Analysis Date: 2015-11-13 22:59:14
MD5: 922e719afb22cd97cfa3004ec29f8aa1
SHA1: f9831c1f4a9057cc8d93364b0871af1a4ed48fbb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ccd6872bf8a30fde0aaef880f6fcab5c sha1: a5e4c50204b2bbe28fd22ab4612069ca0ddc8709 size: 6144
Section .data: md5: 006ed4262cd7ae5ded103716a5888458 sha1: 3184fc68cd0ba37ef74f3f86bfd1caedbd5febc8 size: 2048
Section .rdata: md5: 6b3988de8f9320f645cf1b02d635f5c8 sha1: 2b88d99bea8aff01ba90edbac807da88e11e6bb1 size: 2560
Section .idata: md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc: md5: 8d585c9cb53383587360245d758df751 sha1: b49f1ff80ef341b3933e07a7861b1d912ae45192 size: 5120
Timestamp: 2004-05-20 05:59:45
PEhash: 40798a0e07c1975eae2f4f2f97c0981897c04949
IMPhash: 641a435995118d1e23b199af0b58ecfd
AV Mcafee: BackDoor-FBPV!922E719AFB22
AV CA (E-Trust Ino): Win32/Upatre.CG
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1510678
AV Arcabit (arcavir): Trojan.GenericKD.1510678
AV Padvish: no_virus
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV Rising: no_virus
AV Sophos: Troj/Kryptik-CF
AV Ad-Aware: Trojan.GenericKD.1510678
AV Symantec: Trojan.Zbot
AV ClamAV: Win.Trojan.Generickd-339
AV Trend Micro: TROJ_UPATRE.SMZ3
AV Twister: Trojan.4F2E7F5ED9436B8E
AV Authentium: W32/Trojan.FLQZ-0982
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: Trojan.DownLoad3.28161
AV Zillya!: Trojan.Bublik.Win32.12921
AV Emsisoft: Trojan.GenericKD.1510678
AV Alwil (avast): Waski-C [Cryp]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Avira (antivir): TR/Dldr.Upatre.A.66
AV Fortinet: W32/Kryptik.CF!tr
AV Frisk (f-prot): W32/Trojan3.HFT
AV F-Secure: Trojan.GenericKD.1510678
AV BitDefender: Trojan.GenericKD.1510678
AV Grisoft (avg): Zbot.FCP

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: nbc-mail.com
Winsock DNS: findenglish.com

Network Details:

DNS: findenglish.com (Type: A) ➝ 141.8.226.14
DNS: nbc-mail.com (Type: A) ➝ 190.97.162.247
Flows TCP: 192.168.1.1:1031 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1032 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1033 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1034 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1035 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1036 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1037 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1038 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1039 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1040 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1041 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1042 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1043 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1044 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1045 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1046 ➝ 190.97.162.247:443
Flows TCP: 192.168.1.1:1047 ➝ 141.8.226.14:443
Flows TCP: 192.168.1.1:1048 ➝ 141.8.226.14:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings