ªD
LegalTrademarks: HuSan is a Trademark of The Huan and Sanches Mortales.
Comments:
ProductName: HuSan
ProductVersion: 2.0.1
FileDescription: HuSan
OriginalFilename: husan.exe
Packer: Microsoft Visual C 2.0
PEhash: 6451f4c219c1d1d71f654c2db3ea952323f1ffe9
IMPhash: 10dc261d9f8903fde964cc27f4902b93
AV Rising: Trojan.Win32.Kryptik.af
AV Mcafee: Downloader-FASG!397008139E02
AV Avira (antivir): TR/Injector.frtt
AV Twister: TrojanDldr.Upatre.fir.mhrv
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Alwil (avast): Crypt-SAL [Trj]
AV Eset (nod32): Win32/Kryptik.DGGD
AV Grisoft (avg): Generic36.BJLS
AV Symantec: Trojan.Gen
AV Fortinet: W32/Waski.A!tr
AV BitDefender: Trojan.Upatre.Gen.3
AV K7: Trojan ( 004c16241 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.BC
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV MalwareBytes: Trojan.Upatre.VM3
AV Authentium: W32/Trojan.HWJA-5498
AV Frisk (f-prot): W32/Trojan3.PEQ
AV Ikarus: Trojan.Injector
AV Emsisoft: Trojan.Upatre.Gen.3
AV Zillya!: Downloader.Upatre.Win32.24678
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fir
AV Trend Micro: TROJ_UP.70E37AF8
AV CAT (quickheal): Trojan.Kadena.B4
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Padvish: no_virus
AV BullGuard: Trojan.Upatre.Gen.3
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.2565
AV F-Secure: Trojan.Upatre.Gen.3

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\VMB_3D08.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Vmbsetup.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Vmbsetup.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Vmbsetup.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 46.16.225.236
Winsock DNS: 81.7.109.65
Winsock DNS: 145.255.5.178
Winsock DNS: 85.248.2.228
Winsock DNS: 95.80.123.41
Winsock DNS: 5.44.15.70
Winsock DNS: 128.0.85.11
Winsock DNS: 91.240.97.54
Winsock DNS: 46.151.130.90
Winsock DNS: icanhazip.com

Network Details:

DNS: icanhazip.com (Type: A) ➝ 104.238.141.75
DNS: icanhazip.com (Type: A) ➝ 104.238.136.31
DNS: icanhazip.com (Type: A) ➝ 64.182.208.183
HTTP GET: http://icanhazip.com/ (User-Agent: Mozilla/5.0 (Windows NT 6.1))
HTTP GET: http://81.7.109.65:13394/WAK21/COMPUTER-XXXXXX/0/51-SP3/0/ (User-Agent: Mozilla/5.0 (Windows NT 6.1))
Flows TCP: 192.168.1.1:1031 ➝ 104.238.141.75:80
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13394
Flows TCP: 192.168.1.1:1033 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1034 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1035 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1036 ➝ 5.44.15.70:443
Flows TCP: 192.168.1.1:1037 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1038 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1039 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1040 ➝ 85.248.2.228:443
Flows TCP: 192.168.1.1:1041 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1042 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1043 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1044 ➝ 95.80.123.41:443
Flows TCP: 192.168.1.1:1045 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1046 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1047 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1048 ➝ 91.240.97.54:443
Flows TCP: 192.168.1.1:1049 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1050 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1051 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1052 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1053 ➝ 145.255.5.178:443
Flows TCP: 192.168.1.1:1054 ➝ 145.255.5.178:443
Flows TCP: 192.168.1.1:1055 ➝ 145.255.5.178:443
Flows TCP: 192.168.1.1:1056 ➝ 145.255.5.178:443
Flows TCP: 192.168.1.1:1057 ➝ 46.16.225.236:443
Flows TCP: 192.168.1.1:1058 ➝ 46.16.225.236:443

Strings
2.0.1
A00009C0
Append
BuildID
button
Comments
CompanyName
Download
edit
Erase
FileDescription
FileVersion
Huan and Sanches
Huan and Sanches Mortales; available under the MPL license.
HuSan
HuSan Corporation
husan.exe
HuSan is a Trademark of The Huan and Sanches Mortales.
iMainClass
iMainWindow
InternalName
jjjh
LegalCopyright
LegalTrademarks
Megator
MinimalizeClassex
OriginalFilename
PadesoftApplication
ProductName
ProductVersion
QUIT
riched32.DLL
richedit
SaveAs
static
StringFileInfo
Translation
Upload
VarFileInfo
VS_VERSION_INFO
_acmdln_dll
CloseHandle
_commode_dll
CopyFileA
CreateFileW
CreateWindowExW
CRTDLL.dll
@.data
DefWindowProcW
DialogBoxParamW
DispatchMessageW
EndDialog
_fmode_dll
GetClientRect
GetCurrentDirectoryW
GetLastError
__GetMainArgs
GetMessageW
GetModuleHandleA
GetStartupInfoA
_global_unwind2
_initterm
KERNEL32.dll
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
_local_unwind2
PathCompactPathExW
PathFileExistsW
PathFindExtensionW
PathFindFileNameW
PathIsDirectoryW
PathMatchSpecW
PostQuitMessage
`.rdata
ReadFile
RegisterClassExW
SendMessageW
SetFileAttributesA
SetWindowTextW
SHLWAPI.dll
ShowWindow
!This program cannot be run in DOS mode.
TranslateMessage
UpdateWindow
USER32.dll
VC20XC00U
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>    <requestedPrivileges>     <requestedExecutionLevel  level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>