Analysis Date: 2015-10-08 07:35:37
MD5: 5b66214825997257299641a4f0cf5000
SHA1: f25b2a2e5aca8084140a04353a41707251858877

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 04e277d34685c79d48a0e91fd2993a01 sha1: efa7bf2d25e9b8f2e626d8302dbbfd9b16ace584 size: 6144
Section .rdata: md5: cd0b9cc4641220c9c5cf662afc536b6a sha1: a237dfc12d9435a08843fa7dcbb79a1266b5e6b9 size: 4096
Section .data: md5: 303aa8baa5fbc509655fdfb5be93ca9c sha1: 7f62015293614bfa70c9d4db667a4ea8705a6980 size: 2048
Section .rsrc: md5: f4f03ca7a5d1e44ccd9559e8820e4bf0 sha1: 6761eb79c1676b6112b7299b253117bd8510c5e8 size: 19968
Timestamp: 2014-08-24 15:22:59
Packer: Microsoft Visual C 2.0
PEhash: f0254163396cc975a66ac694a20d074f92c8815b
IMPhash: 012c63bb5f7f1ff21471f621b5d79f47
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Downloader.JRTI
AV Dr. Web: Trojan.DownLoader13.28245
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Downloader.JRTI
AV BullGuard: Trojan.Downloader.JRTI
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): Trojan.Kadena.B4
AV Trend Micro: TROJ_UP.9EED1BD4
AV Kaspersky: Trojan-Downloader.Win32.Upatre.aetm
AV Zillya!: no_virus
AV Emsisoft: Trojan.Downloader.JRTI
AV Ikarus: Trojan.VB.Crypt
AV Frisk (f-prot): W32/Dalexis.Q.gen!Eldorado
AV Authentium: W32/Dalexis.Q.gen!Eldorado
AV MalwareBytes: Trojan.Upatre
AV MicroWorld (escan): Trojan.Downloader.JRTI
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.G
AV K7: Trojan ( 004c29131 )
AV BitDefender: Trojan.Downloader.JRTI
AV Fortinet: W32/Kryptik.DIEU!tr
AV Symantec: Downloader.Upatre!gen5
AV Grisoft (avg): Crypt_s.IMB
AV Eset (nod32): Win32/Kryptik.DIGI
AV Alwil (avast): GenMalicious-KNL [Trj]
AV Ad-Aware: Trojan.Downloader.JRTI
AV Twister: TrojanDldr.Upatre.aetm.uucm
AV Avira (antivir): TR/Crypt.ZPACK.160427
AV Mcafee: Downloader-FASG!5B6621482599
AV Rising: Trojan.Win32.Kryptik.af

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Xulantar.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\InstallXul.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Xulantar.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Xulantar.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: icanhazip.com (Type: A) ➝ 104.238.145.30
DNS: icanhazip.com (Type: A) ➝ 104.238.141.75
DNS: icanhazip.com (Type: A) ➝ 104.238.136.31
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
HTTP GET: http://91.211.17.201:13393/KAT22/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
HTTP GET: http://91.211.17.201:13393/KAT22/COMPUTER-XXXXXX/41/1/2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0