Analysis Date: 2015-11-13 22:26:34
MD5: 8be7bf4e82bd5c592b2834ce6ecd3201
SHA1: f5a9673bc26137663c3d30980c4e5ddb9e7c2c79

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 4d1519e5bdeb9ac7ff1c5393caa8dc12 sha1: bbe745260f3ace153fb97373ed8c18cf86d5c1ea size: 5120
Section: .rdata md5: 52105ac21dfe92c51a35b37acdd2388b sha1: 8d51ada06dac25fa92e608f5c2cbc927d8c04ce0 size: 1536
Section: .data md5: e46d0482c852030a6bb0286aaee466d6 sha1: df1efb279e5ba950ed8f1f37b931b3510b6306fc size: 2560
Section: .rsrc md5: ff3ed383a70e009960574d5509992ee6 sha1: c5450ed81912952da3662a6b0be4f8eba9656d23 size: 8192
Timestamp: 2013-12-06 10:20:26
Packer: Microsoft Visual C++ v6.0
PEhash: 49b4a87dc9d6e2277756f23983d1e3176ea0124d
IMPhash: aae67ce64da17e7d673a29db67ee7a12
AV Rising: no_virus
AV Mcafee: Downloader-FSH!8BE7BF4E82BD
AV Avira (antivir): TR/Yarwi.B.51
AV Twister: Trojan.A768AE018E443A95
AV Ad-Aware: Trojan.GenericKD.1441706
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Grisoft (avg): Generic35.APFQ
AV Symantec: Downloader.Upatre!gen5
AV Fortinet: W32/Waski.A!tr
AV BitDefender: Trojan.GenericKD.1441706
AV K7: Trojan-Downloader ( 0048f6391 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.J
AV MicroWorld (escan): Trojan.GenericKD.1441706
AV MalwareBytes: Trojan.Dropper.Z
AV Authentium: W32/Trojan.ZXBF-9105
AV Frisk (f-prot): W32/Trojan3.GRV
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Emsisoft: Trojan.GenericKD.1441706
AV Zillya!: Trojan.Bublik.Win32.12658
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UPATRE.SMBX
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV VirusBlokAda (vba32): Trojan.Bublik
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.1441706
AV Arcabit (arcavir): Trojan.GenericKD.1441706
AV ClamAV: Win.Trojan.Bublik-525
AV Dr. Web: Trojan.DownLoad3.28161
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV CA (E-Trust Ino): Win32/Upatre.CC

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hupdater.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\hupdater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\hupdater.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: adoraacc.com
Winsock DNS: wahidexpress.com

Network Details:

DNS: wahidexpress.com
Type: A
103.15.74.65
DNS: adoraacc.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1032 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1033 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1034 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1035 ➝ 103.15.74.65:443
Flows TCP: 192.168.1.1:1036 ➝ 103.15.74.65:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings