Troj/Upatre-DQ

Category: Viruses and Spyware
Protection available since: 01 Aug 2014 19:28:28 (GMT)
Type: Trojan
Last Updated: 01 Aug 2014 19:28:28 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Upatre-DQ include:

Example 1

File Information

Size: 25K
SHA-1: 18ea3e5c84665e61a2d1dad3460af34691d84a8f
MD5: 2234525bae05aa45e9eb0c65b80fb113
CRC-32: e98214e7
File type: Windows executable
First seen: 2014-08-01

Example 2

File Information

Size: 24K
SHA-1: 4c9e3c33a6f96b5273d01502064adec5cb0eaff7
MD5: c4683e2af3f4330412b365b8fcacab82
CRC-32: be619d56
File type: Windows executable
First seen: 2014-08-01

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\qigelofaqi.exe
    Size: 124K
    SHA-1: 5ad5e94be7f330908f986b47dac4b663aa08c447
    MD5: 8c6af1c21d99fcdf51044b9fb546ce65
    CRC-32: 973e4717
    File type: Windows executable
    First seen: 2014-08-01
  • c:\Documents and Settings\test user\Local Settings\Temp\yqskw.exe
    Size: 164K
    SHA-1: a4722e474c9830887a62a0784f791a1a5e6c5267
    MD5: e64a1487561689eb268e927968c1e80d
    CRC-32: d6876f41
    File type: Windows executable
    First seen: 2014-08-01
  • c:\Documents and Settings\test user\Application Data\lq490rt.ocx
    Size: 474
    SHA-1: 9717466105fc46186218834e2e4b70b0a8b13756
    MD5: 1cfc5d01dc23a084265539c0aae9f6b1
    CRC-32: 176ac9d2
    File type: Unspecified binary - probably data
    First seen: 2014-08-01
  • c:\Documents and Settings\test user\Local Settings\Temp\noonb.exe
    Size: 124K
    SHA-1: 5ad5e94be7f330908f986b47dac4b663aa08c447
    MD5: 8c6af1c21d99fcdf51044b9fb546ce65
    CRC-32: 973e4717
    File type: Windows executable
    First seen: 2014-08-01
  • c:\Documents and Settings\test user\Application Data\cmd.exe
    Size: 273K
    SHA-1: 907824f4bf20baac1a338be196ce9a73c95360ff
    MD5: f3b4110a4d4963288e304b5011ca5e3b
    CRC-32: e962f68b
    File type: Windows executable
    First seen: 2014-08-01
  • c:\Documents and Settings\test user\Local Settings\Temp\MSWQC.tmp
  • c:\Documents and Settings\test user\Local Settings\Temp\zxrpm.exe
    Size: 25K
    SHA-1: 18ea3e5c84665e61a2d1dad3460af34691d84a8f
    MD5: 2234525bae05aa45e9eb0c65b80fb113
    CRC-32: e98214e7
    File type: Windows executable
    First seen: 2014-08-01
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    qigelofaqi
    c:\Documents and Settings\test user\qigelofaqi.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion
    VendorId
    □g□@□□@□□@L□□□□□□□□□□□□□
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\DOCUME~1\support\LOCALS~1\Temp\yqskw.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\yqskw.exe:*:Enabled:Microsoft Office
Processes Created
  • c:\Documents and Settings\test user\application data\cmd.exe
  • c:\docume~1\support\locals~1\temp\noonb.exe
  • c:\docume~1\support\locals~1\temp\ohgah.exe
  • c:\docume~1\support\locals~1\temp\yqskw.exe
  • c:\docume~1\support\locals~1\temp\zxrpm.exe
HTTP Requests
IP Connections
  • 188.165.227.61:20050
  • 188.165.227.61:80
  • 94.23.247.202:80
DNS Requests